From ff8717bd708236d99908c4032660ba368c4177d1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 17 Jan 2006 00:02:36 +0000 Subject: [PATCH 001/465] xref named.conf(5) --- bin/named/named.docbook | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/bin/named/named.docbook b/bin/named/named.docbook index 45cfc6b946..adab9a1410 100644 --- a/bin/named/named.docbook +++ b/bin/named/named.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -341,6 +341,10 @@ lwresd 8 , + + named.conf + 5 + , BIND 9 Administrator Reference Manual. From 7b38e9b725cb0b18fc2b12e3a6dd57cb019ce431 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 17 Jan 2006 02:14:30 +0000 Subject: [PATCH 002/465] regen --- bin/named/named.8 | 3 ++- bin/named/named.html | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/bin/named/named.8 b/bin/named/named.8 index 08f5e8733d..be183c1c59 100644 --- a/bin/named/named.8 +++ b/bin/named/named.8 @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.8,v 1.17.2.5 2005/10/13 02:23:29 marka Exp $ +.\" $Id: named.8,v 1.17.2.6 2006/01/17 02:14:30 marka Exp $ .\" .hy 0 .ad l @@ -162,6 +162,7 @@ RFC 1034, RFC 1035, \fBrndc\fR(8), \fBlwresd\fR(8), +\fBnamed.conf\fR(5), BIND 9 Administrator Reference Manual. .SH "AUTHOR" .PP diff --git a/bin/named/named.html b/bin/named/named.html index 710509d1e4..bf90a0368c 100644 --- a/bin/named/named.html +++ b/bin/named/named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -215,11 +215,12 @@ RFC 1035, rndc(8), lwresd(8), + named.conf(5), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

From 43203bf5bba884703e918faffb876d2574bdd2b1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 17 Jan 2006 23:30:03 +0000 Subject: [PATCH 003/465] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index f6add042fb..3c942137cf 100644 --- a/util/copyrights +++ b/util/copyrights @@ -140,7 +140,7 @@ ./bin/named/named.conf.5 MAN DOCBOOK ./bin/named/named.conf.docbook SGML 2004,2005 ./bin/named/named.conf.html HTML DOCBOOK -./bin/named/named.docbook SGML 2000,2001,2004,2005 +./bin/named/named.docbook SGML 2000,2001,2004,2005,2006 ./bin/named/named.html HTML DOCBOOK ./bin/named/notify.c C 1999,2000,2001,2003,2004 ./bin/named/query.c C 1999,2000,2001,2002,2003,2004,2005 From 94da720cf0f55a77612dc5342ec391a9707cb2ed Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 17 Jan 2006 23:49:29 +0000 Subject: [PATCH 004/465] update copyright notice --- bin/named/named.docbook | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bin/named/named.docbook b/bin/named/named.docbook index adab9a1410..19eccef680 100644 --- a/bin/named/named.docbook +++ b/bin/named/named.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" []> - + @@ -35,6 +35,7 @@ 2004 2005 + 2006 Internet Systems Consortium, Inc. ("ISC") From 2747e540864ec637cf60ec3045c3f2b8b5dad2dd Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 18 Jan 2006 04:58:58 +0000 Subject: [PATCH 005/465] regen --- bin/named/named.8 | 4 ++-- bin/named/named.html | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/bin/named/named.8 b/bin/named/named.8 index be183c1c59..4339ddfd70 100644 --- a/bin/named/named.8 +++ b/bin/named/named.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.8,v 1.17.2.6 2006/01/17 02:14:30 marka Exp $ +.\" $Id: named.8,v 1.17.2.7 2006/01/18 04:58:58 marka Exp $ .\" .hy 0 .ad l diff --git a/bin/named/named.html b/bin/named/named.html index bf90a0368c..6c99f3be94 100644 --- a/bin/named/named.html +++ b/bin/named/named.html @@ -1,5 +1,5 @@ - + @@ -32,7 +32,7 @@

named [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -46,7 +46,7 @@

-

OPTIONS

+

OPTIONS

-c config-file

@@ -165,7 +165,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -186,7 +186,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is @@ -195,7 +195,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -208,7 +208,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, @@ -220,7 +220,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

From 3dfc3b1da1d9ca6fa5f9f78d0fa7617d43945f00 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 23 Jan 2006 05:00:33 +0000 Subject: [PATCH 006/465] 1972. [contrib] DBUS dynamic forwarders integation from Jason Vas Dias . --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index f99287cb0f..a5b9fad2f1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1972. [contrib] DBUS dynamic forwarders integation from + Jason Vas Dias . + 1971. [port] linux: make detection of missing IF_NAMESIZE more robust. [RT #15443] From 5d84c263be7d17319b35e2109e11e080ba197ddf Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 23 Jan 2006 23:30:04 +0000 Subject: [PATCH 007/465] newcopyrights --- util/copyrights | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/util/copyrights b/util/copyrights index 3c942137cf..2a8545ecb3 100644 --- a/util/copyrights +++ b/util/copyrights @@ -785,6 +785,18 @@ ./conftools/perllib/dnsconf/named1.conf CONF-C 2000,2001,2004 ./conftools/perllib/dnsconf/test.pl PERL 2000,2001,2004 ./contrib/.cvsignore X 2000,2001 +./contrib/dbus/GetForwarders X 2006 +./contrib/dbus/INSTALL X 2006 +./contrib/dbus/Makefile X 2006 +./contrib/dbus/README.DBUS X 2006 +./contrib/dbus/SetForwarders X 2006 +./contrib/dbus/bind-9.3.2b1-dbus.patch X 2006 +./contrib/dbus/dbus_mgr.c X 2006 +./contrib/dbus/dbus_mgr.h X 2006 +./contrib/dbus/dbus_service.c X 2006 +./contrib/dbus/dbus_service.h X 2006 +./contrib/dbus/named-dbus-system.conf X 2006 +./contrib/dbus/named-dbus.service X 2006 ./contrib/idn/idnkit-1.0-src/ChangeLog X 2003 ./contrib/idn/idnkit-1.0-src/DISTFILES X 2003 ./contrib/idn/idnkit-1.0-src/INSTALL X 2003 From 2bd93028f2aa3a82fee00733639b126dec8d12f4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 26 Jan 2006 23:11:39 +0000 Subject: [PATCH 008/465] 1955. [bug] Pre-allocate the cache cleaning interator. [RT #14998] Fix the CLEANER_IDLE macro to make this change complete. [RT #15815] --- lib/dns/cache.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/dns/cache.c b/lib/dns/cache.c index 74aae8c1b7..04e2de8957 100644 --- a/lib/dns/cache.c +++ b/lib/dns/cache.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: cache.c,v 1.45.2.9 2006/01/06 00:01:41 marka Exp $ */ +/* $Id: cache.c,v 1.45.2.10 2006/01/26 23:11:39 marka Exp $ */ #include @@ -65,7 +65,6 @@ typedef enum { * Convenience macros for comprehensive assertion checking. */ #define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \ - (c)->iterator == NULL && \ (c)->resched_event != NULL) #define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \ (c)->iterator != NULL && \ From 816b943375db912983b4c67f3be28a7659ef725e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sun, 29 Jan 2006 22:56:11 +0000 Subject: [PATCH 009/465] regen --- bin/check/named-checkconf.html | 4 ++-- bin/rndc/rndc.conf.html | 4 ++-- doc/arm/Bv9ARM.ch06.html | 14 +++++++------- doc/arm/Bv9ARM.html | 8 ++++---- lib/lwres/man/lwres.html | 6 +++--- lib/lwres/man/lwres_gai_strerror.html | 4 ++-- lib/lwres/man/lwres_getnameinfo.html | 4 ++-- lib/lwres/man/lwres_hstrerror.html | 4 ++-- lib/lwres/man/lwres_inetntop.html | 4 ++-- lib/lwres/man/lwres_packet.html | 4 ++-- 10 files changed, 28 insertions(+), 28 deletions(-) diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 95aed889c9..dda2f490c0 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -32,7 +32,7 @@

named-checkconf [-v] [-t directory] {filename}

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file. diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html index dc557181fe..0f21a64bda 100644 --- a/bin/rndc/rndc.conf.html +++ b/bin/rndc/rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -32,7 +32,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 9a2976e860..0cc028cb81 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -57,9 +57,9 @@ Usage

controls Statement Grammar
controls Statement Definition and Usage
-
include Statement Grammar
-
include Statement Definition and Usage
-
key Statement Grammar
+
include Statement Grammar
+
include Statement Definition and Usage
+
key Statement Grammar
key Statement Definition and Usage
logging Statement Grammar
logging Statement Definition and Usage
@@ -568,12 +568,12 @@ statement: controls { };.

-include Statement Grammar

+include Statement Grammar
include filename;

-include Statement Definition and Usage

+include Statement Definition and Usage

The include statement inserts the specified file at the point that the include statement is encountered. The include @@ -584,7 +584,7 @@ statement: controls { };.

-key Statement Grammar

+key Statement Grammar
key key_id {
     algorithm string;
     secret string;
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 9b379960c3..6c56d1e5e0 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -137,9 +137,9 @@
 Usage
 
controls Statement Grammar

 
controls Statement Definition and Usage

-
include Statement Grammar

-
include Statement Definition and Usage

-
key Statement Grammar

+
include Statement Grammar

+
include Statement Definition and Usage

+
key Statement Grammar

 
key Statement Definition and Usage

 
logging Statement Grammar

 
logging Statement Definition and Usage

diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
index f0a56a478b..bf6c96e05a 100644
--- a/lib/lwres/man/lwres.html
+++ b/lib/lwres/man/lwres.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -32,7 +32,7 @@
 
#include <lwres/lwres.h>

 
 

-
DESCRIPTION

+
DESCRIPTION

 

 The BIND 9 lightweight resolver library is a simple, name service
 independent stub resolver library.  It provides hostname-to-address
@@ -47,7 +47,7 @@ UDP-based protocol.
 

 

 

-
OVERVIEW

+
OVERVIEW

 

 The lwresd library implements multiple name service APIs.
 The standard
diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html
index 2f387b424f..2c7f2633ad 100644
--- a/lib/lwres/man/lwres_gai_strerror.html
+++ b/lib/lwres/man/lwres_gai_strerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -37,7 +37,7 @@ char *
 

 
 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_gai_strerror()
 returns an error message corresponding to an error code returned by
diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html
index f3ea5efdc2..d3b11704c2 100644
--- a/lib/lwres/man/lwres_getnameinfo.html
+++ b/lib/lwres/man/lwres_getnameinfo.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -74,7 +74,7 @@ int
 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
 This function is equivalent to the getnameinfo(3) function defined in RFC2133.
 lwres_getnameinfo() returns the hostname for the
 struct sockaddr sa which is
diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html
index 8adc875b0e..77e2a508bc 100644
--- a/lib/lwres/man/lwres_hstrerror.html
+++ b/lib/lwres/man/lwres_hstrerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -40,7 +40,7 @@ const char *
 

 
 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_herror() prints the string
 s on stderr followed by the string
diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html
index 6840a171c2..a4994eddc6 100644
--- a/lib/lwres/man/lwres_inetntop.html
+++ b/lib/lwres/man/lwres_inetntop.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -59,7 +59,7 @@ const char *
 

 
 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_net_ntop() converts an IP address of
 protocol family af — IPv4 or IPv6 —
diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html
index a1f49efb0d..5621a49fba 100644
--- a/lib/lwres/man/lwres_packet.html
+++ b/lib/lwres/man/lwres_packet.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -64,7 +64,7 @@ lwres_result_t
 

 
 

-
DESCRIPTION

+
DESCRIPTION

 

 These functions rely on a
 struct lwres_lwpacket

From ea76ae3428d788c98a7a82ff21e19407cdce8707 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 30 Jan 2006 01:19:12 +0000
Subject: [PATCH 010/465] 1974.   [doc]           List each of the zone types
 and associated zone                         options seperately in the ARM.

---
 CHANGES                 |  3 ++
 doc/arm/Bv9ARM-book.xml | 82 +++++++++++++++++++++++++++++++++++++----
 2 files changed, 78 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index a5b9fad2f1..63918dcb88 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1974.	[doc]		List each of the zone types and associated zone
+			options seperately in the ARM.
+
 1972.	[contrib]	DBUS dynamic forwarders integation from
 			Jason Vas Dias .
 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 10dee5b712..1eee8489e9 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 BIND 9 Administrator Reference Manual
@@ -4146,18 +4146,46 @@ view "external" {
 
 <command>zone</command>
 Statement Grammar
-      zone zone_name class { 
-    type ( master | slave | hint | stub | forward | delegation-only ) ;
-     allow-notify { address_match_list } ; 
+zone zone_name class {
+    type master;
      allow-query { address_match_list } ; 
      allow-transfer { address_match_list } ; 
      allow-update { address_match_list } ; 
      update-policy { update_policy_rule ... } ; 
+     also-notify { ip_addr port ip_port ;  ip_addr port ip_port ; ...  }; 
+     check-names (warn|fail|ignore) ; 
+     dialup dialup_option ; 
+     file string ; 
+     forward (only|first) ; 
+     forwarders {  ip_addr port ip_port ; ...  }; 
+     ixfr-base string ; 
+     ixfr-tmp-file string ; 
+     maintain-ixfr-base yes_or_no ; 
+     max-ixfr-log-size number ; 
+     max-transfer-idle-out number ; 
+     max-transfer-time-out number ; 
+     notify yes_or_no | explicit ; 
+     pubkey number number number string ; 
+     notify-source (ip4_addr | *) port ip_port ; 
+     notify-source-v6 (ip6_addr | *) port ip_port ; 
+     zone-statistics yes_or_no ; 
+     sig-validity-interval number ; 
+     database string ; 
+     min-refresh-time number ; 
+     max-refresh-time number ; 
+     min-retry-time number ; 
+     max-retry-time number ; 
+};
+
+zone zone_name class {
+    type slave;
+     allow-notify { address_match_list } ; 
+     allow-query { address_match_list } ; 
+     allow-transfer { address_match_list } ; 
      allow-update-forwarding { address_match_list } ; 
      also-notify { ip_addr port ip_port ;  ip_addr port ip_port ; ...  }; 
      check-names (warn|fail|ignore) ; 
      dialup dialup_option ; 
-     delegation-only yes_or_no ; 
      file string ; 
      forward (only|first) ; 
      forwarders {  ip_addr port ip_port ; ...  }; 
@@ -4177,14 +4205,54 @@ Statement Grammar
      notify-source (ip4_addr | *) port ip_port ; 
      notify-source-v6 (ip6_addr | *) port ip_port ; 
      zone-statistics yes_or_no ; 
-     sig-validity-interval number ; 
      database string ; 
      min-refresh-time number ; 
      max-refresh-time number ; 
      min-retry-time number ; 
      max-retry-time number ; 
+};
 
-};
+zone zone_name class {
+    type hint;
+     forward (only|first) ; 
+     forwarders {  ip_addr port ip_port ; ...  }; 
+     delegation-only yes_or_no ; 
+     check-names (warn|fail|ignore) ; 
+};
+
+zone zone_name class {
+    type stub;
+     allow-query { address_match_list } ; 
+     check-names (warn|fail|ignore) ; 
+     dialup dialup_option ; 
+     delegation-only yes_or_no ; 
+     file string ; 
+     forward (only|first) ; 
+     forwarders {  ip_addr port ip_port ; ...  }; 
+     masters port ip_port { ip_addr port ip_port key key; ... } ; 
+     max-transfer-idle-in number ; 
+     max-transfer-time-in number ; 
+     pubkey number number number string ; 
+     transfer-source (ip4_addr | *) port ip_port ; 
+     transfer-source-v6 (ip6_addr | *) port ip_port ; 
+     zone-statistics yes_or_no ; 
+     database string ; 
+     min-refresh-time number ; 
+     max-refresh-time number ; 
+     min-retry-time number ; 
+     max-retry-time number ; 
+};
+
+zone zone_name class {
+    type forward;
+     forward (only|first) ; 
+     forwarders {  ip_addr port ip_port ; ...  }; 
+     delegation-only yes_or_no ; 
+};
+
+zone zone_name class {
+    type delegation-only;
+};
 
 
 <command>zone</command> Statement Definition and Usage

From 4163727918a8ed519ecf57b8951bbd8b54f3fa15 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 30 Jan 2006 05:07:51 +0000
Subject: [PATCH 011/465] regen

---
 doc/arm/Bv9ARM.ch06.html | 122 ++++++++++++++++++++++++++++++---------
 doc/arm/Bv9ARM.ch07.html |  14 ++---
 doc/arm/Bv9ARM.ch08.html |  18 +++---
 doc/arm/Bv9ARM.ch09.html |  26 ++++-----
 doc/arm/Bv9ARM.html      |  36 ++++++------
 5 files changed, 142 insertions(+), 74 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 0cc028cb81..d7293de3ff 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -76,16 +76,16 @@ and Usage
 
view Statement Definition and Usage

 
zone
 Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 

 
 

@@ -2377,18 +2377,46 @@ view "external" {
 

 zone
 Statement Grammar

-
zone zone_name [class] [{ 
-    type ( master | slave | hint | stub | forward | delegation-only ) ;
-    [ allow-notify { address_match_list } ; ]
+
zone zone_name [class] {
+    type master;
     [ allow-query { address_match_list } ; ]
     [ allow-transfer { address_match_list } ; ]
     [ allow-update { address_match_list } ; ]
     [ update-policy { update_policy_rule [...] } ; ]
+    [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
+    [ check-names (warn|fail|ignore) ; ]
+    [ dialup dialup_option ; ]
+    [ file string ; ]
+    [ forward (only|first) ; ]
+    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
+    [ ixfr-base string ; ]
+    [ ixfr-tmp-file string ; ]
+    [ maintain-ixfr-base yes_or_no ; ]
+    [ max-ixfr-log-size number ; ]
+    [ max-transfer-idle-out number ; ]
+    [ max-transfer-time-out number ; ]
+    [ notify yes_or_no | explicit ; ]
+    [ pubkey number number number string ; ]
+    [ notify-source (ip4_addr | *) [port ip_port] ; ]
+    [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
+    [ zone-statistics yes_or_no ; ]
+    [ sig-validity-interval number ; ]
+    [ database string ; ]
+    [ min-refresh-time number ; ]
+    [ max-refresh-time number ; ]
+    [ min-retry-time number ; ]
+    [ max-retry-time number ; ]
+};
+
+zone zone_name [class] {
+    type slave;
+    [ allow-notify { address_match_list } ; ]
+    [ allow-query { address_match_list } ; ]
+    [ allow-transfer { address_match_list } ; ]
     [ allow-update-forwarding { address_match_list } ; ]
     [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
     [ check-names (warn|fail|ignore) ; ]
     [ dialup dialup_option ; ]
-    [ delegation-only yes_or_no ; ]
     [ file string ; ]
     [ forward (only|first) ; ]
     [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
@@ -2408,22 +2436,62 @@ Statement Grammar
     [ notify-source (ip4_addr | *) [port ip_port] ; ]
     [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ zone-statistics yes_or_no ; ]
-    [ sig-validity-interval number ; ]
     [ database string ; ]
     [ min-refresh-time number ; ]
     [ max-refresh-time number ; ]
     [ min-retry-time number ; ]
     [ max-retry-time number ; ]
+};
 
-}];
+zone zone_name [class] {
+    type hint;
+    [ forward (only|first) ; ]
+    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
+    [ delegation-only yes_or_no ; ]
+    [ check-names (warn|fail|ignore) ; ]
+};
+
+zone zone_name [class] {
+    type stub;
+    [ allow-query { address_match_list } ; ]
+    [ check-names (warn|fail|ignore) ; ]
+    [ dialup dialup_option ; ]
+    [ delegation-only yes_or_no ; ]
+    [ file string ; ]
+    [ forward (only|first) ; ]
+    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
+    [ masters [port ip_port] { ip_addr [port ip_port] [key key]; [...] } ; ]
+    [ max-transfer-idle-in number ; ]
+    [ max-transfer-time-in number ; ]
+    [ pubkey number number number string ; ]
+    [ transfer-source (ip4_addr | *) [port ip_port] ; ]
+    [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
+    [ zone-statistics yes_or_no ; ]
+    [ database string ; ]
+    [ min-refresh-time number ; ]
+    [ max-refresh-time number ; ]
+    [ min-retry-time number ; ]
+    [ max-retry-time number ; ]
+};
+
+zone zone_name [class] {
+    type forward;
+    [ forward (only|first) ; ]
+    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
+    [ delegation-only yes_or_no ; ]
+};
+
+zone zone_name [class] {
+    type delegation-only;
+};
 

 
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 
@@ -2534,7 +2602,7 @@ from forwarders.

 

-Class

+Class
The zone's name may optionally be followed by a class. If
 a class is not specified, class IN (for Internet),
 is assumed. This is correct for the vast majority of cases.

@@ -2549,7 +2617,7 @@ in the mid-1970s. Zone data for it can be specified with the 
 

-Zone Options

+Zone Options
 

 
allow-notify

 
See the description of
@@ -2765,7 +2833,7 @@ SIG, NS, SOA, and NXT. Types may be specified by name, including
 

 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -2775,7 +2843,7 @@ Since the publication of RFC 1034, several new RRs have been identified
 and implemented in the DNS. These are also included.

 

 

-Resource Records

+Resource Records

 
A domain name identifies a node.  Each node has a set of
         resource information, which may be empty.  The set of resource
         information associated with a particular name is composed of
@@ -3050,7 +3118,7 @@ used as "pointers" to other data in the DNS.

 
 

 

-Textual expression of RRs

+Textual expression of RRs

 
RRs are represented in binary form in the packets of the DNS
 protocol, and are usually represented in highly encoded form when
 stored in a nameserver or resolver.  In the examples provided in
@@ -3140,7 +3208,7 @@ each of a different class.

 
 

 

-Discussion of MX Records

+Discussion of MX Records

 
As described above, domain servers store information as a
 series of resource records, each of which contains a particular
 piece of information about a given domain name (which is usually,
@@ -3257,7 +3325,7 @@ can be explicitly specified, for example, 1h30m. 
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 
Reverse name resolution (that is, translation from IP address
 to name) is achieved by means of the in-addr.arpa domain
 and PTR records. Entries in the in-addr.arpa domain are made in
@@ -3295,7 +3363,7 @@ that the example is relative to the listed origin.

 
 

 

-Other Zone File Directives

+Other Zone File Directives

 
The Master File Format was initially defined in RFC 1035 and
 has subsequently been extended. While the Master File Format itself
 is class independent all records in a Master File must be of the same
@@ -3304,7 +3372,7 @@ class.

 and $TTL.

 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 
Syntax: $ORIGIN
 domain-name [ comment]

 
$ORIGIN sets the domain name that will
@@ -3319,7 +3387,7 @@ WWW     CNAME   MAIN-SERVER
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 
Syntax: $INCLUDE
 filename [
 origin ] [ comment ]

@@ -3343,7 +3411,7 @@ This could be construed as a deviation from RFC 1035, a feature, or both.
 
 

 

-The $TTL Directive

+The $TTL Directive

 
Syntax: $TTL
 default-ttl [
 comment ]

@@ -3354,7 +3422,7 @@ with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.

 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 
Syntax: $GENERATE range lhs type rhs [ comment ]

 
$GENERATE is used to create a series of
 resource records that only differ from each other by an iterator. $GENERATE can
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index f7dc566f94..8d9905d971 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,11 +46,11 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid (for
+
chroot and setuid (for
 UNIX servers)

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -100,7 +100,7 @@ see the AUSCERT advisory at
 
 

 

-chroot and setuid (for
+chroot and setuid (for
 UNIX servers)

 
On UNIX servers, it is possible to run BIND in a chrooted environment
 (chroot()) by specifying the "-t"
@@ -115,7 +115,7 @@ user 202:

 
/usr/local/bin/named -u 202 -t /var/named

 

 

-The chroot Environment

+The chroot Environment

 
In order for a chroot() environment to
 work properly in a particular directory
 (for example, /var/named),
@@ -140,7 +140,7 @@ to set up things like
 
 

 

-Using the setuid Function

+Using the setuid Function

 
Prior to running the named daemon, use
 the touch utility (to change file access and
 modification times) or the chown utility (to
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 79f55f6bfa..a3003e5d55 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 
The best solution to solving installation and
       configuration issues is to take preventative measures by setting
       up logging files beforehand. The log files provide a
@@ -66,7 +66,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 
Zone serial numbers are just numbers-they aren't date
     related.  A lot of people set them to a number that represents a
     date, usually of the form YYYYMMDDRR. A number of people have been
@@ -87,7 +87,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 
The Internet Software Consortium (ISC) offers a wide range
     of support and service agreements for BIND and DHCP servers. Four
     levels of premium support are available and each level includes
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index b710f97aae..17205d8605 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -43,26 +43,26 @@
 

 
Table of Contents

 

-
Acknowledgements

-
A Brief History of the DNS and BIND

+
Acknowledgements

+
A Brief History of the DNS and BIND

 
Historical DNS Information

 
Classes of Resource Records

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (A6)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgements

+Acknowledgements

 

 

-A Brief History of the DNS and BIND

+A Brief History of the DNS and BIND

 
Although the "official" beginning of the Domain Name
       System occurred in 1984 with the publication of RFC 920, the
       core of the new system was described in 1983 in RFCs 882 and
@@ -122,7 +122,7 @@ individuals.

 Classes of Resource Records
 

 

-HS = hesiod

+HS = hesiod

 
The [hesiod] class is an information service
 developed by MIT's Project Athena. It is used to share information
 about various systems databases, such as users, groups, printers
@@ -131,7 +131,7 @@ hesiod.

 
 

 

-CH = chaos

+CH = chaos

 
The chaos class is used to specify zone
 data for the MIT-developed CHAOSnet, a LAN protocol created in the
 mid-1970s.

@@ -140,7 +140,7 @@ mid-1970s.

 
 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (A6)

@@ -320,7 +320,7 @@ the number of the RFC). RFCs are also available via the Web at
 

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -420,11 +420,11 @@ after which they are deleted unless updated by their authors.
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 6c56d1e5e0..3d33187e10 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -156,49 +156,49 @@ and Usage
 
view Statement Definition and Usage

 
zone
 Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid (for
+
chroot and setuid (for
 UNIX servers)

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgements

-
A Brief History of the DNS and BIND

+
Acknowledgements

+
A Brief History of the DNS and BIND

 
Historical DNS Information

 
Classes of Resource Records

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (A6)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

From 6dbcb085f554740e3054e73084622d4ea26f5d12 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 31 Jan 2006 00:48:05 +0000
Subject: [PATCH 012/465] 1975.   [bug]           libbind: isc_gethexstring()
 could misparse multi-line                         hex strings with comments.
 [RT #15814]

---
 CHANGES            | 3 +++
 lib/bind/isc/hex.c | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 63918dcb88..0245ac3d40 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
+			hex strings with comments. [RT #15814]
+
 1974.	[doc]		List each of the zone types and associated zone
 			options seperately in the ARM.
 
diff --git a/lib/bind/isc/hex.c b/lib/bind/isc/hex.c
index c177ca0fa3..70312597c9 100644
--- a/lib/bind/isc/hex.c
+++ b/lib/bind/isc/hex.c
@@ -45,8 +45,9 @@ isc_gethexstring(unsigned char *buf, size_t len, int count, FILE *fp,
 			goto formerr;
 		/* comment */
 		if (c == ';') {
-			while ((c = fgetc(fp)) != EOF && c != '\n')
-				/* empty */
+			do {
+				c = fgetc(fp);
+			} while (c != EOF && c != '\n');
 			if (c == '\n' && *multiline)
 				continue;
 			goto formerr;

From 15a821d57016893b053b0dc4b0aa4b2c17cc3d30 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 31 Jan 2006 23:30:04 +0000
Subject: [PATCH 013/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 2a8545ecb3..943c334bb6 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1316,7 +1316,7 @@
 ./lib/bind/isc/eventlib_p.h			X	2001,2005
 ./lib/bind/isc/heap.c				X	2001
 ./lib/bind/isc/heap.mdoc			X	2001
-./lib/bind/isc/hex.c				X	2001
+./lib/bind/isc/hex.c				X	2001,2006
 ./lib/bind/isc/logging.c			X	2001
 ./lib/bind/isc/logging.mdoc			X	2001
 ./lib/bind/isc/logging_p.h			X	2001

From 8f0201bac7e21655c04cfcae0ddb48f645277442 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 1 Feb 2006 22:39:46 +0000
Subject: [PATCH 014/465] comment typo

---
 lib/dns/include/dns/resolver.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 0b9a8eb35d..ee9e3008f6 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.34.2.1 2004/03/09 06:11:21 marka Exp $ */
+/* $Id: resolver.h,v 1.34.2.2 2006/02/01 22:39:46 marka Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
@@ -132,7 +132,7 @@ dns_resolver_create(dns_view_t *view,
  *
  *	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
  *
- *	*resp != NULL && *resp == NULL.
+ *	resp != NULL && *resp == NULL.
  *
  * Returns:
  *

From fc9f7be17d1247b8b995d9878a8d941e1ade7baa Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 1 Feb 2006 23:30:03 +0000
Subject: [PATCH 015/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 943c334bb6..522cb67bdd 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1640,7 +1640,7 @@
 ./lib/dns/include/dns/rdataslab.h		C	1999,2000,2001,2003,2004
 ./lib/dns/include/dns/rdatatype.h		C	1998,1999,2000,2001,2004
 ./lib/dns/include/dns/request.h			C	2000,2001,2004
-./lib/dns/include/dns/resolver.h		C	1999,2000,2001,2004
+./lib/dns/include/dns/resolver.h		C	1999,2000,2001,2004,2006
 ./lib/dns/include/dns/result.h			C	1998,1999,2000,2001,2002,2003,2004
 ./lib/dns/include/dns/rootns.h			C	1999,2000,2001,2004
 ./lib/dns/include/dns/sdb.h			C	2000,2001,2004

From 5b175a9ebfd2a8fec64f8dccc14fa4ef54bb21c9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 1 Feb 2006 23:48:50 +0000
Subject: [PATCH 016/465] update copyright notice

---
 lib/dns/include/dns/resolver.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index ee9e3008f6..7baf7580bf 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.34.2.2 2006/02/01 22:39:46 marka Exp $ */
+/* $Id: resolver.h,v 1.34.2.3 2006/02/01 23:48:50 marka Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1

From 318308da922435b38765bcf1a33b132e09592f8e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Feb 2006 22:43:29 +0000
Subject: [PATCH 017/465] 1976.   [bug]           Handle systems with no IPv4
 addresses. [RT #15695]

---
 CHANGES                     | 2 ++
 lib/isc/unix/ifiter_ioctl.c | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0245ac3d40..6a65304908 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
+
 1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
 			hex strings with comments. [RT #15814]
 
diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c
index f17e1fa0df..e239cb47e7 100644
--- a/lib/isc/unix/ifiter_ioctl.c
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_ioctl.c,v 1.19.2.6 2004/03/09 06:12:10 marka Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.19.2.7 2006/02/02 22:43:29 marka Exp $ */
 
 /*
  * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
@@ -233,7 +233,11 @@ internal_current(isc_interfaceiter_t *iter) {
 	char strbuf[ISC_STRERRORSIZE];
 
 	REQUIRE(VALID_IFITER(iter));
-	REQUIRE (iter->pos < (unsigned int) iter->ifc.lifc_len);
+	REQUIRE(iter->ifc.ifc_len == 0 ||
+		iter->pos < (unsigned int) iter->ifc.ifc_len);
+
+	if (iter->ifc.ifc_len == 0)
+		return (ISC_R_NOMORE);
 
 	ifrp = (struct lifreq *)((char *) iter->ifc.lifc_req + iter->pos);
 

From b2ec6f2dd5b720b6e5b9872ec08e3eabc0342e5a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Feb 2006 22:57:39 +0000
Subject: [PATCH 018/465] 1977.   [bug]           Silence noisy log message.
 [RT #15704]

---
 CHANGES           |  2 ++
 bin/named/query.c | 11 +++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6a65304908..b38f610883 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+1977.	[bug]		Silence noisy log message. [RT #15704]
+
 1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
 
 1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
diff --git a/bin/named/query.c b/bin/named/query.c
index 715d93b930..a5c6256b1e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.198.2.22 2005/05/16 05:30:01 marka Exp $ */
+/* $Id: query.c,v 1.198.2.23 2006/02/02 22:57:39 marka Exp $ */
 
 #include 
 
@@ -2410,6 +2410,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	dns_zone_t *zone;
 	dns_rdata_cname_t cname;
 	dns_rdata_dname_t dname;
+	unsigned int options;
 	isc_boolean_t empty_wild;
 
 	CTRACE("query_find");
@@ -2434,6 +2435,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	version = NULL;
 	zone = NULL;
 	empty_wild = ISC_FALSE;
+	options = 0;
 
 	if (event != NULL) {
 		/*
@@ -2501,7 +2503,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	/*
 	 * First we must find the right database.
 	 */
-	result = query_getdb(client, client->query.qname, 0, &zone, &db,
+	options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */
+	result = query_getdb(client, client->query.qname, options, &zone, &db,
 			     &version, &is_zone);
 	if (result != ISC_R_SUCCESS) {
 		if (result == DNS_R_REFUSED)
@@ -2986,6 +2989,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		query_maybeputqname(client);
 		client->query.qname = tname;
 		want_restart = ISC_TRUE;
+		if (!WANTRECURSION(client))
+			options |= DNS_GETDB_NOLOG;
 		goto addauth;
 	case DNS_R_DNAME:
 		/*
@@ -3099,6 +3104,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		client->query.qname = fname;
 		fname = NULL;
 		want_restart = ISC_TRUE;
+		if (!WANTRECURSION(client))
+			options |= DNS_GETDB_NOLOG;
 		goto addauth;
 	default:
 		/*

From bddb6ef78e0019007dcb782eba03ea274efc8bcd Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Feb 2006 23:13:27 +0000
Subject: [PATCH 019/465] 1978.   [port]          Handle systems which have a
 broken recvmsg().                         [RT #15742]

---
 CHANGES               |  3 +++
 config.h.in           |  6 +++++-
 configure             | 16 +++++++++++++++-
 configure.in          | 13 ++++++++++++-
 lib/isc/unix/socket.c | 24 +++++++++++++++++++++++-
 5 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index b38f610883..4b9805e8c2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1978.	[port]		Handle systems which have a broken recvmsg().
+			[RT #15742]
+
 1977.	[bug]		Silence noisy log message. [RT #15704]
 
 1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
diff --git a/config.h.in b/config.h.in
index f2b22e1606..226611cd2c 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.47.2.18 2006/01/04 04:27:30 marka Exp $ */
+/* $Id: config.h.in,v 1.47.2.20 2006/02/02 23:13:27 marka Exp $ */
 
 /***
  *** This file is not to be included by any public header files, because
@@ -137,6 +137,10 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if threads need PTHREAD_SCOPE_SYSTEM */
 #undef NEED_PTHREAD_SCOPE_SYSTEM
 
+/* Define if recvmsg() does not meet all of the BSD socket API specifications.
+   */
+#undef BROKEN_RECVMSG
+
 /* Define if you cannot bind() before connect() for TCP sockets. */
 #undef BROKEN_TCP_BIND_BEFORE_CONNECT
 
diff --git a/configure b/configure
index e7a8e7ea6b..d58e402d54 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.294.2.57 .
+# From configure.in Revision: 1.294.2.58 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -25812,6 +25812,20 @@ fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
+#
+# Some hosts need msg_namelen to match the size of the socket stucture.
+# Some hosts don't set msg_namelen appropriately on return from recvmsg().
+#
+case $host in
+*os2*|*hp-mpeix*)
+
+cat >>confdefs.h <<\_ACEOF
+#define BROKEN_RECVMSG 1
+_ACEOF
+
+	;;
+esac
+
 #
 # Microsoft has their own way of handling shared libraries that requires
 # additional qualifiers on extern variables.  Unix systems don't need it.
diff --git a/configure.in b/configure.in
index 0497c7cc7e..0fd87385cb 100644
--- a/configure.in
+++ b/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.294.2.57 $)
+AC_REVISION($Revision: 1.294.2.58 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.13)
@@ -1553,6 +1553,17 @@ AC_MSG_RESULT(cannot determine type of rlim_cur when cross compiling - assuming
 ])
 AC_SUBST(ISC_PLATFORM_RLIMITTYPE)
 
+#
+# Some hosts need msg_namelen to match the size of the socket stucture.
+# Some hosts don't set msg_namelen appropriately on return from recvmsg().
+#
+case $host in
+*os2*|*hp-mpeix*)
+	AC_DEFINE(BROKEN_RECVMSG, 1,
+		  [Define if recvmsg() does not meet all of the BSD socket API specifications.])
+	;;
+esac
+
 #
 # Microsoft has their own way of handling shared libraries that requires
 # additional qualifiers on extern variables.  Unix systems don't need it.
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index aa7b65b106..639ab9e798 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.207.2.38 2005/11/03 23:41:23 marka Exp $ */
+/* $Id: socket.c,v 1.207.2.39 2006/02/02 23:10:21 marka Exp $ */
 
 #include 
 
@@ -747,8 +747,26 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 
 	if (sock->type == isc_sockettype_udp) {
 		memset(&dev->address, 0, sizeof(dev->address));
+#ifdef BROKEN_RECVMSG
+		if (sock->pf == AF_INET) {
+			msg->msg_name = (void *)&dev->address.type.sin;
+			msg->msg_namelen = sizeof(dev->address.type.sin6);
+		} else if (sock->pf == AF_INET6) {
+			msg->msg_name = (void *)&dev->address.type.sin6;
+			msg->msg_namelen = sizeof(dev->address.type.sin6);
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		} else if (sock->pf == AF_UNIX) {
+			msg->msg_name = (void *)&dev->address.type.sunix;
+			msg->msg_namelen = sizeof(dev->address.type.sunix);
+#endif
+		} else {
+			msg->msg_name = (void *)&dev->address.type.sa;
+			msg->msg_namelen = sizeof(dev->address.type);
+		}
+#else
 		msg->msg_name = (void *)&dev->address.type.sa;
 		msg->msg_namelen = sizeof(dev->address.type);
+#endif
 #ifdef ISC_NET_RECVOVERFLOW
 		/* If needed, steal one iovec for overflow detection. */
 		maxiov--;
@@ -921,6 +939,10 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
 	cc = recvmsg(sock->fd, &msghdr, 0);
 	recv_errno = errno;
 
+#if defined(ISC_SOCKET_DEBUG)
+	dump_msg(&msghdr);
+#endif
+
 	if (cc < 0) {
 		if (SOFT_ERROR(recv_errno))
 			return (DOIO_SOFT);

From 0163c9ba15f343b1a43b86fd400ee12221b1dddb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Feb 2006 23:30:53 +0000
Subject: [PATCH 020/465] newcopyrights

---
 util/copyrights | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 522cb67bdd..acef08cdcb 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -143,7 +143,7 @@
 ./bin/named/named.docbook			SGML	2000,2001,2004,2005,2006
 ./bin/named/named.html				HTML	DOCBOOK
 ./bin/named/notify.c				C	1999,2000,2001,2003,2004
-./bin/named/query.c				C	1999,2000,2001,2002,2003,2004,2005
+./bin/named/query.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/server.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/sortlist.c				C	2000,2001,2004
 ./bin/named/tkeyconf.c				C	1999,2000,2001,2004
@@ -1958,7 +1958,7 @@
 ./lib/isc/unix/errno2result.h			C	2000,2001,2004
 ./lib/isc/unix/file.c				C	2000,2001,2004
 ./lib/isc/unix/fsaccess.c			C	2000,2001,2004
-./lib/isc/unix/ifiter_ioctl.c			C	1999,2000,2001,2003,2004
+./lib/isc/unix/ifiter_ioctl.c			C	1999,2000,2001,2003,2004,2006
 ./lib/isc/unix/ifiter_sysctl.c			C	1999,2000,2001,2004,2005
 ./lib/isc/unix/include/.cvsignore		X	1999,2000,2001
 ./lib/isc/unix/include/Makefile.in		MAKE	1998,1999,2000,2001,2004
@@ -1981,7 +1981,7 @@
 ./lib/isc/unix/net.c				C	1999,2000,2001,2004
 ./lib/isc/unix/os.c				C	2000,2001,2004,2005
 ./lib/isc/unix/resource.c			C	2000,2001,2004
-./lib/isc/unix/socket.c				C	1998,1999,2000,2001,2002,2003,2004,2005
+./lib/isc/unix/socket.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/isc/unix/socket_p.h			C	2000,2001,2004
 ./lib/isc/unix/stdio.c				C	2000,2001,2004
 ./lib/isc/unix/stdtime.c			C	1999,2000,2001,2004

From 4f17ae23f1a091fb23c31ccc2e061d4e0013dff3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Feb 2006 23:37:51 +0000
Subject: [PATCH 021/465] 1979.   [port]          linux: allow named to drop
 core after changing                         user ids. [RT #15753]

---
 CHANGES             | 3 +++
 bin/named/unix/os.c | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 4b9805e8c2..4f19218221 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1979.	[port]		linux: allow named to drop core after changing
+			user ids. [RT #15753]
+
 1978.	[port]		Handle systems which have a broken recvmsg().
 			[RT #15742]
 
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 648a94c549..2ba6f42e89 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.46.2.15 2005/05/20 01:37:08 marka Exp $ */
+/* $Id: os.c,v 1.46.2.16 2006/02/02 23:37:51 marka Exp $ */
 
 #include 
 #include 
@@ -493,6 +493,13 @@ ns_os_changeuser(void) {
 #if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS)
 	linux_minprivs();
 #endif
+#if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
+	/*
+	 * Restore the ability of named to drop core after the setuid()
+	 * call has disabled it.
+	 */
+	prctl(PR_SET_DUMPABLE,1,0,0,0);
+#endif
 }
 
 void

From c1aba9a4cbb60cb9565b2389a6a98d83b5190f74 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 3 Feb 2006 23:30:03 +0000
Subject: [PATCH 022/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index acef08cdcb..18331cb434 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -151,7 +151,7 @@
 ./bin/named/unix/.cvsignore			X	1999,2000,2001
 ./bin/named/unix/Makefile.in			MAKE	1999,2000,2001,2004
 ./bin/named/unix/include/named/os.h		C	1999,2000,2001,2002,2004
-./bin/named/unix/os.c				C	1999,2000,2001,2002,2004,2005
+./bin/named/unix/os.c				C	1999,2000,2001,2002,2004,2005,2006
 ./bin/named/update.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/win32/include/named/ntservice.h	C	1999,2000,2001,2004
 ./bin/named/win32/include/named/os.h		C	1999,2000,2001,2002,2004

From 286626e9c32a2525bd5421ff5ecd26f7f1ba4541 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 3 Feb 2006 23:51:36 +0000
Subject: [PATCH 023/465] update copyright notice

---
 bin/named/query.c           | 4 ++--
 bin/named/unix/os.c         | 4 ++--
 lib/isc/unix/ifiter_ioctl.c | 4 ++--
 lib/isc/unix/socket.c       | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/bin/named/query.c b/bin/named/query.c
index a5c6256b1e..6a054635d2 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.198.2.23 2006/02/02 22:57:39 marka Exp $ */
+/* $Id: query.c,v 1.198.2.24 2006/02/03 23:51:35 marka Exp $ */
 
 #include 
 
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 2ba6f42e89..264851ff39 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.46.2.16 2006/02/02 23:37:51 marka Exp $ */
+/* $Id: os.c,v 1.46.2.17 2006/02/03 23:51:36 marka Exp $ */
 
 #include 
 #include 
diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c
index e239cb47e7..188df19f11 100644
--- a/lib/isc/unix/ifiter_ioctl.c
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_ioctl.c,v 1.19.2.7 2006/02/02 22:43:29 marka Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.19.2.8 2006/02/03 23:51:36 marka Exp $ */
 
 /*
  * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 639ab9e798..66fd1cf7cb 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.207.2.39 2006/02/02 23:10:21 marka Exp $ */
+/* $Id: socket.c,v 1.207.2.40 2006/02/03 23:51:36 marka Exp $ */
 
 #include 
 

From a4855ef75501922180159c5107ebac786a0ac9f5 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 6 Feb 2006 06:23:48 +0000
Subject: [PATCH 024/465] Redo back port of. 1976.   [bug]           Handle
 systems with no IPv4 addresses. [RT #15695]

---
 lib/isc/unix/ifiter_ioctl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c
index 188df19f11..76f6250e1d 100644
--- a/lib/isc/unix/ifiter_ioctl.c
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_ioctl.c,v 1.19.2.8 2006/02/03 23:51:36 marka Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.19.2.9 2006/02/06 06:23:48 marka Exp $ */
 
 /*
  * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
@@ -233,10 +233,10 @@ internal_current(isc_interfaceiter_t *iter) {
 	char strbuf[ISC_STRERRORSIZE];
 
 	REQUIRE(VALID_IFITER(iter));
-	REQUIRE(iter->ifc.ifc_len == 0 ||
-		iter->pos < (unsigned int) iter->ifc.ifc_len);
+	REQUIRE(iter->ifc.lifc_len == 0 ||
+		iter->pos < (unsigned int) iter->ifc.lifc_len);
 
-	if (iter->ifc.ifc_len == 0)
+	if (iter->ifc.lifc_len == 0)
 		return (ISC_R_NOMORE);
 
 	ifrp = (struct lifreq *)((char *) iter->ifc.lifc_req + iter->pos);

From 8391f23b3b72a9a94447a7ce17ded875b72c9c72 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 13 Feb 2006 03:41:50 +0000
Subject: [PATCH 025/465] 1981.   [bug]           win32: condition.c:wait()
 could fail to reattain                         the mutex lock.

---
 CHANGES                   |  3 +++
 lib/isc/win32/condition.c | 17 +++++++++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4f19218221..1859eab79d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1981.	[bug]		win32: condition.c:wait() could fail to reattain
+			the mutex lock.
+
 1979.	[port]		linux: allow named to drop core after changing
 			user ids. [RT #15753]
 
diff --git a/lib/isc/win32/condition.c b/lib/isc/win32/condition.c
index c6e4f13f7f..4f61e0c60a 100644
--- a/lib/isc/win32/condition.c
+++ b/lib/isc/win32/condition.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.17.2.1 2004/03/09 06:12:16 marka Exp $ */
+/* $Id: condition.c,v 1.17.2.2 2006/02/13 03:41:50 marka Exp $ */
 
 #include 
 
@@ -91,6 +91,7 @@ isc_result_t
 isc_condition_destroy(isc_condition_t *cond) {
 
 	REQUIRE(cond != NULL);
+	REQUIRE(cond->waiters == 0);
 
 	(void)CloseHandle(cond->events[LSIGNAL]);
 	(void)CloseHandle(cond->events[LBROADCAST]);
@@ -98,6 +99,15 @@ isc_condition_destroy(isc_condition_t *cond) {
 	return (ISC_R_SUCCESS);
 }
 
+/*
+ * This is always called when the mutex (lock) is held, but because
+ * we are waiting we need to release it and reacquire it as soon as the wait
+ * is over. This allows other threads to make use of the object guarded
+ * by the mutex but it should never try to delete it as long as the
+ * number of waiters > 0. Always reacquire the mutex regardless of the
+ * result of the wait. Note that EnterCriticalSection will wait to acquire
+ * the mutex.
+ */
 static isc_result_t
 wait(isc_condition_t *cond, isc_mutex_t *mutex, DWORD milliseconds) {
 	DWORD result;
@@ -105,16 +115,15 @@ wait(isc_condition_t *cond, isc_mutex_t *mutex, DWORD milliseconds) {
 	cond->waiters++;
 	LeaveCriticalSection(mutex);
 	result = WaitForMultipleObjects(2, cond->events, FALSE, milliseconds);
+	EnterCriticalSection(mutex);
+	cond->waiters--;
 	if (result == WAIT_FAILED) {
 		/* XXX */
 		return (ISC_R_UNEXPECTED);
 	}
-	EnterCriticalSection(mutex);
-	cond->waiters--;
 	if (cond->waiters == 0 &&
 	    !ResetEvent(cond->events[LBROADCAST])) {
 		/* XXX */
-		LeaveCriticalSection(mutex);
 		return (ISC_R_UNEXPECTED);
 	}
 

From 951ca26c60940562903621cc99c0905064e6ee24 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 13 Feb 2006 23:30:04 +0000
Subject: [PATCH 026/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 18331cb434..960957832d 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1993,7 +1993,7 @@
 ./lib/isc/win32/DLLMain.c			C	2001,2004
 ./lib/isc/win32/Makefile.in			MAKE	1999,2000,2001,2004
 ./lib/isc/win32/app.c				C	1999,2000,2001,2004
-./lib/isc/win32/condition.c			C	1998,1999,2000,2001,2004
+./lib/isc/win32/condition.c			C	1998,1999,2000,2001,2004,2006
 ./lib/isc/win32/dir.c				C	1999,2000,2001,2004
 ./lib/isc/win32/entropy.c			C	2000,2001,2004
 ./lib/isc/win32/errno2result.c			C	2000,2001,2002,2003,2004,2005

From 317cc1a488123aa101d514f54078f7238aec2cf5 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 13 Feb 2006 23:50:51 +0000
Subject: [PATCH 027/465] update copyright notice

---
 lib/isc/win32/condition.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/isc/win32/condition.c b/lib/isc/win32/condition.c
index 4f61e0c60a..60ad2aa1ad 100644
--- a/lib/isc/win32/condition.c
+++ b/lib/isc/win32/condition.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.17.2.2 2006/02/13 03:41:50 marka Exp $ */
+/* $Id: condition.c,v 1.17.2.3 2006/02/13 23:50:51 marka Exp $ */
 
 #include 
 

From dca44b90c96352111e0f1cdfdeccde1a13732161 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 17 Feb 2006 02:06:13 +0000
Subject: [PATCH 028/465] regen

---
 doc/arm/Bv9ARM.ch06.html         | 76 ++++++++++++++++++++------------
 doc/arm/Bv9ARM.ch07.html         | 14 +++---
 doc/arm/Bv9ARM.ch08.html         | 18 ++++----
 doc/arm/Bv9ARM.ch09.html         | 18 ++++----
 doc/arm/Bv9ARM.html              | 40 ++++++++---------
 doc/arm/man.dig.html             | 20 ++++-----
 doc/arm/man.dnssec-keygen.html   | 14 +++---
 doc/arm/man.dnssec-signzone.html | 12 ++---
 doc/arm/man.host.html            | 10 ++---
 doc/arm/man.named-checkconf.html | 12 ++---
 doc/arm/man.named-checkzone.html | 12 ++---
 doc/arm/man.named.html           | 16 +++----
 doc/arm/man.rndc-confgen.html    | 12 ++---
 doc/arm/man.rndc.conf.html       | 12 ++---
 doc/arm/man.rndc.html            | 12 ++---
 doc/misc/options                 | 10 +++++
 16 files changed, 170 insertions(+), 138 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 4baa3f9c3b..9e396ae0ab 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -77,23 +77,23 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
@@ -4322,6 +4322,10 @@ query-source-v6 address * port *;
     [ keys { string ; [ string ; [...]] } ; ]
     [ transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
+    [ notify-source (ip4_addr | *) [port ip_port] ; ]
+    [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
+    [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
+    [ query-source-v6 [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
 };
 
 
@@ -4475,10 +4479,28 @@ query-source-v6 address * port *;
             transfer-source-v6 in
             the section called “Zone Transfers”.
           

+

+            The notify-source and
+            notify-source-v6 clauses specify the
+            IPv4 and IPv6 source address to be used for notify
+            messages sent to remote servers, respectively.  For an
+            IPv4 remote server, only notify-source
+            can be specified.  Similarly, for an IPv6 remote server,
+            only notify-source-v6 can be specified.
+          

+

+            The query-source and
+            query-source-v6 clauses specify the
+            IPv4 and IPv6 source address to be used for queries
+            sent to remote servers, respectively.  For an IPv4
+            remote server, only query-source can
+            be specified.  Similarly, for an IPv6 remote server,
+            only query-source-v6 can be specified.
+          

 
 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4487,7 +4509,7 @@ query-source-v6 address * port *;
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -4530,7 +4552,7 @@ query-source-v6 address * port *;
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -4780,10 +4802,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 

 
 
 
@@ -4992,7 +5014,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5014,7 +5036,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
journal

 

@@ -5492,7 +5514,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -5505,7 +5527,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6156,7 +6178,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6359,7 +6381,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6617,7 +6639,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6678,7 +6700,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6693,7 +6715,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -6721,7 +6743,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -6757,7 +6779,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -6776,7 +6798,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index b0fb4c0e0d..8532121d59 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -116,7 +116,7 @@ zone "example.com" {
 
 

 

-chroot and setuid

+chroot and setuid

 

           On UNIX servers, it is possible to run BIND in a chrooted environment
           (chroot()) by specifying the "-t"
@@ -139,7 +139,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot() environment
             to
@@ -167,7 +167,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index c1d9fcdf6f..fa5dfbbbdf 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index bc3475a634..10ab69b026 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND

@@ -145,7 +145,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -232,7 +232,7 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -417,11 +417,11 @@
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 9786ebdc18..44a795f67c 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -155,54 +155,54 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 99585a90f6..fed8ea416b 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -137,7 +137,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index d36024afaf..14f1aece73 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -166,7 +166,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 31d0b4c1e9..889f4f9b4c 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-n nthreads] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -238,7 +238,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -264,14 +264,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index ac8561c82a..ea7608884d 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index d568329efb..2737ab24c9 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-v] [-j] [-t directory] {filename} [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -88,20 +88,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index d5a6b683d0..ec17b59925 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -251,21 +251,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 21a0e180d9..ff6a1f4b14 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -198,7 +198,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -241,7 +241,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -251,7 +251,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index fbd8ead682..5cc468e90d 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -171,7 +171,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 0b4db4db3b..82db8b60fe 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 2175195758..10c4626a01 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/misc/options b/doc/misc/options
index f24dcd84fc..78ff106530 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -262,6 +262,12 @@ view   {
                 edns ;
                 edns-udp-size ;
                 max-udp-size ;
+                notify-source (  | * ) [ port (  | *
+                    ) ];
+                notify-source-v6 (  | * ) [ port ( 
+                    | * ) ];
+                query-source ;
+                query-source-v6 ;
                 transfer-source (  | * ) [ port (  |
                     * ) ];
                 transfer-source-v6 (  | * ) [ port (
@@ -457,6 +463,10 @@ server  {
         edns ;
         edns-udp-size ;
         max-udp-size ;
+        notify-source (  | * ) [ port (  | * ) ];
+        notify-source-v6 (  | * ) [ port (  | * ) ];
+        query-source ;
+        query-source-v6 ;
         transfer-source (  | * ) [ port (  | * ) ];
         transfer-source-v6 (  | * ) [ port (  | * ) ];
 };

From 78b7d41deb6a6db28696e83260dbd1ccfe6b96fa Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 17 Feb 2006 23:30:22 +0000
Subject: [PATCH 029/465] newcopyrights

---
 util/copyrights | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index f70bead5fe..422d68d4b3 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1822,8 +1822,8 @@
 ./lib/dns/rdata/generic/cert_37.h		C	1999,2000,2001,2004,2005
 ./lib/dns/rdata/generic/cname_5.c		C	1998,1999,2000,2001,2004
 ./lib/dns/rdata/generic/cname_5.h		C	1998,1999,2000,2001,2004
-./lib/dns/rdata/generic/dlv_32769.c		C	2004
-./lib/dns/rdata/generic/dlv_32769.h		C	2004
+./lib/dns/rdata/generic/dlv_32769.c		C	2004,2006
+./lib/dns/rdata/generic/dlv_32769.h		C	2004,2006
 ./lib/dns/rdata/generic/dname_39.c		C	1999,2000,2001,2004
 ./lib/dns/rdata/generic/dname_39.h		C	1999,2000,2001,2004,2005
 ./lib/dns/rdata/generic/dnskey_48.c		C	2003,2004,2005
@@ -2259,13 +2259,13 @@
 ./lib/isccfg/include/isccfg/Makefile.in		MAKE	2001,2002,2004,2005
 ./lib/isccfg/include/isccfg/aclconf.h		C	1999,2000,2001,2004,2005
 ./lib/isccfg/include/isccfg/cfg.h		C	2000,2001,2002,2004,2005
-./lib/isccfg/include/isccfg/grammar.h		C	2002,2003,2004,2005
+./lib/isccfg/include/isccfg/grammar.h		C	2002,2003,2004,2005,2006
 ./lib/isccfg/include/isccfg/log.h		C	2001,2004,2005
 ./lib/isccfg/include/isccfg/namedconf.h		C	2002,2004,2005
 ./lib/isccfg/include/isccfg/version.h		C	2001,2004,2005
 ./lib/isccfg/log.c				C	2001,2004,2005
 ./lib/isccfg/namedconf.c			C	2002,2003,2004,2005,2006
-./lib/isccfg/parser.c				C	2000,2001,2002,2003,2004,2005
+./lib/isccfg/parser.c				C	2000,2001,2002,2003,2004,2005,2006
 ./lib/isccfg/version.c				C	1998,1999,2000,2001,2004,2005
 ./lib/isccfg/win32/DLLMain.c			C	2001,2004
 ./lib/isccfg/win32/libisccfg.def		X	2001,2005

From 0cfc2b930ce8b1fd2d7bb25e00bbfcc45a92d9a8 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 19 Feb 2006 06:50:48 +0000
Subject: [PATCH 030/465] update copyright notice

---
 lib/dns/rdata/generic/dlv_32769.c   | 4 ++--
 lib/dns/rdata/generic/dlv_32769.h   | 4 ++--
 lib/isccfg/include/isccfg/grammar.h | 4 ++--
 lib/isccfg/parser.c                 | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/dns/rdata/generic/dlv_32769.c b/lib/dns/rdata/generic/dlv_32769.c
index 2f83879590..0be365a80f 100644
--- a/lib/dns/rdata/generic/dlv_32769.c
+++ b/lib/dns/rdata/generic/dlv_32769.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlv_32769.c,v 1.2 2006/02/17 01:04:14 marka Exp $ */
+/* $Id: dlv_32769.c,v 1.3 2006/02/19 06:50:48 marka Exp $ */
 
 /* draft-ietf-dnsext-delegation-signer-05.txt */
 
diff --git a/lib/dns/rdata/generic/dlv_32769.h b/lib/dns/rdata/generic/dlv_32769.h
index acffe29d80..050a628333 100644
--- a/lib/dns/rdata/generic/dlv_32769.h
+++ b/lib/dns/rdata/generic/dlv_32769.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlv_32769.h,v 1.2 2006/02/17 01:04:14 marka Exp $ */
+/* $Id: dlv_32769.h,v 1.3 2006/02/19 06:50:48 marka Exp $ */
 
 /* draft-ietf-dnsext-delegation-signer-05.txt */
 #ifndef GENERIC_DLV_32769_H
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
index 9d7f4cceb3..5ffca2c8c1 100644
--- a/lib/isccfg/include/isccfg/grammar.h
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: grammar.h,v 1.10 2006/02/17 00:24:21 marka Exp $ */
+/* $Id: grammar.h,v 1.11 2006/02/19 06:50:48 marka Exp $ */
 
 #ifndef ISCCFG_GRAMMAR_H
 #define ISCCFG_GRAMMAR_H 1
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index 9d55acde8f..4af8f3806d 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.121 2006/02/17 00:24:21 marka Exp $ */
+/* $Id: parser.c,v 1.122 2006/02/19 06:50:48 marka Exp $ */
 
 /*! \file */
 

From d00e58d4814b45c13434721b5771782e485dcb73 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 21 Feb 2006 23:12:27 +0000
Subject: [PATCH 031/465] 1986.   [func]          Report when a zone is
 removed. [RT #15849]

---
 CHANGES                    |   2 +
 bin/named/server.c         | 101 +++++++++++++++++++++++++++++++++----
 lib/dns/include/dns/zone.h |  18 ++++++-
 lib/dns/zone.c             |  38 +++++++++++++-
 4 files changed, 146 insertions(+), 13 deletions(-)

diff --git a/CHANGES b/CHANGES
index 914bf3ce0a..aa88f7fcda 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+1986.	[func]		Report when a zone is removed. [RT #15849]
+
 1985.	[protocol]	DLV has now been assigned a official type code of
 			32769. [RT #15807]
 
diff --git a/bin/named/server.c b/bin/named/server.c
index 6541c3cf51..43ab0dcdf9 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.456 2006/02/17 00:24:20 marka Exp $ */
+/* $Id: server.c,v 1.457 2006/02/21 23:12:27 marka Exp $ */
 
 /*! \file */
 
@@ -215,10 +215,6 @@ static const struct {
 	{ NULL, ISC_FALSE }
 };
 
-static const char *empty_dbtype[] = { "_builtin", "empty", NULL, NULL };
-static unsigned int empty_dbtypec = 
-		(sizeof(empty_dbtype) / sizeof(empty_dbtype[0]));
-
 static void
 fatal(const char *msg, isc_result_t result);
 
@@ -847,6 +843,38 @@ on_disable_list(cfg_obj_t *disablelist, dns_name_t *zonename) {
 	return (ISC_FALSE);
 }
 
+static void
+check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
+	     isc_mem_t *mctx)
+{
+	char **argv = NULL;
+	unsigned int i;
+	isc_result_t result;
+
+	result = dns_zone_getdbtype(*zonep, &argv, mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_detach(zonep);
+		return;
+	}
+
+	/*
+	 * Check that all the arguments match.
+	 */
+	for (i = 0; i < dbtypec; i++)
+		if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
+			dns_zone_detach(zonep);
+			break;
+		}
+
+	/*
+	 * Check that there are not extra arguments.
+	 */
+	if (i == dbtypec && argv[i] != NULL)
+		dns_zone_detach(zonep);
+	isc_mem_free(mctx, argv);
+}
+
+
 /*
  * Configure 'view' according to 'vconfig', taking defaults from 'config'
  * where values are missing in 'vconfig'.
@@ -1598,6 +1626,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		char server[DNS_NAME_FORMATSIZE + 1];
 		char contact[DNS_NAME_FORMATSIZE + 1];
 		isc_boolean_t logit;
+		const char *empty_dbtype[4] =
+				    { "_builtin", "empty", NULL, NULL };
+		int empty_dbtypec = 4;
 
 		dns_fixedname_init(&fixed);
 		name = dns_fixedname_name(&fixed);
@@ -1638,6 +1669,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		     empty = empty_zones[++empty_zone].zone)
 		{
 			dns_forwarders_t *forwarders = NULL;
+			dns_view_t *pview = NULL;
 
 			isc_buffer_init(&buffer, empty, strlen(empty));
 			isc_buffer_add(&buffer, strlen(empty));
@@ -1686,6 +1718,29 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 				continue;
 			}
 
+			/*
+			 * See if we can re-use a existing zone.
+			 */
+			result = dns_viewlist_find(&ns_g_server->viewlist,
+						   view->name, view->rdclass,
+						   &pview);
+			if (result != ISC_R_NOTFOUND &&
+			    result != ISC_R_SUCCESS)
+				goto cleanup;
+
+			if (pview != NULL) {
+				(void)dns_view_findzone(pview, name, &zone);
+				dns_view_detach(&pview);
+				if (zone != NULL)
+					check_dbtype(&zone, empty_dbtypec,
+						     empty_dbtype, mctx);
+				if (zone != NULL) {
+					dns_zone_setview(zone, view);
+					dns_zone_detach(&zone);
+					continue;
+				}
+			}
+
 			CHECK(dns_zone_create(&zone, mctx));
 			CHECK(dns_zone_setorigin(zone, name));
 			dns_zone_setview(zone, view);
@@ -2142,10 +2197,8 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
 		result = dns_view_findzone(pview, origin, &zone);
 	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
 		goto cleanup;
-	if (zone != NULL) {
-		if (! ns_zone_reusable(zone, zconfig))
-			dns_zone_detach(&zone);
-	}
+	if (zone != NULL && !ns_zone_reusable(zone, zconfig))
+		dns_zone_detach(&zone);
 
 	if (zone != NULL) {
 		/*
@@ -2552,6 +2605,31 @@ portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
 	return (result);
 }
 
+static isc_result_t
+removed(dns_zone_t *zone, void *uap) {
+	const char *type;
+
+        if (dns_zone_getview(zone) != uap)
+		return (ISC_R_SUCCESS);
+
+	switch (dns_zone_gettype(zone)) {
+	case dns_zone_master:
+		type = "master";
+		break;
+	case dns_zone_slave:
+		type = "slave";
+		break;
+	case dns_zone_stub:
+		type = "stub";
+		break;
+	default:
+		type = "other";
+		break;
+	}
+	dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
+	return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 load_configuration(const char *filename, ns_server_t *server,
 		   isc_boolean_t first_time)
@@ -3186,8 +3264,11 @@ load_configuration(const char *filename, ns_server_t *server,
 	     view = view_next) {
 		view_next = ISC_LIST_NEXT(view, link);
 		ISC_LIST_UNLINK(viewlist, view, link);
+		if (result == ISC_R_SUCCESS &&
+		    strcmp(view->name, "_bind") != 0)
+			(void)dns_zt_apply(view->zonetable, ISC_FALSE,
+					   removed, view);
 		dns_view_detach(&view);
-
 	}
 
 	/*
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index e39832734e..1637958799 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.141 2006/01/06 00:01:44 marka Exp $ */
+/* $Id: zone.h,v 1.142 2006/02/21 23:12:27 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -356,6 +356,22 @@ dns_zone_setdbtype(dns_zone_t *zone,
  *\li	#ISC_R_SUCCESS
  */
 
+isc_result_t
+dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx);
+/*%<
+ *	Returns the current dbtype.  isc_mem_free() should be used
+ * 	to free 'argv' after use.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'argv' to be non NULL and *argv to be NULL.
+ *\li	'mctx' to be valid.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ */
+
 void
 dns_zone_markdirty(dns_zone_t *zone);
 /*%<
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index a954a1af49..1b19ac9888 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.451 2006/02/17 00:24:21 marka Exp $ */
+/* $Id: zone.c,v 1.452 2006/02/21 23:12:27 marka Exp $ */
 
 /*! \file */
 
@@ -799,6 +799,39 @@ zone_freedbargs(dns_zone_t *zone) {
 	zone->db_argv = NULL;
 }
 
+isc_result_t
+dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
+	size_t size = 0;
+	unsigned int i;
+	isc_result_t result = ISC_R_SUCCESS;
+	void *mem;
+	char **tmp, *tmp2;
+	
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(argv != NULL && *argv == NULL);
+	
+	LOCK_ZONE(zone);
+	size = (zone->db_argc + 1) * sizeof(char *);
+	for (i = 0; i < zone->db_argc; i++)
+		size += strlen(zone->db_argv[i]) + 1;
+	mem = isc_mem_allocate(mctx, size);
+	if (mem != NULL) {
+		tmp = mem;
+		tmp2 = mem;
+		tmp2 += (zone->db_argc + 1) * sizeof(char *);
+		for (i = 0; i < zone->db_argc; i++) {
+			*tmp++ = tmp2;
+			strcpy(tmp2, zone->db_argv[i]);
+			tmp2 += strlen(tmp2) + 1;
+		}
+		*tmp = NULL;
+	} else
+		result = ISC_R_NOMEMORY;
+	UNLOCK_ZONE(zone);
+	*argv = mem;
+	return (result);
+}
+
 isc_result_t
 dns_zone_setdbtype(dns_zone_t *zone,
 		   unsigned int dbargc, const char * const *dbargv) {
@@ -5946,7 +5979,8 @@ dns_zone_getmaxxfrout(dns_zone_t *zone) {
 	return (zone->maxxfrout);
 }
 
-dns_zonetype_t dns_zone_gettype(dns_zone_t *zone) {
+dns_zonetype_t
+dns_zone_gettype(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	return (zone->type);

From c5387e694299c41361660e54f23e89c7da3ede1d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 21 Feb 2006 23:49:51 +0000
Subject: [PATCH 032/465] 1987.   [func]          DS/DLV SHA256 digest
 algorithm support. [RT #15608]

---
 CHANGES                      |  2 ++
 bin/dnssec/dnssec-signzone.c | 25 ++++++++++++++-
 lib/dns/ds.c                 | 42 ++++++++++++++++---------
 lib/dns/include/dns/ds.h     |  9 +++---
 lib/dns/validator.c          | 61 +++++++++++++++++++++++++++++++++++-
 lib/dns/win32/libdns.def     |  1 +
 6 files changed, 120 insertions(+), 20 deletions(-)

diff --git a/CHANGES b/CHANGES
index aa88f7fcda..bc5e58647d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
+
 1986.	[func]		Report when a zone is removed. [RT #15849]
 
 1985.	[protocol]	DLV has now been assigned a official type code of
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 433f9046fc..53f85c0be9 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.196 2006/02/07 21:53:36 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.197 2006/02/21 23:49:50 marka Exp $ */
 
 /*! \file */
 
@@ -632,6 +632,16 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
 					      ttl, &ds, &tuple);
 		check_result(result, "dns_difftuple_create");
 		dns_diff_append(&diff, &tuple);
+
+		dns_rdata_reset(&ds);
+		result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256,
+					   dsbuf, &ds);
+		check_result(result, "dns_ds_buildrdata");
+
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
+					      ttl, &ds, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
 	}
 	result = dns_diff_apply(&diff, db, ver);
 	check_result(result, "dns_diff_apply");
@@ -1585,6 +1595,19 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 				ds.type = dns_rdatatype_dlv;
 			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
 						      name, 0, &ds, &tuple);
+			check_result(result, "dns_difftuple_create");
+			dns_diff_append(&diff, &tuple);
+
+			dns_rdata_reset(&ds);
+			result = dns_ds_buildrdata(gorigin, &rdata,
+						   DNS_DSDIGEST_SHA256,
+						   dsbuf, &ds);
+			check_result(result, "dns_ds_buildrdata");
+			if (type == dns_rdatatype_dlv)
+				ds.type = dns_rdatatype_dlv;
+			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+						      name, 0, &ds, &tuple);
+
 		} else
 			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
 						      gorigin, zonettl,
diff --git a/lib/dns/ds.c b/lib/dns/ds.c
index a952079ec0..38775401a5 100644
--- a/lib/dns/ds.c
+++ b/lib/dns/ds.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.c,v 1.7 2005/04/27 04:56:45 sra Exp $ */
+/* $Id: ds.c,v 1.8 2006/02/21 23:49:51 marka Exp $ */
 
 /*! \file */
 
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #include 
@@ -42,10 +43,9 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 		  unsigned int digest_type, unsigned char *buffer,
 		  dns_rdata_t *rdata)
 {
-	isc_sha1_t sha1;
 	dns_fixedname_t fname;
 	dns_name_t *name;
-	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+	unsigned char digest[ISC_SHA256_DIGESTLENGTH];
 	isc_region_t r;
 	isc_buffer_t b;
 	dns_rdata_ds_t ds;
@@ -53,7 +53,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 	REQUIRE(key != NULL);
 	REQUIRE(key->type == dns_rdatatype_dnskey);
 
-	if (digest_type != DNS_DSDIGEST_SHA1)
+	if (!dns_ds_digest_supported(digest_type))
 		return (ISC_R_NOTIMPLEMENTED);
 
 	dns_fixedname_init(&fname);
@@ -63,21 +63,34 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 	memset(buffer, 0, DNS_DS_BUFFERSIZE);
 	isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE);
 
-	isc_sha1_init(&sha1);
-	dns_name_toregion(name, &r);
-	isc_sha1_update(&sha1, r.base, r.length);
-	dns_rdata_toregion(key, &r);
-	INSIST(r.length >= 4);
-	isc_sha1_update(&sha1, r.base, r.length);
-	isc_sha1_final(&sha1, digest);
+	if (digest_type == DNS_DSDIGEST_SHA1) {
+		isc_sha1_t sha1;
+		isc_sha1_init(&sha1);
+		dns_name_toregion(name, &r);
+		isc_sha1_update(&sha1, r.base, r.length);
+		dns_rdata_toregion(key, &r);
+		INSIST(r.length >= 4);
+		isc_sha1_update(&sha1, r.base, r.length);
+		isc_sha1_final(&sha1, digest);
+	} else {
+		isc_sha256_t sha256;
+		isc_sha256_init(&sha256);
+		dns_name_toregion(name, &r);
+		isc_sha256_update(&sha256, r.base, r.length);
+		dns_rdata_toregion(key, &r);
+		INSIST(r.length >= 4);
+		isc_sha256_update(&sha256, r.base, r.length);
+		isc_sha256_final(digest, &sha256);
+	}
 
 	ds.mctx = NULL;
 	ds.common.rdclass = key->rdclass;
 	ds.common.rdtype = dns_rdatatype_ds;
 	ds.algorithm = r.base[3];
 	ds.key_tag = dst_region_computeid(&r, ds.algorithm);
-	ds.digest_type = DNS_DSDIGEST_SHA1;
-	ds.length = ISC_SHA1_DIGESTLENGTH;
+	ds.digest_type = digest_type;
+	ds.length = (digest_type == DNS_DSDIGEST_SHA1) ?
+		    ISC_SHA1_DIGESTLENGTH : ISC_SHA256_DIGESTLENGTH;
 	ds.digest = digest;
 
 	return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
@@ -86,5 +99,6 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 
 isc_boolean_t
 dns_ds_digest_supported(unsigned int digest_type) {
-	return  (ISC_TF(digest_type == DNS_DSDIGEST_SHA1));
+	return  (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
+			digest_type == DNS_DSDIGEST_SHA256));
 }
diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h
index 809c5cf6e4..424b6627bc 100644
--- a/lib/dns/include/dns/ds.h
+++ b/lib/dns/include/dns/ds.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.h,v 1.6 2005/04/27 04:56:55 sra Exp $ */
+/* $Id: ds.h,v 1.7 2006/02/21 23:49:51 marka Exp $ */
 
 #ifndef DNS_DS_H
 #define DNS_DS_H 1
@@ -25,11 +25,12 @@
 #include 
 
 #define DNS_DSDIGEST_SHA1 (1)
+#define DNS_DSDIGEST_SHA256 (2)
 
 /*
- * Assuming SHA-1 digest type.
+ * Assuming SHA-256 digest type.
  */
-#define DNS_DS_BUFFERSIZE (24)
+#define DNS_DS_BUFFERSIZE (36)
 
 ISC_LANG_BEGINDECLS
 
@@ -53,7 +54,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 
 isc_boolean_t
 dns_ds_digest_supported(unsigned int digest_type);
-/*
+/*%<
  * Is this digest algorithm supported by dns_ds_buildrdata()?
  */
 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 47694cd680..5534f4eb62 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.140 2006/01/04 23:50:24 marka Exp $ */
+/* $Id: validator.c,v 1.141 2006/02/21 23:49:51 marka Exp $ */
 
 /*! \file */
 
@@ -1499,6 +1499,7 @@ dlv_validatezonekey(dns_validator_t *val) {
 	isc_boolean_t supported_algorithm;
 	isc_result_t result;
 	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	isc_uint8_t digest_type;
 
 	validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
 
@@ -1509,6 +1510,31 @@ dlv_validatezonekey(dns_validator_t *val) {
 	 */
 	supported_algorithm = ISC_FALSE;
 
+	/*
+	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
+	 * it over DNS_DSDIGEST_SHA1.  This in practice means that we
+	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
+	 * is present.
+	 */
+	digest_type = DNS_DSDIGEST_SHA1;
+	for (result = dns_rdataset_first(val->dsset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->dsset)) {
+		dns_rdata_reset(&dlvrdata);
+		dns_rdataset_current(&val->dlv, &dlvrdata);
+		dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.algorithm))
+			continue;
+
+		if (dlv.digest_type == DNS_DSDIGEST_SHA256) {
+			digest_type = DNS_DSDIGEST_SHA256;
+			break;
+		}
+	}
+
 	for (result = dns_rdataset_first(&val->dlv);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&val->dlv))
@@ -1520,6 +1546,10 @@ dlv_validatezonekey(dns_validator_t *val) {
 		if (!dns_resolver_digest_supported(val->view->resolver,
 						   dlv.digest_type))
 			continue;
+		
+		if (dlv.digest_type != digest_type)
+			continue;
+
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      dlv.algorithm))
@@ -1643,6 +1673,7 @@ validatezonekey(dns_validator_t *val) {
 	dst_key_t *dstkey;
 	isc_boolean_t supported_algorithm;
 	isc_boolean_t atsep = ISC_FALSE;
+	isc_uint8_t digest_type;
 
 	/*
 	 * Caller must be holding the validator lock.
@@ -1812,6 +1843,31 @@ validatezonekey(dns_validator_t *val) {
 
 	supported_algorithm = ISC_FALSE;
 
+	/*
+	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
+	 * it over DNS_DSDIGEST_SHA1.  This in practice means that we
+	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
+	 * is present.
+	 */
+	digest_type = DNS_DSDIGEST_SHA1;
+	for (result = dns_rdataset_first(val->dsset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->dsset)) {
+		dns_rdata_reset(&dsrdata);
+		dns_rdataset_current(val->dsset, &dsrdata);
+		dns_rdata_tostruct(&dsrdata, &ds, NULL);
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      ds.algorithm))
+			continue;
+
+		if (ds.digest_type == DNS_DSDIGEST_SHA256) {
+			digest_type = DNS_DSDIGEST_SHA256;
+			break;
+		}
+	}
+
 	for (result = dns_rdataset_first(val->dsset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(val->dsset))
@@ -1824,6 +1880,9 @@ validatezonekey(dns_validator_t *val) {
 						   ds.digest_type))
 			continue;
 
+		if (ds.digest_type != digest_type)
+			continue;
+
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      ds.algorithm))
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index da8e61758d..2a85e20707 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -188,6 +188,7 @@ dns_dnssec_verify
 dns_dnssec_verify2
 dns_dnssec_verifymessage
 dns_ds_buildrdata
+dns_ds_digest_supported
 dns_dumpctx_detach
 dns_fwdtable_add
 dns_fwdtable_create

From fcbc5d2353971f65726a9e86c1f37c813f9c2176 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 22 Feb 2006 01:55:10 +0000
Subject: [PATCH 033/465] post merge problem

---
 lib/dns/validator.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 5534f4eb62..f2ae4cfe6a 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.141 2006/02/21 23:49:51 marka Exp $ */
+/* $Id: validator.c,v 1.142 2006/02/22 01:55:10 marka Exp $ */
 
 /*! \file */
 
@@ -1517,9 +1517,9 @@ dlv_validatezonekey(dns_validator_t *val) {
 	 * is present.
 	 */
 	digest_type = DNS_DSDIGEST_SHA1;
-	for (result = dns_rdataset_first(val->dsset);
+	for (result = dns_rdataset_first(&val->dlv);
 	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(val->dsset)) {
+	     result = dns_rdataset_next(&val->dlv)) {
 		dns_rdata_reset(&dlvrdata);
 		dns_rdataset_current(&val->dlv, &dlvrdata);
 		dns_rdata_tostruct(&dlvrdata, &dlv, NULL);

From 8112eda1404b589fae1605f4c6a905c588904b75 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 22 Feb 2006 23:30:22 +0000
Subject: [PATCH 034/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 422d68d4b3..cfb56ea214 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1690,7 +1690,7 @@
 ./lib/dns/dispatch.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/dlz.c					C.PORTION	1999,2000,2001,2005
 ./lib/dns/dnssec.c				C	1999,2000,2001,2002,2003,2004,2005
-./lib/dns/ds.c					C	2002,2003,2004,2005
+./lib/dns/ds.c					C	2002,2003,2004,2005,2006
 ./lib/dns/dst_api.c				C.NAI	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/dst_internal.h			C.NAI	2000,2001,2002,2004,2005,2006
 ./lib/dns/dst_lib.c				C	1999,2000,2001,2004,2005
@@ -1725,7 +1725,7 @@
 ./lib/dns/include/dns/dispatch.h		C	1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/include/dns/dlz.h			C.PORTION	1999,2000,2001,2005
 ./lib/dns/include/dns/dnssec.h			C	1999,2000,2001,2002,2004,2005
-./lib/dns/include/dns/ds.h			C	2002,2004,2005
+./lib/dns/include/dns/ds.h			C	2002,2004,2005,2006
 ./lib/dns/include/dns/events.h			C	1999,2000,2001,2002,2004,2005
 ./lib/dns/include/dns/fixedname.h		C	1999,2000,2001,2004,2005
 ./lib/dns/include/dns/forward.h			C	2000,2001,2004,2005

From 3432cd69798e25dfdf449cc857100a58135d3693 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 22 Feb 2006 23:50:10 +0000
Subject: [PATCH 035/465] update copyright notice

---
 lib/dns/ds.c             | 4 ++--
 lib/dns/include/dns/ds.h | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/dns/ds.c b/lib/dns/ds.c
index 38775401a5..2f67c2a20c 100644
--- a/lib/dns/ds.c
+++ b/lib/dns/ds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.c,v 1.8 2006/02/21 23:49:51 marka Exp $ */
+/* $Id: ds.c,v 1.9 2006/02/22 23:50:10 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h
index 424b6627bc..baf392abc4 100644
--- a/lib/dns/include/dns/ds.h
+++ b/lib/dns/include/dns/ds.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.h,v 1.7 2006/02/21 23:49:51 marka Exp $ */
+/* $Id: ds.h,v 1.8 2006/02/22 23:50:10 marka Exp $ */
 
 #ifndef DNS_DS_H
 #define DNS_DS_H 1

From 5bcf8f96cfec31d3c111db67a33579280ab2c559 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 23 Feb 2006 22:22:42 +0000
Subject: [PATCH 036/465] update example

---
 FAQ     | 443 +++++++++++++++++++++++++++-----------------------------
 FAQ.xml |   6 +-
 2 files changed, 216 insertions(+), 233 deletions(-)

diff --git a/FAQ b/FAQ
index 773e2b191b..4c4b7648f7 100644
--- a/FAQ
+++ b/FAQ
@@ -1,24 +1,23 @@
 Frequently Asked Questions about BIND 9
 
---------------------------------------------------------------------------
+-------------------------------------------------------------------------------
 
 Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
 
-A: Linux threads do not fully implement the Posix threads (pthreads)
-   standard. In particular, setuid() operates only on the current thread, not
-   the full process. Because of this limitation, BIND 9 cannot use setuid()
-   on Linux as it can on all other supported platforms. setuid() cannot be
-   called before creating threads, since the server does not start listening
-   on reserved ports until after threads have started.
+A: Linux threads do not fully implement the Posix threads (pthreads) standard. In
+   particular, setuid() operates only on the current thread, not the full process.
+   Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on
+   all other supported platforms. setuid() cannot be called before creating
+   threads, since the server does not start listening on reserved ports until
+   after threads have started.
 
    In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
    capabilities across a setuid() call is present. This allows BIND 9 to call
-   setuid() early, while retaining the ability to bind reserved ports. This
-   is a Linux-specific hack.
+   setuid() early, while retaining the ability to bind reserved ports. This is a
+   Linux-specific hack.
 
-   On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be
-   less of a security risk than a root process that has not dropped
-   privileges.
+   On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of
+   a security risk than a root process that has not dropped privileges.
 
    If Linux threads ever work correctly, this restriction will go away.
 
@@ -35,61 +34,60 @@ A: This is the result of a Linux kernel bug.
 
    See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2
 
-Q: Why does named log the warning message "no TTL specified - using SOA
-   MINTTL instead"?
+Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
+   instead"?
 
 A: Your zone file is illegal according to RFC1035. It must either have a line
    like:
 
    $TTL 86400
 
-   at the beginning, or the first record in it must have a TTL field, like
-   the "84600" in this example:
+   at the beginning, or the first record in it must have a TTL field, like the
+   "84600" in this example:
 
    example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
 
 Q: Why do I see 5 (or more) copies of named on Linux?
 
-A: Linux threads each show up as a process under ps. The approximate number
-   of threads running is n+4, where n is the number of CPUs. Note that the
-   amount of memory used is not cumulative; if each process is using 10M of
-   memory, only a total of 10M is used.
+A: Linux threads each show up as a process under ps. The approximate number of
+   threads running is n+4, where n is the number of CPUs. Note that the amount of
+   memory used is not cumulative; if each process is using 10M of memory, only a
+   total of 10M is used.
 
 Q: Why does BIND 9 log "permission denied" errors accessing its configuration
    files or zones on my Linux system even though it is running as root?
 
-A: On Linux, BIND 9 drops most of its root privileges on startup. This
-   including the privilege to open files owned by other users. Therefore, if
-   the server is running as root, the configuration files and zone files
-   should also be owned by root.
+A: On Linux, BIND 9 drops most of its root privileges on startup. This including
+   the privilege to open files owned by other users. Therefore, if the server is
+   running as root, the configuration files and zone files should also be owned by
+   root.
 
-Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
-   bar: ran out of space"?
+Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar:
+   ran out of space"?
 
-A: This is often caused by TXT records with missing close quotes. Check that
-   all TXT records containing quoted strings have both open and close quotes.
+A: This is often caused by TXT records with missing close quotes. Check that all
+   TXT records containing quoted strings have both open and close quotes.
 
 Q: How do I produce a usable core file from a multithreaded named on Linux?
 
 A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
    (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel,
-   apply the kernel patch found in contrib/linux/coredump-patch and rebuild
-   the kernel. This patch will cause multithreaded programs to dump the
-   correct thread.
+   apply the kernel patch found in contrib/linux/coredump-patch and rebuild the
+   kernel. This patch will cause multithreaded programs to dump the correct
+   thread.
 
 Q: How do I restrict people from looking up the server version?
 
-A: Put a "version" option containing something other than the real version in
-   the "options" section of named.conf. Note doing this will not prevent
-   attacks and may impede people trying to diagnose problems with your
-   server. Also it is possible to "fingerprint" nameservers to determine
-   their version.
+A: Put a "version" option containing something other than the real version in the
+   "options" section of named.conf. Note doing this will not prevent attacks and
+   may impede people trying to diagnose problems with your server. Also it is
+   possible to "fingerprint" nameservers to determine their version.
 
 Q: How do I restrict only remote users from looking up the server version?
 
-A: The following view statement will intercept lookups as the internal view
-   that holds the version information will be matched last. The caveats of
-   the previous answer still apply, of course.
+A: The following view statement will intercept lookups as the internal view that
+   holds the version information will be matched last. The caveats of the previous
+   answer still apply, of course.
 
    view "chaos" chaos {
            match-clients { ; };
@@ -100,126 +98,120 @@ A: The following view statement will intercept lookups as the internal view
            };
    };
 
-Q: What do "no source of entropy found" or "could not open entropy source
-   foo" mean?
+Q: What do "no source of entropy found" or "could not open entropy source foo"
+   mean?
 
-A: The server requires a source of entropy to perform certain operations,
-   mostly DNSSEC related. These messages indicate that you have no source of
-   entropy. On systems with /dev/random or an equivalent, it is used by
-   default. A source of entropy can also be defined using the random-device
-   option in named.conf.
+A: The server requires a source of entropy to perform certain operations, mostly
+   DNSSEC related. These messages indicate that you have no source of entropy. On
+   systems with /dev/random or an equivalent, it is used by default. A source of
+   entropy can also be defined using the random-device option in named.conf.
 
 Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
 
 A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
    under /usr. Check that the correct named is running.
 
-Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers.
-   I'm sure I have the keys set up correctly, but the server is rejecting the
-   TSIG. Why?
+Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm
+   sure I have the keys set up correctly, but the server is rejecting the TSIG.
+   Why?
 
-A: This may be a clock skew problem. Check that the the clocks on the client
-   and server are properly synchronised (e.g., using ntp).
+A: This may be a clock skew problem. Check that the the clocks on the client and
+   server are properly synchronised (e.g., using ntp).
 
 Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
    found. Why?
 
-A: Using a parallel or distributed "make" to build BIND 9 is not supported,
-   and doesn't work. If you are using one of these, use normal make or gmake
-   instead.
+A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
+   doesn't work. If you are using one of these, use normal make or gmake instead.
 
-Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging
-   error messages like "notify to 10.0.0.1#53 failed: unexpected end of
-   input". What's wrong?
+Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error
+   messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's
+   wrong?
 
-A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in
-   BIND 8.2.4. It can be safely ignored - the notify has been acted on by the
-   slave despite the error message.
+A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND
+   8.2.4. It can be safely ignored - the notify has been acted on by the slave
+   despite the error message.
 
 Q: I keep getting log messages like the following. Why?
 
-   Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
-   update failed: 'RRset exists (value dependent)' prerequisite not satisfied
-   (NXRRSET)
+   Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
+   failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
 
-A: DNS updates allow the update request to test to see if certain conditions
-   are met prior to proceeding with the update. The message above is saying
-   that conditions were not met and the update is not proceeding. See doc/rfc
-   /rfc2136.txt for more details on prerequisites.
+A: DNS updates allow the update request to test to see if certain conditions are
+   met prior to proceeding with the update. The message above is saying that
+   conditions were not met and the update is not proceeding. See doc/rfc/
+   rfc2136.txt for more details on prerequisites.
 
 Q: I keep getting log messages like the following. Why?
 
    Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
 
 A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
-   protocol. Windows 2000 machines have a habit of sending dynamic update
-   requests to DNS servers without being specifically configured to do so. If
-   the update requests are coming from a Windows 2000 machine, see http://
-   support.microsoft.com/support/kb/articles/q246/8/04.asp for information
-   about how to turn them off.
+   protocol. Windows 2000 machines have a habit of sending dynamic update requests
+   to DNS servers without being specifically configured to do so. If the update
+   requests are coming from a Windows 2000 machine, see http://
+   support.microsoft.com/support/kb/articles/q246/8/04.asp for information about
+   how to turn them off.
 
 Q: I see a log message like the following. Why?
 
    couldn't open pid file '/var/run/named.pid': Permission denied
 
-A: You are most likely running named as a non-root user, and that user does
-   not have permission to write in /var/run. The common ways of fixing this
-   are to create a /var/run/named directory owned by the named user and set
-   pid-file to "/var/run/named/named.pid", or set pid-file to "named.pid",
-   which will put the file in the directory specified by the directory option
-   (which, in this case, must be writable by the named user).
+A: You are most likely running named as a non-root user, and that user does not
+   have permission to write in /var/run. The common ways of fixing this are to
+   create a /var/run/named directory owned by the named user and set pid-file to "
+   /var/run/named/named.pid", or set pid-file to "named.pid", which will put the
+   file in the directory specified by the directory option (which, in this case,
+   must be writable by the named user).
 
-Q: When I do a "dig . ns", many of the A records for the root servers are
-   missing. Why?
+Q: When I do a "dig . ns", many of the A records for the root servers are missing.
+   Why?
 
-A: This is normal and harmless. It is a somewhat confusing side effect of the
-   way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to
-   avoid promoting glue into answers.
+A: This is normal and harmless. It is a somewhat confusing side effect of the way
+   BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid
+   promoting glue into answers.
 
-   When BIND 9 first starts up and primes its cache, it receives the root
-   server addresses as additional data in an authoritative response from a
-   root server, and these records are eligible for inclusion as additional
-   data in responses. Subsequently it receives a subset of the root server
-   addresses as additional data in a non-authoritative (referral) response
-   from a root server. This causes the addresses to now be considered
-   non-authoritative (glue) data, which is not eligible for inclusion in
-   responses.
+   When BIND 9 first starts up and primes its cache, it receives the root server
+   addresses as additional data in an authoritative response from a root server,
+   and these records are eligible for inclusion as additional data in responses.
+   Subsequently it receives a subset of the root server addresses as additional
+   data in a non-authoritative (referral) response from a root server. This causes
+   the addresses to now be considered non-authoritative (glue) data, which is not
+   eligible for inclusion in responses.
 
    The server does have a complete set of root server addresses cached at all
-   times, it just may not include all of them as additional data, depending
-   on whether they were last received as answers or as glue. You can always
-   look up the addresses with explicit queries like "dig a.root-servers.net
-   A".
+   times, it just may not include all of them as additional data, depending on
+   whether they were last received as answers or as glue. You can always look up
+   the addresses with explicit queries like "dig a.root-servers.net A".
 
 Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?
 
-A: This may be caused by a bug in the Windows 2000 DNS server where DNS
-   messages larger than 16K are not handled properly. This can be worked
-   around by setting the option "transfer-format one-answer;". Also check
-   whether your zone contains domain names with embedded spaces or other
-   special characters, like "John\032Doe\213s\032Computer", since such names
-   have been known to cause Windows 2000 slaves to incorrectly reject the
-   zone.
+A: This may be caused by a bug in the Windows 2000 DNS server where DNS messages
+   larger than 16K are not handled properly. This can be worked around by setting
+   the option "transfer-format one-answer;". Also check whether your zone contains
+   domain names with embedded spaces or other special characters, like "John\
+   032Doe\213s\032Computer", since such names have been known to cause Windows
+   2000 slaves to incorrectly reject the zone.
 
 Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
 
-A: A zone can be updated either by editing zone files and reloading the
-   server or by dynamic update, but not both. If you have enabled dynamic
-   update for a zone using the "allow-update" option, you are not supposed to
-   edit the zone file by hand, and the server will not attempt to reload it.
+A: A zone can be updated either by editing zone files and reloading the server or
+   by dynamic update, but not both. If you have enabled dynamic update for a zone
+   using the "allow-update" option, you are not supposed to edit the zone file by
+   hand, and the server will not attempt to reload it.
 
-Q: I can query the nameserver from the nameserver but not from other
-   machines. Why?
+Q: I can query the nameserver from the nameserver but not from other machines.
+   Why?
 
-A: This is usually the result of the firewall configuration stopping the
-   queries and / or the replies.
+A: This is usually the result of the firewall configuration stopping the queries
+   and / or the replies.
 
-Q: How can I make a server a slave for both an internal and an external view
-   at the same time? When I tried, both views on the slave were transferred
-   from the same view on the master.
+Q: How can I make a server a slave for both an internal and an external view at
+   the same time? When I tried, both views on the slave were transferred from the
+   same view on the master.
 
-A: You will need to give the master and slave multiple IP addresses and use
-   those to make sure you reach the correct view on the other machine.
+A: You will need to give the master and slave multiple IP addresses and use those
+   to make sure you reach the correct view on the other machine.
 
    Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
        internal:
@@ -247,8 +239,8 @@ A: You will need to give the master and slave multiple IP addresses and use
            transfer-source 10.0.1.4;
            query-source address 10.0.1.4;
 
-   You put the external address on the alias so that all the other dns
-   clients on these boxes see the internal view by default.
+   You put the external address on the alias so that all the other dns clients on
+   these boxes see the internal view by default.
 
 A: BIND 9.3 and later: Use TSIG to select the appropriate view.
 
@@ -263,7 +255,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
            };
            view "external" {
                    match-clients { key external; any; };
-                   server 10.0.0.2 { keys external; };
+                   server 10.0.1.2 { keys external; };
                    recursion no;
                    ...
            };
@@ -279,7 +271,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
            };
            view "external" {
                    match-clients { key external; any; };
-                   server 10.0.0.1 { keys external; };
+                   server 10.0.1.1 { keys external; };
                    recursion no;
                    ...
            };
@@ -287,8 +279,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
 Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
 
 A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
-   certain interrupts as a source of random events. You can make this
-   permanent by setting rand_irqs in /etc/rc.conf.
+   certain interrupts as a source of random events. You can make this permanent by
+   setting rand_irqs in /etc/rc.conf.
 
    /etc/rc.conf
    rand_irqs="3 14 15"
@@ -297,37 +289,34 @@ A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
 
 Q: Why is named listening on UDP port other than 53?
 
-A: Named uses a system selected port to make queries of other nameservers.
-   This behaviour can be overridden by using query-source to lock down the
-   port and/or address. See also notify-source and transfer-source.
+A: Named uses a system selected port to make queries of other nameservers. This
+   behaviour can be overridden by using query-source to lock down the port and/or
+   address. See also notify-source and transfer-source.
 
-Q: I get error messages like "multiple RRs of singleton type" and "CNAME and
-   other data" when transferring a zone. What does this mean?
+Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other
+   data" when transferring a zone. What does this mean?
 
 A: These indicate a malformed master zone. You can identify the exact records
-   involved by transferring the zone using dig then running named-checkzone
-   on it.
+   involved by transferring the zone using dig then running named-checkzone on it.
 
    dig axfr example.com @master-server > tmp
    named-checkzone example.com tmp
 
-   A CNAME record cannot exist with the same name as another record except
-   for the DNSSEC records which prove its existance (NSEC).
+   A CNAME record cannot exist with the same name as another record except for the
+   DNSSEC records which prove its existance (NSEC).
 
-   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
-   data should be present; this ensures that the data for a canonical name
-   and its aliases cannot be different. This rule also insures that a cached
-   CNAME can be used without checking with an authoritative server for other
-   RR types."
+   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
+   should be present; this ensures that the data for a canonical name and its
+   aliases cannot be different. This rule also insures that a cached CNAME can be
+   used without checking with an authoritative server for other RR types."
 
-Q: I get error messages like "named.conf:99: unexpected end of input" where
-   99 is the last line of named.conf.
+Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is
+   the last line of named.conf.
 
-A: Some text editors (notepad and wordpad) fail to put a line title
-   indication (e.g. CR/LF) on the last line of a text file. This can be fixed
-   by "adding" a blank line to the end of the file. Named expects to see EOF
-   immediately after EOL and treats text files where this is not met as
-   truncated.
+A: Some text editors (notepad and wordpad) fail to put a line title indication
+   (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a
+   blank line to the end of the file. Named expects to see EOF immediately after
+   EOL and treats text files where this is not met as truncated.
 
 Q: I get warning messages like "zone example.com/IN: refresh: failure trying
    master 1.2.3.4#53: timed out".
@@ -336,15 +325,15 @@ A: Check that you can make UDP queries from the slave to the master
 
    dig +norec example.com soa @1.2.3.4
 
-   You could be generating queries faster than the slave can cope with. Lower
-   the serial query rate.
+   You could be generating queries faster than the slave can cope with. Lower the
+   serial query rate.
 
    serial-query-rate 5; // default 20
 
 Q: How do I share a dynamic zone between multiple views?
 
-A: You choose one view to be master and the second a slave and transfer the
-   zone between views.
+A: You choose one view to be master and the second a slave and transfer the zone
+   between views.
 
    Master 10.0.1.1:
            key "external" {
@@ -383,19 +372,18 @@ A: You choose one view to be master and the second a slave and transfer the
                    };
            };
 
-Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading
-   master file primaries/wireless.ietf56.ietf.org: no owner".
+Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
+   file primaries/wireless.ietf56.ietf.org: no owner".
 
-A: This error is produced when a line in the master file contains leading
-   white space (tab/space) but the is no current record owner name to inherit
-   the name from. Usually this is the result of putting white space before a
-   comment. Forgeting the "@" for the SOA record or indenting the master
-   file.
+A: This error is produced when a line in the master file contains leading white
+   space (tab/space) but the is no current record owner name to inherit the name
+   from. Usually this is the result of putting white space before a comment.
+   Forgeting the "@" for the SOA record or indenting the master file.
 
 Q: Why are my logs in GMT (UTC).
 
-A: You are running chrooted (-t) and have not supplied local timzone
-   information in the chroot area.
+A: You are running chrooted (-t) and have not supplied local timzone information
+   in the chroot area.
 
    FreeBSD: /etc/localtime
    Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
@@ -403,8 +391,8 @@ A: You are running chrooted (-t) and have not supplied local timzone
 
    See also tzset(3) and zic(8).
 
-Q: I get the error message "named: capset failed: Operation not permitted"
-   when starting named.
+Q: I get the error message "named: capset failed: Operation not permitted" when
+   starting named.
 
 A: The capability module, part of "Linux Security Modules/LSM", has not been
    loaded into the kernel. See insmod(8).
@@ -413,23 +401,23 @@ Q: I get "rndc: connect failed: connection refused" when I try to run rndc.
 
 A: This is usually a configuration error.
 
-   First ensure that named is running and no errors are being reported at
-   startup (/var/log/messages or equivalent). Running "named -g " from a title can help at this point.
+   First ensure that named is running and no errors are being reported at startup
+   (/var/log/messages or equivalent). Running "named -g " from a
+   title can help at this point.
 
-   Secondly ensure that named is configured to use rndc either by
-   "rndc-confgen -a", rndc-confgen or manually. The Administrators Reference
-   manual has details on how to do this.
+   Secondly ensure that named is configured to use rndc either by "rndc-confgen
+   -a", rndc-confgen or manually. The Administrators Reference manual has details
+   on how to do this.
 
    Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
-   rndc.conf for the default server. Update /etc/rndc.conf if necessary so
-   that the default server listed in /etc/rndc.conf matches the addresses
-   used in named.conf. "localhost" has two address (127.0.0.1 and ::1).
+   rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
+   the default server listed in /etc/rndc.conf matches the addresses used in
+   named.conf. "localhost" has two address (127.0.0.1 and ::1).
 
-   If you use "rndc-confgen -a" and named is running with -t or -u ensure
-   that /etc/rndc.conf has the correct ownership and that a copy is in the
-   chroot area. You can do this by re-running "rndc-confgen -a" with
-   appropriate -t and -u arguments.
+   If you use "rndc-confgen -a" and named is running with -t or -u ensure that /
+   etc/rndc.conf has the correct ownership and that a copy is in the chroot area.
+   You can do this by re-running "rndc-confgen -a" with appropriate -t and -u
+   arguments.
 
 Q: I don't get RRSIG's returned when I use "dig +dnssec".
 
@@ -437,12 +425,11 @@ A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
 
 Q: I get "Error 1067" when starting named under Windows.
 
-A: This is the service manager saying that named exited. You need to examine
-   the Application log in the EventViewer to find out why.
+A: This is the service manager saying that named exited. You need to examine the
+   Application log in the EventViewer to find out why.
 
-   Common causes are that you failed to create "named.conf" (usually "C:\
-   windows\dns\etc\named.conf") or failed to specify the directory in
-   named.conf.
+   Common causes are that you failed to create "named.conf" (usually "C:\windows\
+   dns\etc\named.conf") or failed to specify the directory in named.conf.
 
    options {
            Directory "C:\windows\dns\etc";
@@ -457,18 +444,18 @@ A: These indicate a filesystem permission error preventing named creating /
 
    "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
 
-   Named needs write permission on the directory containing the file. Named
-   writes the new cache file to a temporary file then renames it to the name
-   specified in named.conf to ensure that the contents are always complete.
-   This is to prevent named loading a partial zone in the event of power
-   failure or similar interrupting the write of the master file.
+   Named needs write permission on the directory containing the file. Named writes
+   the new cache file to a temporary file then renames it to the name specified in
+   named.conf to ensure that the contents are always complete. This is to prevent
+   named loading a partial zone in the event of power failure or similar
+   interrupting the write of the master file.
 
    Note file names are relative to the directory specified in options and any
    chroot directory ([/][]).
 
-   If named is invoked as "named -t /chroot/DNS" with the following
-   named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
-   user named is running as.
+   If named is invoked as "named -t /chroot/DNS" with the following named.conf
+   then "/chroot/DNS/var/named/sl" needs to be writable by the user named is
+   running as.
 
    options {
            directory "/var/named";
@@ -488,28 +475,27 @@ A: Sun has a blog entry describing how to do this.
 
 Q: Can a NS record refer to a CNAME.
 
-A: No. The rules for glue (copies of the *address* records in the parent
-   zones) and additional section processing do not allow it to work.
+A: No. The rules for glue (copies of the *address* records in the parent zones)
+   and additional section processing do not allow it to work.
 
-   You would have to add both the CNAME and address records (A/AAAA) as glue
-   to the parent zone and have CNAMEs be followed when doing additional
-   section processing to make it work. No namesever implementation supports
-   either of these requirements.
+   You would have to add both the CNAME and address records (A/AAAA) as glue to
+   the parent zone and have CNAMEs be followed when doing additional section
+   processing to make it work. No namesever implementation supports either of
+   these requirements.
 
-Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
-   mean?
+Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?
 
-A: If the IN-ADDR.ARPA name covered refers to a internal address space you
-   are using then you have failed to follow RFC 1918 usage rules and are
-   leaking queries to the Internet. You should establish your own zones for
-   these addresses to prevent you quering the Internet's name servers for
-   these addresses. Please see http://as112.net/ for details of the problems
-   you are causing and the counter measures that have had to be deployed.
+A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
+   using then you have failed to follow RFC 1918 usage rules and are leaking
+   queries to the Internet. You should establish your own zones for these
+   addresses to prevent you quering the Internet's name servers for these
+   addresses. Please see http://as112.net/ for details of the problems you are
+   causing and the counter measures that have had to be deployed.
 
    If you are not using these private addresses then a client has queried for
    them. You can just ignore the messages, get the offending client to stop
-   sending you these messages as they are most probably leaking them or setup
-   your own zones empty zones to serve answers to these queries.
+   sending you these messages as they are most probably leaking them or setup your
+   own zones empty zones to serve answers to these queries.
 
    zone "10.IN-ADDR.ARPA" {
            type master;
@@ -553,10 +539,10 @@ Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
 
 A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
 
-   Red Hat have adopted the National Security Agency's SELinux security
-   policy ( see http://www.nsa.gov/selinux ) and recommendations for BIND
-   security , which are more secure than running named in a chroot and make
-   use of the bind-chroot environment unecessary .
+   Red Hat have adopted the National Security Agency's SELinux security policy (
+   see http://www.nsa.gov/selinux ) and recommendations for BIND security , which
+   are more secure than running named in a chroot and make use of the bind-chroot
+   environment unecessary .
 
    By default, named is not allowed by the SELinux policy to write, create or
    delete any files EXCEPT in these directories:
@@ -566,21 +552,18 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
    $ROOTDIR/var/tmp
 
 
-   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
-   installed.
+   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.
 
-   The SELinux policy particularly does NOT allow named to modify the
-   $ROOTDIR/var/named directory, the default location for master zone
-   database files.
+   The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var
+   /named directory, the default location for master zone database files.
 
-   SELinux policy overrules file access permissions - so even if all the
-   files under /var/named have ownership named:named and mode rw-rw-r--,
-   named will still not be able to write or create files except in the
-   directories above, with SELinux in Enforcing mode.
+   SELinux policy overrules file access permissions - so even if all the files
+   under /var/named have ownership named:named and mode rw-rw-r--, named will
+   still not be able to write or create files except in the directories above,
+   with SELinux in Enforcing mode.
 
-   So, to allow named to update slave or DDNS zone files, it is best to
-   locate them in $ROOTDIR/var/named/slaves, with named.conf zone statements
-   such as:
+   So, to allow named to update slave or DDNS zone files, it is best to locate
+   them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:
 
    zone "slave.zone." IN {
            type slave;
@@ -594,8 +577,8 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
    };
 
 
-   To allow named to create its cache dump and statistics files, for example,
-   you could use named.conf options statements such as:
+   To allow named to create its cache dump and statistics files, for example, you
+   could use named.conf options statements such as:
 
    options {
            ...
@@ -605,10 +588,10 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
    };
 
 
-   You can also tell SELinux to allow named to update any zone database
-   files, by setting the SELinux tunable boolean parameter
-   'named_write_master_zones=1', using the system-config-securitylevel GUI,
-   using the 'setsebool' command, or in /etc/selinux/targeted/booleans.
+   You can also tell SELinux to allow named to update any zone database files, by
+   setting the SELinux tunable boolean parameter 'named_write_master_zones=1',
+   using the system-config-securitylevel GUI, using the 'setsebool' command, or in
+   /etc/selinux/targeted/booleans.
 
    You can disable SELinux protection for named entirely by setting the
    'named_disable_trans=1' SELinux tunable boolean parameter.
@@ -620,18 +603,18 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
    named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
 
 
-   If you want to retain use of the SELinux policy for named, and put named
-   files in different locations, you can do so by changing the context of the
-   custom file locations .
+   If you want to retain use of the SELinux policy for named, and put named files
+   in different locations, you can do so by changing the context of the custom
+   file locations .
 
-   To create a custom configuration file location, eg. '/root/named.conf', to
-   use with the 'named -c' option, do:
+   To create a custom configuration file location, eg. '/root/named.conf', to use
+   with the 'named -c' option, do:
 
    # chcon system_u:object_r:named_conf_t /root/named.conf
 
 
-   To create a custom modifiable named data location, eg. '/var/log/named'
-   for a log file, do:
+   To create a custom modifiable named data location, eg. '/var/log/named' for a
+   log file, do:
 
    # chcon system_u:object_r:named_cache_t /var/log/named
 
@@ -641,6 +624,6 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
    # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
 
 
-   See these man-pages for more information : selinux(8), named_selinux(8),
-   chcon(1), setsebool(8)
+   See these man-pages for more information : selinux(8), named_selinux(8), chcon
+   (1), setsebool(8)
 
diff --git a/FAQ.xml b/FAQ.xml
index 460cb01ce8..3622882155 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 

   Frequently Asked Questions about BIND 9
@@ -536,7 +536,7 @@ Master 10.0.1.1:
 	};
 	view "external" {
 		match-clients { key external; any; };
-		server 10.0.0.2 { keys external; };
+		server 10.0.1.2 { keys external; };
 		recursion no;
 		...
 	};
@@ -552,7 +552,7 @@ Slave 10.0.1.2:
 	};
 	view "external" {
 		match-clients { key external; any; };
-		server 10.0.0.1 { keys external; };
+		server 10.0.1.1 { keys external; };
 		recursion no;
 		...
 	};

From 31526c8caa29c16b4a41f4d65064948b022a633d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 23 Feb 2006 22:29:28 +0000
Subject: [PATCH 037/465] update copyright

---
 FAQ.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/FAQ.xml b/FAQ.xml
index 3622882155..0826ead71e 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -1,7 +1,7 @@
 
 
 
-
+
 
 

   Frequently Asked Questions about BIND 9

From 445dff4f5ff2ce3d370869524b07a316d9da0daf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 23 Feb 2006 22:34:13 +0000
Subject: [PATCH 038/465] update example

---
 FAQ     | 386 +++++++++++++++++++++++++++++++++++---------------------
 FAQ.xml | 194 +++++++++++++++++++++++++++-
 2 files changed, 435 insertions(+), 145 deletions(-)

diff --git a/FAQ b/FAQ
index 9b806cbde5..4c4b7648f7 100644
--- a/FAQ
+++ b/FAQ
@@ -4,26 +4,36 @@ Frequently Asked Questions about BIND 9
 
 Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
 
-A: Linux threads do not fully implement the Posix threads (pthreads) standard.
-   In particular, setuid() operates only on the current thread, not the full
-   process. Because of this limitation, BIND 9 cannot use setuid() on Linux as
-   it can on all other supported platforms. setuid() cannot be called before
-   creating threads, since the server does not start listening on reserved
-   ports until after threads have started.
+A: Linux threads do not fully implement the Posix threads (pthreads) standard. In
+   particular, setuid() operates only on the current thread, not the full process.
+   Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on
+   all other supported platforms. setuid() cannot be called before creating
+   threads, since the server does not start listening on reserved ports until
+   after threads have started.
 
    In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
    capabilities across a setuid() call is present. This allows BIND 9 to call
-   setuid() early, while retaining the ability to bind reserved ports. This is
-   a Linux-specific hack.
+   setuid() early, while retaining the ability to bind reserved ports. This is a
+   Linux-specific hack.
 
-   On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
-   of a security risk than a root process that has not dropped privileges.
+   On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of
+   a security risk than a root process that has not dropped privileges.
 
    If Linux threads ever work correctly, this restriction will go away.
 
    Configuring BIND9 with the --disable-threads option (the default) causes a
    non-threaded version to be built, which will allow -u to be used.
 
+Q: Why do I get the following errors:
+
+   general: errno2result.c:109: unexpected error:
+   general: unable to convert errno to isc_result: 14: Bad address
+   client: UDP client handler shutting down due to fatal receive error: unexpected error
+
+A: This is the result of a Linux kernel bug.
+
+   See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2
+
 Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
    instead"?
 
@@ -40,23 +50,23 @@ A: Your zone file is illegal according to RFC1035. It must either have a line
 Q: Why do I see 5 (or more) copies of named on Linux?
 
 A: Linux threads each show up as a process under ps. The approximate number of
-   threads running is n+4, where n is the number of CPUs. Note that the amount
-   of memory used is not cumulative; if each process is using 10M of memory,
-   only a total of 10M is used.
+   threads running is n+4, where n is the number of CPUs. Note that the amount of
+   memory used is not cumulative; if each process is using 10M of memory, only a
+   total of 10M is used.
 
 Q: Why does BIND 9 log "permission denied" errors accessing its configuration
    files or zones on my Linux system even though it is running as root?
 
-A: On Linux, BIND 9 drops most of its root privileges on startup. This
-   including the privilege to open files owned by other users. Therefore, if
-   the server is running as root, the configuration files and zone files should
-   also be owned by root.
+A: On Linux, BIND 9 drops most of its root privileges on startup. This including
+   the privilege to open files owned by other users. Therefore, if the server is
+   running as root, the configuration files and zone files should also be owned by
+   root.
 
-Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
-   bar: ran out of space"?
+Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar:
+   ran out of space"?
 
-A: This is often caused by TXT records with missing close quotes. Check that
-   all TXT records containing quoted strings have both open and close quotes.
+A: This is often caused by TXT records with missing close quotes. Check that all
+   TXT records containing quoted strings have both open and close quotes.
 
 Q: How do I produce a usable core file from a multithreaded named on Linux?
 
@@ -68,16 +78,16 @@ A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
 
 Q: How do I restrict people from looking up the server version?
 
-A: Put a "version" option containing something other than the real version in
-   the "options" section of named.conf. Note doing this will not prevent
-   attacks and may impede people trying to diagnose problems with your server.
-   Also it is possible to "fingerprint" nameservers to determine their version.
+A: Put a "version" option containing something other than the real version in the
+   "options" section of named.conf. Note doing this will not prevent attacks and
+   may impede people trying to diagnose problems with your server. Also it is
+   possible to "fingerprint" nameservers to determine their version.
 
 Q: How do I restrict only remote users from looking up the server version?
 
-A: The following view statement will intercept lookups as the internal view
-   that holds the version information will be matched last. The caveats of the
-   previous answer still apply, of course.
+A: The following view statement will intercept lookups as the internal view that
+   holds the version information will be matched last. The caveats of the previous
+   answer still apply, of course.
 
    view "chaos" chaos {
            match-clients { ; };
@@ -91,48 +101,45 @@ A: The following view statement will intercept lookups as the internal view
 Q: What do "no source of entropy found" or "could not open entropy source foo"
    mean?
 
-A: The server requires a source of entropy to perform certain operations,
-   mostly DNSSEC related. These messages indicate that you have no source of
-   entropy. On systems with /dev/random or an equivalent, it is used by
-   default. A source of entropy can also be defined using the random-device
-   option in named.conf.
+A: The server requires a source of entropy to perform certain operations, mostly
+   DNSSEC related. These messages indicate that you have no source of entropy. On
+   systems with /dev/random or an equivalent, it is used by default. A source of
+   entropy can also be defined using the random-device option in named.conf.
 
 Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
 
 A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
    under /usr. Check that the correct named is running.
 
-Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers.
-   I'm sure I have the keys set up correctly, but the server is rejecting the
-   TSIG. Why?
+Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm
+   sure I have the keys set up correctly, but the server is rejecting the TSIG.
+   Why?
 
-A: This may be a clock skew problem. Check that the the clocks on the client
-   and server are properly synchronised (e.g., using ntp).
+A: This may be a clock skew problem. Check that the the clocks on the client and
+   server are properly synchronised (e.g., using ntp).
 
 Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
    found. Why?
 
 A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
-   doesn't work. If you are using one of these, use normal make or gmake
-   instead.
+   doesn't work. If you are using one of these, use normal make or gmake instead.
 
-Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging
-   error messages like "notify to 10.0.0.1#53 failed: unexpected end of input".
-   What's wrong?
+Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error
+   messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's
+   wrong?
 
-A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in
-   BIND 8.2.4. It can be safely ignored - the notify has been acted on by the
-   slave despite the error message.
+A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND
+   8.2.4. It can be safely ignored - the notify has been acted on by the slave
+   despite the error message.
 
 Q: I keep getting log messages like the following. Why?
 
    Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
-   failed: 'RRset exists (value dependent)' prerequisite not satisfied
-   (NXRRSET)
+   failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
 
-A: DNS updates allow the update request to test to see if certain conditions
-   are met prior to proceeding with the update. The message above is saying
-   that conditions were not met and the update is not proceeding. See doc/rfc/
+A: DNS updates allow the update request to test to see if certain conditions are
+   met prior to proceeding with the update. The message above is saying that
+   conditions were not met and the update is not proceeding. See doc/rfc/
    rfc2136.txt for more details on prerequisites.
 
 Q: I keep getting log messages like the following. Why?
@@ -140,11 +147,11 @@ Q: I keep getting log messages like the following. Why?
    Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
 
 A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
-   protocol. Windows 2000 machines have a habit of sending dynamic update
-   requests to DNS servers without being specifically configured to do so. If
-   the update requests are coming from a Windows 2000 machine, see http://
-   support.microsoft.com/support/kb/articles/q246/8/04.asp for information
-   about how to turn them off.
+   protocol. Windows 2000 machines have a habit of sending dynamic update requests
+   to DNS servers without being specifically configured to do so. If the update
+   requests are coming from a Windows 2000 machine, see http://
+   support.microsoft.com/support/kb/articles/q246/8/04.asp for information about
+   how to turn them off.
 
 Q: I see a log message like the following. Why?
 
@@ -152,59 +159,59 @@ Q: I see a log message like the following. Why?
 
 A: You are most likely running named as a non-root user, and that user does not
    have permission to write in /var/run. The common ways of fixing this are to
-   create a /var/run/named directory owned by the named user and set pid-file
-   to "/var/run/named/named.pid", or set pid-file to "named.pid", which will
-   put the file in the directory specified by the directory option (which, in
-   this case, must be writable by the named user).
+   create a /var/run/named directory owned by the named user and set pid-file to "
+   /var/run/named/named.pid", or set pid-file to "named.pid", which will put the
+   file in the directory specified by the directory option (which, in this case,
+   must be writable by the named user).
 
-Q: When I do a "dig . ns", many of the A records for the root servers are
-   missing. Why?
+Q: When I do a "dig . ns", many of the A records for the root servers are missing.
+   Why?
 
-A: This is normal and harmless. It is a somewhat confusing side effect of the
-   way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to
-   avoid promoting glue into answers.
+A: This is normal and harmless. It is a somewhat confusing side effect of the way
+   BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid
+   promoting glue into answers.
 
-   When BIND 9 first starts up and primes its cache, it receives the root
-   server addresses as additional data in an authoritative response from a root
-   server, and these records are eligible for inclusion as additional data in
-   responses. Subsequently it receives a subset of the root server addresses as
-   additional data in a non-authoritative (referral) response from a root
-   server. This causes the addresses to now be considered non-authoritative
-   (glue) data, which is not eligible for inclusion in responses.
+   When BIND 9 first starts up and primes its cache, it receives the root server
+   addresses as additional data in an authoritative response from a root server,
+   and these records are eligible for inclusion as additional data in responses.
+   Subsequently it receives a subset of the root server addresses as additional
+   data in a non-authoritative (referral) response from a root server. This causes
+   the addresses to now be considered non-authoritative (glue) data, which is not
+   eligible for inclusion in responses.
 
    The server does have a complete set of root server addresses cached at all
    times, it just may not include all of them as additional data, depending on
-   whether they were last received as answers or as glue. You can always look
-   up the addresses with explicit queries like "dig a.root-servers.net A".
+   whether they were last received as answers or as glue. You can always look up
+   the addresses with explicit queries like "dig a.root-servers.net A".
 
 Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?
 
-A: This may be caused by a bug in the Windows 2000 DNS server where DNS
-   messages larger than 16K are not handled properly. This can be worked around
-   by setting the option "transfer-format one-answer;". Also check whether your
-   zone contains domain names with embedded spaces or other special characters,
-   like "John\032Doe\213s\032Computer", since such names have been known to
-   cause Windows 2000 slaves to incorrectly reject the zone.
+A: This may be caused by a bug in the Windows 2000 DNS server where DNS messages
+   larger than 16K are not handled properly. This can be worked around by setting
+   the option "transfer-format one-answer;". Also check whether your zone contains
+   domain names with embedded spaces or other special characters, like "John\
+   032Doe\213s\032Computer", since such names have been known to cause Windows
+   2000 slaves to incorrectly reject the zone.
 
 Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
 
-A: A zone can be updated either by editing zone files and reloading the server
-   or by dynamic update, but not both. If you have enabled dynamic update for a
-   zone using the "allow-update" option, you are not supposed to edit the zone
-   file by hand, and the server will not attempt to reload it.
+A: A zone can be updated either by editing zone files and reloading the server or
+   by dynamic update, but not both. If you have enabled dynamic update for a zone
+   using the "allow-update" option, you are not supposed to edit the zone file by
+   hand, and the server will not attempt to reload it.
 
 Q: I can query the nameserver from the nameserver but not from other machines.
    Why?
 
-A: This is usually the result of the firewall configuration stopping the
-   queries and / or the replies.
+A: This is usually the result of the firewall configuration stopping the queries
+   and / or the replies.
 
 Q: How can I make a server a slave for both an internal and an external view at
-   the same time? When I tried, both views on the slave were transferred from
-   the same view on the master.
+   the same time? When I tried, both views on the slave were transferred from the
+   same view on the master.
 
-A: You will need to give the master and slave multiple IP addresses and use
-   those to make sure you reach the correct view on the other machine.
+A: You will need to give the master and slave multiple IP addresses and use those
+   to make sure you reach the correct view on the other machine.
 
    Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
        internal:
@@ -232,8 +239,8 @@ A: You will need to give the master and slave multiple IP addresses and use
            transfer-source 10.0.1.4;
            query-source address 10.0.1.4;
 
-   You put the external address on the alias so that all the other dns clients
-   on these boxes see the internal view by default.
+   You put the external address on the alias so that all the other dns clients on
+   these boxes see the internal view by default.
 
 A: BIND 9.3 and later: Use TSIG to select the appropriate view.
 
@@ -248,7 +255,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
            };
            view "external" {
                    match-clients { key external; any; };
-                   server 10.0.0.2 { keys external; };
+                   server 10.0.1.2 { keys external; };
                    recursion no;
                    ...
            };
@@ -264,7 +271,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
            };
            view "external" {
                    match-clients { key external; any; };
-                   server 10.0.0.1 { keys external; };
+                   server 10.0.1.1 { keys external; };
                    recursion no;
                    ...
            };
@@ -272,8 +279,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
 Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
 
 A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
-   certain interrupts as a source of random events. You can make this permanent
-   by setting rand_irqs in /etc/rc.conf.
+   certain interrupts as a source of random events. You can make this permanent by
+   setting rand_irqs in /etc/rc.conf.
 
    /etc/rc.conf
    rand_irqs="3 14 15"
@@ -283,34 +290,33 @@ A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
 Q: Why is named listening on UDP port other than 53?
 
 A: Named uses a system selected port to make queries of other nameservers. This
-   behaviour can be overridden by using query-source to lock down the port and/
-   or address. See also notify-source and transfer-source.
+   behaviour can be overridden by using query-source to lock down the port and/or
+   address. See also notify-source and transfer-source.
 
-Q: I get error messages like "multiple RRs of singleton type" and "CNAME and
-   other data" when transferring a zone. What does this mean?
+Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other
+   data" when transferring a zone. What does this mean?
 
 A: These indicate a malformed master zone. You can identify the exact records
-   involved by transferring the zone using dig then running named-checkzone on
-   it.
+   involved by transferring the zone using dig then running named-checkzone on it.
 
    dig axfr example.com @master-server > tmp
    named-checkzone example.com tmp
 
-   A CNAME record cannot exist with the same name as another record except for
-   the DNSSEC records which prove its existance (NSEC).
+   A CNAME record cannot exist with the same name as another record except for the
+   DNSSEC records which prove its existance (NSEC).
 
    RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
    should be present; this ensures that the data for a canonical name and its
-   aliases cannot be different. This rule also insures that a cached CNAME can
-   be used without checking with an authoritative server for other RR types."
+   aliases cannot be different. This rule also insures that a cached CNAME can be
+   used without checking with an authoritative server for other RR types."
 
-Q: I get error messages like "named.conf:99: unexpected end of input" where 99
-   is the last line of named.conf.
+Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is
+   the last line of named.conf.
 
 A: Some text editors (notepad and wordpad) fail to put a line title indication
-   (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding"
-   a blank line to the end of the file. Named expects to see EOF immediately
-   after EOL and treats text files where this is not met as truncated.
+   (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a
+   blank line to the end of the file. Named expects to see EOF immediately after
+   EOL and treats text files where this is not met as truncated.
 
 Q: I get warning messages like "zone example.com/IN: refresh: failure trying
    master 1.2.3.4#53: timed out".
@@ -319,15 +325,15 @@ A: Check that you can make UDP queries from the slave to the master
 
    dig +norec example.com soa @1.2.3.4
 
-   You could be generating queries faster than the slave can cope with. Lower
-   the serial query rate.
+   You could be generating queries faster than the slave can cope with. Lower the
+   serial query rate.
 
    serial-query-rate 5; // default 20
 
 Q: How do I share a dynamic zone between multiple views?
 
-A: You choose one view to be master and the second a slave and transfer the
-   zone between views.
+A: You choose one view to be master and the second a slave and transfer the zone
+   between views.
 
    Master 10.0.1.1:
            key "external" {
@@ -370,14 +376,14 @@ Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
    file primaries/wireless.ietf56.ietf.org: no owner".
 
 A: This error is produced when a line in the master file contains leading white
-   space (tab/space) but the is no current record owner name to inherit the
-   name from. Usually this is the result of putting white space before a
-   comment. Forgeting the "@" for the SOA record or indenting the master file.
+   space (tab/space) but the is no current record owner name to inherit the name
+   from. Usually this is the result of putting white space before a comment.
+   Forgeting the "@" for the SOA record or indenting the master file.
 
 Q: Why are my logs in GMT (UTC).
 
-A: You are running chrooted (-t) and have not supplied local timzone
-   information in the chroot area.
+A: You are running chrooted (-t) and have not supplied local timzone information
+   in the chroot area.
 
    FreeBSD: /etc/localtime
    Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
@@ -395,23 +401,23 @@ Q: I get "rndc: connect failed: connection refused" when I try to run rndc.
 
 A: This is usually a configuration error.
 
-   First ensure that named is running and no errors are being reported at
-   startup (/var/log/messages or equivalent). Running "named -g " from a title can help at this point.
+   First ensure that named is running and no errors are being reported at startup
+   (/var/log/messages or equivalent). Running "named -g " from a
+   title can help at this point.
 
    Secondly ensure that named is configured to use rndc either by "rndc-confgen
-   -a", rndc-confgen or manually. The Administrators Reference manual has
-   details on how to do this.
+   -a", rndc-confgen or manually. The Administrators Reference manual has details
+   on how to do this.
 
    Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
    rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
    the default server listed in /etc/rndc.conf matches the addresses used in
    named.conf. "localhost" has two address (127.0.0.1 and ::1).
 
-   If you use "rndc-confgen -a" and named is running with -t or -u ensure that
-   /etc/rndc.conf has the correct ownership and that a copy is in the chroot
-   area. You can do this by re-running "rndc-confgen -a" with appropriate -t
-   and -u arguments.
+   If you use "rndc-confgen -a" and named is running with -t or -u ensure that /
+   etc/rndc.conf has the correct ownership and that a copy is in the chroot area.
+   You can do this by re-running "rndc-confgen -a" with appropriate -t and -u
+   arguments.
 
 Q: I don't get RRSIG's returned when I use "dig +dnssec".
 
@@ -419,12 +425,11 @@ A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
 
 Q: I get "Error 1067" when starting named under Windows.
 
-A: This is the service manager saying that named exited. You need to examine
-   the Application log in the EventViewer to find out why.
+A: This is the service manager saying that named exited. You need to examine the
+   Application log in the EventViewer to find out why.
 
-   Common causes are that you failed to create "named.conf" (usually "C:\
-   windows\dns\etc\named.conf") or failed to specify the directory in
-   named.conf.
+   Common causes are that you failed to create "named.conf" (usually "C:\windows\
+   dns\etc\named.conf") or failed to specify the directory in named.conf.
 
    options {
            Directory "C:\windows\dns\etc";
@@ -439,11 +444,11 @@ A: These indicate a filesystem permission error preventing named creating /
 
    "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
 
-   Named needs write permission on the directory containing the file. Named
-   writes the new cache file to a temporary file then renames it to the name
-   specified in named.conf to ensure that the contents are always complete.
-   This is to prevent named loading a partial zone in the event of power
-   failure or similar interrupting the write of the master file.
+   Named needs write permission on the directory containing the file. Named writes
+   the new cache file to a temporary file then renames it to the name specified in
+   named.conf to ensure that the contents are always complete. This is to prevent
+   named loading a partial zone in the event of power failure or similar
+   interrupting the write of the master file.
 
    Note file names are relative to the directory specified in options and any
    chroot directory ([/][]).
@@ -489,8 +494,8 @@ A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
 
    If you are not using these private addresses then a client has queried for
    them. You can just ignore the messages, get the offending client to stop
-   sending you these messages as they are most probably leaking them or setup
-   your own zones empty zones to serve answers to these queries.
+   sending you these messages as they are most probably leaking them or setup your
+   own zones empty zones to serve answers to these queries.
 
    zone "10.IN-ADDR.ARPA" {
            type master;
@@ -523,3 +528,102 @@ A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
 
    Future versions of named are likely to do this automatically.
 
+Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
+
+   Why can't named update slave zone database files?
+
+   Why can't named create DDNS journal files or update the master zones from
+   journals?
+
+   Why can't named create custom log files?
+
+A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
+
+   Red Hat have adopted the National Security Agency's SELinux security policy (
+   see http://www.nsa.gov/selinux ) and recommendations for BIND security , which
+   are more secure than running named in a chroot and make use of the bind-chroot
+   environment unecessary .
+
+   By default, named is not allowed by the SELinux policy to write, create or
+   delete any files EXCEPT in these directories:
+
+   $ROOTDIR/var/named/slaves
+   $ROOTDIR/var/named/data
+   $ROOTDIR/var/tmp
+
+
+   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.
+
+   The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var
+   /named directory, the default location for master zone database files.
+
+   SELinux policy overrules file access permissions - so even if all the files
+   under /var/named have ownership named:named and mode rw-rw-r--, named will
+   still not be able to write or create files except in the directories above,
+   with SELinux in Enforcing mode.
+
+   So, to allow named to update slave or DDNS zone files, it is best to locate
+   them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:
+
+   zone "slave.zone." IN {
+           type slave;
+           file "slaves/slave.zone.db";
+           ...
+   };
+   zone "ddns.zone." IN  {
+           type master;
+           allow-updates {...};
+           file "slaves/ddns.zone.db";
+   };
+
+
+   To allow named to create its cache dump and statistics files, for example, you
+   could use named.conf options statements such as:
+
+   options {
+           ...
+           dump-file "/var/named/data/cache_dump.db";
+           statistics-file "/var/named/data/named_stats.txt";
+           ...
+   };
+
+
+   You can also tell SELinux to allow named to update any zone database files, by
+   setting the SELinux tunable boolean parameter 'named_write_master_zones=1',
+   using the system-config-securitylevel GUI, using the 'setsebool' command, or in
+   /etc/selinux/targeted/booleans.
+
+   You can disable SELinux protection for named entirely by setting the
+   'named_disable_trans=1' SELinux tunable boolean parameter.
+
+   The SELinux named policy defines these SELinux contexts for named:
+
+   named_zone_t : for zone database files       - $ROOTDIR/var/named/*
+   named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
+   named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
+
+
+   If you want to retain use of the SELinux policy for named, and put named files
+   in different locations, you can do so by changing the context of the custom
+   file locations .
+
+   To create a custom configuration file location, eg. '/root/named.conf', to use
+   with the 'named -c' option, do:
+
+   # chcon system_u:object_r:named_conf_t /root/named.conf
+
+
+   To create a custom modifiable named data location, eg. '/var/log/named' for a
+   log file, do:
+
+   # chcon system_u:object_r:named_cache_t /var/log/named
+
+
+   To create a custom zone file location, eg. /root/zones/, do:
+
+   # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
+
+
+   See these man-pages for more information : selinux(8), named_selinux(8), chcon
+   (1), setsebool(8)
+
diff --git a/FAQ.xml b/FAQ.xml
index 6d6e391767..634cfe3845 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -1,7 +1,7 @@
 
 
 
-
+
 
 

   Frequently Asked Questions about BIND 9
@@ -64,6 +64,26 @@
       
     
 
+    
+      
+	
+	  Why do I get the following errors:
+general: errno2result.c:109: unexpected error:
+general: unable to convert errno to isc_result: 14: Bad address
+client: UDP client handler shutting down due to fatal receive error: unexpected error
+	
+      
+      
+	
+	  This is the result of a Linux kernel bug.
+	
+	
+	  See:
+	  http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2
+	
+      
+    
+
     
       
 	
@@ -516,7 +536,7 @@ Master 10.0.1.1:
 	};
 	view "external" {
 		match-clients { key external; any; };
-		server 10.0.0.2 { keys external; };
+		server 10.0.1.2 { keys external; };
 		recursion no;
 		...
 	};
@@ -532,7 +552,7 @@ Slave 10.0.1.2:
 	};
 	view "external" {
 		match-clients { key external; any; };
-		server 10.0.0.1 { keys external; };
+		server 10.0.1.1 { keys external; };
 		recursion no;
 		...
 	};
@@ -997,11 +1017,177 @@ empty:
 	       1 3600 1200 604800 10800 )
 @ 10800 IN NS <name-of-server>.
 	
+	
 	
 	  Future versions of named are likely to do this automatically.
 	
+	
       
     
 
+    
+      
+	
+	   I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
+	
+	
+	  Why can't named update slave zone database files?
+	
+	
+	  Why can't named create DDNS journal files or update
+	  the master zones from journals?
+	
+	
+	  Why can't named create custom log files?
+	
+      
+
+      
+	
+	  Red Hat Security Enhanced Linux (SELinux) policy security
+	  protections :
+	
+
+	
+	   Red Hat have adopted the National Security Agency's
+	   SELinux security policy ( see http://www.nsa.gov/selinux
+	   ) and recommendations for BIND security , which are more
+	   secure than running named in a chroot and make use of
+	   the bind-chroot environment unecessary .
+	
+
+	
+	  By default, named is not allowed by the SELinux policy
+	  to write, create or delete any files EXCEPT in these
+	  directories:
+	  
+	    
+$ROOTDIR/var/named/slaves
+$ROOTDIR/var/named/data
+$ROOTDIR/var/tmp
+	    
+	  
+	  where $ROOTDIR may be set in /etc/sysconfig/named if
+	  bind-chroot is installed.
+	
+
+	
+	  The SELinux policy particularly does NOT allow named to modify
+	  the $ROOTDIR/var/named directory, the default location for master
+	  zone database files.
+	
+
+	
+	  SELinux policy overrules file access permissions - so
+	  even if all the files under /var/named have ownership
+	  named:named and mode rw-rw-r--, named will still not be
+	  able to write or create files except in the directories
+	  above, with SELinux in Enforcing mode.
+	
+  
+	
+	  So, to allow named to update slave or DDNS zone files,
+	  it is best to locate them in $ROOTDIR/var/named/slaves,
+	  with named.conf zone statements such as:
+	  
+	    
+zone "slave.zone." IN {
+	type slave;
+	file "slaves/slave.zone.db";
+	...
+};   
+zone "ddns.zone." IN  {
+	type master;
+	allow-updates {...};
+	file "slaves/ddns.zone.db";
+};
+	    
+	  
+	
+
+	
+	  To allow named to create its cache dump and statistics
+	  files, for example, you could use named.conf options
+	  statements such as:
+	  
+	    
+options {
+	...
+	dump-file "/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	...
+};
+	    
+	  
+	
+
+	
+	  You can also tell SELinux to allow named to update any
+	  zone database files, by setting the SELinux tunable boolean
+	  parameter 'named_write_master_zones=1', using the
+	  system-config-securitylevel GUI, using the 'setsebool'
+	  command, or in /etc/selinux/targeted/booleans.
+	
+  
+	
+	  You can disable SELinux protection for named entirely by
+	  setting the 'named_disable_trans=1' SELinux tunable boolean
+	  parameter.
+	
+    
+	
+	  The SELinux named policy defines these SELinux contexts for named:
+	  
+	    
+named_zone_t : for zone database files       - $ROOTDIR/var/named/*
+named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
+named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
+	    
+	  
+	
+   
+	
+	  If you want to retain use of the SELinux policy for named,
+	  and put named files in different locations, you can do
+	  so by changing the context of the custom file locations
+	  .
+	
+
+	
+	  To create a custom configuration file location, eg.
+	  '/root/named.conf', to use with the 'named -c' option,
+	  do:
+	  
+	    
+# chcon system_u:object_r:named_conf_t /root/named.conf
+	    
+	  
+	
+  
+	
+	  To create a custom modifiable named data location, eg.
+	  '/var/log/named' for a log file, do:
+	  
+	    
+# chcon system_u:object_r:named_cache_t /var/log/named
+	    
+	  
+	
+   
+	
+   To create a custom zone file location, eg. /root/zones/, do:
+	  
+	    
+# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
+	    
+	  
+	
+  
+	
+	  See these man-pages for more information : selinux(8),
+	  named_selinux(8), chcon(1), setsebool(8)
+	
+      
+    
   
 


From 2b7db25cf2a588f3d9f098fa182bc9aab7f06865 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 23 Feb 2006 22:37:44 +0000
Subject: [PATCH 039/465] new draft

---
 ...txt => draft-ietf-dnsext-ds-sha256-05.txt} |  120 +-
 ...-dnsop-dnssec-operational-practices-04.txt | 1736 ---------------
 ...-dnsop-dnssec-operational-practices-07.txt | 1904 +++++++++++++++++
 3 files changed, 1964 insertions(+), 1796 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-ds-sha256-04.txt => draft-ietf-dnsext-ds-sha256-05.txt} (83%)
 delete mode 100644 doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt
 create mode 100644 doc/draft/draft-ietf-dnsop-dnssec-operational-practices-07.txt

diff --git a/doc/draft/draft-ietf-dnsext-ds-sha256-04.txt b/doc/draft/draft-ietf-dnsext-ds-sha256-05.txt
similarity index 83%
rename from doc/draft/draft-ietf-dnsext-ds-sha256-04.txt
rename to doc/draft/draft-ietf-dnsext-ds-sha256-05.txt
index fff6fd63f7..2460cb619b 100644
--- a/doc/draft/draft-ietf-dnsext-ds-sha256-04.txt
+++ b/doc/draft/draft-ietf-dnsext-ds-sha256-05.txt
@@ -3,11 +3,11 @@
 
 Network Working Group                                        W. Hardaker
 Internet-Draft                                                    Sparta
-Expires: July 17, 2006                                  January 13, 2006
+Expires: August 25, 2006                               February 21, 2006
 
 
  Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
-                   draft-ietf-dnsext-ds-sha256-04.txt
+                   draft-ietf-dnsext-ds-sha256-05.txt
 
 Status of this Memo
 
@@ -32,7 +32,7 @@ Status of this Memo
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on July 17, 2006.
+   This Internet-Draft will expire on August 25, 2006.
 
 Copyright Notice
 
@@ -52,9 +52,9 @@ Abstract
 
 
 
-Hardaker                  Expires July 17, 2006                 [Page 1]
+Hardaker                 Expires August 25, 2006                [Page 1]
 
-Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
 
 
 Table of Contents
@@ -71,8 +71,8 @@ Table of Contents
      6.1.  Potential Digest Type Downgrade Attacks . . . . . . . . . . 5
      6.2.  SHA-1 vs SHA-256 Considerations for DS Records  . . . . . . 6
    7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
-   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 6
-     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 6
+   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
      8.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
    Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 8
    Intellectual Property and Copyright Statements  . . . . . . . . . . 9
@@ -108,9 +108,9 @@ Table of Contents
 
 
 
-Hardaker                  Expires July 17, 2006                 [Page 2]
+Hardaker                 Expires August 25, 2006                [Page 2]
 
-Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
 
 
 1.  Introduction
@@ -123,14 +123,18 @@ Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
    record, owned by the same domain as the DS RRset and with a type
    covered of DS.
 
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
 
 2.  Implementing the SHA-256 algorithm for DS record support
 
    This document specifies that the digest type code [XXX: To be
-   assigned by IANA; likely 2] is to be assigned to SHA-256 [SHA256] for
-   use within DS records.  The results of the digest algorithm MUST NOT
-   be truncated and the entire 32 byte digest result is to be published
-   in the DS record.
+   assigned by IANA; likely 2] is to be assigned to SHA-256 [SHA256]
+   [SHA256CODE] for use within DS records.  The results of the digest
+   algorithm MUST NOT be truncated and the entire 32 byte digest result
+   is to be published in the DS record.
 
 2.1.  DS record field values
 
@@ -160,13 +164,9 @@ Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
 
 
 
-
-
-
-
-Hardaker                  Expires July 17, 2006                 [Page 3]
+Hardaker                 Expires August 25, 2006                [Page 3]
 
-Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
 
 
                            1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
@@ -220,9 +220,9 @@ Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
 
 
 
-Hardaker                  Expires July 17, 2006                 [Page 4]
+Hardaker                 Expires August 25, 2006                [Page 4]
 
-Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
 
 
    the validator has no supported authentication path leading from the
@@ -241,6 +241,8 @@ Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
 
 5.  IANA Considerations
 
+   Only one IANA action is required by this document:
+
    The Digest Type to be used for supporting SHA-256 within DS records
    needs to be assigned by IANA.  This document requests that the Digest
    Type value of 2 be assigned to the SHA-256 digest algorithm.
@@ -270,17 +272,18 @@ Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
 
    For example, if the following conditions are all true:
 
+
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 5]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
+
+
    o  Both SHA-1 and SHA-256 based digests are published in DS records
       within a parent zone for a given child zone's DNSKEY.
 
-
-
-
-Hardaker                  Expires July 17, 2006                 [Page 5]
-
-Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
-
-
    o  The DS record with the SHA-1 digest matches the digest computed
       using the child zone's DNSKEY.
 
@@ -293,9 +296,13 @@ Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
 
 6.2.  SHA-1 vs SHA-256 Considerations for DS Records
 
-   Because of the weaknesses recently discovered within the SHA-1
-   algorithm, users of DNSSEC are encouraged to deploy the use of SHA-
-   256 as soon as the software implementations in use allow for it.
+   Users of DNSSEC are encouraged to deploy SHA-256 as soon as software
+   implementations allow for it.  SHA-256 is widely believed to be more
+   resilient to attack than SHA-1, and confidence in SHA-1's strength is
+   being eroded by recently-announced attacks.  Regardless of whether or
+   not the attacks on SHA-1 will affect DNSSEC, it is believed (at the
+   time of this writing) that SHA-256 is the better choice for use in DS
+   records.
 
    At the time of this publication, the SHA-256 digest algorithm is
    considered sufficiently strong for the immediate future.  It is also
@@ -317,26 +324,30 @@ Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
    went into the base documents.
 
    The following people contributed to portions of this document in some
-   fashion: Mark Andrews, Roy Arends, Olafur Gudmundsson, Olaf M.
-   Kolkman, Edward Lewis, Scott Rose, Stuart E. Schechter, Sam Weiler.
+   fashion: Mark Andrews, Roy Arends, Olafur Gudmundsson, Paul Hoffman,
+   Olaf M. Kolkman, Edward Lewis, Scott Rose, Stuart E. Schechter, Sam
+   Weiler.
+
+
+
+
+
+Hardaker                 Expires August 25, 2006                [Page 6]
+
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
 
 
 8.  References
 
 8.1.  Normative References
 
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
    [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
               Rose, "DNS Security Introduction and Requirements",
               RFC 4033, March 2005.
 
-
-
-
-Hardaker                  Expires July 17, 2006                 [Page 6]
-
-Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
-
-
    [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
               Rose, "Resource Records for the DNS Security Extensions",
               RFC 4034, March 2005.
@@ -351,7 +362,7 @@ Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
 8.2.  Informative References
 
    [SHA256CODE]
-              Motorola Labs, "US Secure Hash Algorithms (SHA)",
+              Eastlake, D., "US Secure Hash Algorithms (SHA)",
               June 2005.
 
 
@@ -377,20 +388,9 @@ Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-Hardaker                  Expires July 17, 2006                 [Page 7]
+Hardaker                 Expires August 25, 2006                [Page 7]
 
-Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
 
 
 Author's Address
@@ -398,7 +398,7 @@ Author's Address
    Wes Hardaker
    Sparta
    P.O. Box 382
-   Davis  95617
+   Davis, CA  95617
    US
 
    Email: hardaker@tislabs.com
@@ -444,9 +444,9 @@ Author's Address
 
 
 
-Hardaker                  Expires July 17, 2006                 [Page 8]
+Hardaker                 Expires August 25, 2006                [Page 8]
 
-Internet-Draft       Use of SHA-256 in DNSSEC DS RRs        January 2006
+Internet-Draft       Use of SHA-256 in DNSSEC DS RRs       February 2006
 
 
 Intellectual Property Statement
@@ -500,5 +500,5 @@ Acknowledgment
 
 
 
-Hardaker                  Expires July 17, 2006                 [Page 9]
+Hardaker                 Expires August 25, 2006                [Page 9]
 
diff --git a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt
deleted file mode 100644
index a5d0d6079a..0000000000
--- a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt
+++ /dev/null
@@ -1,1736 +0,0 @@
-
-
-
-DNSOP                                                         O. Kolkman
-Internet-Draft                                                  RIPE NCC
-Expires: September 2, 2005                                     R. Gieben
-                                                              NLnet Labs
-                                                              March 2005
-
-
-                      DNSSEC Operational Practices
-          draft-ietf-dnsop-dnssec-operational-practices-04.txt
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on September 2, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document describes a set of practices for operating the DNS with
-   security extensions (DNSSEC).  The target audience is zone
-   administrators deploying DNSSEC.
-
-   The document discusses operational aspects of using keys and
-   signatures in the DNS.  It discusses issues as key generation, key
-   storage, signature generation, key rollover and related policies.
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 1]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.1   The Use of the Term 'key'  . . . . . . . . . . . . . . . .  4
-     1.2   Time Definitions . . . . . . . . . . . . . . . . . . . . .  5
-   2.  Keeping the Chain of Trust Intact  . . . . . . . . . . . . . .  5
-   3.  Keys Generation and Storage  . . . . . . . . . . . . . . . . .  6
-     3.1   Zone and Key Signing Keys  . . . . . . . . . . . . . . . .  6
-       3.1.1   Motivations for the KSK and ZSK Separation . . . . . .  6
-       3.1.2   KSKs for high level zones  . . . . . . . . . . . . . .  7
-     3.2   Randomness . . . . . . . . . . . . . . . . . . . . . . . .  8
-     3.3   Key Effectivity Period . . . . . . . . . . . . . . . . . .  8
-     3.4   Key Algorithm  . . . . . . . . . . . . . . . . . . . . . .  9
-     3.5   Key Sizes  . . . . . . . . . . . . . . . . . . . . . . . .  9
-     3.6   Private Key Storage  . . . . . . . . . . . . . . . . . . . 10
-   4.  Signature generation, Key Rollover and Related Policies  . . . 11
-     4.1   Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 11
-       4.1.1   Time Considerations  . . . . . . . . . . . . . . . . . 11
-     4.2   Key Rollovers  . . . . . . . . . . . . . . . . . . . . . . 13
-       4.2.1   Zone-signing Key Rollovers . . . . . . . . . . . . . . 13
-       4.2.2   Key-signing Key Rollovers  . . . . . . . . . . . . . . 17
-       4.2.3   Difference Between ZSK and KSK Rollovers . . . . . . . 18
-       4.2.4   Automated Key Rollovers  . . . . . . . . . . . . . . . 19
-     4.3   Planning for Emergency Key Rollover  . . . . . . . . . . . 19
-       4.3.1   KSK Compromise . . . . . . . . . . . . . . . . . . . . 20
-       4.3.2   ZSK Compromise . . . . . . . . . . . . . . . . . . . . 20
-       4.3.3   Compromises of Keys Anchored in Resolvers  . . . . . . 20
-     4.4   Parental Policies  . . . . . . . . . . . . . . . . . . . . 21
-       4.4.1   Initial Key Exchanges and Parental Policies
-               Considerations . . . . . . . . . . . . . . . . . . . . 21
-       4.4.2   Storing Keys or Hashes?  . . . . . . . . . . . . . . . 21
-       4.4.3   Security Lameness  . . . . . . . . . . . . . . . . . . 22
-       4.4.4   DS Signature Validity Period . . . . . . . . . . . . . 22
-   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 23
-   6.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 23
-   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
-     7.1   Normative References . . . . . . . . . . . . . . . . . . . 24
-     7.2   Informative References . . . . . . . . . . . . . . . . . . 24
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
-   A.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . . 25
-   B.  Zone-signing Key Rollover Howto  . . . . . . . . . . . . . . . 26
-   C.  Typographic Conventions  . . . . . . . . . . . . . . . . . . . 26
-   D.  Document Details and Changes . . . . . . . . . . . . . . . . . 29
-     D.1   draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 29
-     D.2   draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 29
-     D.3   draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 29
-     D.4   draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 29
-     D.5   draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 30
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 2]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       Intellectual Property and Copyright Statements . . . . . . . . 31
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 3]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-1.  Introduction
-
-   During workshops and early operational deployment tests, operators
-   and system administrators gained experience about operating the DNS
-   with security extensions (DNSSEC).  This document translates these
-   experiences into a set of practices for zone administrators.  At the
-   time of writing, there exists very little experience with DNSSEC in
-   production environments; this document should therefore explicitly
-   not be seen as representing 'Best Current Practices'.
-
-   The procedures herein are focused on the maintenance of signed zones
-   (i.e. signing and publishing zones on authoritative servers).  It is
-   intended that maintenance of zones such as resigning or key rollovers
-   be transparent to any verifying clients on the Internet.
-
-   The structure of this document is as follows.  In Section 2 we
-   discuss the importance of keeping the "chain of trust" intact.
-   Aspects of key generation and storage of private keys are discussed
-   in Section 3; the focus in this section is mainly on the private part
-   of the key(s).  Section 4 describes considerations concerning the
-   public part of the keys.  Since these public keys appear in the DNS
-   one has to take into account all kinds of timing issues, which are
-   discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
-   rollover, or which, of keys.  Finally Section 4.4 discusses
-   considerations on how parents deal with their children's public keys
-   in order to maintain chains of trust.
-
-   The typographic conventions used in this document are explained in
-   Appendix C.
-
-   Since this is a document with operational suggestions and there are
-   no protocol specifications, the RFC2119 [4] language does not apply.
-
-   This document obsoletes RFC2541 [7]
-
-1.1  The Use of the Term 'key'
-
-   It is assumed that the reader is familiar with the concept of
-   asymmetric keys on which DNSSEC is based (Public Key Cryptography
-   [11]).  Therefore, this document will use the term 'key' rather
-   loosely.  Where it is written that 'a key is used to sign data' it is
-   assumed that the reader understands that it is the private part of
-   the key-pair that is used for signing.  It is also assumed that the
-   reader understands that the public part of the key-pair is published
-   in the DNSKEY resource record and that it is the public part that is
-   used in key-exchanges.
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 4]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-1.2  Time Definitions
-
-   In this document we will be using a number of time related terms.
-   The following definitions apply:
-   o  "Signature validity period"
-         The period that a signature is valid.  It starts at the time
-         specified in the signature inception field of the RRSIG RR and
-         ends at the time specified in the expiration field of the RRSIG
-         RR.
-   o  "Signature publication period"
-         Time after which a signature (made with a specific key) is
-         replaced with a new signature (made with the same key).  This
-         replacement takes place by publishing the relevant RRSIG in the
-         master zone file.
-         After one stopped publishing an RRSIG in a zone it may take a
-         while before the RRSIG has expired from caches and has actually
-         been removed from the DNS.
-   o  "Key effectivity period"
-         The period which a key pair is expected to be effective.  This
-         period is defined as the time between the first inception time
-         stamp and the last expiration date of any signature made with
-         this key.
-         The key effectivity period can span multiple signature validity
-         periods.
-   o  "Maximum/Minimum Zone TTL"
-         The maximum or minimum value of the TTLs from the complete set
-         of RRs in a zone.
-
-2.  Keeping the Chain of Trust Intact
-
-   Maintaining a valid chain of trust is important because broken chains
-   of trust will result in data being marked as Bogus (as defined in [2]
-   section 5), which may cause entire (sub)domains to become invisible
-   to verifying clients.  The administrators of secured zones have to
-   realize that their zone is, to their clients, part of a chain of
-   trust.
-
-   As mentioned in the introduction, the procedures herein are intended
-   to ensure maintenance of zones, such as resigning or key rollovers,
-   will be transparent to the verifying clients on the Internet.
-
-   Administrators of secured zones will have to keep in mind that data
-   published on an authoritative primary server will not be immediately
-   seen by verifying clients; it may take some time for the data to be
-   transfered to other secondary authoritative nameservers and clients
-   may be fetching data from caching non-authoritative servers.
-
-   For the verifying clients it is important that data from secured
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 5]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   zones can be used to build chains of trust regardless of whether the
-   data came directly from an authoritative server, a caching nameserver
-   or some middle box.  Only by carefully using the available timing
-   parameters can a zone administrator assure that the data necessary
-   for verification can be obtained.
-
-   The responsibility for maintaining the chain of trust is shared by
-   administrators of secured zones in the chain of trust.  This is most
-   obvious in the case of a 'key compromise' when a trade off between
-   maintaining a valid chain of trust and replacing the compromised keys
-   as soon as possible must be made.  Then zone administrators will have
-   to make a trade off, between keeping the chain of trust intact -
-   thereby allowing for attacks with the compromised key - or to
-   deliberately break the chain of trust and making secured sub domains
-   invisible to security aware resolvers.  Also see Section 4.3.
-
-3.  Keys Generation and Storage
-
-   This section describes a number of considerations with respect to the
-   security of keys.  It deals with the generation, effectivity period,
-   size and storage of private keys.
-
-3.1  Zone and Key Signing Keys
-
-   The DNSSEC validation protocol does not distinguish between DNSKEYs.
-   All DNSKEYs can be used during the validation.  In practice operators
-   use Key Signing and Zone Signing Keys and use the so-called (Secure
-   Entry Point) SEP flag to distinguish between them during operations.
-   The dynamics and considerations are discussed below.
-
-   To make zone resigning and key rollover procedures easier to
-   implement, it is possible to use one or more keys as Key Signing Keys
-   (KSK).  These keys will only sign the apex DNSKEY RR set in a zone.
-   Other keys can be used to sign all the RRsets in a zone and are
-   referred to as Zone Signing Keys (ZSK).  In this document we assume
-   that KSKs are the subset of keys that are used for key exchanges with
-   the parent and potentially for configuration as trusted anchors - the
-   SEP keys.  In this document we assume a one-to-one mapping between
-   KSK and SEP keys and we assume the SEP flag [1] to be set on all
-   KSKs.
-
-3.1.1  Motivations for the KSK and ZSK Separation
-
-   Differentiating between the KSK and ZSK functions has several
-   advantages:
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 6]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   o  No parent/child interaction is required when ZSKs are updated.
-   o  The KSK can be made stronger (i.e. using more bits in the key
-      material).  This has little operational impact since it is only
-      used to sign a small fraction of the zone data.  Also when
-      verifying the KSK is only used to verify the zone's keyset.
-   o  As the KSK is only used to sign a key set, which is most probably
-      updated less frequently than other data in the zone, it can be
-      stored separately from and in a safer location than the ZSK.
-   o  A KSK can have a longer key effectivity period.
-
-   For almost any method of key management and zone signing the KSK is
-   used less frequently than the ZSK.  Once a key set is signed with the
-   KSK all the keys in the key set can be used as ZSK.  If a ZSK is
-   compromised, it can be simply dropped from the key set.  The new key
-   set is then resigned with the KSK.
-
-   Given the assumption that for KSKs the SEP flag is set, the KSK can
-   be distinguished from a ZSK by examining the flag field in the DNSKEY
-   RR.  If the flag field is an odd number it is a KSK.  If it is an
-   even number it is a ZSK.
-
-   The zone-signing key can be used to sign all the data in a zone on a
-   regular basis.  When a zone-signing key is to be rolled, no
-   interaction with the parent is needed.  This allows for "Signature
-   Validity Periods" on the order of days.
-
-   The key-signing key is only to be used to sign the DNSKEY RRs in a
-   zone.  If a key-signing key is to be rolled over, there will be
-   interactions with parties other than the zone administrator.  These
-   can include the registry of the parent zone or administrators of
-   verifying resolvers that have the particular key configured as
-   trusted entry points.  Hence, the key effectivity period of these
-   keys can and should be made much longer.  Although, given a long
-   enough key, the Key Usage Time can be on the order of years we
-   suggest planning for a key effectivity of the order of a few months
-   so that a key rollover remains an operational routine.
-
-3.1.2  KSKs for high level zones
-
-   Higher level zones are generally more sensitive than lower level
-   zones.  Anyone controlling or breaking the security of a zone thereby
-   obtains authority over all of its sub domains (except in the case of
-   resolvers that have locally configured the public key of a sub
-   domain).  Therefore, extra care should be taken with high level zones
-   and strong keys used.
-
-   The root zone is the most critical of all zones.  Someone controlling
-   or compromising the security of the root zone would control the
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 7]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   entire DNS name space of all resolvers using that root zone (except
-   in the case of resolvers that have locally configured the public key
-   of a sub domain).  Therefore, the utmost care must be taken in the
-   securing of the root zone.  The strongest and most carefully handled
-   keys should be used.  The root zone private key should always be kept
-   off line.
-
-   Many resolvers will start at a root server for their access to and
-   authentication of DNS data.  Securely updating the trust anchors in
-   an enormous population of resolvers around the world will be
-   extremely difficult.
-
-3.2  Randomness
-
-   Careful generation of all keys is a sometimes overlooked but
-   absolutely essential element in any cryptographically secure system.
-   The strongest algorithms used with the longest keys are still of no
-   use if an adversary can guess enough to lower the size of the likely
-   key space so that it can be exhaustively searched.  Technical
-   suggestions for the generation of random keys will be found in
-   RFC1750 [3].  One should carefully assess if the random number
-   generator used during key generation adheres to these suggestions.
-
-   Keys with a long effectivity period are particularly sensitive as
-   they will represent a more valuable target and be subject to attack
-   for a longer time than short period keys.  It is strongly recommended
-   that long term key generation occur off-line in a manner isolated
-   from the network via an air gap or, at a minimum, high level secure
-   hardware.
-
-3.3  Key Effectivity Period
-
-   For various reasons keys in DNSSEC need to be changed once in a
-   while.  The longer a key is in use, the greater the probability that
-   it will have been compromised through carelessness, accident,
-   espionage, or cryptanalysis.  Furthermore when key rollovers are too
-   rare an event, they will not become part of the operational habit and
-   there is risk that nobody on-site will remember the procedure for
-   rollover when the need is there.
-
-   For Key Signing Keys a reasonable key effectivity period is 13
-   months, with the intent to replace them after 12 months.  An intended
-   key effectivity period of a month is reasonable for Zone Signing
-   Keys.
-
-   Using these recommendations will lead to rollovers occurring
-   frequently enough to become part of 'operational habits'; the
-   procedure does not have to be reinvented every time a key is
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 8]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   replaced.
-
-   Key effectivity periods can be made very short, as in the order of a
-   few minutes.  But when replacing keys one has to take the
-   considerations from Section 4.1 and Section 4.2 into account.
-
-3.4  Key Algorithm
-
-   There are currently three different types of algorithms that can be
-   used in DNSSEC: RSA, DSA and elliptic curve cryptography.  The latter
-   is fairly new and still needs to be standardized for usage in DNSSEC.
-
-   RSA has been developed in an open and transparent manner.  As the
-   patent on RSA expired in 2000, its use is now also free.
-
-   DSA has been developed by NIST.  The creation of signatures is
-   roughly done at the same speed as with RSA, but is 10 to 40 times as
-   slow for verification [11].
-
-   We suggest the use of RSA/SHA-1 as the preferred algorithm for the
-   key.  The current known attacks on RSA can be defeated by making your
-   key longer.  As the MD5 hashing algorithm is showing (theoretical)
-   cracks, we recommend the usage of SHA1.
-
-   In 2005 some discoveries were made that SHA-1 also has some
-   weaknesses.  Currently SHA-1 is strong enough for DNSSEC.  It is
-   expected that a new hashing algorithm is rolled out, before any
-   attack becomes practical.
-
-3.5  Key Sizes
-
-   When choosing key sizes, zone administrators will need to take into
-   account how long a key will be used and how much data will be signed
-   during the key publication period.  It is hard to give precise
-   recommendations but Lenstra and Verheul [10] supplied the following
-   table with lower bound estimates for cryptographic key sizes.  Their
-   recommendations are based on a set of explicitly formulated parameter
-   settings, combined with existing data points about cryptographic
-   systems.  For details we refer to the original paper.
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 9]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       Year    RSA Key Sizes       Year    RSA Key Sizes
-
-       2000        952             2015        1613
-       2001        990             2016        1664
-       2002        1028            2017        1717
-       2003        1068            2018        1771
-       2004        1108            2019        1825
-
-
-       2005        1149            2020        1881
-       2006        1191            2021        1937
-       2007        1235            2022        1995
-       2008        1279            2023        2054
-       2009        1323            2024        2113
-
-
-       2026        2236            2025        2174
-       2010        1369            2027        2299
-       2011        1416            2028        2362
-       2012        1464            2029        2427
-       2013        1513
-       2014        1562
-
-   For example, should you wish your key to last three years from 2003,
-   check the RSA key size values for 2006 in this table.  In this case
-   it should be at least 1191 bits.
-
-   Please keep in mind that nobody can see into the future, and that
-   these key lengths are only provided here as a guide.
-
-   When determining a key size one should take into account that a large
-   key will be slower during generation and verification.  For RSA,
-   verification, the most common operation, will vary roughly with the
-   square of the key size; signing will vary with the cube of the key
-   size length; and key generation will vary with the fourth power of
-   the modulus length.  Besides larger keys will increase the sizes of
-   the RRSIG and DNSKEY records and will therefore increase the chance
-   of DNS UDP packet overflow.  Also see Section 3.1.1 for a discussion
-   of how keys serving different roles (ZSK v.  KSK) may need different
-   key strengths.
-
-3.6  Private Key Storage
-
-   It is recommended that, where possible, zone private keys and the
-   zone file master copy be kept and used in off-line, non-network
-   connected, physically secure machines only.  Periodically an
-   application can be run to add authentication to a zone by adding
-   RRSIG and NSEC RRs.  Then the augmented file can be transferred,
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 10]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   perhaps by sneaker-net, to the networked zone primary server machine.
-
-   The ideal situation is to have a one way information flow to the
-   network to avoid the possibility of tampering from the network.
-   Keeping the zone master file on-line on the network and simply
-   cycling it through an off-line signer does not do this.  The on-line
-   version could still be tampered with if the host it resides on is
-   compromised.  For maximum security, the master copy of the zone file
-   should be off net and should not be updated based on an unsecured
-   network mediated communication.
-
-   In general keeping a zone-file off-line will not be practical and the
-   machines on which zone files are maintained will be connected to a
-   network.  Operators are advised to take security measures to shield
-   unauthorized access to the master copy.
-
-   For dynamically updated secured zones [5] both the master copy and
-   the private key that is used to update signatures on updated RRs will
-   need to be on line.
-
-4.  Signature generation, Key Rollover and Related Policies
-
-4.1  Time in DNSSEC
-
-   Without DNSSEC all times in DNS are relative.  The SOA RR's refresh,
-   retry and expiration timers are counters that are used to determine
-   the time elapsed after a slave server synchronized (or tried to
-   synchronize) with a master server.  The Time to Live (TTL) value and
-   the SOA RR minimum TTL parameter [6] are used to determine how long a
-   forwarder should cache data after it has been fetched from an
-   authoritative server.  By using a signature validity period, DNSSEC
-   introduces the notion of an absolute time in the DNS.  Signatures in
-   DNSSEC have an expiration date after which the signature is marked as
-   invalid and the signed data is to be considered Bogus.
-
-4.1.1  Time Considerations
-
-   Because of the expiration of signatures, one should consider the
-   following:
-   o  We suggest the Maximum Zone TTL of your zone data to be a fraction
-      of your signature validity period.
-         If the TTL would be of similar order as the signature validity
-         period, then all RRsets fetched during the validity period
-         would be cached until the signature expiration time.  Section
-         7.1 of [2] suggests that "the resolver may use the time
-         remaining before expiration of the signature validity period of
-         a signed RRset as an upper bound for the TTL".  As a result
-         query load on authoritative servers would peak at signature
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 11]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-         expiration time, as this is also the time at which records
-         simultaneously expire from caches.
-         To avoid query load peaks we suggest the TTL on all the RRs in
-         your zone to be at least a few times smaller than your
-         signature validity period.
-   o  We suggest the signature publication period to be at least one
-      maximum TTL smaller than the signature validity period.
-         Resigning a zone shortly before the end of the signature
-         validity period may cause simultaneous expiration of data from
-         caches.  This in turn may lead to peaks in the load on
-         authoritative servers.
-   o  We suggest the minimum zone TTL to be long enough to both fetch
-      and verify all the RRs in the authentication chain.  A low TTL
-      could cause two problems:
-         1.  During validation, some data may expire before the
-         validation is complete.  The validator should be able to keep
-         all data, until is completed.  This applies to all RRs needed
-         to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
-         final answers i.e. the RR set that is returned for the initial
-         query.
-         2.  Frequent verification causes load on recursive nameservers.
-         Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
-         caching.  The TTL on those should be relatively long.
-   o  Slave servers will need to be able to fetch newly signed zones
-      well before the RRSIGs in the zone served by the slave server pass
-      their signature expiration time.
-         When a slave server is out of sync with its master and data in
-         a zone is signed by expired signatures it may be better for the
-         slave server not to give out any answer.
-         Normally a slave server that is not able to contact a master
-         server for an extended period will expire a zone.  When that
-         happens the zone will not respond on queries.  The time of
-         expiration is set in the SOA record and is relative to the last
-         successful refresh between the master and the slave server.
-         There exists no coupling between the signature expiration of
-         RRSIGs in the zone and the expire parameter in the SOA.
-         If the server serves a DNSSEC zone than it may well happen that
-         the signatures expire well before the SOA expiration timer
-         counts down to zero.  It is not possible to completely prevent
-         this from happening by tweaking the SOA parameters.
-         However, the effects can be minimized where the SOA expiration
-         time is equal or smaller than the signature validity period.
-         The consequence of an authoritative server not being able to
-         update a zone, whilst that zone includes expired signatures, is
-         that non-secure resolvers will continue to be able to resolve
-         data served by the particular slave servers while security
-         aware resolvers will experience problems because of answers
-         being marked as Bogus.
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 12]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-         We suggest the SOA expiration timer being approximately one
-         third or one fourth of the signature validity period.  It will
-         allow problems with transfers from the master server to be
-         noticed before the actual signature time out.
-         We also suggest that operators of nameservers that supply
-         secondary services develop 'watch dogs' to spot upcoming
-         signature expirations in zones they slave, and take appropriate
-         action.
-         When determining the value for the expiration parameter one has
-         to take the following into account: What are the chances that
-         all my secondary zones expire; How quickly can I reach an
-         administrator of secondary servers to load a valid zone?  All
-         these arguments are not DNSSEC specific but may influence the
-         choice of your signature validity intervals.
-
-4.2  Key Rollovers
-
-   A DNSSEC key cannot be used forever (see Section 3.3).  So key
-   rollovers -- or supercessions, as they are sometimes called -- are a
-   fact of life when using DNSSEC.  Zone administrators who are in the
-   process of rolling their keys have to take into account that data
-   published in previous versions of their zone still lives in caches.
-   When deploying DNSSEC, this becomes an important consideration;
-   ignoring data that may be in caches may lead to loss of service for
-   clients.
-
-   The most pressing example of this is when zone material signed with
-   an old key is being validated by a resolver which does not have the
-   old zone key cached.  If the old key is no longer present in the
-   current zone, this validation fails, marking the data Bogus.
-   Alternatively, an attempt could be made to validate data which is
-   signed with a new key against an old key that lives in a local cache,
-   also resulting in data being marked Bogus.
-
-4.2.1  Zone-signing Key Rollovers
-
-   For zone-signing key rollovers there are two ways to make sure that
-   during the rollover data still cached can be verified with the new
-   key sets or newly generated signatures can be verified with the keys
-   still in caches.  One schema, described in Section 4.2.1.2, uses
-   double signatures; the other uses key pre-publication
-   (Section 4.2.1.1).  The pros, cons and recommendations are described
-   in Section 4.2.1.3.
-
-4.2.1.1  Pre-publish key set Rollover
-
-   This section shows how to perform a ZSK rollover without the need to
-   sign all the data in a zone twice - the so-called "pre-publish
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 13]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   rollover".This method has advantages in the case of a key compromise.
-   If the old key is compromised, the new key has already been
-   distributed in the DNS.  The zone administrator is then able to
-   quickly switch to the new key and remove the compromised key from the
-   zone.  Another major advantage is that the zone size does not double,
-   as is the case with the double signature ZSK rollover.  A small
-   "HOWTO" for this kind of rollover can be found in Appendix B.
-
-    normal          pre-roll         roll            after
-
-    SOA0            SOA1             SOA2            SOA3
-    RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
-
-    DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
-    DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
-                    DNSKEY11         DNSKEY11
-    RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
-    RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-
-
-   normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
-      DNSKEY 10 is used to sign all the data of the zone, the zone-
-      signing key.
-   pre-roll: DNSKEY 11 is introduced into the key set.  Note that no
-      signatures are generated with this key yet, but this does not
-      secure against brute force attacks on the public key.  The minimum
-      duration of this pre-roll phase is the time it takes for the data
-      to propagate to the authoritative servers plus TTL value of the
-      key set.  This equates to two times the Maximum Zone TTL.
-   roll: At the rollover stage (SOA serial 2) DNSKEY 11 is used to sign
-      the data in the zone exclusively  (i.e. all the signatures from
-      DNSKEY 10 are removed from the zone).  DNSKEY 10 remains published
-      in the key set.  This way data that was loaded into caches from
-      version 1 of the zone can still be verified with key sets fetched
-      from version 2 of the zone.
-      The minimum time that the key set including DNSKEY 10 is to be
-      published is the time that it takes for zone data from the
-      previous version of the zone to expire from old caches i.e. the
-      time it takes for this zone to propagate to all authoritative
-      servers plus the Maximum Zone TTL value of any of the data in the
-      previous version of the zone.
-   after: DNSKEY 10 is removed from the zone.  The key set, now only
-      containing DNSKEY 1 and DNSKEY 11 is resigned with the DNSKEY 1.
-
-   The above scheme can be simplified by always publishing the "future"
-   key immediately after the rollover.  The scheme would look as follows
-   (we show two rollovers); the future key is introduced in "after" as
-   DNSKEY 12 and again a newer one, numbered 13, in "2nd after":
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 14]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       normal              roll                after
-
-       SOA0                SOA2                SOA3
-       RRSIG10(SOA0)       RRSIG11(SOA2)       RRSIG11(SOA3)
-
-       DNSKEY1             DNSKEY1             DNSKEY1
-       DNSKEY10            DNSKEY10            DNSKEY11
-       DNSKEY11            DNSKEY11            DNSKEY12
-       RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
-       RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
-
-
-       2nd roll            2nd after
-
-       SOA4                SOA5
-       RRSIG12(SOA4)       RRSIG12(SOA5)
-
-       DNSKEY1             DNSKEY1
-       DNSKEY11            DNSKEY12
-       DNSKEY12            DNSKEY13
-       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
-       RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
-
-
-   Note that the key introduced after the rollover is not used for
-   production yet; the private key can thus be stored in a physically
-   secure manner and does not need to be 'fetched' every time a zone
-   needs to be signed.
-
-4.2.1.2  Double Signature Zone-signing Key Rollover
-
-   This section shows how to perform a ZSK key rollover using the double
-   zone data signature scheme, aptly named "double sig rollover".
-
-   During the rollover stage the new version of the zone file will need
-   to propagate to all authoritative servers and the data that exists in
-   (distant) caches will need to expire, requiring at least the maximum
-   Zone TTL.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 15]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       normal              roll               after
-
-       SOA0                SOA1               SOA2
-       RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
-                           RRSIG11(SOA1)
-
-       DNSKEY1             DNSKEY1            DNSKEY1
-       DNSKEY10            DNSKEY10           DNSKEY11
-                           DNSKEY11
-       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
-       RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
-                           RRSIG11(DNSKEY)
-
-   normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
-      DNSKEY 10 is used to sign all the data of the zone, the zone-
-      signing key.
-   roll: At the rollover stage (SOA serial 1) DNSKEY 11 is introduced
-      into the key set and all the data in the zone is signed with
-      DNSKEY 10 and DNSKEY 11.  The rollover period will need to exist
-      until all data from version 0 of the zone has expired from remote
-      caches.  This will take at least the maximum Zone TTL of version 0
-      of the zone.
-   after: DNSKEY 10 is removed from the zone.  All the signatures from
-      DNSKEY 10 are removed from the zone.  The key set, now only
-      containing DNSKEY 11, is resigned with DNSKEY 1.
-
-   At every instance, RRSIGs from the previous version of the zone can
-   be verified with the DNSKEY RRset from the current version and the
-   other way around.  The data from the current version can be verified
-   with the data from the previous version of the zone.  The duration of
-   the rollover phase and the period between rollovers should be at
-   least the "Maximum Zone TTL".
-
-   Making sure that the rollover phase lasts until the signature
-   expiration time of the data in version 0 of the zone is recommended.
-   This way all caches are cleared of the old signatures.  However, this
-   date could be considerably longer than the Maximum Zone TTL, making
-   the rollover a lengthy procedure.
-
-   Note that in this example we assumed that the zone was not modified
-   during the rollover.  New data can be introduced in the zone as long
-   as it is signed with both keys.
-
-4.2.1.3  Pros and Cons of the Schemes
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 16]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   Pre-publish-key set rollover: This rollover does not involve signing
-      the zone data twice.  Instead, before the actual rollover, the new
-      key is published in the key set and thus available for
-      cryptanalysis attacks.  A small disadvantage is that this process
-      requires four steps.  Also the pre-publish scheme involves more
-      parental work when used for KSK rollovers as explained in
-      Section 4.2.
-   Double signature rollover: The drawback of this signing scheme is
-      that during the rollover the number of signatures in your zone
-      doubles, this may be prohibitive if you have very big zones.  An
-      advantage is that it only requires three steps.
-
-4.2.2  Key-signing Key Rollovers
-
-   For the rollover of a key-signing key the same considerations as for
-   the rollover of a zone-signing key apply.  However we can use a
-   double signature scheme to guarantee that old data (only the apex key
-   set) in caches can be verified with a new key set and vice versa.
-
-   Since only the key set is signed with a KSK, zone size considerations
-   do not apply.
-
-
-       normal          roll            after
-
-       SOA0            SOA1            SOA2
-       RRSIG10(SOA0)   RRSIG10(SOA1)   RRSIG10(SOA2)
-
-       DNSKEY1         DNSKEY1         DNSKEY2
-                       DNSKEY2
-       DNSKEY10        DNSKEY10        DNSKEY10
-       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY)
-                       RRSIG2 (DNSKEY)
-       RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-
-   normal: Version 0 of the zone.  The parental DS points to DNSKEY1.
-      Before the rollover starts the child will have to verify what the
-      TTL is of the DS RR that points to DNSKEY1 - it is needed during
-      the rollover and we refer to the value as TTL_DS.
-   roll: During the rollover phase the zone administrator generates a
-      second KSK, DNSKEY2.  The key is provided to the parent and the
-      child will have to wait until a new DS RR has been generated that
-      points to DNSKEY2.  After that DS RR has been published on all
-      servers authoritative for the parent's zone, the zone
-      administrator has to wait at least TTL_DS to make sure that the
-      old DS RR has expired from caches.
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 17]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   after: DNSKEY1 has been removed.
-
-   The scenario above puts the responsibility for maintaining a valid
-   chain of trust with the child.  It also is based on the premises that
-   the parent only has one DS RR (per algorithm) per zone.  An
-   alternative mechanism has been considered.  Using an established
-   trust relation, the interaction can be performed in-band, and the
-   removal of the keys by the child can possibly be signaled by the
-   parent.  In this mechanism there are periods where there are two DS
-   RRs at the parent.  Since at the moment of writing the protocol for
-   this interaction has not been developed further discussion is out of
-   scope for this document.
-
-4.2.3  Difference Between ZSK and KSK Rollovers
-
-   Note that KSK rollovers and ZSK rollovers are different.  A zone-key
-   rollover can be handled in two different ways: pre-publish (Section
-   Section 4.2.1.1) and double signature (Section Section 4.2.1.2).
-
-   As the KSK is used to validate the key set and because the KSK is not
-   changed during a ZSK rollover, a cache is able to validate the new
-   key set of the zone.  The pre-publish method would work for a KSK
-   rollover.  The record that are to be pre-published are the parental
-   DS RRs.
-
-   The pre-publish method has some drawbacks.  We first describe the
-   rollover scheme and then indicate these drawbacks.
-
-     normal          pre-roll         roll            after
-   Parent:
-     SOA0            SOA1             SOA2            SOA3
-     RRSIGpar(SOA0)  RRSIGpar(SOA1)   RRSIGpar(SOA2)  RRSIGpar(SOA3)
-     DS1             DS1              DS1             DS2
-                     DS2              DS2
-     RRSIGpar(DS)    RRSIGpar(DS)     RRSIGpar(DS)    RRSIGpar(DS)
-
-
-
-   Child:
-     SOA0            SOA0             SOA1            SOA1
-     RRSIG10(SOA0)   RRSIG10(SOA0)    RRSIG10(SOA1)   RRSIG10(SOA1)
-
-     DNSKEY1         DNSKEY1          DNSKEY2         DNSKEY2
-
-     DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY10
-     RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
-     RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 18]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   When the child zone wants to roll it notifies the parent during the
-   pre-roll phase and submits the new key to the parent.  The parent
-   publishes DS1 and DS2, pointing to DNSKEY1 and DNSKEY2 respectively.
-   During the rollover, which can take place as soon as the new DS set
-   propagated through the DNS, the child replaces DNSKEY1 with DNSKEY2.
-   Immediately after that it can notify the parent that the old DS
-   record can be deleted.
-
-   The drawbacks of these scheme are that during the pre-roll phase the
-   parent cannot verify the match between the DS RR and DNSKEY2 using
-   the DNS.  Besides, we introduce a "security lame" DS record
-   Section 4.4.3.  Finally the child-parent interaction consists of two
-   steps.  The "double signature" method only needs one interaction.
-
-4.2.4  Automated Key Rollovers
-
-   As keys must be renewed periodically, there is some motivation to
-   automate the rollover process.  Consider that:
-
-   o  ZSK rollovers are easy to automate as only the local zone is
-      involved.
-   o  A KSK rollover needs interaction between the parent and child.
-      Data exchange is needed to provide the new keys to the parent,
-      consequently, this data must be authenticated and integrity must
-      be guaranteed in order to avoid attacks on the rollover.
-   o  All time and TTL considerations presented in Section 4.2 apply to
-      an automated rollover.
-
-4.3  Planning for Emergency Key Rollover
-
-   This section deals with preparation for a possible key compromise.
-   Our advice is to have a documented procedure ready for when a key
-   compromise is suspected or confirmed.
-
-   When the private material of one of your keys is compromised it can
-   be used for as long as a valid authentication chain exists.  An
-   authentication chain remains intact for:
-   o  as long as a signature over the compromised key in the
-      authentication chain is valid,
-   o  as long as a parental DS RR (and signature) points to the
-      compromised key,
-   o  as long as the key is anchored in a resolver and is used as a
-      starting point for validation.  (This is generally the hardest to
-      update.)
-
-   While an authentication chain to your compromised key exists, your
-   name-space is vulnerable to abuse by anyone who has obtained
-   illegitimate possession of the key.Zone operators have to make a
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 19]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   trade off if the abuse of the compromised key is worse than having
-   data in caches that cannot be validated.  If the zone operator
-   chooses to break the authentication chain to the compromised key,
-   data in caches signed with this key cannot be validated.  However, if
-   the zone administrator chooses to take the path of a regular roll-
-   over, the malicious key holder can spoof data so that it appears to
-   be valid.  Note that this kind of attack is more likely to occur in a
-   localized part of the network topology i.e. downstream from where the
-   spoof takes place.
-
-
-4.3.1  KSK Compromise
-
-   When the KSK has been compromised the parent must be notified as soon
-   as possible using secure means.  The key set of the zone should be
-   resigned as soon as possible.  Care must be taken to not break the
-   authentication chain.  The local zone can only be resigned with the
-   new KSK after the parent's zone has created and reloaded its zone
-   with the DS created from the new KSK.  Before this update takes place
-   it would be best to drop the security status of a zone all together:
-   the parent removes the DS of the child at the next zone update.
-   After that the child can be made secure again.
-
-   An additional danger of a key compromise is that the compromised key
-   can be used to facilitate a legitimate DNSKEY/DS and/or nameserver
-   rollover at the parent.  When that happens the domain can be in
-   dispute.  An authenticated out of band and secure notify mechanism to
-   contact a parent is needed in this case.
-
-4.3.2  ZSK Compromise
-
-   Primarily because there is no parental interaction required when a
-   ZSK is compromised, the situation is less severe than with with a KSK
-   compromise.  The zone must still be resigned with a new ZSK as soon
-   as possible.  As this is a local operation and requires no
-   communication between the parent and child this can be achieved
-   fairly quickly.  However, one has to take into account that just as
-   with a normal rollover the immediate disappearance from the old
-   compromised key may lead to verification problems.  The pre-
-   publication scheme as discussed above minimizes such problems.
-
-4.3.3  Compromises of Keys Anchored in Resolvers
-
-   A key can also be pre-configured in resolvers.  For instance, if
-   DNSSEC is successfully deployed the root key may be pre-configured in
-   most security aware resolvers.
-
-   If trust-anchor keys are compromised, the resolvers using these keys
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 20]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   should be notified of this fact.  Zone administrators may consider
-   setting up a mailing list to communicate the fact that a SEP key is
-   about to be rolled over.  This communication will of course need to
-   be authenticated e.g. by using digital signatures.
-
-   End-users faced with the task of updating an anchored key should
-   always validate the new key.  New keys should be authenticated out of
-   the DNS, for example, looking them up on an SSL secured announcement
-   website.
-
-4.4  Parental Policies
-
-4.4.1  Initial Key Exchanges and Parental Policies Considerations
-
-   The initial key exchange is always subject to the policies set by the
-   parent (or its registry).  When designing a key exchange policy one
-   should take into account that the authentication and authorization
-   mechanisms used during a key exchange should be as strong as the
-   authentication and authorization mechanisms used for the exchange of
-   delegation information between parent and child.  I.e. there is no
-   implicit need in DNSSEC to make the authentication process stronger
-   than it was in DNS.
-
-   Using the DNS itself as the source for the actual DNSKEY material,
-   with an off-band check on the validity of the DNSKEY, has the benefit
-   that it reduces the chances of user error.  A parental DNSKEY
-   download tool can make use of the SEP bit [1] to select the proper
-   key from a DNSSEC key set; thereby reducing the chance that the wrong
-   DNSKEY is sent.  It can validate the self-signature over a key;
-   thereby verifying the ownership of the private key material.
-   Fetching the DNSKEY from the DNS ensures that the chain of trust
-   remains intact once the parent publishes the DS RR indicating the
-   child is secure.
-
-   Note: the off-band verification is still needed when the key-material
-   is fetched via the DNS.  The parent can never be sure whether the
-   DNSKEY RRs have been spoofed or not.
-
-4.4.2  Storing Keys or Hashes?
-
-   When designing a registry system one should consider which of the
-   DNSKEYs and/or the corresponding DSs to store.  Since a child zone
-   might wish to have a DS published using a message digest algorithm
-   not yet understood by the registry, the registry can't count on being
-   able to generate the DS record from a raw DNSKEY.  Thus, we recommend
-   that registry system at least support storing DS records.
-
-   It may also be useful to store DNSKEYs, since having them may help
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 21]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   during troubleshooting and, so long as the child's chosen message
-   digest is supported, the overhead of generating DS records from them
-   is minimal.  Having an out-of-band mechanism, such as a Whois
-   database, to find out which keys are used to generate DS Resource
-   Records for specific owners and/or zones may also help with
-   troubleshooting.
-
-   The storage considerations also relate the design of the customer
-   interface and the method by which data is transfered between
-   registrant and registry; Will the child zone owner be able to upload
-   DS RRs with unknown hash algorithms or does the interface only allows
-   DNSKEYs?  In the registry-registrar model one can use the DNSSEC EPP
-   protocol extensions [9] which allows transfer of DS RRs and
-   optionally DNSKEY RRs.
-
-4.4.3  Security Lameness
-
-   Security Lameness is defined as what happens when a parent has a DS
-   RR pointing to a non-existing DNSKEY RR.  During key exchange a
-   parent should make sure that the child's key is actually configured
-   in the DNS before publishing a DS RR in its zone.  Failure to do so
-   could cause the child's zone being marked as Bogus.
-
-   Child zones should be very careful removing DNSKEY material,
-   specifically SEP keys, for which a DS RR exists.
-
-   Once a zone is "security lame", a fix (e.g. removing a DS RR) will
-   take time to propagate through the DNS.
-
-4.4.4  DS Signature Validity Period
-
-   Since the DS can be replayed as long as it has a valid signature, a
-   short signature validity period over the DS minimizes the time a
-   child is vulnerable in the case of a compromise of the child's
-   KSK(s).  A signature validity period that is too short introduces the
-   possibility that a zone is marked Bogus in case of a configuration
-   error in the signer.  There may not be enough time to fix the
-   problems before signatures expire.  Something as mundane as operator
-   unavailability during weekends shows the need for DS signature
-   validity periods longer than 2 days.  We recommend the minimum for a
-   DS signature validity period of a few days.
-
-   The maximum signature validity period of the DS record depends on how
-   long child zones are willing to be vulnerable after a key compromise.
-   Other considerations, such as how often the zone is (re)signed can
-   also be taken into account.
-
-   We consider a signature validity period of around one week to be a
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 22]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   good compromise between the operational constraints of the parent and
-   minimizing damage for the child.
-
-   In addition to the signature validity period, which sets a lower
-   bound on the amount of times the zone owner will need to sign the
-   zone data and which sets an upper bound to the time a child is
-   vulnerable after key compromise,  there is the TTL value on the DS
-   RRs.  By lowering the TTL, the authoritative servers will see more
-   queries, on the other hand a low TTL increases the speed with which
-   new DS RRs propagate through the DNS.  As argued in Section 4.1.1,
-   the TTL should be a fraction of the signature validity period.
-
-5.  Security Considerations
-
-   DNSSEC adds data integrity to the DNS.  This document tries to assess
-   the operational considerations to maintain a stable and secure DNSSEC
-   service.  Not taking into account the 'data propagation' properties
-   in the DNS will cause validation failures and may make secured zones
-   unavailable to security aware resolvers.
-
-6.  Acknowledgments
-
-   Most of the ideas in this draft were the result of collective efforts
-   during workshops, discussions and try outs.
-
-   At the risk of forgetting individuals who were the original
-   contributors of the ideas we would like to acknowledge people who
-   were actively involved in the compilation of this document.  In
-   random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
-   Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
-   Olivier Courtay, Sam Weiler, Jelte Jansen and Niall O'Reilly.
-
-   Some material in this document has been shamelessly copied from
-   RFC2541 [7] by Donald Eastlake.
-
-   Mike StJohns designed the key exchange between parent and child
-   mentioned in the last paragraph of Section 4.2.2
-
-   Section 4.2.4 was supplied by G. Guette and O. Courtay.
-
-   Emma Bretherick, Adrian Bedford and Lindy Foster corrected many of
-   the spelling and style issues.
-
-   Kolkman and Gieben take the blame for introducing all miscakes(SIC).
-
-7.  References
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 23]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-7.1  Normative References
-
-   [1]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
-        (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
-        RFC 3757, May 2004.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-7.2  Informative References
-
-   [3]   Eastlake, D., Crocker, S., and J. Schiller, "Randomness
-         Recommendations for Security", RFC 1750, December 1994.
-
-   [4]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [5]   Eastlake, D., "Secure Domain Name System Dynamic Update",
-         RFC 2137, April 1997.
-
-   [6]   Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
-         RFC 2308, March 1998.
-
-   [7]   Eastlake, D., "DNS Security Operational Considerations",
-         RFC 2541, March 1999.
-
-   [8]   Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
-         RFC 3658, December 2003.
-
-   [9]   Hollenbeck, S., "Domain Name System (DNS) Security Extensions
-         Mapping for the Extensible  Provisioning Protocol (EPP)",
-         draft-hollenbeck-epp-secdns-07 (work in progress), March 2005.
-
-   [10]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
-         Sizes", The Journal of Cryptology 14 (255-293), 2001.
-
-   [11]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
-         Source Code in C", 1996.
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 24]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-Authors' Addresses
-
-   Olaf M. Kolkman
-   RIPE NCC
-   Singel 256
-   Amsterdam  1016 AB
-   The Netherlands
-
-   Phone: +31 20 535 4444
-   Email: olaf@ripe.net
-   URI:   http://www.ripe.net/
-
-
-   Miek Gieben
-   NLnet Labs
-   Kruislaan 419
-   Amsterdam  1098 VA
-   The Netherlands
-
-   Email: miek@nlnetlabs.nl
-   URI:   http://www.nlnetlabs.nl
-
-Appendix A.  Terminology
-
-   In this document there is some jargon used that is defined in other
-   documents.  In most cases we have not copied the text from the
-   documents defining the terms but given a more elaborate explanation
-   of the meaning.  Note that these explanations should not be seen as
-   authoritative.
-
-   Anchored Key: A DNSKEY configured in resolvers around the globe.
-      This key is hard to update, hence the term anchored.
-   Bogus: Also see Section 5 of [2].  An RRset in DNSSEC is marked
-      "Bogus" when a signature of a RRset does not validate against a
-      DNSKEY.
-   Key-Signing Key or KSK: A Key-Signing Key (KSK) is a key that is used
-      exclusively for signing the apex key set.  The fact that a key is
-      a KSK is only relevant to the signing tool.
-   Private and Public Keys: DNSSEC secures the DNS through the use of
-      public key cryptography.  Public key cryptography is based on the
-      existence of two keys, a public key and a private key.  The public
-      keys are published in the DNS by use of the DNSKEY Resource Record
-      (DNSKEY RR).  Private keys should remain private.
-   Key Rollover: A key rollover (also called key supercession in some
-      environments) is the act of replacing one key pair by another at
-      the end of a key effectivity period.
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 25]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   Secure Entry Point key or SEP Key: A KSK that has a parental DS
-      record pointing to it.  Note: this is not enforced in the
-      protocol.  A SEP Key with no parental DS is security lame.
-   Singing the Zone File: The term used for the event where an
-      administrator joyfully signs its zone file while producing melodic
-      sound patterns.
-   Signer: The system that has access to the private key material and
-      signs the Resource Record sets in a zone.  A signer may be
-      configured to sign only parts of the zone e.g. only those RRsets
-      for which existing signatures are about to expire.
-   Zone-Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
-      used for signing all data in a zone.  The fact that a key is a ZSK
-      is only relevant to the signing tool.
-   Zone Administrator: The 'role' that is responsible for signing a zone
-      and publishing it on the primary authoritative server.
-
-Appendix B.  Zone-signing Key Rollover Howto
-
-   Using the pre-published signature scheme and the most conservative
-   method to assure oneself that data does not live in caches here
-   follows the "HOWTO".
-   Step 0: The preparation: Create two keys and publish both in your key
-      set.  Mark one of the keys as "active" and the other as
-      "published".  Use the "active" key for signing your zone data.
-      Store the private part of the "published" key, preferably off-
-      line.
-      The protocol does not provide for attributes to mark a key as
-      active or published.  This is something you have to do on your
-      own, through the use of a notebook or key management tool.
-   Step 1: Determine expiration: At the beginning of the rollover make a
-      note of the highest expiration time of signatures in your zone
-      file created with the current key marked as "active".
-      Wait until the expiration time marked in Step 1 has passed
-   Step 2: Then start using the key that was marked as "published" to
-      sign your data i.e. mark it as "active".  Stop using the key that
-      was marked as "active", mark it as "rolled".
-   Step 3: It is safe to engage in a new rollover (Step 1) after at
-      least one "signature validity period".
-
-Appendix C.  Typographic Conventions
-
-   The following typographic conventions are used in this document:
-   Key notation: A key is denoted by KEYx, where x is a number, x could
-      be thought of as the key id.
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 26]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   RRset notations: RRs are only denoted by the type.  All other
-      information - owner, class, rdata and TTL - is left out.  Thus:
-      "example.com 3600 IN A 192.168.1.1" is reduced to "A".  RRsets are
-      a list of RRs.  A example of this would be: "A1,A2", specifying
-      the RRset containing two "A" records.  This could again be
-      abbreviated to just "A".
-   Signature notation: Signatures are denoted as RRSIGx(RRset), which
-      means that RRset is signed with DNSKEYx.
-   Zone representation: Using the above notation we have simplified the
-      representation of a signed zone by leaving out all unnecessary
-      details such as the names and by representing all data by "SOAx"
-   SOA representation: SOA's are represented as SOAx, where x is the
-      serial number.
-   Using this notation the following zone:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 27]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   example.net.     600     IN SOA  ns.example.net. bert.example.net. (
-                            10         ; serial
-                            450        ; refresh (7 minutes 30 seconds)
-                            600        ; retry (10 minutes)
-                            345600     ; expire (4 days)
-                            300        ; minimum (5 minutes)
-                             )
-                     600     RRSIG   SOA 5 2 600 20130522213204 (
-                                     20130422213204 14 example.net.
-                                     cmL62SI6iAX46xGNQAdQ... )
-                     600     NS      a.iana-servers.net.
-                     600     NS      b.iana-servers.net.
-                     600     RRSIG   NS 5 2 600 20130507213204 (
-                                     20130407213204 14 example.net.
-                                     SO5epiJei19AjXoUpFnQ ... )
-                     3600    DNSKEY  256 3 5 (
-                                     EtRB9MP5/AvOuVO0I8XDxy0...
-                                     ) ; key id = 14
-                     3600    DNSKEY  256 3 5 (
-                                     gsPW/Yy19GzYIY+Gnr8HABU...
-                                     ) ; key id = 15
-                     3600    RRSIG   DNSKEY 5 2 3600 20130522213204 (
-                                     20130422213204 14 example.net.
-                                     J4zCe8QX4tXVGjV4e1r9... )
-                     3600    RRSIG   DNSKEY 5 2 3600 20130522213204 (
-                                     20130422213204 15 example.net.
-                                     keVDCOpsSeDReyV6O... )
-                     600     RRSIG   NSEC 5 2 600 20130507213204 (
-                                     20130407213204 14 example.net.
-                                     obj3HEp1GjnmhRjX... )
-   a.example.net.    600     IN TXT  "A label"
-                     600     RRSIG   TXT 5 3 600 20130507213204 (
-                                     20130407213204 14 example.net.
-                                     IkDMlRdYLmXH7QJnuF3v... )
-                     600     NSEC    b.example.com. TXT RRSIG NSEC
-                     600     RRSIG   NSEC 5 3 600 20130507213204 (
-                                     20130407213204 14 example.net.
-                                     bZMjoZ3bHjnEz0nIsPMM... )
-
-                     ...
-
-
-   is reduced to the following representation:
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 28]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       SOA10
-       RRSIG14(SOA10)
-
-       DNSKEY14
-       DNSKEY15
-
-       RRSIG14(KEY)
-       RRSIG15(KEY)
-
-   The rest of the zone data has the same signature as the SOA record,
-   i.e a RRSIG created with DNSKEY 14.
-
-Appendix D.  Document Details and Changes
-
-   This section is to be removed by the RFC editor if and when the
-   document is published.
-
-   $Id: draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.31.2.14
-   2005/03/21 15:51:41 dnssec Exp $
-
-D.1  draft-ietf-dnsop-dnssec-operational-practices-00
-
-   Submission as working group document.  This document is a modified
-   and updated version of draft-kolkman-dnssec-operational-practices-00.
-
-D.2  draft-ietf-dnsop-dnssec-operational-practices-01
-
-   changed the definition of "Bogus" to reflect the one in the protocol
-   draft.
-
-   Bad to Bogus
-
-   Style and spelling corrections
-
-   KSK - SEP mapping made explicit.
-
-   Updates from Sam Weiler added
-
-D.3  draft-ietf-dnsop-dnssec-operational-practices-02
-
-   Style and errors corrected.
-
-   Added Automatic rollover requirements from I-D.ietf-dnsop-key-
-   rollover-requirements.
-
-D.4  draft-ietf-dnsop-dnssec-operational-practices-03
-
-   Added the definition of Key effectivity period and used that term
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 29]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   instead of Key validity period.
-
-   Modified the order of the sections, based on a suggestion by Rip
-   Loomis.
-
-   Included parts from RFC2541 [7].  Most of its ground was already
-   covered.  This document obsoletes RFC2541 [7].  Section 3.1.2
-   deserves some review as it in contrast to RFC2541 does _not_ give
-   recomendations about root-zone keys.
-
-   added a paragraph to Section 4.4.4
-
-D.5  draft-ietf-dnsop-dnssec-operational-practices-04
-
-   Somewhat more details added about the pre-publish KSK rollover.  Also
-   moved that subsection down a bit.
-
-   Editorial and content nits that came in during wg last call were
-   fixed.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 30]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 31]
-
diff --git a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-07.txt b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-07.txt
new file mode 100644
index 0000000000..56e5791ae9
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-07.txt
@@ -0,0 +1,1904 @@
+
+
+
+DNSOP                                                         O. Kolkman
+Internet-Draft                                                 R. Gieben
+Obsoletes: 2541 (if approved)                                 NLnet Labs
+Expires: August 25, 2006                               February 21, 2006
+
+
+                      DNSSEC Operational Practices
+          draft-ietf-dnsop-dnssec-operational-practices-07.txt
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 25, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document describes a set of practices for operating the DNS with
+   security extensions (DNSSEC).  The target audience is zone
+   administrators deploying DNSSEC.
+
+   The document discusses operational aspects of using keys and
+   signatures in the DNS.  It discusses issues as key generation, key
+   storage, signature generation, key rollover and related policies.
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006                [Page 1]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
+     1.1.  The Use of the Term 'key'  . . . . . . . . . . . . . . . .  4
+     1.2.  Time Definitions . . . . . . . . . . . . . . . . . . . . .  5
+   2.  Keeping the Chain of Trust Intact  . . . . . . . . . . . . . .  5
+   3.  Keys Generation and Storage  . . . . . . . . . . . . . . . . .  6
+     3.1.  Zone and Key Signing Keys  . . . . . . . . . . . . . . . .  6
+       3.1.1.  Motivations for the KSK and ZSK Separation . . . . . .  7
+       3.1.2.  KSKs for High Level Zones  . . . . . . . . . . . . . .  7
+     3.2.  Key Generation . . . . . . . . . . . . . . . . . . . . . .  8
+     3.3.  Key Effectivity Period . . . . . . . . . . . . . . . . . .  8
+     3.4.  Key Algorithm  . . . . . . . . . . . . . . . . . . . . . .  9
+     3.5.  Key Sizes  . . . . . . . . . . . . . . . . . . . . . . . . 10
+     3.6.  Private Key Storage  . . . . . . . . . . . . . . . . . . . 11
+   4.  Signature generation, Key Rollover and Related Policies  . . . 12
+     4.1.  Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
+       4.1.1.  Time Considerations  . . . . . . . . . . . . . . . . . 12
+     4.2.  Key Rollovers  . . . . . . . . . . . . . . . . . . . . . . 14
+       4.2.1.  Zone signing Key Rollovers . . . . . . . . . . . . . . 14
+       4.2.2.  Key signing Key Rollovers  . . . . . . . . . . . . . . 18
+       4.2.3.  Difference Between ZSK and KSK Rollovers . . . . . . . 19
+       4.2.4.  Automated Key Rollovers  . . . . . . . . . . . . . . . 20
+     4.3.  Planning for Emergency Key Rollover  . . . . . . . . . . . 21
+       4.3.1.  KSK Compromise . . . . . . . . . . . . . . . . . . . . 21
+       4.3.2.  ZSK Compromise . . . . . . . . . . . . . . . . . . . . 23
+       4.3.3.  Compromises of Keys Anchored in Resolvers  . . . . . . 23
+     4.4.  Parental Policies  . . . . . . . . . . . . . . . . . . . . 23
+       4.4.1.  Initial Key Exchanges and Parental Policies
+               Considerations . . . . . . . . . . . . . . . . . . . . 23
+       4.4.2.  Storing Keys or Hashes?  . . . . . . . . . . . . . . . 24
+       4.4.3.  Security Lameness  . . . . . . . . . . . . . . . . . . 24
+       4.4.4.  DS Signature Validity Period . . . . . . . . . . . . . 25
+   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 25
+   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 26
+   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 26
+   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
+     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 26
+     8.2.  Informative References . . . . . . . . . . . . . . . . . . 27
+   Appendix A.  Terminology . . . . . . . . . . . . . . . . . . . . . 28
+   Appendix B.  Zone signing Key Rollover Howto . . . . . . . . . . . 29
+   Appendix C.  Typographic Conventions . . . . . . . . . . . . . . . 29
+   Appendix D.  Document Details and Changes  . . . . . . . . . . . . 31
+     D.1.  draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 31
+     D.2.  draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 31
+     D.3.  draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 31
+     D.4.  draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 32
+     D.5.  draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 32
+
+
+
+Kolkman & Gieben         Expires August 25, 2006                [Page 2]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+     D.6.  draft-ietf-dnsop-dnssec-operational-practices-05 . . . . . 32
+     D.7.  draft-ietf-dnsop-dnssec-operational-practices-06 . . . . . 32
+     D.8.  draft-ietf-dnsop-dnssec-operational-practices-07 . . . . . 32
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33
+   Intellectual Property and Copyright Statements . . . . . . . . . . 34
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006                [Page 3]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+1.  Introduction
+
+   During workshops and early operational deployment tests, operators
+   and system administrators have gained experience about operating the
+   DNS with security extensions (DNSSEC).  This document translates
+   these experiences into a set of practices for zone administrators.
+   At the time of writing, there exists very little experience with
+   DNSSEC in production environments; this document should therefore
+   explicitly not be seen as representing 'Best Current Practices'.
+
+   The procedures herein are focused on the maintenance of signed zones
+   (i.e. signing and publishing zones on authoritative servers).  It is
+   intended that maintenance of zones such as re-signing or key
+   rollovers be transparent to any verifying clients on the Internet.
+
+   The structure of this document is as follows.  In Section 2 we
+   discuss the importance of keeping the "chain of trust" intact.
+   Aspects of key generation and storage of private keys are discussed
+   in Section 3; the focus in this section is mainly on the private part
+   of the key(s).  Section 4 describes considerations concerning the
+   public part of the keys.  Since these public keys appear in the DNS
+   one has to take into account all kinds of timing issues, which are
+   discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
+   rollover, or supercession, of keys.  Finally Section 4.4 discusses
+   considerations on how parents deal with their children's public keys
+   in order to maintain chains of trust.
+
+   The typographic conventions used in this document are explained in
+   Appendix C.
+
+   Since this is a document with operational suggestions and there are
+   no protocol specifications, the RFC2119 [3] language does not apply.
+
+   This document obsoletes RFC2541 [6].
+
+1.1.  The Use of the Term 'key'
+
+   It is assumed that the reader is familiar with the concept of
+   asymmetric keys on which DNSSEC is based (Public Key Cryptography
+   [12]).  Therefore, this document will use the term 'key' rather
+   loosely.  Where it is written that 'a key is used to sign data' it is
+   assumed that the reader understands that it is the private part of
+   the key pair that is used for signing.  It is also assumed that the
+   reader understands that the public part of the key pair is published
+   in the DNSKEY resource record and that it is the public part that is
+   used in key exchanges.
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006                [Page 4]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+1.2.  Time Definitions
+
+   In this document we will be using a number of time related terms.
+   The following definitions apply:
+   o  "Signature validity period"
+         The period that a signature is valid.  It starts at the time
+         specified in the signature inception field of the RRSIG RR and
+         ends at the time specified in the expiration field of the RRSIG
+         RR.
+   o  "Signature publication period"
+         Time after which a signature (made with a specific key) is
+         replaced with a new signature (made with the same key).  This
+         replacement takes place by publishing the relevant RRSIG in the
+         master zone file.
+         After one stopped publishing an RRSIG in a zone it may take a
+         while before the RRSIG has expired from caches and has actually
+         been removed from the DNS.
+   o  "Key effectivity period"
+         The period during which a key pair is expected to be effective.
+         This period is defined as the time between the first inception
+         time stamp and the last expiration date of any signature made
+         with this key, regardless of any discontinuity in the use of
+         the key.
+         The key effectivity period can span multiple signature validity
+         periods.
+   o  "Maximum/Minimum Zone TTL"
+         The maximum or minimum value of the TTLs from the complete set
+         of RRs in a zone.  Note that the minimum TTL is not the same as
+         the MINIMUM field in the SOA RR.  See [5] for more information.
+
+
+2.  Keeping the Chain of Trust Intact
+
+   Maintaining a valid chain of trust is important because broken chains
+   of trust will result in data being marked as Bogus (as defined in [2]
+   section 5), which may cause entire (sub)domains to become invisible
+   to verifying clients.  The administrators of secured zones have to
+   realize that their zone is, to verifying clients, part of a chain of
+   trust.
+
+   As mentioned in the introduction, the procedures herein are intended
+   to ensure that maintenance of zones, such as re-signing or key
+   rollovers, will be transparent to the verifying clients on the
+   Internet.
+
+   Administrators of secured zones will have to keep in mind that data
+   published on an authoritative primary server will not be immediately
+   seen by verifying clients; it may take some time for the data to be
+
+
+
+Kolkman & Gieben         Expires August 25, 2006                [Page 5]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   transferred to other secondary authoritative nameservers and clients
+   may be fetching data from caching non-authoritative servers.  In this
+   light it is good to note that the time for a zone transfer from
+   master to slave is negligible when using NOTIFY and IXFR, increasing
+   by reliance on AXFR, and more if you rely on the SOA timing
+   parameters for zone refresh.
+
+   For the verifying clients it is important that data from secured
+   zones can be used to build chains of trust regardless of whether the
+   data came directly from an authoritative server, a caching nameserver
+   or some middle box.  Only by carefully using the available timing
+   parameters can a zone administrator assure that the data necessary
+   for verification can be obtained.
+
+   The responsibility for maintaining the chain of trust is shared by
+   administrators of secured zones in the chain of trust.  This is most
+   obvious in the case of a 'key compromise' when a trade off between
+   maintaining a valid chain of trust and replacing the compromised keys
+   as soon as possible must be made.  Then zone administrators will have
+   to make a trade off, between keeping the chain of trust intact -
+   thereby allowing for attacks with the compromised key - or to
+   deliberately break the chain of trust and making secured sub domains
+   invisible to security aware resolvers.  Also see Section 4.3.
+
+
+3.  Keys Generation and Storage
+
+   This section describes a number of considerations with respect to the
+   security of keys.  It deals with the generation, effectivity period,
+   size and storage of private keys.
+
+3.1.  Zone and Key Signing Keys
+
+   The DNSSEC validation protocol does not distinguish between different
+   types of DNSKEYs.  All DNSKEYs can be used during the validation.  In
+   practice operators use Key Signing and Zone Signing Keys and use the
+   so-called (Secure Entry Point) SEP [1] flag to distinguish between
+   them during operations.  The dynamics and considerations are
+   discussed below.
+
+   To make zone re-signing and key rollover procedures easier to
+   implement, it is possible to use one or more keys as Key Signing Keys
+   (KSK).  These keys will only sign the apex DNSKEY RRSet in a zone.
+   Other keys can be used to sign all the RRSets in a zone and are
+   referred to as Zone Signing Keys (ZSK).  In this document we assume
+   that KSKs are the subset of keys that are used for key exchanges with
+   the parent and potentially for configuration as trusted anchors - the
+   SEP keys.  In this document we assume a one-to-one mapping between
+
+
+
+Kolkman & Gieben         Expires August 25, 2006                [Page 6]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   KSK and SEP keys and we assume the SEP flag to be set on all KSKs.
+
+3.1.1.  Motivations for the KSK and ZSK Separation
+
+   Differentiating between the KSK and ZSK functions has several
+   advantages:
+
+   o  No parent/child interaction is required when ZSKs are updated.
+   o  The KSK can be made stronger (i.e. using more bits in the key
+      material).  This has little operational impact since it is only
+      used to sign a small fraction of the zone data.  Also the KSK is
+      only used to verify the zone's key set, not for other RRSets in
+      the zone.
+   o  As the KSK is only used to sign a key set, which is most probably
+      updated less frequently than other data in the zone, it can be
+      stored separately from and in a safer location than the ZSK.
+   o  A KSK can have a longer key effectivity period.
+
+   For almost any method of key management and zone signing the KSK is
+   used less frequently than the ZSK.  Once a key set is signed with the
+   KSK all the keys in the key set can be used as ZSK.  If a ZSK is
+   compromised, it can be simply dropped from the key set.  The new key
+   set is then re-signed with the KSK.
+
+   Given the assumption that for KSKs the SEP flag is set, the KSK can
+   be distinguished from a ZSK by examining the flag field in the DNSKEY
+   RR.  If the flag field is an odd number it is a KSK.  If it is an
+   even number it is a ZSK.
+
+   The zone signing key can be used to sign all the data in a zone on a
+   regular basis.  When a zone signing key is to be rolled, no
+   interaction with the parent is needed.  This allows for "Signature
+   Validity Periods" on the order of days.
+
+   The key signing key is only to be used to sign the DNSKEY RRs in a
+   zone.  If a key signing key is to be rolled over, there will be
+   interactions with parties other than the zone administrator.  These
+   can include the registry of the parent zone or administrators of
+   verifying resolvers that have the particular key configured as secure
+   entry points.  Hence, the key effectivity period of these keys can
+   and should be made much longer.  Although, given a long enough key,
+   the Key Effectivity Period can be on the order of years we suggest
+   planning for a key effectivity of the order of a few months so that a
+   key rollover remains an operational routine.
+
+3.1.2.  KSKs for High Level Zones
+
+   Higher level zones are generally more sensitive than lower level
+
+
+
+Kolkman & Gieben         Expires August 25, 2006                [Page 7]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   zones.  Anyone controlling or breaking the security of a zone thereby
+   obtains authority over all of its sub domains (except in the case of
+   resolvers that have locally configured the public key of a sub
+   domain, in which case this, and only this, sub domain wouldn't be
+   affected by the compromise of the parent zone).  Therefore, extra
+   care should be taken with high level zones and strong keys should
+   used.
+
+   The root zone is the most critical of all zones.  Someone controlling
+   or compromising the security of the root zone would control the
+   entire DNS name space of all resolvers using that root zone (except
+   in the case of resolvers that have locally configured the public key
+   of a sub domain).  Therefore, the utmost care must be taken in the
+   securing of the root zone.  The strongest and most carefully handled
+   keys should be used.  The root zone private key should always be kept
+   off line.
+
+   Many resolvers will start at a root server for their access to and
+   authentication of DNS data.  Securely updating the trust anchors in
+   an enormous population of resolvers around the world will be
+   extremely difficult.
+
+3.2.  Key Generation
+
+   Careful generation of all keys is a sometimes overlooked but
+   absolutely essential element in any cryptographically secure system.
+   The strongest algorithms used with the longest keys are still of no
+   use if an adversary can guess enough to lower the size of the likely
+   key space so that it can be exhaustively searched.  Technical
+   suggestions for the generation of random keys will be found in
+   RFC4086 [9].  One should carefully assess if the random number
+   generator used during key generation adheres to these suggestions.
+
+   Keys with a long effectivity period are particularly sensitive as
+   they will represent a more valuable target and be subject to attack
+   for a longer time than short period keys.  It is strongly recommended
+   that long term key generation occur off-line in a manner isolated
+   from the network via an air gap or, at a minimum, high level secure
+   hardware.
+
+3.3.  Key Effectivity Period
+
+   For various reasons keys in DNSSEC need to be changed once in a
+   while.  The longer a key is in use, the greater the probability that
+   it will have been compromised through carelessness, accident,
+   espionage, or cryptanalysis.  Furthermore when key rollovers are too
+   rare an event, they will not become part of the operational habit and
+   there is risk that nobody on-site will remember the procedure for
+
+
+
+Kolkman & Gieben         Expires August 25, 2006                [Page 8]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   rollover when the need is there.
+
+   From a purely operational perspective a reasonable key effectivity
+   period for Key Signing Keys is 13 months, with the intent to replace
+   them after 12 months.  An intended key effectivity period of a month
+   is reasonable for Zone Signing Keys.
+
+   For a key sizes that matches these effectivity periods see
+   Section 3.5.
+
+   As argued in Section 3.1.2 securely updating trust anchors will be
+   extremely difficult.  On the other hand the "operational habit"
+   argument does also apply to trust anchor reconfiguration.  If a short
+   key-effectivity period is used and the trust anchor configuration has
+   to be revisited on a regular basis the odds that the configuration
+   tends to be forgotten is smaller.  The trade-off is against a system
+   that is so dynamic that administrators of the validating clients will
+   not be able to follow the modifications.
+
+   Key effectivity periods can be made very short, as in the order of a
+   few minutes.  But when replacing keys one has to take the
+   considerations from Section 4.1 and Section 4.2 into account.
+
+3.4.  Key Algorithm
+
+   There are currently three different types of algorithms that can be
+   used in DNSSEC: RSA, DSA and elliptic curve cryptography.  The latter
+   is fairly new and has yet to be standardized for usage in DNSSEC.
+
+   RSA has been developed in an open and transparent manner.  As the
+   patent on RSA expired in 2000, its use is now also free.
+
+   DSA has been developed by NIST.  The creation of signatures is
+   roughly done at the same speed as with RSA, but is 10 to 40 times as
+   slow for verification [12].
+
+   We suggest the use of RSA/SHA-1 as the preferred algorithm for the
+   key.  The current known attacks on RSA can be defeated by making your
+   key longer.  As the MD5 hashing algorithm is showing (theoretical)
+   cracks, we recommend the usage of SHA-1.
+
+   At the time of publication it is known that the SHA-1 hash has
+   cryptanalysis issues.  There is work in progress on addressing these
+   issues.  We recommend to use public key algorithms based on hashes
+   stronger than SHA-1, e.g.  SHA-256, as soon as these algorithms are
+   available in protocol specifications (See [14] and [15] ) and
+   implementations.
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006                [Page 9]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+3.5.  Key Sizes
+
+   When choosing key sizes, zone administrators will need to take into
+   account how long a key will be used, how much data will be signed
+   during the key publication period (See Section 8.10 of [12]) and,
+   optionally, how large the key size of the parent is.  As the chain of
+   trust really is "a chain", it does not make much sense in making one
+   of the keys in the chain several times larger then the others.  As
+   always, it's the weakest link that defines the strength of the entire
+   chain.  Also see Section 3.1.1 for a discussion of how keys serving
+   different roles (ZSK v.  KSK) may need different key sizes.
+
+   Generating a key of the correct size is a difficult problem, RFC3766
+   [8] tries to deal with that problem.  Paragraph 1 of that RFC states:
+
+      1. Determine the attack resistance necessary to satisfy the
+         security requirements of the application.  Do this by
+         estimating the minimum number of computer operations that
+         the attacker will be forced to do in order to compromise
+         the security of the system and then take the logarithm base
+         two of that number.  Call that logarithm value "n".
+
+         A 1996 report recommended 90 bits as a good all-around choice
+         for system security.  The 90 bit number should be increased
+         by about 2/3 bit/year, or about 96 bits in 2005.
+
+   [8] goes on to explain how this number "n" can be used to calculate
+   the key sizes in public key cryptography.  This culminated in the
+   table given below (slightly modified for our purpose):
+
+
+      +-------------+-----------+--------------+
+      | System      |           |              |
+      | requirement | Symmetric | RSA or DSA   |
+      | for attack  | key size  | modulus size |
+      | resistance  | (bits)    | (bits)       |
+      | (bits)      |           |              |
+      +-------------+-----------+--------------+
+      |     70      |     70    |      947     |
+      |     80      |     80    |     1228     |
+      |     90      |     90    |     1553     |
+      |    100      |    100    |     1926     |
+      |    150      |    150    |     4575     |
+      |    200      |    200    |     8719     |
+      |    250      |    250    |    14596     |
+      +-------------+-----------+--------------+
+
+   The key sizes given are rather large.  This is because these keys are
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 10]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   resilient against a trillionaire attacker.  Assuming this rich
+   attacker will not attack your key and that the key is rolled over
+   once a year, we come to the following recommendations about KSK
+   sizes; 1024 bits low value domains, 1300 for medium value and 2048
+   for the high value domains.
+
+   Whether a domain is of low, medium, high value depends solely on the
+   views of the zone owner.  One could for instance view leaf nodes in
+   the DNS as of low value and TLDs or the root zone of high value.  The
+   suggested key sizes should be safe for the next 5 years.
+
+   As ZSKs can be rolled over more easily (and thus more often) the key
+   sizes can be made smaller.  But as said in the introduction of this
+   paragraph, making the ZSKs' key sizes too small (in relation to the
+   KSKs' sizes) doesn't make much sense.  Try to limit the difference in
+   size to about 100 bits.
+
+   Note that nobody can see into the future, and that these key sizes
+   are only provided here as a guide.  Further information can be found
+   in [11] and Section 7.5 of [12].  It should be noted though that [11]
+   is already considered overly optimistic about what key sizes are
+   considered safe.
+
+   One final note concerning key sizes.  Larger keys will increase the
+   sizes of the RRSIG and DNSKEY records and will therefore increase the
+   chance of DNS UDP packet overflow.  Also the time it takes to
+   validate and create RRSIGs increases with larger keys, so don't
+   needlessly double your key sizes.
+
+3.6.  Private Key Storage
+
+   It is recommended that, where possible, zone private keys and the
+   zone file master copy that is to be signed, be kept and used in off-
+   line, non-network connected, physically secure machines only.
+   Periodically an application can be run to add authentication to a
+   zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
+   transferred.
+
+   When relying on dynamic update to manage a signed zone [4], be aware
+   that at least one private key of the zone will have to reside on the
+   master server.  This key is only as secure as the amount of exposure
+   the server receives to unknown clients and the security of the host.
+   Although not mandatory one could administer the DNS in the following
+   way.  The master that processes the dynamic updates is unavailable
+   from generic hosts on the Internet, it is not listed in the NS RR
+   set, although its name appears in the SOA RRs MNAME field.  The
+   nameservers in the NS RR set are able to receive zone updates through
+   NOTIFY, IXFR, AXFR or an out-of-band distribution mechanism.  This
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 11]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   approach is known as the "hidden master" setup.
+
+   The ideal situation is to have a one way information flow to the
+   network to avoid the possibility of tampering from the network.
+   Keeping the zone master file on-line on the network and simply
+   cycling it through an off-line signer does not do this.  The on-line
+   version could still be tampered with if the host it resides on is
+   compromised.  For maximum security, the master copy of the zone file
+   should be off net and should not be updated based on an unsecured
+   network mediated communication.
+
+   In general keeping a zone-file off-line will not be practical and the
+   machines on which zone files are maintained will be connected to a
+   network.  Operators are advised to take security measures to shield
+   unauthorized access to the master copy.
+
+   For dynamically updated secured zones [4] both the master copy and
+   the private key that is used to update signatures on updated RRs will
+   need to be on-line.
+
+
+4.  Signature generation, Key Rollover and Related Policies
+
+4.1.  Time in DNSSEC
+
+   Without DNSSEC all times in DNS are relative.  The SOA fields
+   REFRESH, RETRY and EXPIRATION are timers used to determine the time
+   elapsed after a slave server synchronized with a master server.  The
+   Time to Live (TTL) value and the SOA RR minimum TTL parameter [5] are
+   used to determine how long a forwarder should cache data after it has
+   been fetched from an authoritative server.  By using a signature
+   validity period, DNSSEC introduces the notion of an absolute time in
+   the DNS.  Signatures in DNSSEC have an expiration date after which
+   the signature is marked as invalid and the signed data is to be
+   considered Bogus.
+
+4.1.1.  Time Considerations
+
+   Because of the expiration of signatures, one should consider the
+   following:
+   o  We suggest the Maximum Zone TTL of your zone data to be a fraction
+      of your signature validity period.
+         If the TTL would be of similar order as the signature validity
+         period, then all RRSets fetched during the validity period
+         would be cached until the signature expiration time.  Section
+         7.1 of [2] suggests that "the resolver may use the time
+         remaining before expiration of the signature validity period of
+         a signed RRSet as an upper bound for the TTL".  As a result
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 12]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+         query load on authoritative servers would peak at signature
+         expiration time, as this is also the time at which records
+         simultaneously expire from caches.
+         To avoid query load peaks we suggest the TTL on all the RRs in
+         your zone to be at least a few times smaller than your
+         signature validity period.
+   o  We suggest the Signature Publication Period to end at least one
+      Maximum Zone TTL duration before the end of the Signature Validity
+      Period.
+         Re-signing a zone shortly before the end of the signature
+         validity period may cause simultaneous expiration of data from
+         caches.  This in turn may lead to peaks in the load on
+         authoritative servers.
+   o  We suggest the minimum zone TTL to be long enough to both fetch
+      and verifying all the RRs in the trust chain.  In workshop
+      environments it has been demonstrated [13] that a low TTL (under 5
+      to 10 minutes) caused disruptions because of the following two
+      problems:
+         1.  During validation, some data may expire before the
+         validation is complete.  The validator should be able to keep
+         all data, until is completed.  This applies to all RRs needed
+         to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
+         final answers i.e. the RRSet that is returned for the initial
+         query.
+         2.  Frequent verification causes load on recursive nameservers.
+         Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
+         caching.  The TTL on those should be relatively long.
+   o  Slave servers will need to be able to fetch newly signed zones
+      well before the RRSIGs in the zone served by the slave server pass
+      their signature expiration time.
+         When a slave server is out of sync with its master and data in
+         a zone is signed by expired signatures it may be better for the
+         slave server not to give out any answer.
+         Normally a slave server that is not able to contact a master
+         server for an extended period will expire a zone.  When that
+         happens the server will respond differently to queries for that
+         zone.  Some servers issue SERVFAIL while others turn off the
+         'AA' bit in the answers.  The time of expiration is set in the
+         SOA record and is relative to the last successful refresh
+         between the master and the slave server.  There exists no
+         coupling between the signature expiration of RRSIGs in the zone
+         and the expire parameter in the SOA.
+         If the server serves a DNSSEC zone then it may well happen that
+         the signatures expire well before the SOA expiration timer
+         counts down to zero.  It is not possible to completely prevent
+         this from happening by tweaking the SOA parameters.
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 13]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+         However, the effects can be minimized where the SOA expiration
+         time is equal or shorter than the signature validity period.
+         The consequence of an authoritative server not being able to
+         update a zone, whilst that zone includes expired signatures, is
+         that non-secure resolvers will continue to be able to resolve
+         data served by the particular slave servers while security
+         aware resolvers will experience problems because of answers
+         being marked as Bogus.
+         We suggest the SOA expiration timer being approximately one
+         third or one fourth of the signature validity period.  It will
+         allow problems with transfers from the master server to be
+         noticed before the actual signature times out.
+         We also suggest that operators of nameservers that supply
+         secondary services develop 'watch dogs' to spot upcoming
+         signature expirations in zones they slave, and take appropriate
+         action.
+         When determining the value for the expiration parameter one has
+         to take the following into account: What are the chances that
+         all my secondaries expire the zone; How quickly can I reach an
+         administrator of secondary servers to load a valid zone?  All
+         these arguments are not DNSSEC specific but may influence the
+         choice of your signature validity intervals.
+
+4.2.  Key Rollovers
+
+   A DNSSEC key cannot be used forever (see Section 3.3).  So key
+   rollovers -- or supercessions, as they are sometimes called -- are a
+   fact of life when using DNSSEC.  Zone administrators who are in the
+   process of rolling their keys have to take into account that data
+   published in previous versions of their zone still lives in caches.
+   When deploying DNSSEC, this becomes an important consideration;
+   ignoring data that may be in caches may lead to loss of service for
+   clients.
+
+   The most pressing example of this occurs when zone material signed
+   with an old key is being validated by a resolver which does not have
+   the old zone key cached.  If the old key is no longer present in the
+   current zone, this validation fails, marking the data Bogus.
+   Alternatively, an attempt could be made to validate data which is
+   signed with a new key against an old key that lives in a local cache,
+   also resulting in data being marked Bogus.
+
+4.2.1.  Zone signing Key Rollovers
+
+   For zone signing key rollovers there are two ways to make sure that
+   during the rollover data still cached can be verified with the new
+   key sets or newly generated signatures can be verified with the keys
+   still in caches.  One schema, described in Section 4.2.1.2, uses
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 14]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   double signatures; the other uses key pre-publication
+   (Section 4.2.1.1).  The pros, cons and recommendations are described
+   in Section 4.2.1.3.
+
+4.2.1.1.  Pre-publish Key Rollover
+
+   This section shows how to perform a ZSK rollover without the need to
+   sign all the data in a zone twice - the so-called "pre-publish
+   rollover".This method has advantages in the case of a key compromise.
+   If the old key is compromised, the new key has already been
+   distributed in the DNS.  The zone administrator is then able to
+   quickly switch to the new key and remove the compromised key from the
+   zone.  Another major advantage is that the zone size does not double,
+   as is the case with the double signature ZSK rollover.  A small
+   "HOWTO" for this kind of rollover can be found in Appendix B.
+
+    initial         new DNSKEY       new RRSIGs      DNSKEY removal
+
+    SOA0            SOA1             SOA2            SOA3
+    RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
+
+    DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
+    DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
+                    DNSKEY11         DNSKEY11
+    RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
+    RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+
+
+   initial: Initial version of the zone: DNSKEY 1 is the key signing
+      key.  DNSKEY 10 is used to sign all the data of the zone, the zone
+      signing key.
+   new DNSKEY: DNSKEY 11 is introduced into the key set.  Note that no
+      signatures are generated with this key yet, but this does not
+      secure against brute force attacks on the public key.  The minimum
+      duration of this pre-roll phase is the time it takes for the data
+      to propagate to the authoritative servers plus TTL value of the
+      key set.
+   new RRSIGs: At the "new RRSIGs" stage (SOA serial 2) DNSKEY 11 is
+      used to sign the data in the zone exclusively (i.e. all the
+      signatures from DNSKEY 10 are removed from the zone).  DNSKEY 10
+      remains published in the key set.  This way data that was loaded
+      into caches from version 1 of the zone can still be verified with
+      key sets fetched from version 2 of the zone.
+      The minimum time that the key set including DNSKEY 10 is to be
+      published is the time that it takes for zone data from the
+      previous version of the zone to expire from old caches i.e. the
+      time it takes for this zone to propagate to all authoritative
+      servers plus the Maximum Zone TTL value of any of the data in the
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 15]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+      previous version of the zone.
+   DNSKEY removal: DNSKEY 10 is removed from the zone.  The key set, now
+      only containing DNSKEY 1 and DNSKEY 11 is re-signed with the
+      DNSKEY 1.
+
+   The above scheme can be simplified by always publishing the "future"
+   key immediately after the rollover.  The scheme would look as follows
+   (we show two rollovers); the future key is introduced in "new DNSKEY"
+   as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+   (II)":
+
+
+       initial             new RRSIGs          new DNSKEY
+
+       SOA0                SOA1                SOA2
+       RRSIG10(SOA0)       RRSIG11(SOA1)       RRSIG11(SOA2)
+
+       DNSKEY1             DNSKEY1             DNSKEY1
+       DNSKEY10            DNSKEY10            DNSKEY11
+       DNSKEY11            DNSKEY11            DNSKEY12
+       RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
+       RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
+
+
+       new RRSIGs (II)       new DNSKEY (II)
+
+       SOA3                SOA4
+       RRSIG12(SOA3)       RRSIG12(SOA4)
+
+       DNSKEY1             DNSKEY1
+       DNSKEY11            DNSKEY12
+       DNSKEY12            DNSKEY13
+       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
+       RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
+
+
+   Note that the key introduced in the "new DNSKEY" phase is not used
+   for production yet; the private key can thus be stored in a
+   physically secure manner and does not need to be 'fetched' every time
+   a zone needs to be signed.
+
+4.2.1.2.  Double Signature Zone signing Key Rollover
+
+   This section shows how to perform a ZSK key rollover using the double
+   zone data signature scheme, aptly named "double sig rollover".
+
+   During the "new DNSKEY" stage the new version of the zone file will
+   need to propagate to all authoritative servers and the data that
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 16]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   exists in (distant) caches will need to expire, requiring at least
+   the maximum Zone TTL.
+
+       initial             new DNSKEY         DNSKEY removal
+
+       SOA0                SOA1               SOA2
+       RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
+                           RRSIG11(SOA1)
+
+       DNSKEY1             DNSKEY1            DNSKEY1
+       DNSKEY10            DNSKEY10           DNSKEY11
+                           DNSKEY11
+       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
+       RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
+                           RRSIG11(DNSKEY)
+
+   initial: Initial Version of the zone: DNSKEY 1 is the key signing
+      key.  DNSKEY 10 is used to sign all the data of the zone, the zone
+      signing key.
+   new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+      introduced into the key set and all the data in the zone is signed
+      with DNSKEY 10 and DNSKEY 11.  The rollover period will need to
+      exist until all data from version 0 of the zone has expired from
+      remote caches.  This will take at least the maximum Zone TTL of
+      version 0 of the zone.
+   DNSKEY removal: DNSKEY 10 is removed from the zone.  All the
+      signatures from DNSKEY 10 are removed from the zone.  The key set,
+      now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+   At every instance, RRSIGs from the previous version of the zone can
+   be verified with the DNSKEY RRSet from the current version and the
+   other way around.  The data from the current version can be verified
+   with the data from the previous version of the zone.  The duration of
+   the "new DNSKEY" phase and the period between rollovers should be at
+   least the Maximum Zone TTL.
+
+   Making sure that the "new DNSKEY" phase lasts until the signature
+   expiration time of the data in initial version of the zone is
+   recommended.  This way all caches are cleared of the old signatures.
+   However, this duration could be considerably longer than the Maximum
+   Zone TTL, making the rollover a lengthy procedure.
+
+   Note that in this example we assumed that the zone was not modified
+   during the rollover.  New data can be introduced in the zone as long
+   as it is signed with both keys.
+
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 17]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+4.2.1.3.  Pros and Cons of the Schemes
+
+   Pre-publish Key Rollover: This rollover does not involve signing the
+      zone data twice.  Instead, before the actual rollover, the new key
+      is published in the key set and thus available for cryptanalysis
+      attacks.  A small disadvantage is that this process requires four
+      steps.  Also the pre-publish scheme involves more parental work
+      when used for KSK rollovers as explained in Section 4.2.3.
+   Double Signature Zone-signing Key Rollover: The drawback of this
+      signing scheme is that during the rollover the number of
+      signatures in your zone doubles, this may be prohibitive if you
+      have very big zones.  An advantage is that it only requires three
+      steps.
+
+4.2.2.  Key signing Key Rollovers
+
+   For the rollover of a key signing key the same considerations as for
+   the rollover of a zone signing key apply.  However we can use a
+   double signature scheme to guarantee that old data (only the apex key
+   set) in caches can be verified with a new key set and vice versa.
+   Since only the key set is signed with a KSK, zone size considerations
+   do not apply.
+
+
+       initial        new DNSKEY        DS change       DNSKEY removal
+     Parent:
+       SOA0           -------->         SOA1            -------->
+       RRSIGpar(SOA0) -------->         RRSIGpar(SOA1)  -------->
+       DS1            -------->         DS2             -------->
+       RRSIGpar(DS)   -------->         RRSIGpar(DS)    -------->
+
+
+     Child:
+       SOA0            SOA1             -------->       SOA2
+       RRSIG10(SOA0)   RRSIG10(SOA1)    -------->       RRSIG10(SOA2)
+                                        -------->
+       DNSKEY1         DNSKEY1          -------->       DNSKEY2
+                       DNSKEY2          -------->
+       DNSKEY10        DNSKEY10         -------->       DNSKEY10
+       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  -------->       RRSIG2 (DNSKEY)
+                       RRSIG2 (DNSKEY)  -------->
+       RRSIG10(DNSKEY) RRSIG10(DNSKEY)  -------->       RRSIG10(DNSKEY)
+
+   initial: Initial version of the zone.  The parental DS points to
+      DNSKEY1.  Before the rollover starts the child will have to verify
+      what the TTL is of the DS RR that points to DNSKEY1 - it is needed
+      during the rollover and we refer to the value as TTL_DS.
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 18]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   new DNSKEY: During the "new DNSKEY" phase the zone administrator
+      generates a second KSK, DNSKEY2.  The key is provided to the
+      parent and the child will have to wait until a new DS RR has been
+      generated that points to DNSKEY2.  After that DS RR has been
+      published on all servers authoritative for the parent's zone, the
+      zone administrator has to wait at least TTL_DS to make sure that
+      the old DS RR has expired from caches.
+   DS change: The parent replaces DS1 with DS2.
+   DNSKEY removal: DNSKEY1 has been removed.
+
+   The scenario above puts the responsibility for maintaining a valid
+   chain of trust with the child.  It also is based on the premises that
+   the parent only has one DS RR (per algorithm) per zone.  An
+   alternative mechanism has been considered.  Using an established
+   trust relation, the interaction can be performed in-band, and the
+   removal of the keys by the child can possibly be signaled by the
+   parent.  In this mechanism there are periods where there are two DS
+   RRs at the parent.  Since at the moment of writing the protocol for
+   this interaction has not been developed, further discussion is out of
+   scope for this document.
+
+4.2.3.  Difference Between ZSK and KSK Rollovers
+
+   Note that KSK rollovers and ZSK rollovers are different in the sense
+   that a KSK rollover requires interaction with the parent (and
+   possibly replacing of trust anchors) and the ensuing delay while
+   waiting for it.
+
+   A zone key rollover can be handled in two different ways: pre-publish
+   (Section Section 4.2.1.1) and double signature (Section
+   Section 4.2.1.2).
+
+   As the KSK is used to validate the key set and because the KSK is not
+   changed during a ZSK rollover, a cache is able to validate the new
+   key set of the zone.  The pre-publish method would work for a KSK
+   rollover.  The records that are to be pre-published are the parental
+   DS RRs.  The pre-publish method has some drawbacks for KSKs.  We
+   first describe the rollover scheme and then indicate these drawbacks.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 19]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+     initial         new DS           new DNSKEY      DS/DNSKEY removal
+   Parent:
+     SOA0            SOA1             -------->       SOA2
+     RRSIGpar(SOA0)  RRSIGpar(SOA1)   -------->       RRSIGpar(SOA2)
+     DS1             DS1              -------->       DS2
+                     DS2              -------->
+     RRSIGpar(DS)    RRSIGpar(DS)     -------->       RRSIGpar(DS)
+
+
+
+   Child:
+     SOA0            -------->        SOA1            SOA1
+     RRSIG10(SOA0)   -------->        RRSIG10(SOA1)   RRSIG10(SOA1)
+                     -------->
+     DNSKEY1         -------->        DNSKEY2         DNSKEY2
+                     -------->
+     DNSKEY10        -------->        DNSKEY10        DNSKEY10
+     RRSIG1 (DNSKEY) -------->        RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
+     RRSIG10(DNSKEY) -------->        RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+
+   When the child zone wants to roll it notifies the parent during the
+   "new DS" phase and submits the new key (or the corresponding DS) to
+   the parent.  The parent publishes DS1 and DS2, pointing to DNSKEY1
+   and DNSKEY2 respectively.  During the rollover ("new DNSKEY" phase),
+   which can take place as soon as the new DS set propagated through the
+   DNS, the child replaces DNSKEY1 with DNSKEY2.  Immediately after that
+   ("DS/DNSKEY removal" phase) it can notify the parent that the old DS
+   record can be deleted.
+
+   The drawbacks of this scheme are that during the "new DS" phase the
+   parent cannot verify the match between the DS2 RR and DNSKEY2 using
+   the DNS -- as DNSKEY2 is not yet published.  Besides, we introduce a
+   "security lame" key (See Section 4.4.3).  Finally the child-parent
+   interaction consists of two steps.  The "double signature" method
+   only needs one interaction.
+
+4.2.4.  Automated Key Rollovers
+
+   As keys must be renewed periodically, there is some motivation to
+   automate the rollover process.  Consider that:
+
+   o  ZSK rollovers are easy to automate as only the child zone is
+      involved.
+   o  A KSK rollover needs interaction between parent and child.  Data
+      exchange is needed to provide the new keys to the parent,
+      consequently, this data must be authenticated and integrity must
+      be guaranteed in order to avoid attacks on the rollover.
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 20]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+4.3.  Planning for Emergency Key Rollover
+
+   This section deals with preparation for a possible key compromise.
+   Our advice is to have a documented procedure ready for when a key
+   compromise is suspected or confirmed.
+
+   When the private material of one of your keys is compromised it can
+   be used for as long as a valid trust chain exists.  A trust chain
+   remains intact for:
+   o  as long as a signature over the compromised key in the trust chain
+      is valid,
+   o  as long as a parental DS RR (and signature) points to the
+      compromised key,
+   o  as long as the key is anchored in a resolver and is used as a
+      starting point for validation (this is generally the hardest to
+      update).
+
+   While a trust chain to your compromised key exists, your name-space
+   is vulnerable to abuse by anyone who has obtained illegitimate
+   possession of the key.  Zone operators have to make a trade off if
+   the abuse of the compromised key is worse than having data in caches
+   that cannot be validated.  If the zone operator chooses to break the
+   trust chain to the compromised key, data in caches signed with this
+   key cannot be validated.  However, if the zone administrator chooses
+   to take the path of a regular roll-over, the malicious key holder can
+   spoof data so that it appears to be valid.
+
+4.3.1.  KSK Compromise
+
+   A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+   as long as the compromised KSK is configured as trust anchor or a
+   parental DS points to it.
+
+   A compromised KSK can be used to sign the key set of an attacker's
+   zone.  That zone could be used to poison the DNS.
+
+   Therefore when the KSK has been compromised, the trust anchor or the
+   parental DS, should be replaced as soon as possible.  It is local
+   policy whether to break the trust chain during the emergency
+   rollover.  The trust chain would be broken when the compromised KSK
+   is removed from the child's zone while the parent still has a DS
+   pointing to the compromised KSK (the assumption is that there is only
+   one DS at the parent.  If there are multiple DSs this does not apply
+   -- however the chain of trust of this particular key is broken).
+
+   Note that an attacker's zone still uses the compromised KSK and the
+   presence of a parental DS would cause the data in this zone to appear
+   as valid.  Removing the compromised key would cause the attacker's
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 21]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   zone to appear as valid and the child's zone as Bogus.  Therefore we
+   advise not to remove the KSK before the parent has a DS to a new KSK
+   in place.
+
+4.3.1.1.  Keeping the Chain of Trust Intact
+
+   If we follow this advice the timing of the replacement of the KSK is
+   somewhat critical.  The goal is to remove the compromised KSK as soon
+   as the new DS RR is available at the parent.  And also make sure that
+   the signature made with a new KSK over the key set with the
+   compromised KSK in it expires just after the new DS appears at the
+   parent.  Thus removing the old cruft in one swoop.
+
+   The procedure is as follows:
+   1.  Introduce a new KSK into the key set, keep the compromised KSK in
+       the key set.
+   2.  Sign the key set, with a short validity period.  The validity
+       period should expire shortly after the DS is expected to appear
+       in the parent and the old DSs have expired from caches.
+   3.  Upload the DS for this new key to the parent.
+   4.  Follow the procedure of the regular KSK rollover: Wait for the DS
+       to appear in the authoritative servers and then wait as long as
+       the TTL of the old DS RRs.  If necessary re-sign the DNSKEY RRSet
+       and modify/extend the expiration time.
+   5.  Remove the compromised DNSKEY RR from the zone and re-sign the
+       key set using your "normal" validity interval.
+
+   An additional danger of a key compromise is that the compromised key
+   could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+   nameserver changes at the parent.  When that happens the domain may
+   be in dispute.  An authenticated out of band and secure notify
+   mechanism to contact a parent is needed in this case.
+
+   Note that this is only a problem when the DNSKEY and or DS records
+   are used for authentication at the parent.
+
+4.3.1.2.  Breaking the Chain of Trust
+
+   There are two methods to break the chain of trust.  The first method
+   causes the child zone to appear as 'Bogus' to validating resolvers.
+   The other causes the the child zone to appear as 'insecure'.  These
+   are described below.
+
+   In the method that causes the child zone to appear as 'Bogus' to
+   validating resolvers, the child zone replaces the current KSK with a
+   new one and resigns the key set.  Next it sends the DS of the new key
+   to the parent.  Only after the parent has placed the new DS in the
+   zone, the child's chain of trust is repaired.
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 22]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   An alternative method of breaking the chain of trust is by removing
+   the DS RRs from the parent zone altogether.  As a result the child
+   zone would become insecure.
+
+4.3.2.  ZSK Compromise
+
+   Primarily because there is no parental interaction required when a
+   ZSK is compromised, the situation is less severe than with a KSK
+   compromise.  The zone must still be re-signed with a new ZSK as soon
+   as possible.  As this is a local operation and requires no
+   communication between the parent and child this can be achieved
+   fairly quickly.  However, one has to take into account that just as
+   with a normal rollover the immediate disappearance of the old
+   compromised key may lead to verification problems.  Also note that as
+   long as the RRSIG over the compromised ZSK is not expired the zone
+   may be still at risk.
+
+4.3.3.  Compromises of Keys Anchored in Resolvers
+
+   A key can also be pre-configured in resolvers.  For instance, if
+   DNSSEC is successfully deployed the root key may be pre-configured in
+   most security aware resolvers.
+
+   If trust-anchor keys are compromised, the resolvers using these keys
+   should be notified of this fact.  Zone administrators may consider
+   setting up a mailing list to communicate the fact that a SEP key is
+   about to be rolled over.  This communication will of course need to
+   be authenticated e.g. by using digital signatures.
+
+   End-users faced with the task of updating an anchored key should
+   always validate the new key.  New keys should be authenticated out of
+   band, for example, looking them up on an SSL secured announcement
+   website.
+
+4.4.  Parental Policies
+
+4.4.1.  Initial Key Exchanges and Parental Policies Considerations
+
+   The initial key exchange is always subject to the policies set by the
+   parent.  When designing a key exchange policy one should take into
+   account that the authentication and authorization mechanisms used
+   during a key exchange should be as strong as the authentication and
+   authorization mechanisms used for the exchange of delegation
+   information between parent and child.  I.e. there is no implicit need
+   in DNSSEC to make the authentication process stronger than it was in
+   DNS.
+
+   Using the DNS itself as the source for the actual DNSKEY material,
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 23]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   with an off-band check on the validity of the DNSKEY, has the benefit
+   that it reduces the chances of user error.  A DNSKEY query tool can
+   make use of the SEP bit [1] to select the proper key from a DNSSEC
+   key set; thereby reducing the chance that the wrong DNSKEY is sent.
+   It can validate the self-signature over a key; thereby verifying the
+   ownership of the private key material.  Fetching the DNSKEY from the
+   DNS ensures that the chain of trust remains intact once the parent
+   publishes the DS RR indicating the child is secure.
+
+   Note: the off-band verification is still needed when the key-material
+   is fetched via the DNS.  The parent can never be sure whether the
+   DNSKEY RRs have been spoofed or not.
+
+4.4.2.  Storing Keys or Hashes?
+
+   When designing a registry system one should consider which of the
+   DNSKEYs and/or the corresponding DSs to store.  Since a child zone
+   might wish to have a DS published using a message digest algorithm
+   not yet understood by the registry, the registry can't count on being
+   able to generate the DS record from a raw DNSKEY.  Thus, we recommend
+   that registry systems at least support storing DS records.
+
+   It may also be useful to store DNSKEYs, since having them may help
+   during troubleshooting and, as long as the child's chosen message
+   digest is supported, the overhead of generating DS records from them
+   is minimal.  Having an out-of-band mechanism, such as a registry
+   directory (e.g.  Whois), to find out which keys are used to generate
+   DS Resource Records for specific owners and/or zones may also help
+   with troubleshooting.
+
+   The storage considerations also relate to the design of the customer
+   interface and the method by which data is transferred between
+   registrant and registry; Will the child zone administrator be able to
+   upload DS RRs with unknown hash algorithms or does the interface only
+   allow DNSKEYs?  In the registry-registrar model one can use the
+   DNSSEC EPP protocol extension [10] which allows transfer of DS RRs
+   and optionally DNSKEY RRs.
+
+4.4.3.  Security Lameness
+
+   Security Lameness is defined as what happens when a parent has a DS
+   RR pointing to a non-existing DNSKEY RR.  When this happens the
+   child's zone may be marked as "Bogus" by verifying DNS clients.
+
+   As part of a comprehensive delegation check the parent could, at key
+   exchange time, verify that the child's key is actually configured in
+   the DNS.  However if a parent does not understand the hashing
+   algorithm used by child the parental checks are limited to only
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 24]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   comparing the key id.
+
+   Child zones should be very careful removing DNSKEY material,
+   specifically SEP keys, for which a DS RR exists.
+
+   Once a zone is "security lame", a fix (e.g. removing a DS RR) will
+   take time to propagate through the DNS.
+
+4.4.4.  DS Signature Validity Period
+
+   Since the DS can be replayed as long as it has a valid signature, a
+   short signature validity period over the DS minimizes the time a
+   child is vulnerable in the case of a compromise of the child's
+   KSK(s).  A signature validity period that is too short introduces the
+   possibility that a zone is marked Bogus in case of a configuration
+   error in the signer.  There may not be enough time to fix the
+   problems before signatures expire.  Something as mundane as operator
+   unavailability during weekends shows the need for DS signature
+   validity periods longer than 2 days.  We recommend an absolute
+   minimum for a DS signature validity period of a few days.
+
+   The maximum signature validity period of the DS record depends on how
+   long child zones are willing to be vulnerable after a key compromise.
+   On the other hand shortening the DS signature validity interval
+   increases the operational risk for the parent.  Therefore the parent
+   may have policy to use a signature validity interval that is
+   considerably longer than the child would hope for.
+
+   A compromise between the operational constraints of the parent and
+   minimizing damage for the child may result in a DS signature validity
+   period somewhere between the order of a week to order of months.
+
+   In addition to the signature validity period, which sets a lower
+   bound on the number of times the zone owner will need to sign the
+   zone data and which sets an upper bound to the time a child is
+   vulnerable after key compromise, there is the TTL value on the DS
+   RRs.  Shortening the TTL means that the authoritative servers will
+   see more queries.  But on the other hand, a short TTL lowers the
+   persistence of DS RRSets in caches thereby increases the speed with
+   which updated DS RRSets propagate through the DNS.
+
+
+5.  IANA Considerations
+
+   This overview document introduces no new IANA considerations.
+
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 25]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+6.  Security Considerations
+
+   DNSSEC adds data integrity to the DNS.  This document tries to assess
+   the operational considerations to maintain a stable and secure DNSSEC
+   service.  Not taking into account the 'data propagation' properties
+   in the DNS will cause validation failures and may make secured zones
+   unavailable to security aware resolvers.
+
+
+7.  Acknowledgments
+
+   Most of the ideas in this draft were the result of collective efforts
+   during workshops, discussions and try outs.
+
+   At the risk of forgetting individuals who were the original
+   contributors of the ideas we would like to acknowledge people who
+   were actively involved in the compilation of this document.  In
+   random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
+   Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
+   Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
+   Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz and Peter Koch.
+
+   Some material in this document has been shamelessly copied from
+   RFC2541 [6] by Donald Eastlake.
+
+   Mike StJohns designed the key exchange between parent and child
+   mentioned in the last paragraph of Section 4.2.2
+
+   Section 4.2.4 was supplied by G. Guette and O. Courtay.
+
+   Emma Bretherick, Adrian Bedford and Lindy Foster corrected many of
+   the spelling and style issues.
+
+   Kolkman and Gieben take the blame for introducing all miscakes(SIC).
+
+   Kolkman was employed by the RIPE NCC while working on this document.
+
+
+8.  References
+
+8.1.  Normative References
+
+   [1]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
+        (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
+        RFC 3757, May 2004.
+
+   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 26]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+        March 2005.
+
+8.2.  Informative References
+
+   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+         Levels", BCP 14, RFC 2119, March 1997.
+
+   [4]   Eastlake, D., "Secure Domain Name System Dynamic Update",
+         RFC 2137, April 1997.
+
+   [5]   Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+         RFC 2308, March 1998.
+
+   [6]   Eastlake, D., "DNS Security Operational Considerations",
+         RFC 2541, March 1999.
+
+   [7]   Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
+         RFC 3658, December 2003.
+
+   [8]   Orman, H. and P. Hoffman, "Determining Strengths For Public
+         Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
+         April 2004.
+
+   [9]   Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+         Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+   [10]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+         Mapping for the Extensible  Provisioning Protocol (EPP)",
+         draft-hollenbeck-epp-secdns-07 (work in progress), March 2005.
+
+   [11]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
+         Sizes", The Journal of Cryptology 14 (255-293), 2001.
+
+   [12]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
+         Source Code in C", 1996.
+
+   [13]  Rose, S., "NIST DNSSEC workshop notes", June 2001.
+
+   [14]  Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
+         Records in DNSSEC", draft-ietf-dnsext-dnssec-rsasha256-00.txt
+         (work in progress), January 2006.
+
+   [15]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+         Resource Records (RRs)", draft-ietf-dnsext-ds-sha256-04.txt
+         (work in progress), January 2006.
+
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 27]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+Appendix A.  Terminology
+
+   In this document there is some jargon used that is defined in other
+   documents.  In most cases we have not copied the text from the
+   documents defining the terms but given a more elaborate explanation
+   of the meaning.  Note that these explanations should not be seen as
+   authoritative.
+
+   Anchored Key: A DNSKEY configured in resolvers around the globe.
+      This key is hard to update, hence the term anchored.
+   Bogus: Also see Section 5 of [2].  An RRSet in DNSSEC is marked
+      "Bogus" when a signature of a RRSet does not validate against a
+      DNSKEY.
+   Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
+      exclusively for signing the apex key set.  The fact that a key is
+      a KSK is only relevant to the signing tool.
+   Key size: The term 'key size' can be substituted by 'modulus size'
+      throughout the document.  It is mathematical more correct to use
+      modulus size, but as this is a document directed at operators we
+      feel more at ease with the term key size.
+   Private and Public Keys: DNSSEC secures the DNS through the use of
+      public key cryptography.  Public key cryptography is based on the
+      existence of two (mathematical related) keys, a public key and a
+      private key.  The public keys are published in the DNS by use of
+      the DNSKEY Resource Record (DNSKEY RR).  Private keys should
+      remain private.
+   Key Rollover: A key rollover (also called key supercession in some
+      environments) is the act of replacing one key pair by another at
+      the end of a key effectivity period.
+   Secure Entry Point key or SEP Key: A KSK that has a parental DS
+      record pointing to it or is configured as a trust anchor.
+      Although not required by the protocol we recommend that the SEP
+      flag [1] is set on these keys.
+   Self-signature: This is only applies to signatures over DNSKEYs; a
+      signature made with DNSKEY x, over DNSKEY x is called a self-
+      signature.  Note: without further information self-signatures
+      convey no trust, they are usefull to check the authenticity of the
+      DNSKEY, i.e. they can be used as a hash.
+   Singing the Zone File: The term used for the event where an
+      administrator joyfully signs its zone file while producing melodic
+      sound patterns.
+   Signer: The system that has access to the private key material and
+      signs the Resource Record sets in a zone.  A signer may be
+      configured to sign only parts of the zone e.g. only those RRSets
+      for which existing signatures are about to expire.
+
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 28]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   Zone Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
+      used for signing all data in a zone.  The fact that a key is a ZSK
+      is only relevant to the signing tool.
+   Zone Administrator: The 'role' that is responsible for signing a zone
+      and publishing it on the primary authoritative server.
+
+
+Appendix B.  Zone signing Key Rollover Howto
+
+   Using the pre-published signature scheme and the most conservative
+   method to assure oneself that data does not live in caches, here
+   follows the "HOWTO".
+   Step 0: The preparation: Create two keys and publish both in your key
+      set.  Mark one of the keys as "active" and the other as
+      "published".  Use the "active" key for signing your zone data.
+      Store the private part of the "published" key, preferably off-
+      line.
+      The protocol does not provide for attributes to mark a key as
+      active or published.  This is something you have to do on your
+      own, through the use of a notebook or key management tool.
+   Step 1: Determine expiration: At the beginning of the rollover make a
+      note of the highest expiration time of signatures in your zone
+      file created with the current key marked as "active".
+      Wait until the expiration time marked in Step 1 has passed
+   Step 2: Then start using the key that was marked as "published" to
+      sign your data i.e. mark it as "active".  Stop using the key that
+      was marked as "active", mark it as "rolled".
+   Step 3: It is safe to engage in a new rollover (Step 1) after at
+      least one "signature validity period".
+
+
+Appendix C.  Typographic Conventions
+
+   The following typographic conventions are used in this document:
+   Key notation: A key is denoted by DNSKEYx, where x is a number or an
+      identifier, x could be thought of as the key id.
+   RRSet notations: RRs are only denoted by the type.  All other
+      information - owner, class, rdata and TTL - is left out.  Thus:
+      "example.com 3600 IN A 192.0.2.1" is reduced to "A".  RRSets are a
+      list of RRs.  A example of this would be: "A1, A2", specifying the
+      RRSet containing two "A" records.  This could again be abbreviated
+      to just "A".
+   Signature notation: Signatures are denoted as RRSIGx(RRSet), which
+      means that RRSet is signed with DNSKEYx.
+
+
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 29]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+   Zone representation: Using the above notation we have simplified the
+      representation of a signed zone by leaving out all unnecessary
+      details such as the names and by representing all data by "SOAx"
+   SOA representation: SOAs are represented as SOAx, where x is the
+      serial number.
+   Using this notation the following signed zone:
+
+
+   example.net.      86400  IN SOA  ns.example.net. bert.example.net. (
+                            2006022100   ; serial
+                            86400        ; refresh (  24 hours)
+                            7200         ; retry   (   2 hours)
+                            3600000      ; expire  (1000 hours)
+                            28800 )      ; minimum (   8 hours)
+                     86400  RRSIG   SOA 5 2 86400 20130522213204 (
+                                  20130422213204 14 example.net.
+                                  cmL62SI6iAX46xGNQAdQ... )
+                     86400  NS      a.iana-servers.net.
+                     86400  NS      b.iana-servers.net.
+                     86400  RRSIG   NS 5 2 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  SO5epiJei19AjXoUpFnQ ... )
+                     86400  DNSKEY  256 3 5 (
+                                  EtRB9MP5/AvOuVO0I8XDxy0... )
+                                    ; key id = 14
+                     86400  DNSKEY  257 3 5 (
+                                  gsPW/Yy19GzYIY+Gnr8HABU... )
+                                    ; key id = 15
+                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
+                                  20130422213204 14 example.net.
+                                  J4zCe8QX4tXVGjV4e1r9... )
+                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
+                                  20130422213204 15 example.net.
+                                  keVDCOpsSeDReyV6O... )
+                     86400  RRSIG   NSEC 5 2 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  obj3HEp1GjnmhRjX... )
+   a.example.net.    86400  IN TXT  "A label"
+                     86400  RRSIG   TXT 5 3 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  IkDMlRdYLmXH7QJnuF3v... )
+                     86400  NSEC    b.example.com. TXT RRSIG NSEC
+                     86400  RRSIG   NSEC 5 3 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  bZMjoZ3bHjnEz0nIsPMM... )
+                     ...
+
+   is reduced to the following representation:
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 30]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+       SOA2006022100
+       RRSIG14(SOA2006022100)
+
+       DNSKEY14
+       DNSKEY15
+
+       RRSIG14(KEY)
+       RRSIG15(KEY)
+
+   The rest of the zone data has the same signature as the SOA record,
+   i.e a RRSIG created with DNSKEY 14.
+
+
+Appendix D.  Document Details and Changes
+
+   This section is to be removed by the RFC editor if and when the
+   document is published.
+
+   $Id: draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.31.2.14
+   2005/03/21 15:51:41 dnssec Exp $
+
+D.1.  draft-ietf-dnsop-dnssec-operational-practices-00
+
+   Submission as working group document.  This document is a modified
+   and updated version of draft-kolkman-dnssec-operational-practices-00.
+
+D.2.  draft-ietf-dnsop-dnssec-operational-practices-01
+
+   changed the definition of "Bogus" to reflect the one in the protocol
+   draft.
+
+   Bad to Bogus
+
+   Style and spelling corrections
+
+   KSK - SEP mapping made explicit.
+
+   Updates from Sam Weiler added
+
+D.3.  draft-ietf-dnsop-dnssec-operational-practices-02
+
+   Style and errors corrected.
+
+   Added Automatic rollover requirements from I-D.ietf-dnsop-key-
+   rollover-requirements.
+
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 31]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+D.4.  draft-ietf-dnsop-dnssec-operational-practices-03
+
+   Added the definition of Key effectivity period and used that term
+   instead of Key validity period.
+
+   Modified the order of the sections, based on a suggestion by Rip
+   Loomis.
+
+   Included parts from RFC2541 [6].  Most of its ground was already
+   covered.  This document obsoletes RFC2541 [6].  Section 3.1.2
+   deserves some review as it in contrast to RFC2541 does _not_ give
+   recomendations about root-zone keys.
+
+   added a paragraph to Section 4.4.4
+
+D.5.  draft-ietf-dnsop-dnssec-operational-practices-04
+
+   Somewhat more details added about the pre-publish KSK rollover.  Also
+   moved that subsection down a bit.
+
+   Editorial and content nits that came in during wg last call were
+   fixed.
+
+D.6.  draft-ietf-dnsop-dnssec-operational-practices-05
+
+   Applied some another set of comments that came in _after_ the the
+   WGLC.
+
+   Applied comments from Hilarie Orman and made a referece to RFC 3766.
+   Deleted of a lot of key length discussion and took over the
+   recommendations from RFC 3766.
+
+   Reworked all the heading of the rollover figures
+
+D.7.  draft-ietf-dnsop-dnssec-operational-practices-06
+
+   One comment from Scott Rose applied.
+
+   Marcos Sanz gave a lots of editorial nits.  Almost all are
+   incorporated.
+
+D.8.  draft-ietf-dnsop-dnssec-operational-practices-07
+
+   Peter Koch's comments applied.
+
+   SHA-1/SHA-256 remarks added
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 32]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+Authors' Addresses
+
+   Olaf M. Kolkman
+   NLnet Labs
+   Kruislaan 419
+   Amsterdam  1098 VA
+   The Netherlands
+
+   Email: olaf@nlnetlabs.nl
+   URI:   http://www.nlnetlabs.nl
+
+
+   Miek Gieben
+   NLnet Labs
+   Kruislaan 419
+   Amsterdam  1098 VA
+   The Netherlands
+
+   Email: miek@nlnetlabs.nl
+   URI:   http://www.nlnetlabs.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 33]
+
+Internet-Draft        DNSSEC Operational Practices         February 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Kolkman & Gieben         Expires August 25, 2006               [Page 34]
+

From 68ef9fdc82edfbeec5ab00c819f5c707e90e8b43 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 23 Feb 2006 23:17:06 +0000
Subject: [PATCH 040/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 60b7de26de..6f1038520f 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -68,6 +68,7 @@ rt15844				new
 rt15849				new	
 rt15855				new	
 rt15860				new	
+rt15878				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	

From 26f2eecc4833c6f2965b011423040eef44386ec1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 23 Feb 2006 23:30:03 +0000
Subject: [PATCH 041/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 960957832d..10dd171f45 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2,8 +2,8 @@
 ./CHANGES					X	2000,2001,2005,2006
 ./COPYRIGHT					TXT	1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./EXCLUDED					X	2001,2002,2003
-./FAQ						X	2000,2001,2002,2003,2004,2005
-./FAQ.xml					SGML	2000,2001,2002,2003,2004,2005
+./FAQ						X	2000,2001,2002,2003,2004,2005,2006
+./FAQ.xml					SGML	2000,2001,2002,2003,2004,2005,2006
 ./Makefile.in					MAKE	1998,1999,2000,2001,2003,2004
 ./README					X	1999,2000,2001,2005,2006
 ./acconfig.h					C	1999,2000,2001,2003,2004

From eae67738cba5ca069e9d1d4e7b836a2f7b00a374 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 23 Feb 2006 23:30:22 +0000
Subject: [PATCH 042/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index cfb56ea214..daa9fd5ada 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1,8 +1,8 @@
 ./.cvsignore					X	1999,2000,2001
 ./CHANGES					X	2000,2001,2005,2006
 ./COPYRIGHT					TXT	1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
-./FAQ						X	2000,2001,2002,2003,2004,2005
-./FAQ.xml					SGML	2000,2001,2002,2003,2004,2005
+./FAQ						X	2000,2001,2002,2003,2004,2005,2006
+./FAQ.xml					SGML	2000,2001,2002,2003,2004,2005,2006
 ./Makefile.in					MAKE	1998,1999,2000,2001,2002,2004,2005
 ./README					X	1999,2000,2001,2005,2006
 ./README.idnkit					X	2005

From 472ce617b7c19ae38dfaa2fc9e8699e3bf9be4a8 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 24 Feb 2006 00:03:15 +0000
Subject: [PATCH 043/465] 1988.   [bug]           Remove a bus error from the
 SHA256/SHA512 support.                         [RT #15878]

---
 CHANGES                    |  3 +++
 lib/isc/include/isc/sha2.h |  8 +++++++-
 lib/isc/sha2.c             | 20 +++++++++++++-------
 3 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index bc5e58647d..50b5c5e5ee 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
+			[RT #15878]
+
 1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
 
 1986.	[func]		Report when a zone is removed. [RT #15849]
diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h
index d84d7a060d..511d75ce01 100644
--- a/lib/isc/include/isc/sha2.h
+++ b/lib/isc/include/isc/sha2.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.h,v 1.5 2006/01/31 23:01:23 marka Exp $ */
+/* $Id: sha2.h,v 1.6 2006/02/24 00:03:15 marka Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $	*/
 /*	$KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $	*/
@@ -79,12 +79,18 @@ ISC_LANG_BEGINDECLS
 
 /*** SHA-256/384/512 Context Structures *******************************/
 
+/*
+ * Keep buffer immediately after bitcount to preserve alignment.
+ */
 typedef struct {
 	isc_uint32_t	state[8];
 	isc_uint64_t	bitcount;
 	isc_uint8_t	buffer[ISC_SHA256_BLOCK_LENGTH];
 } isc_sha256_t;
 
+/*
+ * Keep buffer immediately after bitcount to preserve alignment.
+ */
 typedef struct {
 	isc_uint64_t	state[8];
 	isc_uint64_t	bitcount[2];
diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c
index b0046836ca..c05844f4ac 100644
--- a/lib/isc/sha2.c
+++ b/lib/isc/sha2.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.c,v 1.7 2006/01/31 23:01:23 marka Exp $ */
+/* $Id: sha2.c,v 1.8 2006/02/24 00:03:15 marka Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $	*/
 /*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
@@ -592,7 +592,8 @@ isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
 			context->bitcount += freespace << 3;
 			len -= freespace;
 			data += freespace;
-			isc_sha256_transform(context, (isc_uint32_t*)context->buffer);
+			isc_sha256_transform(context,
+					     (isc_uint32_t*)context->buffer);
 		} else {
 			/* The buffer is not yet full */
 			memcpy(&context->buffer[usedspace], data, len);
@@ -604,7 +605,8 @@ isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
 	}
 	while (len >= ISC_SHA256_BLOCK_LENGTH) {
 		/* Process as many complete blocks as we can */
-		isc_sha256_transform(context, (const isc_uint32_t*)data);
+		memcpy(context->buffer, data, ISC_SHA256_BLOCK_LENGTH);
+		isc_sha256_transform(context, (isc_uint32_t*)context->buffer);
 		context->bitcount += ISC_SHA256_BLOCK_LENGTH << 3;
 		len -= ISC_SHA256_BLOCK_LENGTH;
 		data += ISC_SHA256_BLOCK_LENGTH;
@@ -648,7 +650,8 @@ isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
 					       usedspace);
 				}
 				/* Do second-to-last transform: */
-				isc_sha256_transform(context, (isc_uint32_t*)context->buffer);
+				isc_sha256_transform(context,
+					       (isc_uint32_t*)context->buffer);
 
 				/* And set-up for the last transform: */
 				memset(context->buffer, 0,
@@ -926,7 +929,8 @@ void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t le
 			ADDINC128(context->bitcount, freespace << 3);
 			len -= freespace;
 			data += freespace;
-			isc_sha512_transform(context, (isc_uint64_t*)context->buffer);
+			isc_sha512_transform(context,
+					     (isc_uint64_t*)context->buffer);
 		} else {
 			/* The buffer is not yet full */
 			memcpy(&context->buffer[usedspace], data, len);
@@ -938,7 +942,8 @@ void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t le
 	}
 	while (len >= ISC_SHA512_BLOCK_LENGTH) {
 		/* Process as many complete blocks as we can */
-		isc_sha512_transform(context, (const isc_uint64_t*)data);
+		memcpy(context->buffer, data, ISC_SHA512_BLOCK_LENGTH);
+		isc_sha512_transform(context, (isc_uint64_t*)context->buffer);
 		ADDINC128(context->bitcount, ISC_SHA512_BLOCK_LENGTH << 3);
 		len -= ISC_SHA512_BLOCK_LENGTH;
 		data += ISC_SHA512_BLOCK_LENGTH;
@@ -975,7 +980,8 @@ void isc_sha512_last(isc_sha512_t *context) {
 				       ISC_SHA512_BLOCK_LENGTH - usedspace);
 			}
 			/* Do second-to-last transform: */
-			isc_sha512_transform(context, (isc_uint64_t*)context->buffer);
+			isc_sha512_transform(context,
+					    (isc_uint64_t*)context->buffer);
 
 			/* And set-up for the last transform: */
 			memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH - 2);

From 4f54d095945d6f60f146112d37d31815ad73eb02 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 24 Feb 2006 03:47:22 +0000
Subject: [PATCH 044/465] 1989.   [bug]           win32: don't check the
 service password when                         re-installing. [RT #15882]

---
 CHANGES                                  |  3 +++
 bin/win32/BINDInstall/BINDInstallDlg.cpp | 24 +++++++++++++-----------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index 50b5c5e5ee..77ed0de85e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1989.	[bug]		win32: don't check the service password when
+			re-installing. [RT #15882]
+
 1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
 			[RT #15878]
 
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index 0b44c2ee15..5bc27d8ba3 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: BINDInstallDlg.cpp,v 1.21 2005/10/11 22:54:45 marka Exp $ */
+/* $Id: BINDInstallDlg.cpp,v 1.22 2006/02/24 03:47:22 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
@@ -416,27 +416,29 @@ void CBINDInstallDlg::OnInstall() {
 		return;
 	}
 	
-	/*
-	 * Check that the Password is not null.
-	 */
-	if (m_accountPassword.GetLength() == 0) {
-		MsgBox(IDS_ERR_NULLPASSWORD);
-		return;
-	}
-
 	/*
 	 * Check the entered account name.
 	 */
 	if (ValidateServiceAccount() == FALSE)
 		return;
 
-
 	/*
 	 * For Registration we need to know if account was changed.
 	 */
-	if(m_accountName != m_currentAccount)
+	if (m_accountName != m_currentAccount)
 		m_accountUsed = FALSE;
 
+	if (m_accountUsed == FALSE && m_serviceExists == FALSE)
+	{
+	/*
+	 * Check that the Password is not null.
+	 */
+		if (m_accountPassword.GetLength() == 0) {
+			MsgBox(IDS_ERR_NULLPASSWORD);
+			return;
+		}
+	}
+
 	/* Directories */
 	m_etcDir = m_targetDir + "\\etc";
 	m_binDir = m_targetDir + "\\bin";

From 113aa279d1f5dbe77dfaa5a7f35623d49c85b77f Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 24 Feb 2006 23:30:26 +0000
Subject: [PATCH 045/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index daa9fd5ada..e69d78c15e 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -808,7 +808,7 @@
 ./bin/win32/BINDInstall/BINDInstall.h		C.PORTION	2001,2004
 ./bin/win32/BINDInstall/BINDInstall.mak		X	2001
 ./bin/win32/BINDInstall/BINDInstall.rc		X	2001,2005
-./bin/win32/BINDInstall/BINDInstallDlg.cpp	C.PORTION	2001,2003,2004,2005
+./bin/win32/BINDInstall/BINDInstallDlg.cpp	C.PORTION	2001,2003,2004,2005,2006
 ./bin/win32/BINDInstall/BINDInstallDlg.h	C.PORTION	2001,2004
 ./bin/win32/BINDInstall/DirBrowse.cpp		C.PORTION	2001,2004
 ./bin/win32/BINDInstall/DirBrowse.h		C.PORTION	2001,2004

From 69f56d4ef26da3898498a0d6ef04d92a28c2ebb2 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 26 Feb 2006 22:28:22 +0000
Subject: [PATCH 046/465] remove redundant memset

---
 lib/isc/hmacmd5.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
index bf611a01e6..2f21a36dd1 100644
--- a/lib/isc/hmacmd5.c
+++ b/lib/isc/hmacmd5.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.c,v 1.11 2006/01/27 23:57:46 marka Exp $ */
+/* $Id: hmacmd5.c,v 1.12 2006/02/26 22:28:22 marka Exp $ */
 
 /*! \file
  * This code implements the HMAC-MD5 keyed hash algorithm
@@ -65,7 +65,6 @@ void
 isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
 	isc_md5_invalidate(&ctx->md5ctx);
 	memset(ctx->key, 0, sizeof(ctx->key));
-	memset(ctx, 0, sizeof(ctx));
 }
 
 /*!

From 6c4435e3eec4421c0e6b3250cf97db65f788b7d9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 26 Feb 2006 22:28:38 +0000
Subject: [PATCH 047/465] update copyright notice

---
 bin/win32/BINDInstall/BINDInstallDlg.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index 5bc27d8ba3..7f20277ce5 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: BINDInstallDlg.cpp,v 1.22 2006/02/24 03:47:22 marka Exp $ */
+/* $Id: BINDInstallDlg.cpp,v 1.23 2006/02/26 22:28:38 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation

From e86581466652132f069eae8d1c5427d59e50602d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 26 Feb 2006 22:34:05 +0000
Subject: [PATCH 048/465] remove redundant memset

---
 lib/isc/hmacmd5.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
index 42dc6435ac..8acd717565 100644
--- a/lib/isc/hmacmd5.c
+++ b/lib/isc/hmacmd5.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.c,v 1.5.2.1 2004/03/09 06:11:46 marka Exp $ */
+/* $Id: hmacmd5.c,v 1.5.2.2 2006/02/26 22:34:05 marka Exp $ */
 
 /*
  * This code implements the HMAC-MD5 keyed hash algorithm
@@ -65,7 +65,6 @@ void
 isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
 	isc_md5_invalidate(&ctx->md5ctx);
 	memset(ctx->key, 0, sizeof (ctx->key));
-	memset(ctx, 0, sizeof (ctx));
 }
 
 /*

From 95b484c9580d06eb2f9735a22e9841389c2859ba Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 26 Feb 2006 22:57:18 +0000
Subject: [PATCH 049/465] fix minor typos

---
 CHANGES                          | 8 ++++----
 bin/named/server.c               | 4 ++--
 bin/tests/compress_test.c        | 4 ++--
 bin/tests/rdata_test.c           | 8 ++++----
 bin/tests/system/dnssec/tests.sh | 4 ++--
 configure                        | 8 ++++----
 configure.in                     | 4 ++--
 doc/arm/Bv9ARM-book.xml          | 6 +++---
 lib/bind/configure               | 2 +-
 lib/bind/irs/irp.c               | 4 ++--
 lib/dns/validator.c              | 4 ++--
 libtool.m4                       | 2 +-
 12 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/CHANGES b/CHANGES
index 77ed0de85e..06a25e348e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -141,7 +141,7 @@
 			when using forwarders. [RT #15549]
 
 1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is nolonger recommended.
-			To generate a RSAMD5 key you must explictly request
+			To generate a RSAMD5 key you must explicitly request
 			RSAMD5. [RT #13780]
 			
 1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
@@ -1714,8 +1714,8 @@
 
 1414.	[func]		Support for KSK flag.
 
-1413.	[func]		Explictly request the (re-)generation of DS records from
-			keysets (dnssec-signzone -g).
+1413.	[func]		Explicitly request the (re-)generation of DS records
+			from keysets (dnssec-signzone -g).
 
 1412.	[func]		You can now specify servers to be tried if a nameserver
 			has IPv6 address and you only support IPv4 or the
@@ -5964,7 +5964,7 @@
 			, ,  or
 			.
 
- 119.	[cleanup]	structure definitions for generic rdata stuctures do
+ 119.	[cleanup]	structure definitions for generic rdata structures do
 			not have _generic_ in their names.
 
  118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
diff --git a/bin/named/server.c b/bin/named/server.c
index 43ab0dcdf9..a78b07951b 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.457 2006/02/21 23:12:27 marka Exp $ */
+/* $Id: server.c,v 1.458 2006/02/26 22:54:46 marka Exp $ */
 
 /*! \file */
 
@@ -622,7 +622,7 @@ configure_order(dns_order_t *order, cfg_obj_t *ent) {
 	/*
 	 * "*" should match everything including the root (BIND 8 compat).
 	 * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
-	 * explict entry for "." when the name is "*".
+	 * explicit entry for "." when the name is "*".
 	 */
 	if (addroot) {
 		result = dns_order_add(order, dns_rootname,
diff --git a/bin/tests/compress_test.c b/bin/tests/compress_test.c
index 3f1b4f4f7e..587f66a625 100644
--- a/bin/tests/compress_test.c
+++ b/bin/tests/compress_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress_test.c,v 1.29 2005/04/29 00:22:38 marka Exp $ */
+/* $Id: compress_test.c,v 1.30 2006/02/26 22:54:46 marka Exp $ */
 
 /*! \file */
 
@@ -133,7 +133,7 @@ test(unsigned int allowed, dns_name_t *name1, dns_name_t *name2,
 		case DNS_COMPRESS_NONE: s = "DNS_COMPRESS_NONE"; break;
 		case DNS_COMPRESS_GLOBAL14: s = "DNS_COMPRESS_GLOBAL14"; break;
 		/* case DNS_COMPRESS_ALL: s = "DNS_COMPRESS_ALL"; break; */
-		default: s = "UNKOWN"; break;
+		default: s = "UNKNOWN"; break;
 		}
 		fprintf(stdout, "Allowed = %s\n", s);
 	}
diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
index 37256dadde..e95894e4e0 100644
--- a/bin/tests/rdata_test.c
+++ b/bin/tests/rdata_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata_test.c,v 1.44 2005/07/14 06:46:44 marka Exp $ */
+/* $Id: rdata_test.c,v 1.45 2006/02/26 22:54:46 marka Exp $ */
 
 #include 
 
@@ -309,7 +309,7 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		break;
 	}
 	if (result != ISC_R_SUCCESS)
-		fprintf(stdout, "viastruct: tostuct %d %d return %s\n",
+		fprintf(stdout, "viastruct: tostruct %d %d return %s\n",
 			rdata->type, rdata->rdclass,
 			dns_result_totext(result));
 	else
@@ -571,7 +571,7 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		break;
 	}
 	if (result != ISC_R_SUCCESS)
-		fprintf(stdout, "viastruct: tostuct %d %d return %s\n",
+		fprintf(stdout, "viastruct: tostruct %d %d return %s\n",
 			rdata->type, rdata->rdclass,
 			dns_result_totext(result));
 	else {
@@ -582,7 +582,7 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		result = dns_rdata_fromstruct(rdata2, rdc, rdt, sp, b);
 		if (result != ISC_R_SUCCESS)
 			fprintf(stdout,
-				"viastruct: fromstuct %d %d return %s\n",
+				"viastruct: fromstruct %d %d return %s\n",
 				rdata->type, rdata->rdclass,
 				dns_result_totext(result));
 		else if (rdata->length != rdata2->length ||
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index db78ff8c42..0a708e3fc5 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.47 2005/09/06 03:51:34 marka Exp $
+# $Id: tests.sh,v 1.48 2006/02/26 22:54:46 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -428,7 +428,7 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
-echo "I:checking privately secure wilcard to nxdomain works ($n)"
+echo "I:checking privately secure wildcard to nxdomain works ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \
 	> dig.out.ns2.test$n || ret=1
diff --git a/configure b/configure
index 4a12f43c4b..ea0f9938df 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.389 2006/02/02 23:07:53 marka Exp $
+# $Id: configure,v 1.390 2006/02/26 22:57:17 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.401 .
+# From configure.in Revision: 1.402 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -12919,7 +12919,7 @@ echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
 fi
 
 
-# Report which librarie types wil actually be built
+# Report which libraries types will actually be built
 echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
 echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
 echo "$as_me:$LINENO: result: $can_build_shared" >&5
@@ -27279,7 +27279,7 @@ fi
 esac
 
 #
-# Some hosts need msg_namelen to match the size of the socket stucture.
+# Some hosts need msg_namelen to match the size of the socket structure.
 # Some hosts don't set msg_namelen appropriately on return from recvmsg().
 #
 case $host in
diff --git a/configure.in b/configure.in
index 1920ccadbf..fdc2d316fc 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.401 $)
+AC_REVISION($Revision: 1.402 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -1781,7 +1781,7 @@ case "$host" in
 esac
 
 #
-# Some hosts need msg_namelen to match the size of the socket stucture.
+# Some hosts need msg_namelen to match the size of the socket structure.
 # Some hosts don't set msg_namelen appropriately on return from recvmsg().
 #
 case $host in
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index a2310f16ac..8f44de9b72 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -7269,10 +7269,10 @@ query-source-v6 address * port *;
 	    If you are using the address ranges covered here you should
 	    already have reverse zones covering the addresses you use.
 	    In practice this appears to not be the case with many queries
-	    being made to the infrustucture servers for names in these
+	    being made to the infrustructure servers for names in these
 	    spaces.  So many in fact that sacrificial servers were needed
 	    to be deployed to channel the query load away from the
-	    infrustucture servers.
+	    infrustructure servers.
 	  
 	  
 	    The real parent servers for these zones should disable all
diff --git a/lib/bind/configure b/lib/bind/configure
index a9d0ab78d8..65bca20b04 100644
--- a/lib/bind/configure
+++ b/lib/bind/configure
@@ -12350,7 +12350,7 @@ echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
 fi
 
 
-# Report which librarie types wil actually be built
+# Report which libraries types will actually be built
 echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
 echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
 echo "$as_me:$LINENO: result: $can_build_shared" >&5
diff --git a/lib/bind/irs/irp.c b/lib/bind/irs/irp.c
index 15eb261b05..e4915aebd3 100644
--- a/lib/bind/irs/irp.c
+++ b/lib/bind/irs/irp.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp.c,v 1.7 2005/04/27 04:56:27 sra Exp $";
+static const char rcsid[] = "$Id: irp.c,v 1.8 2006/02/26 22:54:47 marka Exp $";
 #endif
 
 /* Imports */
@@ -504,7 +504,7 @@ irs_irp_get_full_response(struct irp_p *pvt, int *code, char *text,
  * int irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...);
  *
  *	Sends command to remote connected via the PVT
- *	struture. FMT and args after it are fprintf-like
+ *	structure. FMT and args after it are fprintf-like
  *	arguments for formatting.
  *
  * Returns:
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index f2ae4cfe6a..d21abb5376 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.142 2006/02/22 01:55:10 marka Exp $ */
+/* $Id: validator.c,v 1.143 2006/02/26 22:54:47 marka Exp $ */
 
 /*! \file */
 
@@ -734,7 +734,7 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 					       wild, NULL);
 		if (result != ISC_R_SUCCESS) {
 			validator_log(val, ISC_LOG_DEBUG(3),
-				    "failure generating wilcard name");
+				    "failure generating wildcard name");
 			return (result);
 		}
 	}
diff --git a/libtool.m4 b/libtool.m4
index c3b71e8932..551ffd0d83 100644
--- a/libtool.m4
+++ b/libtool.m4
@@ -2557,7 +2557,7 @@ AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
 AC_LIBTOOL_SYS_LIB_STRIP
 AC_LIBTOOL_DLOPEN_SELF($1)
 
-# Report which librarie types wil actually be built
+# Report which libraries types will actually be built
 AC_MSG_CHECKING([if libtool supports shared libraries])
 AC_MSG_RESULT([$can_build_shared])
 

From 36775ac557a76e1eefaba12feef35817d8ceca26 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 26 Feb 2006 23:08:41 +0000
Subject: [PATCH 050/465] fix minor typos

---
 CHANGES                   | 2 +-
 bin/tests/compress_test.c | 4 ++--
 bin/tests/rdata_test.c    | 8 ++++----
 configure                 | 6 +++---
 configure.in              | 4 ++--
 lib/bind/irs/irp.c        | 4 ++--
 libtool.m4                | 2 +-
 7 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1859eab79d..739ab81066 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4717,7 +4717,7 @@
 			, ,  or
 			.
 
- 119.	[cleanup]	structure definitions for generic rdata stuctures do
+ 119.	[cleanup]	structure definitions for generic rdata structures do
 			not have _generic_ in their names.
 
  118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
diff --git a/bin/tests/compress_test.c b/bin/tests/compress_test.c
index 6f1f1994c9..2b7f39863a 100644
--- a/bin/tests/compress_test.c
+++ b/bin/tests/compress_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress_test.c,v 1.24.2.1 2004/03/09 06:09:30 marka Exp $ */
+/* $Id: compress_test.c,v 1.24.2.2 2006/02/26 23:07:35 marka Exp $ */
 
 #include 
 
@@ -131,7 +131,7 @@ test(unsigned int allowed, dns_name_t *name1, dns_name_t *name2,
 		case DNS_COMPRESS_NONE: s = "DNS_COMPRESS_NONE"; break;
 		case DNS_COMPRESS_GLOBAL14: s = "DNS_COMPRESS_GLOBAL14"; break;
 		/* case DNS_COMPRESS_ALL: s = "DNS_COMPRESS_ALL"; break; */
-		default: s = "UNKOWN"; break;
+		default: s = "UNKNOWN"; break;
 		}
 		fprintf(stdout, "Allowed = %s\n", s);
 	}
diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
index 13229de560..c529bfd731 100644
--- a/bin/tests/rdata_test.c
+++ b/bin/tests/rdata_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata_test.c,v 1.35.2.3 2005/03/17 03:59:31 marka Exp $ */
+/* $Id: rdata_test.c,v 1.35.2.4 2006/02/26 23:07:35 marka Exp $ */
 
 #include 
 
@@ -276,7 +276,7 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		break;
 	}
 	if (result != ISC_R_SUCCESS)
-		fprintf(stdout, "viastruct: tostuct %d %d return %s\n",
+		fprintf(stdout, "viastruct: tostruct %d %d return %s\n",
 			rdata->type, rdata->rdclass,
 			dns_result_totext(result));
 	else
@@ -505,7 +505,7 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		break;
 	}
 	if (result != ISC_R_SUCCESS)
-		fprintf(stdout, "viastruct: tostuct %d %d return %s\n",
+		fprintf(stdout, "viastruct: tostruct %d %d return %s\n",
 			rdata->type, rdata->rdclass,
 			dns_result_totext(result));
 	else {
@@ -516,7 +516,7 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		result = dns_rdata_fromstruct(rdata2, rdc, rdt, sp, b);
 		if (result != ISC_R_SUCCESS)
 			fprintf(stdout,
-				"viastruct: fromstuct %d %d return %s\n",
+				"viastruct: fromstruct %d %d return %s\n",
 				rdata->type, rdata->rdclass,
 				dns_result_totext(result));
 		else if (rdata->length != rdata2->length ||
diff --git a/configure b/configure
index d58e402d54..6253d4007e 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.294.2.58 .
+# From configure.in Revision: 1.294.2.59 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -12721,7 +12721,7 @@ echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
 fi
 
 
-# Report which librarie types wil actually be built
+# Report which libraries types will actually be built
 echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
 echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
 echo "$as_me:$LINENO: result: $can_build_shared" >&5
@@ -25813,7 +25813,7 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
 #
-# Some hosts need msg_namelen to match the size of the socket stucture.
+# Some hosts need msg_namelen to match the size of the socket structure.
 # Some hosts don't set msg_namelen appropriately on return from recvmsg().
 #
 case $host in
diff --git a/configure.in b/configure.in
index 0fd87385cb..64c4aac29a 100644
--- a/configure.in
+++ b/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.294.2.58 $)
+AC_REVISION($Revision: 1.294.2.59 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.13)
@@ -1554,7 +1554,7 @@ AC_MSG_RESULT(cannot determine type of rlim_cur when cross compiling - assuming
 AC_SUBST(ISC_PLATFORM_RLIMITTYPE)
 
 #
-# Some hosts need msg_namelen to match the size of the socket stucture.
+# Some hosts need msg_namelen to match the size of the socket structure.
 # Some hosts don't set msg_namelen appropriately on return from recvmsg().
 #
 case $host in
diff --git a/lib/bind/irs/irp.c b/lib/bind/irs/irp.c
index 9c73310684..433264ba0b 100644
--- a/lib/bind/irs/irp.c
+++ b/lib/bind/irs/irp.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp.c,v 1.3.2.3 2004/03/17 01:54:21 marka Exp $";
+static const char rcsid[] = "$Id: irp.c,v 1.3.2.4 2006/02/26 23:07:35 marka Exp $";
 #endif
 
 /* Imports */
@@ -517,7 +517,7 @@ irs_irp_get_full_response(struct irp_p *pvt, int *code, char *text,
  * int irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...);
  *
  *	Sends command to remote connected via the PVT
- *	struture. FMT and args after it are fprintf-like
+ *	structure. FMT and args after it are fprintf-like
  *	arguments for formatting.
  *
  * Returns:
diff --git a/libtool.m4 b/libtool.m4
index c3b71e8932..551ffd0d83 100644
--- a/libtool.m4
+++ b/libtool.m4
@@ -2557,7 +2557,7 @@ AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
 AC_LIBTOOL_SYS_LIB_STRIP
 AC_LIBTOOL_DLOPEN_SELF($1)
 
-# Report which librarie types wil actually be built
+# Report which libraries types will actually be built
 AC_MSG_CHECKING([if libtool supports shared libraries])
 AC_MSG_RESULT([$can_build_shared])
 

From 615ad124f8f81c76b19f03651f231809c74b313f Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 26 Feb 2006 23:30:03 +0000
Subject: [PATCH 051/465] newcopyrights

---
 util/copyrights | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 10dd171f45..b9010aab97 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -208,7 +208,7 @@
 ./bin/tests/byaddr_test.c			C	2000,2001,2004
 ./bin/tests/byname_test.c			C	2000,2001,2004,2005
 ./bin/tests/cfg_test.c				C	2001,2004
-./bin/tests/compress_test.c			C	1999,2000,2001,2004
+./bin/tests/compress_test.c			C	1999,2000,2001,2004,2006
 ./bin/tests/db/.cvsignore			X	1999,2000,2001
 ./bin/tests/db/Makefile.in			MAKE	1999,2000,2001,2004
 ./bin/tests/db/dns_db_class_1.data		X	1999,2000,2001
@@ -410,7 +410,7 @@
 ./bin/tests/rbt_test.c				C	1999,2000,2001,2004,2005
 ./bin/tests/rbt_test.out			X	1999,2000,2001
 ./bin/tests/rbt_test.txt			SH	1999,2000,2001,2003,2004
-./bin/tests/rdata_test.c			C	1998,1999,2000,2001,2004,2005
+./bin/tests/rdata_test.c			C	1998,1999,2000,2001,2004,2005,2006
 ./bin/tests/resolv.conf.sample			CONF-SH	2000,2001,2004
 ./bin/tests/rwlock_test.c			C	1998,1999,2000,2001,2004,2005
 ./bin/tests/serial_test.c			C	1999,2000,2001,2004
@@ -1261,7 +1261,7 @@
 ./lib/bind/irs/getservent_r.c			X	2001
 ./lib/bind/irs/hesiod.c				X	2001,2005
 ./lib/bind/irs/hesiod_p.h			X	2001
-./lib/bind/irs/irp.c				X	2001
+./lib/bind/irs/irp.c				X	2001,2006
 ./lib/bind/irs/irp_gr.c				X	2001
 ./lib/bind/irs/irp_ho.c				X	2001
 ./lib/bind/irs/irp_ng.c				X	2001
@@ -1828,7 +1828,7 @@
 ./lib/isc/hash.c				C	2003,2004,2006
 ./lib/isc/heap.c				C	1997,1998,1999,2000,2001,2004
 ./lib/isc/hex.c					C	2000,2001,2002,2004
-./lib/isc/hmacmd5.c				C	2000,2001,2004
+./lib/isc/hmacmd5.c				C	2000,2001,2004,2006
 ./lib/isc/include/.cvsignore			X	1999,2000,2001
 ./lib/isc/include/Makefile.in			MAKE	1998,1999,2000,2001,2004
 ./lib/isc/include/isc/.cvsignore		X	1999,2000,2001
@@ -2238,7 +2238,7 @@
 ./lib/win32/bindevt/bindevt.dsw			X	2001
 ./lib/win32/bindevt/bindevt.mak			X	2001
 ./lib/win32/bindevt/bindevt.mc			MC	2001,2004
-./libtool.m4					X	2000,2001
+./libtool.m4					X	2000,2001,2006
 ./ltmain.sh					X	1999,2000,2001
 ./make/.cvsignore				X	1999,2000,2001
 ./make/Makefile.in				MAKE	1998,1999,2000,2001,2004

From abf32d940f8f674b3971ef41b306a01b3da8d2cf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 26 Feb 2006 23:30:20 +0000
Subject: [PATCH 052/465] newcopyrights

---
 util/copyrights | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index e69d78c15e..e091a388a0 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -194,7 +194,7 @@
 ./bin/tests/byaddr_test.c			C	2000,2001,2002,2004,2005
 ./bin/tests/byname_test.c			C	2000,2001,2004,2005
 ./bin/tests/cfg_test.c				C	2001,2002,2004,2005
-./bin/tests/compress_test.c			C	1999,2000,2001,2004,2005
+./bin/tests/compress_test.c			C	1999,2000,2001,2004,2005,2006
 ./bin/tests/db/.cvsignore			X	1999,2000,2001
 ./bin/tests/db/Makefile.in			MAKE	1999,2000,2001,2002,2004
 ./bin/tests/db/dns_db_class_1.data		X	1999,2000,2001
@@ -394,7 +394,7 @@
 ./bin/tests/rbt_test.c				C	1999,2000,2001,2004,2005
 ./bin/tests/rbt_test.out			X	1999,2000,2001
 ./bin/tests/rbt_test.txt			SH	1999,2000,2001,2004
-./bin/tests/rdata_test.c			C	1998,1999,2000,2001,2002,2003,2004,2005
+./bin/tests/rdata_test.c			C	1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/tests/resolv.conf.sample			CONF-SH	2000,2001,2004
 ./bin/tests/rwlock_test.c			C	1998,1999,2000,2001,2004,2005
 ./bin/tests/serial_test.c			C	1999,2000,2001,2003,2004
@@ -505,7 +505,7 @@
 ./bin/tests/system/dnssec/ns6/named.conf	CONF-C	2004
 ./bin/tests/system/dnssec/prereq.sh		SH	2000,2001,2002,2004,2006
 ./bin/tests/system/dnssec/setup.sh		SH	2000,2001,2004
-./bin/tests/system/dnssec/tests.sh		SH	2000,2001,2002,2004,2005
+./bin/tests/system/dnssec/tests.sh		SH	2000,2001,2002,2004,2005,2006
 ./bin/tests/system/forward/clean.sh		SH	2000,2001,2004
 ./bin/tests/system/forward/ns1/.cvsignore	X	2000,2001
 ./bin/tests/system/forward/ns1/example.db	X	2000,2001
@@ -1258,7 +1258,7 @@
 ./lib/bind/bsd/utimes.c				X	2001,2005
 ./lib/bind/bsd/writev.c				X	2001,2005
 ./lib/bind/config.h.in				X	2001,2005
-./lib/bind/configure				X	2001,2005
+./lib/bind/configure				X	2001,2005,2006
 ./lib/bind/configure.in				SH	2001,2004,2005
 ./lib/bind/dst/.cvsignore			X	2001
 ./lib/bind/dst/Makefile.in			MAKE	2001,2004
@@ -1349,7 +1349,7 @@
 ./lib/bind/irs/getservent_r.c			X	2001,2005
 ./lib/bind/irs/hesiod.c				X	2001,2005
 ./lib/bind/irs/hesiod_p.h			X	2001,2005
-./lib/bind/irs/irp.c				X	2001,2005
+./lib/bind/irs/irp.c				X	2001,2005,2006
 ./lib/bind/irs/irp_gr.c				X	2001,2005
 ./lib/bind/irs/irp_ho.c				X	2001,2005
 ./lib/bind/irs/irp_ng.c				X	2001,2005
@@ -2410,7 +2410,7 @@
 ./lib/win32/bindevt/bindevt.dsw			X	2001
 ./lib/win32/bindevt/bindevt.mak			X	2001
 ./lib/win32/bindevt/bindevt.mc			MC	2001,2004
-./libtool.m4					X	2000,2001
+./libtool.m4					X	2000,2001,2006
 ./ltmain.sh					X	1999,2000,2001
 ./make/.cvsignore				X	1999,2000,2001
 ./make/Makefile.in				MAKE	1998,1999,2000,2001,2004

From 022d5f388ccf648aec870b7c872fcdff1e45ee15 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 26 Feb 2006 23:49:47 +0000
Subject: [PATCH 053/465] update copyright notice

---
 bin/tests/compress_test.c | 4 ++--
 bin/tests/rdata_test.c    | 4 ++--
 lib/isc/hmacmd5.c         | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/bin/tests/compress_test.c b/bin/tests/compress_test.c
index 2b7f39863a..5448f1d963 100644
--- a/bin/tests/compress_test.c
+++ b/bin/tests/compress_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress_test.c,v 1.24.2.2 2006/02/26 23:07:35 marka Exp $ */
+/* $Id: compress_test.c,v 1.24.2.3 2006/02/26 23:49:47 marka Exp $ */
 
 #include 
 
diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
index c529bfd731..1b877c361e 100644
--- a/bin/tests/rdata_test.c
+++ b/bin/tests/rdata_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata_test.c,v 1.35.2.4 2006/02/26 23:07:35 marka Exp $ */
+/* $Id: rdata_test.c,v 1.35.2.5 2006/02/26 23:49:47 marka Exp $ */
 
 #include 
 
diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
index 8acd717565..e6836f1db8 100644
--- a/lib/isc/hmacmd5.c
+++ b/lib/isc/hmacmd5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.c,v 1.5.2.2 2006/02/26 22:34:05 marka Exp $ */
+/* $Id: hmacmd5.c,v 1.5.2.3 2006/02/26 23:49:47 marka Exp $ */
 
 /*
  * This code implements the HMAC-MD5 keyed hash algorithm

From 8131d4ed6d6231ec8bc2940845d1b5282dc6c1ba Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 26 Feb 2006 23:49:50 +0000
Subject: [PATCH 054/465] update copyright notice

---
 bin/tests/compress_test.c        | 4 ++--
 bin/tests/rdata_test.c           | 4 ++--
 bin/tests/system/dnssec/tests.sh | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/bin/tests/compress_test.c b/bin/tests/compress_test.c
index 587f66a625..814094b488 100644
--- a/bin/tests/compress_test.c
+++ b/bin/tests/compress_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress_test.c,v 1.30 2006/02/26 22:54:46 marka Exp $ */
+/* $Id: compress_test.c,v 1.31 2006/02/26 23:49:50 marka Exp $ */
 
 /*! \file */
 
diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
index e95894e4e0..6b338db1ce 100644
--- a/bin/tests/rdata_test.c
+++ b/bin/tests/rdata_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata_test.c,v 1.45 2006/02/26 22:54:46 marka Exp $ */
+/* $Id: rdata_test.c,v 1.46 2006/02/26 23:49:50 marka Exp $ */
 
 #include 
 
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 0a708e3fc5..d48524718e 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.48 2006/02/26 22:54:46 marka Exp $
+# $Id: tests.sh,v 1.49 2006/02/26 23:49:50 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh

From 20cacd1459af74d1b4a10e274506562b230822e1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 27 Feb 2006 02:18:24 +0000
Subject: [PATCH 055/465] regen

---
 doc/arm/Bv9ARM.ch06.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 9e396ae0ab..0e95897b36 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -4057,10 +4057,10 @@ query-source-v6 address * port *;
             If you are using the address ranges covered here you should
             already have reverse zones covering the addresses you use.
             In practice this appears to not be the case with many queries
-            being made to the infrustucture servers for names in these
+            being made to the infrustructure servers for names in these
             spaces.  So many in fact that sacrificial servers were needed
             to be deployed to channel the query load away from the
-            infrustucture servers.
+            infrustructure servers.
           

 

 
Note


From 9af69f2d83d5ff0776f4ce6cb136c755266be903 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 27 Feb 2006 21:08:42 +0000
Subject: [PATCH 056/465] update entry

---
 FAQ     | 3 +++
 FAQ.xml | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/FAQ b/FAQ
index 4c4b7648f7..5c6a2a7368 100644
--- a/FAQ
+++ b/FAQ
@@ -54,6 +54,9 @@ A: Linux threads each show up as a process under ps. The approximate number of
    memory used is not cumulative; if each process is using 10M of memory, only a
    total of 10M is used.
 
+   Newer versions of Linux's ps command hide the individual threads and require -L
+   to display them.
+
 Q: Why does BIND 9 log "permission denied" errors accessing its configuration
    files or zones on my Linux system even though it is running as root?
 
diff --git a/FAQ.xml b/FAQ.xml
index 0826ead71e..221ef87707 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 

   Frequently Asked Questions about BIND 9
@@ -125,6 +125,10 @@ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
+	
+	  Newer versions of Linux's ps command hide the individual threads
+	  and require -L to display them.
+	
       
     
 

From 1547f4c84161f6ab0c300301ced8ecb9aabcc07c Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 27 Feb 2006 21:11:57 +0000
Subject: [PATCH 057/465] update entry

---
 FAQ     | 3 +++
 FAQ.xml | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/FAQ b/FAQ
index 4c4b7648f7..5c6a2a7368 100644
--- a/FAQ
+++ b/FAQ
@@ -54,6 +54,9 @@ A: Linux threads each show up as a process under ps. The approximate number of
    memory used is not cumulative; if each process is using 10M of memory, only a
    total of 10M is used.
 
+   Newer versions of Linux's ps command hide the individual threads and require -L
+   to display them.
+
 Q: Why does BIND 9 log "permission denied" errors accessing its configuration
    files or zones on my Linux system even though it is running as root?
 
diff --git a/FAQ.xml b/FAQ.xml
index 634cfe3845..d6196185d0 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 

   Frequently Asked Questions about BIND 9
@@ -125,6 +125,10 @@ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
+	
+	  Newer versions of Linux's ps command hide the individual threads
+	  and require -L to display them.
+	
       
     
 

From 886fff19f145c93c64967a87e1ff5a9ce18503a6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 27 Feb 2006 23:06:40 +0000
Subject: [PATCH 058/465] 4431:   The DNSSEC Lookaside Validation (DLV) DNS
 Resource Record

---
 doc/rfc/index       |   1 +
 doc/rfc/rfc4431.txt | 227 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 228 insertions(+)
 create mode 100644 doc/rfc/rfc4431.txt

diff --git a/doc/rfc/index b/doc/rfc/index
index fe97d27ce6..947827e59a 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -105,3 +105,4 @@
 4255:	Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
 4343:	Domain Name System (DNS) Case Insensitivity Clarification
 4367:	What's in a Name: False Assumptions about DNS Names
+4431:	The DNSSEC Lookaside Validation (DLV) DNS Resource Record
diff --git a/doc/rfc/rfc4431.txt b/doc/rfc/rfc4431.txt
new file mode 100644
index 0000000000..8b3887229c
--- /dev/null
+++ b/doc/rfc/rfc4431.txt
@@ -0,0 +1,227 @@
+
+
+
+
+
+
+Network Working Group                                         M. Andrews
+Request for Comments: 4431                   Internet Systems Consortium
+Category: Informational                                        S. Weiler
+                                                            SPARTA, Inc.
+                                                           February 2006
+
+
+       The DNSSEC Lookaside Validation (DLV) DNS Resource Record
+
+Status of This Memo
+
+   This memo provides information for the Internet community.  It does
+   not specify an Internet standard of any kind.  Distribution of this
+   memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document defines a new DNS resource record, called the DNSSEC
+   Lookaside Validation (DLV) RR, for publishing DNSSEC trust anchors
+   outside of the DNS delegation chain.
+
+1.  Introduction
+
+   DNSSEC [1] [2] [3] authenticates DNS data by building public-key
+   signature chains along the DNS delegation chain from a trust anchor,
+   ideally a trust anchor for the DNS root.
+
+   This document defines a new resource record for publishing such trust
+   anchors outside of the DNS's normal delegation chain.  Use of these
+   records by DNSSEC validators is outside the scope of this document,
+   but it is expected that these records will help resolvers validate
+   DNSSEC-signed data from zones whose ancestors either aren't signed or
+   refuse to publish delegation signer (DS) records for their children.
+
+2.  DLV Resource Record
+
+   The DLV resource record has exactly the same wire and presentation
+   formats as the DS resource record, defined in RFC 4034, Section 5.
+   It uses the same IANA-assigned values in the algorithm and digest
+   type fields as the DS record.  (Those IANA registries are known as
+   the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm
+   Numbers" registries.)
+
+
+
+
+
+Andrews & Weiler             Informational                      [Page 1]
+
+RFC 4431                  DLV Resource Record              February 2006
+
+
+   The DLV record is a normal DNS record type without any special
+   processing requirements.  In particular, the DLV record does not
+   inherit any of the special processing or handling requirements of the
+   DS record type (described in Section 3.1.4.1 of RFC 4035).  Unlike
+   the DS record, the DLV record may not appear on the parent's side of
+   a zone cut.  A DLV record may, however, appear at the apex of a zone.
+
+3.  Security Considerations
+
+   For authoritative servers and resolvers that do not attempt to use
+   DLV RRs as part of DNSSEC validation, there are no particular
+   security concerns -- DLV RRs are just like any other DNS data.
+
+   Software using DLV RRs as part of DNSSEC validation will almost
+   certainly want to impose constraints on their use, but those
+   constraints are best left to be described by the documents that more
+   fully describe the particulars of how the records are used.  At a
+   minimum, it would be unwise to use the records without some sort of
+   cryptographic authentication.  More likely than not, DNSSEC itself
+   will be used to authenticate the DLV RRs.  Depending on how a DLV RR
+   is used, failure to properly authenticate it could lead to
+   significant additional security problems including failure to detect
+   spoofed DNS data.
+
+   RFC 4034, Section 8, describes security considerations specific to
+   the DS RR.  Those considerations are equally applicable to DLV RRs.
+   Of particular note, the key tag field is used to help select DNSKEY
+   RRs efficiently, but it does not uniquely identify a single DNSKEY
+   RR.  It is possible for two distinct DNSKEY RRs to have the same
+   owner name, the same algorithm type, and the same key tag.  An
+   implementation that uses only the key tag to select a DNSKEY RR might
+   select the wrong public key in some circumstances.
+
+   For further discussion of the security implications of DNSSEC, see
+   RFC 4033, RFC 4034, and RFC 4035.
+
+4.  IANA Considerations
+
+   IANA has assigned DNS type code 32769 to the DLV resource record from
+   the Specification Required portion of the DNS Resource Record Type
+   registry, as defined in [4].
+
+   The DLV resource record reuses the same algorithm and digest type
+   registries already used for the DS resource record, currently known
+   as the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm
+   Numbers" registries.
+
+
+
+
+
+Andrews & Weiler             Informational                      [Page 2]
+
+RFC 4431                  DLV Resource Record              February 2006
+
+
+5.  Normative References
+
+   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+        March 2005.
+
+   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Resource Records for the DNS Security Extensions", RFC 4034,
+        March 2005.
+
+   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Protocol Modifications for the DNS Security Extensions",
+        RFC 4035, March 2005.
+
+   [4]  Eastlake, D., Brunner-Williams, E., and B. Manning, "Domain Name
+        System (DNS) IANA Considerations", BCP 42, RFC 2929,
+        September 2000.
+
+Authors' Addresses
+
+   Mark Andrews
+   Internet Systems Consortium
+   950 Charter St.
+   Redwood City, CA  94063
+   US
+
+   EMail: Mark_Andrews@isc.org
+
+
+   Samuel Weiler
+   SPARTA, Inc.
+   7075 Samuel Morse Drive
+   Columbia, Maryland  21046
+   US
+
+   EMail: weiler@tislabs.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Andrews & Weiler             Informational                      [Page 3]
+
+RFC 4431                  DLV Resource Record              February 2006
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Andrews & Weiler             Informational                      [Page 4]
+

From c4008fdd56a8045802ed125e40a06bf1df9b7fbe Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 27 Feb 2006 23:55:15 +0000
Subject: [PATCH 059/465] 1990.   [bug]           libbind:  isc's override of
 broken gettimeofday()                         implementions was not always
 effective.                         [RT #15709]

---
 CHANGES                  | 4 ++++
 lib/bind/port_after.h.in | 1 +
 2 files changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index 06a25e348e..303cc11103 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1990.	[bug]		libbind:  isc's override of broken gettimeofday()
+			implementions was not always effective.
+			[RT #15709]
+
 1989.	[bug]		win32: don't check the service password when
 			re-installing. [RT #15882]
 
diff --git a/lib/bind/port_after.h.in b/lib/bind/port_after.h.in
index 0c956b71ed..12d8d2bc34 100644
--- a/lib/bind/port_after.h.in
+++ b/lib/bind/port_after.h.in
@@ -5,6 +5,7 @@
 #include 
 #include 
 #include 
+#include 
 #if (!defined(BSD)) || (BSD < 199306)
 #include 
 #endif

From 36f9c51bda508a4b7afba4e14204193e4d673e23 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 28 Feb 2006 00:10:10 +0000
Subject: [PATCH 060/465] 1990.   [bug]           libbind:  isc's override of
 broken gettimeofday()                         implementions was not always
 effective.                         [RT #15709]

---
 CHANGES                  | 4 ++++
 lib/bind/port_after.h.in | 1 +
 2 files changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index 739ab81066..9e9a15f630 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1990.	[bug]		libbind:  isc's override of broken gettimeofday()
+			implementions was not always effective.
+			[RT #15709]
+
 1981.	[bug]		win32: condition.c:wait() could fail to reattain
 			the mutex lock.
 
diff --git a/lib/bind/port_after.h.in b/lib/bind/port_after.h.in
index 0c956b71ed..12d8d2bc34 100644
--- a/lib/bind/port_after.h.in
+++ b/lib/bind/port_after.h.in
@@ -5,6 +5,7 @@
 #include 
 #include 
 #include 
+#include 
 #if (!defined(BSD)) || (BSD < 199306)
 #include 
 #endif

From 45e1bd63587102c3bb361eaca42ee7b714fb3542 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 28 Feb 2006 02:39:52 +0000
Subject: [PATCH 061/465] 1991.   [cleanup]       The configuration data, once
 read, should be treated                         as readonly.  Expand the use
 of const to enforce this                         at compile time. [RT #15813]

---
 CHANGES                             |   4 +
 bin/check/named-checkconf.c         |  61 +++---
 bin/named/config.c                  |  70 +++----
 bin/named/controlconf.c             | 102 +++++-----
 bin/named/include/named/config.h    |  25 +--
 bin/named/include/named/control.h   |   4 +-
 bin/named/include/named/globals.h   |   4 +-
 bin/named/include/named/logconf.h   |   4 +-
 bin/named/include/named/lwresd.h    |   7 +-
 bin/named/include/named/server.h    |   4 +-
 bin/named/include/named/sortlist.h  |  13 +-
 bin/named/include/named/tkeyconf.h  |   6 +-
 bin/named/include/named/tsigconf.h  |   4 +-
 bin/named/include/named/zoneconf.h  |   9 +-
 bin/named/logconf.c                 |  52 ++---
 bin/named/lwdgabn.c                 |   4 +-
 bin/named/lwresd.c                  |  20 +-
 bin/named/query.c                   |  10 +-
 bin/named/server.c                  | 236 +++++++++++------------
 bin/named/sortlist.c                |  18 +-
 bin/named/tkeyconf.c                |   8 +-
 bin/named/tsigconf.c                |  20 +-
 bin/named/zoneconf.c                |  61 +++---
 bin/rndc/rndc.c                     |  32 ++--
 lib/bind9/check.c                   | 284 ++++++++++++++--------------
 lib/bind9/include/bind9/check.h     |   7 +-
 lib/dns/acl.c                       |  40 ++--
 lib/dns/compress.c                  |  10 +-
 lib/dns/include/dns/acl.h           |  36 ++--
 lib/dns/include/dns/compress.h      |   8 +-
 lib/dns/include/dns/message.h       |   6 +-
 lib/dns/include/dns/name.h          |  10 +-
 lib/dns/include/dns/peer.h          |   9 +-
 lib/dns/include/dns/rdataset.h      |  10 +-
 lib/dns/include/dns/types.h         |   4 +-
 lib/dns/include/dns/zone.h          |  28 +--
 lib/dns/message.c                   |   6 +-
 lib/dns/name.c                      |  12 +-
 lib/dns/peer.c                      |  12 +-
 lib/dns/rdataset.c                  |  14 +-
 lib/dns/zone.c                      |  30 +--
 lib/isc/include/isc/sockaddr.h      |  12 +-
 lib/isc/include/isc/symtab.h        |   3 +-
 lib/isc/sockaddr.c                  |  12 +-
 lib/isccfg/aclconf.c                |  24 +--
 lib/isccfg/include/isccfg/aclconf.h |   6 +-
 lib/isccfg/include/isccfg/cfg.h     |  71 +++----
 lib/isccfg/include/isccfg/grammar.h |  30 +--
 lib/isccfg/namedconf.c              |  16 +-
 lib/isccfg/parser.c                 | 122 ++++++------
 50 files changed, 832 insertions(+), 768 deletions(-)

diff --git a/CHANGES b/CHANGES
index 303cc11103..0d7d8fd621 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1991.	[cleanup]	The configuration data, once read, should be treated
+			as readonly.  Expand the use of const to enforce this
+			at compile time. [RT #15813]
+
 1990.	[bug]		libbind:  isc's override of broken gettimeofday()
 			implementions was not always effective.
 			[RT #15709]
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index b0eb11e705..be834bcb79 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.41 2006/01/07 00:23:35 marka Exp $ */
+/* $Id: named-checkconf.c,v 1.42 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -66,7 +66,7 @@ usage(void) {
 
 /*% directory callback */
 static isc_result_t
-directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
+directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
 	const char *directory;
 
@@ -91,7 +91,7 @@ directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
 }
 
 static isc_boolean_t
-get_maps(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
+get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
 	int i;
 	for (i = 0;; i++) {
 		if (maps[i] == NULL)
@@ -102,11 +102,11 @@ get_maps(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
 }
 
 static isc_boolean_t
-get_checknames(cfg_obj_t **maps, cfg_obj_t **obj) {
-	cfg_listelt_t *element;
-	cfg_obj_t *checknames;
-	cfg_obj_t *type;
-	cfg_obj_t *value;
+get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *checknames;
+	const cfg_obj_t *type;
+	const cfg_obj_t *value;
 	isc_result_t result;
 	int i;
 
@@ -135,7 +135,7 @@ get_checknames(cfg_obj_t **maps, cfg_obj_t **obj) {
 }
 
 static isc_result_t
-config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
+config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
 	int i;
 
 	for (i = 0;; i++) {
@@ -148,22 +148,23 @@ config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
 
 /*% configure the zone */
 static isc_result_t
-configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
-	       cfg_obj_t *vconfig, cfg_obj_t *config, isc_mem_t *mctx)
+configure_zone(const char *vclass, const char *view,
+	       const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+	       const cfg_obj_t *config, isc_mem_t *mctx)
 {
 	int i = 0;
 	isc_result_t result;
 	const char *zclass;
 	const char *zname;
 	const char *zfile;
-	cfg_obj_t *maps[4];
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *classobj = NULL;
-	cfg_obj_t *typeobj = NULL;
-	cfg_obj_t *fileobj = NULL;
-	cfg_obj_t *dbobj = NULL;
-	cfg_obj_t *obj = NULL;
-	cfg_obj_t *fmtobj = NULL;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *classobj = NULL;
+	const cfg_obj_t *typeobj = NULL;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *dbobj = NULL;
+	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *fmtobj = NULL;
 	dns_masterformat_t masterformat;
 
 	zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;
@@ -309,12 +310,12 @@ configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
 
 /*% configure a view */
 static isc_result_t
-configure_view(const char *vclass, const char *view, cfg_obj_t *config,
-	       cfg_obj_t *vconfig, isc_mem_t *mctx)
+configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx)
 {
-	cfg_listelt_t *element;
-	cfg_obj_t *voptions;
-	cfg_obj_t *zonelist;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *voptions;
+	const cfg_obj_t *zonelist;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 
@@ -332,7 +333,7 @@ configure_view(const char *vclass, const char *view, cfg_obj_t *config,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *zconfig = cfg_listelt_value(element);
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
 		tresult = configure_zone(vclass, view, zconfig, vconfig,
 					 config, mctx);
 		if (tresult != ISC_R_SUCCESS)
@@ -344,11 +345,11 @@ configure_view(const char *vclass, const char *view, cfg_obj_t *config,
 
 /*% load zones from the configuration */
 static isc_result_t
-load_zones_fromconfig(cfg_obj_t *config, isc_mem_t *mctx) {
-	cfg_listelt_t *element;
-	cfg_obj_t *classobj;
-	cfg_obj_t *views;
-	cfg_obj_t *vconfig;
+load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *classobj;
+	const cfg_obj_t *views;
+	const cfg_obj_t *vconfig;
 	const char *vclass;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
diff --git a/bin/named/config.c b/bin/named/config.c
index 04a9b36fe4..7cf5d3c841 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.68 2006/01/27 02:35:14 marka Exp $ */
+/* $Id: config.c,v 1.69 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -216,7 +216,7 @@ ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
 }
 
 isc_result_t
-ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
+ns_config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
 	int i;
 
 	for (i = 0;; i++) {
@@ -228,11 +228,13 @@ ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
 }
 
 isc_result_t
-ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) {
-	cfg_listelt_t *element;
-	cfg_obj_t *checknames;
-	cfg_obj_t *type;
-	cfg_obj_t *value;
+ns_checknames_get(const cfg_obj_t **maps, const char *which,
+		  const cfg_obj_t **obj)
+{
+	const cfg_listelt_t *element;
+	const cfg_obj_t *checknames;
+	const cfg_obj_t *type;
+	const cfg_obj_t *value;
 	int i;
 
 	for (i = 0;; i++) {
@@ -263,8 +265,8 @@ ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) {
 }
 
 int
-ns_config_listcount(cfg_obj_t *list) {
-	cfg_listelt_t *e;
+ns_config_listcount(const cfg_obj_t *list) {
+	const cfg_listelt_t *e;
 	int i = 0;
 
 	for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e))
@@ -274,7 +276,7 @@ ns_config_listcount(cfg_obj_t *list) {
 }
 
 isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp) {
 	isc_textregion_t r;
 	isc_result_t result;
@@ -293,7 +295,7 @@ ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
 }
 
 isc_result_t
-ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		   dns_rdatatype_t *typep) {
 	isc_textregion_t r;
 	isc_result_t result;
@@ -312,7 +314,7 @@ ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 }
 
 dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
+ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
 	dns_zonetype_t ztype = dns_zone_none;
 	const char *str;
 
@@ -329,14 +331,14 @@ ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
 }
 
 isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp)
 {
 	int count, i = 0;
-	cfg_obj_t *addrlist;
-	cfg_obj_t *portobj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj;
+	const cfg_listelt_t *element;
 	isc_sockaddr_t *addrs;
 	in_port_t port;
 	isc_result_t result;
@@ -396,10 +398,12 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 }
 
 static isc_result_t
-get_masters_def(cfg_obj_t *cctx, const char *name, cfg_obj_t **ret) {
+get_masters_def(const cfg_obj_t *cctx, const char *name,
+	        const cfg_obj_t **ret)
+{
 	isc_result_t result;
-	cfg_obj_t *masters = NULL;
-	cfg_listelt_t *elt;
+	const cfg_obj_t *masters = NULL;
+	const cfg_listelt_t *elt;
 
 	result = cfg_map_get(cctx, "masters", &masters);
 	if (result != ISC_R_SUCCESS)
@@ -407,7 +411,7 @@ get_masters_def(cfg_obj_t *cctx, const char *name, cfg_obj_t **ret) {
 	for (elt = cfg_list_first(masters);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
-		cfg_obj_t *list;
+		const cfg_obj_t *list;
 		const char *listname;
 
 		list = cfg_listelt_value(elt);
@@ -422,24 +426,24 @@ get_masters_def(cfg_obj_t *cctx, const char *name, cfg_obj_t **ret) {
 }
 
 isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
-			  isc_sockaddr_t **addrsp, dns_name_t ***keysp,
-			  isc_uint32_t *countp)
+ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+			  dns_name_t ***keysp, isc_uint32_t *countp)
 {
 	isc_uint32_t addrcount = 0, keycount = 0, i = 0;
 	isc_uint32_t listcount = 0, l = 0, j;
 	isc_uint32_t stackcount = 0, pushed = 0;
 	isc_result_t result;
-	cfg_listelt_t *element;
-	cfg_obj_t *addrlist;
-	cfg_obj_t *portobj;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj;
 	in_port_t port;
 	dns_fixedname_t fname;
 	isc_sockaddr_t *addrs = NULL;
 	dns_name_t **keys = NULL;
 	struct { const char *name; } *lists = NULL;
 	struct {
-		cfg_listelt_t *element;
+		const cfg_listelt_t *element;
 		in_port_t port;
 	} *stack = NULL;
 
@@ -473,8 +477,8 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *addr;
-		cfg_obj_t *key;
+		const cfg_obj_t *addr;
+		const cfg_obj_t *key;
 		const char *keystr;
 		isc_buffer_t b;
 
@@ -699,10 +703,10 @@ ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 }
 
 isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
-	cfg_obj_t *maps[3];
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *portobj = NULL;
+ns_config_getport(const cfg_obj_t *config, in_port_t *portp) {
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *portobj = NULL;
 	isc_result_t result;
 	int i;
 
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index e7a4bb6929..65ad781f34 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: controlconf.c,v 1.49 2006/01/27 23:57:46 marka Exp $ */
+/* $Id: controlconf.c,v 1.50 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -659,10 +659,12 @@ ns_controls_shutdown(ns_controls_t *controls) {
 }
 
 static isc_result_t
-cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
-	cfg_listelt_t *element;
+cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
+	        const cfg_obj_t **objp)
+{
+	const cfg_listelt_t *element;
 	const char *str;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 
 	for (element = cfg_list_first(keylist);
 	     element != NULL;
@@ -681,13 +683,13 @@ cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
 }
 
 static isc_result_t
-controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
+controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 		       controlkeylist_t *keyids)
 {
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	char *newstr = NULL;
 	const char *str;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	controlkey_t *key = NULL;
 
 	for (element = cfg_list_first(keylist);
@@ -722,11 +724,11 @@ controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
 }
 
 static void
-register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
+register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 	      controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
 {
 	controlkey_t *keyid, *next;
-	cfg_obj_t *keydef;
+	const cfg_obj_t *keydef;
 	char secret[1024];
 	isc_buffer_t b;
 	isc_result_t result;
@@ -746,8 +748,8 @@ register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
 			ISC_LIST_UNLINK(*keyids, keyid, link);
 			free_controlkey(keyid, mctx);
 		} else {
-			cfg_obj_t *algobj = NULL;
-			cfg_obj_t *secretobj = NULL;
+			const cfg_obj_t *algobj = NULL;
+			const cfg_obj_t *secretobj = NULL;
 			const char *algstr = NULL;
 			const char *secretstr = NULL;
 
@@ -815,9 +817,9 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	isc_result_t result;
 	cfg_parser_t *pctx = NULL;
 	cfg_obj_t *config = NULL;
-	cfg_obj_t *key = NULL;
-	cfg_obj_t *algobj = NULL;
-	cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
 	const char *algstr = NULL;
 	const char *secretstr = NULL;
 	controlkey_t *keyid = NULL;
@@ -898,12 +900,13 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
  * valid or both are NULL.
  */
 static void
-get_key_info(cfg_obj_t *config, cfg_obj_t *control,
-	     cfg_obj_t **global_keylistp, cfg_obj_t **control_keylistp)
+get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
+	     const cfg_obj_t **global_keylistp,
+	     const cfg_obj_t **control_keylistp)
 {
 	isc_result_t result;
-	cfg_obj_t *control_keylist = NULL;
-	cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *global_keylist = NULL;
 
 	REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
 	REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
@@ -922,16 +925,15 @@ get_key_info(cfg_obj_t *config, cfg_obj_t *control,
 }
 
 static void
-update_listener(ns_controls_t *cp,
-		controllistener_t **listenerp, cfg_obj_t *control,
-		cfg_obj_t *config, isc_sockaddr_t *addr,
-		cfg_aclconfctx_t *aclconfctx, const char *socktext,
-		isc_sockettype_t type)
+update_listener(ns_controls_t *cp, controllistener_t **listenerp,
+		const cfg_obj_t *control, const cfg_obj_t *config,
+		isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	        const char *socktext, isc_sockettype_t type)
 {
 	controllistener_t *listener;
-	cfg_obj_t *allow;
-	cfg_obj_t *global_keylist = NULL;
-	cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	controlkeylist_t keys;
 	isc_result_t result = ISC_R_SUCCESS;
@@ -1062,15 +1064,15 @@ update_listener(ns_controls_t *cp,
 
 static void
 add_listener(ns_controls_t *cp, controllistener_t **listenerp,
-	     cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr,
-	     cfg_aclconfctx_t *aclconfctx, const char *socktext,
-	     isc_sockettype_t type)
+	     const cfg_obj_t *control, const cfg_obj_t *config,
+	     isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	     const char *socktext, isc_sockettype_t type)
 {
 	isc_mem_t *mctx = cp->server->mctx;
 	controllistener_t *listener;
-	cfg_obj_t *allow;
-	cfg_obj_t *global_keylist = NULL;
-	cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 
@@ -1200,13 +1202,13 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 }
 
 isc_result_t
-ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
+ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 		      cfg_aclconfctx_t *aclconfctx)
 {
 	controllistener_t *listener;
 	controllistenerlist_t new_listeners;
-	cfg_obj_t *controlslist = NULL;
-	cfg_listelt_t *element, *element2;
+	const cfg_obj_t *controlslist = NULL;
+	const cfg_listelt_t *element, *element2;
 	char socktext[ISC_SOCKADDR_FORMATSIZE];
 
 	ISC_LIST_INIT(new_listeners);
@@ -1228,8 +1230,8 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 		for (element = cfg_list_first(controlslist);
 		     element != NULL;
 		     element = cfg_list_next(element)) {
-			cfg_obj_t *controls;
-			cfg_obj_t *inetcontrols = NULL;
+			const cfg_obj_t *controls;
+			const cfg_obj_t *inetcontrols = NULL;
 
 			controls = cfg_listelt_value(element);
 			(void)cfg_map_get(controls, "inet", &inetcontrols);
@@ -1239,9 +1241,9 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 			for (element2 = cfg_list_first(inetcontrols);
 			     element2 != NULL;
 			     element2 = cfg_list_next(element2)) {
-				cfg_obj_t *control;
-				cfg_obj_t *obj;
-				isc_sockaddr_t *addr;
+				const cfg_obj_t *control;
+				const cfg_obj_t *obj;
+				isc_sockaddr_t addr;
 
 				/*
 				 * The parser handles BIND 8 configuration file
@@ -1251,12 +1253,12 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 				control = cfg_listelt_value(element2);
 
 				obj = cfg_tuple_get(control, "address");
-				addr = cfg_obj_assockaddr(obj);
-				if (isc_sockaddr_getport(addr) == 0)
-					isc_sockaddr_setport(addr,
+				addr = *cfg_obj_assockaddr(obj);
+				if (isc_sockaddr_getport(&addr) == 0)
+					isc_sockaddr_setport(&addr,
 							     NS_CONTROL_PORT);
 
-				isc_sockaddr_format(addr, socktext,
+				isc_sockaddr_format(&addr, socktext,
 						    sizeof(socktext));
 
 				isc_log_write(ns_g_lctx,
@@ -1267,7 +1269,7 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 					      socktext);
 
 				update_listener(cp, &listener, control, config,
-						addr, aclconfctx, socktext,
+						&addr, aclconfctx, socktext,
 						isc_sockettype_tcp);
 
 				if (listener != NULL)
@@ -1282,7 +1284,7 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 					 * This is a new listener.
 					 */
 					add_listener(cp, &listener, control,
-						     config, addr, aclconfctx,
+						     config, &addr, aclconfctx,
 						     socktext,
 						     isc_sockettype_tcp);
 
@@ -1294,8 +1296,8 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 		for (element = cfg_list_first(controlslist);
 		     element != NULL;
 		     element = cfg_list_next(element)) {
-			cfg_obj_t *controls;
-			cfg_obj_t *unixcontrols = NULL;
+			const cfg_obj_t *controls;
+			const cfg_obj_t *unixcontrols = NULL;
 
 			controls = cfg_listelt_value(element);
 			(void)cfg_map_get(controls, "unix", &unixcontrols);
@@ -1305,8 +1307,8 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 			for (element2 = cfg_list_first(unixcontrols);
 			     element2 != NULL;
 			     element2 = cfg_list_next(element2)) {
-				cfg_obj_t *control;
-				cfg_obj_t *path;
+				const cfg_obj_t *control;
+				const cfg_obj_t *path;
 				isc_sockaddr_t addr;
 				isc_result_t result;
 
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index b81004fa1c..8c3fe202d5 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h,v 1.11 2006/01/27 23:57:46 marka Exp $ */
+/* $Id: config.h,v 1.12 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
@@ -31,27 +31,28 @@ isc_result_t
 ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
 
 isc_result_t
-ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
+ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj);
 
 isc_result_t
-ns_checknames_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
+ns_checknames_get(const cfg_obj_t **maps, const char* name,
+		  const cfg_obj_t **obj);
 
 int
-ns_config_listcount(cfg_obj_t *list);
+ns_config_listcount(const cfg_obj_t *list);
 
 isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp);
 
 isc_result_t
-ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
 		  dns_rdatatype_t *typep);
 
 dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj);
+ns_config_getzonetype(const cfg_obj_t *zonetypeobj);
 
 isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp);
 
@@ -60,16 +61,16 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 		    isc_uint32_t count);
 
 isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
-			  isc_sockaddr_t **addrsp, dns_name_t ***keys,
-			  isc_uint32_t *countp);
+ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+			  dns_name_t ***keys, isc_uint32_t *countp);
 
 void
 ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 			  dns_name_t ***keys, isc_uint32_t count);
 
 isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp);
+ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
 
 isc_result_t
 ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 525faa35f3..800aaf078e 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.19 2005/04/27 04:55:57 sra Exp $ */
+/* $Id: control.h,v 1.20 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -71,7 +71,7 @@ ns_controls_destroy(ns_controls_t **ctrlsp);
  */
 
 isc_result_t
-ns_controls_configure(ns_controls_t *controls, cfg_obj_t *config,
+ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config,
 		      cfg_aclconfctx_t *aclconfctx);
 /*%<
  * Configure zero or more command channels into 'controls'
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index ba39bdc606..0b13ee6bcc 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.66 2005/04/29 00:22:30 marka Exp $ */
+/* $Id: globals.h,v 1.67 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
@@ -77,7 +77,7 @@ EXTERN unsigned int		ns_g_debuglevel		INIT(0);
  * Current configuration information.
  */
 EXTERN cfg_obj_t *		ns_g_config		INIT(NULL);
-EXTERN cfg_obj_t *		ns_g_defaults		INIT(NULL);
+EXTERN const cfg_obj_t *	ns_g_defaults		INIT(NULL);
 EXTERN const char *		ns_g_conffile		INIT(NS_SYSCONFDIR
 							     "/named.conf");
 EXTERN const char *		ns_g_keyfile		INIT(NS_SYSCONFDIR
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
index 9b4ec0f727..6b42865c15 100644
--- a/bin/named/include/named/logconf.h
+++ b/bin/named/include/named/logconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.h,v 1.13 2005/04/29 00:22:30 marka Exp $ */
+/* $Id: logconf.h,v 1.14 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NAMED_LOGCONF_H
 #define NAMED_LOGCONF_H 1
@@ -25,7 +25,7 @@
 #include 
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt);
+ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt);
 /*%<
  * Set up the logging configuration in '*logconf' according to
  * the named.conf data in 'logstmt'.
diff --git a/bin/named/include/named/lwresd.h b/bin/named/include/named/lwresd.h
index 1a3b868e4a..18056caa25 100644
--- a/bin/named/include/named/lwresd.h
+++ b/bin/named/include/named/lwresd.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.h,v 1.15 2005/04/29 00:22:31 marka Exp $ */
+/* $Id: lwresd.h,v 1.16 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NAMED_LWRESD_H
 #define NAMED_LWRESD_H 1
@@ -58,7 +58,7 @@ struct ns_lwreslistener {
  * Configure lwresd.
  */
 isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config);
+ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config);
 
 isc_result_t
 ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
@@ -75,7 +75,8 @@ ns_lwresd_shutdown(void);
  */
 /*% create manager */
 isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres, ns_lwresd_t **lwresdp);
+ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
+		      ns_lwresd_t **lwresdp);
 
 /*% attach to manager */
 void
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 1237de15fa..0ccaf08edd 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.80 2005/08/18 00:57:27 marka Exp $ */
+/* $Id: server.h,v 1.81 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -219,6 +219,6 @@ ns_server_dumprecursing(ns_server_t *server);
  * Maintain a list of dispatches that require reserved ports.
  */
 void
-ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr);
+ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
 
 #endif /* NAMED_SERVER_H */
diff --git a/bin/named/include/named/sortlist.h b/bin/named/include/named/sortlist.h
index fe85595f88..a5ab613991 100644
--- a/bin/named/include/named/sortlist.h
+++ b/bin/named/include/named/sortlist.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.h,v 1.7 2005/04/29 00:22:32 marka Exp $ */
+/* $Id: sortlist.h,v 1.8 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NAMED_SORTLIST_H
 #define NAMED_SORTLIST_H 1
@@ -30,7 +30,7 @@
  * Type for callback functions that rank addresses.
  */
 typedef int 
-(*dns_addressorderfunc_t)(isc_netaddr_t *address, void *arg);
+(*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg);
 
 /*%
  * Return value type for setup_sortlist.
@@ -42,7 +42,8 @@ typedef enum {
 } ns_sortlisttype_t;
 
 ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp);
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
+		  const void **argp);
 /*%<
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  *
@@ -57,14 +58,14 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp);
  */
 
 int
-ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg);
+ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
 /*%<
  * Find the sort order of 'addr' in 'arg', the matching element
  * of a 1-element top-level sortlist statement.
  */
 
 int
-ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg);
+ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
 /*%<
  * Find the sort order of 'addr' in 'arg', a topology-like
  * ACL forming the second element in a 2-element top-level
@@ -74,7 +75,7 @@ ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg);
 void
 ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
 			dns_addressorderfunc_t *orderp,
-			void **argp);
+			const void **argp);
 /*%<
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  * If a sortlist statement applies, return in '*orderp' a pointer to a function
diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h
index 290c94ff13..637c0b227c 100644
--- a/bin/named/include/named/tkeyconf.h
+++ b/bin/named/include/named/tkeyconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.h,v 1.12 2005/04/29 00:22:33 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.13 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NS_TKEYCONF_H
 #define NS_TKEYCONF_H 1
@@ -30,8 +30,8 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
-		      dns_tkeyctx_t **tctxp);
+ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
+		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
 /*%<
  * 	Create a TKEY context and configure it, including the default DH key
  *	and default domain, according to 'options'.
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
index 8338111984..6472a4bd3d 100644
--- a/bin/named/include/named/tsigconf.h
+++ b/bin/named/include/named/tsigconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.h,v 1.12 2005/04/29 00:22:33 marka Exp $ */
+/* $Id: tsigconf.h,v 1.13 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
@@ -28,7 +28,7 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
+ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
 /*%<
  * Create a TSIG key ring and configure it according to the 'key'
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
index d73faab67d..676f0981ab 100644
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.h,v 1.22 2005/04/27 04:56:01 sra Exp $ */
+/* $Id: zoneconf.h,v 1.23 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
@@ -31,8 +31,9 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
-		  cfg_aclconfctx_t *ac, dns_zone_t *zone);
+ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+		  const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
+		  dns_zone_t *zone);
 /*%<
  * Configure or reconfigure a zone according to the named.conf
  * data in 'cctx' and 'czone'.
@@ -49,7 +50,7 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
  */
 
 isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig);
+ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
 /*%<
  * If 'zone' can be safely reconfigured according to the configuration
  * data in 'zconfig', return ISC_TRUE.  If the configuration data is so
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index fb485cfc27..8d0b4b0335 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.c,v 1.38 2005/08/23 02:36:06 marka Exp $ */
+/* $Id: logconf.c,v 1.39 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -43,13 +43,13 @@
  * in 'ccat' and add it to 'lctx'.
  */
 static isc_result_t
-category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
+category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	const char *catname;
 	isc_logcategory_t *category;
 	isc_logmodule_t *module;
-	cfg_obj_t *destinations = NULL;
-	cfg_listelt_t *element = NULL;
+	const cfg_obj_t *destinations = NULL;
+	const cfg_listelt_t *element = NULL;
 
 	catname = cfg_obj_asstring(cfg_tuple_get(ccat, "name"));
 	category = isc_log_categorybyname(ns_g_lctx, catname);
@@ -70,7 +70,7 @@ category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *channel = cfg_listelt_value(element);
+		const cfg_obj_t *channel = cfg_listelt_value(element);
 		const char *channelname = cfg_obj_asstring(channel);
 
 		result = isc_log_usechannel(lctx, channelname, category,
@@ -91,18 +91,18 @@ category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
  * in 'cchan' and add it to 'lctx'.
  */
 static isc_result_t
-channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
+channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	isc_logdestination_t dest;
 	unsigned int type;
 	unsigned int flags = 0;
 	int level;
 	const char *channelname;
-	cfg_obj_t *fileobj = NULL;
-	cfg_obj_t *syslogobj = NULL;
-	cfg_obj_t *nullobj = NULL;
-	cfg_obj_t *stderrobj = NULL;
-	cfg_obj_t *severity = NULL;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *syslogobj = NULL;
+	const cfg_obj_t *nullobj = NULL;
+	const cfg_obj_t *stderrobj = NULL;
+	const cfg_obj_t *severity = NULL;
 	int i;
 
 	channelname = cfg_obj_asstring(cfg_map_getname(channel));
@@ -132,9 +132,10 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	type = ISC_LOG_TONULL;
 	
 	if (fileobj != NULL) {
-		cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
-		cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
-		cfg_obj_t *versionsobj = cfg_tuple_get(fileobj, "versions");
+		const cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
+		const cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
+		const cfg_obj_t *versionsobj =
+				 cfg_tuple_get(fileobj, "versions");
 		isc_int32_t versions = ISC_LOG_ROLLNEVER;
 		isc_offset_t size = 0;
 
@@ -176,9 +177,9 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	 * Munge flags.
 	 */
 	{
-		cfg_obj_t *printcat = NULL;
-		cfg_obj_t *printsev = NULL;
-		cfg_obj_t *printtime = NULL;
+		const cfg_obj_t *printcat = NULL;
+		const cfg_obj_t *printsev = NULL;
+		const cfg_obj_t *printtime = NULL;
 
 		(void)cfg_map_get(channel, "print-category", &printcat);
 		(void)cfg_map_get(channel, "print-severity", &printsev);
@@ -244,13 +245,14 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 }
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
+ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt) {
 	isc_result_t result;
-	cfg_obj_t *channels = NULL;
-	cfg_obj_t *categories = NULL;
-	cfg_listelt_t *element;
+	const cfg_obj_t *channels = NULL;
+	const cfg_obj_t *categories = NULL;
+	const cfg_listelt_t *element;
 	isc_boolean_t default_set = ISC_FALSE;
 	isc_boolean_t unmatched_set = ISC_FALSE;
+	const cfg_obj_t *catname;
 
 	CHECK(ns_log_setdefaultchannels(logconf));
 
@@ -259,7 +261,7 @@ ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *channel = cfg_listelt_value(element);
+		const cfg_obj_t *channel = cfg_listelt_value(element);
 		CHECK(channel_fromconf(channel, logconf));
 	}
 
@@ -268,15 +270,15 @@ ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *category = cfg_listelt_value(element);
+		const cfg_obj_t *category = cfg_listelt_value(element);
 		CHECK(category_fromconf(category, logconf));
 		if (!default_set) {
-			cfg_obj_t *catname = cfg_tuple_get(category, "name");
+			catname = cfg_tuple_get(category, "name");
 			if (strcmp(cfg_obj_asstring(catname), "default") == 0)
 				default_set = ISC_TRUE;
 		}
 		if (!unmatched_set) {
-			cfg_obj_t *catname = cfg_tuple_get(category, "name");
+			catname = cfg_tuple_get(category, "name");
 			if (strcmp(cfg_obj_asstring(catname), "unmatched") == 0)
 				unmatched_set = ISC_TRUE;
 		}
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index d5da2f1db9..b7c84de12b 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.18 2005/06/23 04:21:59 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.19 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -122,7 +122,7 @@ sort_addresses(ns_lwdclient_t *client) {
 	rankedaddress *addrs;
 	isc_netaddr_t remote;
 	dns_addressorderfunc_t order;
-	void *arg;
+	const void *arg;
 	ns_lwresd_t *lwresd = client->clientmgr->listener->manager;
 	unsigned int i;
 	isc_result_t result;
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index 67c2edae25..3726706fd9 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.c,v 1.51 2005/11/30 03:33:48 marka Exp $ */
+/* $Id: lwresd.c,v 1.52 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file 
  * \brief
@@ -286,14 +286,14 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
  * Handle lwresd manager objects
  */
 isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
+ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
 		     ns_lwresd_t **lwresdp)
 {
 	ns_lwresd_t *lwresd;
 	const char *vname;
 	dns_rdataclass_t vclass;
-	cfg_obj_t *obj, *viewobj, *searchobj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *obj, *viewobj, *searchobj;
+	const cfg_listelt_t *element;
 	isc_result_t result;
 
 	INSIST(lwresdp != NULL && *lwresdp == NULL);
@@ -357,7 +357,7 @@ ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			cfg_obj_t *search;
+			const cfg_obj_t *search;
 			const char *searchstr;
 			isc_buffer_t namebuf;
 			dns_fixedname_t fname;
@@ -752,11 +752,11 @@ configure_listener(isc_sockaddr_t *address, ns_lwresd_t *lwresd,
 }
 
 isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config) {
-	cfg_obj_t *lwreslist = NULL;
-	cfg_obj_t *lwres = NULL;
-	cfg_obj_t *listenerslist = NULL;
-	cfg_listelt_t *element = NULL;
+ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config) {
+	const cfg_obj_t *lwreslist = NULL;
+	const cfg_obj_t *lwres = NULL;
+	const cfg_obj_t *listenerslist = NULL;
+	const cfg_listelt_t *element = NULL;
 	ns_lwreslistener_t *listener;
 	ns_lwreslistenerlist_t newlisteners;
 	isc_result_t result;
diff --git a/bin/named/query.c b/bin/named/query.c
index e51ea3af66..098cb6d824 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.280 2006/02/02 22:48:58 marka Exp $ */
+/* $Id: query.c,v 1.281 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -3052,7 +3052,7 @@ do { \
  *	ISC_R_NOTIMPLEMENTED	The rdata is not a known address type.
  */
 static isc_result_t
-rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
+rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
 	struct in_addr ina;
 	struct in6_addr in6a;
 
@@ -3078,7 +3078,7 @@ rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
  * sortlist statement.
  */
 static int
-query_sortlist_order_2element(dns_rdata_t *rdata, void *arg) {
+query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
 	isc_netaddr_t netaddr;
 
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
@@ -3091,7 +3091,7 @@ query_sortlist_order_2element(dns_rdata_t *rdata, void *arg) {
  * of a 1-element top-level sortlist statement.
  */
 static int
-query_sortlist_order_1element(dns_rdata_t *rdata, void *arg) {
+query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
 	isc_netaddr_t netaddr;
 
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
@@ -3107,7 +3107,7 @@ static void
 setup_query_sortlist(ns_client_t *client) {
 	isc_netaddr_t netaddr;
 	dns_rdatasetorderfunc_t order = NULL;
-	void *order_arg = NULL;
+	const void *order_arg = NULL;
 
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 	switch (ns_sortlist_setup(client->view->sortlist,
diff --git a/bin/named/server.c b/bin/named/server.c
index a78b07951b..fa62826319 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.458 2006/02/26 22:54:46 marka Exp $ */
+/* $Id: server.c,v 1.459 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -222,25 +222,25 @@ static void
 ns_server_reload(isc_task_t *task, isc_event_t *event);
 
 static isc_result_t
-ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
+ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 			cfg_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target);
 static isc_result_t
-ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
+ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
 			 cfg_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target);
 
 static isc_result_t
-configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  cfg_obj_t *forwarders, cfg_obj_t *forwardtype);
+configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
 
 static isc_result_t
-configure_alternates(cfg_obj_t *config, dns_view_t *view,
-		     cfg_obj_t *alternates);
+configure_alternates(const cfg_obj_t *config, dns_view_t *view,
+		     const cfg_obj_t *alternates);
 
 static isc_result_t
-configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
-	       isc_mem_t *mctx, dns_view_t *view,
+configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
 	       cfg_aclconfctx_t *aclconf);
 
 static void
@@ -252,13 +252,13 @@ end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
  * (for a global default).
  */
 static isc_result_t
-configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
+configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 		   const char *aclname, cfg_aclconfctx_t *actx,
 		   isc_mem_t *mctx, dns_acl_t **aclp)
 {
 	isc_result_t result;
-	cfg_obj_t *maps[3];
-	cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 
 	if (*aclp != NULL)
@@ -266,7 +266,7 @@ configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			maps[i++] = options;
@@ -287,7 +287,7 @@ configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
 }
 
 static isc_result_t
-configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
+configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 			 dns_keytable_t *keytable, isc_mem_t *mctx)
 {
 	dns_rdataclass_t viewclass;
@@ -314,7 +314,7 @@ configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
 	if (vconfig == NULL)
 		viewclass = dns_rdataclass_in;
 	else {
-		cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
+		const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
 		CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
 					 &viewclass));
 	}
@@ -390,15 +390,15 @@ configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
  * from 'vconfig' and 'config'.  The variable to be configured is '*target'.
  */
 static isc_result_t
-configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config,
+configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 			  isc_mem_t *mctx, dns_keytable_t **target)
 {
 	isc_result_t result;
-	cfg_obj_t *keys = NULL;
-	cfg_obj_t *voptions = NULL;
-	cfg_listelt_t *element, *element2;
-	cfg_obj_t *keylist;
-	cfg_obj_t *key;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *voptions = NULL;
+	const cfg_listelt_t *element, *element2;
+	const cfg_obj_t *keylist;
+	const cfg_obj_t *key;
 	dns_keytable_t *keytable = NULL;
 
 	CHECK(dns_keytable_create(mctx, &keytable));
@@ -437,10 +437,10 @@ configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config,
 }
 
 static isc_result_t
-mustbesecure(cfg_obj_t *mbs, dns_resolver_t *resolver)
+mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
 {
-	cfg_listelt_t *element;
-	cfg_obj_t *obj;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj;
 	const char *str;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
@@ -474,14 +474,14 @@ mustbesecure(cfg_obj_t *mbs, dns_resolver_t *resolver)
  * Get a dispatch appropriate for the resolver of a given view.
  */
 static isc_result_t
-get_view_querysource_dispatch(cfg_obj_t **maps,
+get_view_querysource_dispatch(const cfg_obj_t **maps,
 			      int af, dns_dispatch_t **dispatchp)
 {
 	isc_result_t result;
 	dns_dispatch_t *disp;
 	isc_sockaddr_t sa;
 	unsigned int attrs, attrmask;
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *obj = NULL;
 
 	/*
 	 * Make compiler happy.
@@ -572,10 +572,10 @@ get_view_querysource_dispatch(cfg_obj_t **maps,
 }
 
 static isc_result_t
-configure_order(dns_order_t *order, cfg_obj_t *ent) {
+configure_order(dns_order_t *order, const cfg_obj_t *ent) {
 	dns_rdataclass_t rdclass;
 	dns_rdatatype_t rdtype;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	dns_fixedname_t fixed;
 	unsigned int mode = 0;
 	const char *str;
@@ -636,10 +636,10 @@ configure_order(dns_order_t *order, cfg_obj_t *ent) {
 }
 
 static isc_result_t
-configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
+configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 	isc_netaddr_t na;
 	dns_peer_t *peer;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	const char *str;
 	isc_result_t result;
 	unsigned int prefixlen;
@@ -768,10 +768,10 @@ configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 }
 
 static isc_result_t
-disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) {
+disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
 	isc_result_t result;
-	cfg_obj_t *algorithms;
-	cfg_listelt_t *element;
+	const cfg_obj_t *algorithms;
+	const cfg_listelt_t *element;
 	const char *str;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
@@ -814,12 +814,12 @@ disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) {
 }
 
 static isc_boolean_t
-on_disable_list(cfg_obj_t *disablelist, dns_name_t *zonename) {
-	cfg_listelt_t *element;
+on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
+	const cfg_listelt_t *element;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
 	isc_result_t result;
-	cfg_obj_t *value;
+	const cfg_obj_t *value;
 	const char *str;
 	isc_buffer_t b;
 
@@ -883,26 +883,26 @@ check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
  * global defaults in 'config' used exclusively.
  */
 static isc_result_t
-configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
-	       isc_mem_t *mctx, cfg_aclconfctx_t *actx,
-	       isc_boolean_t need_hints)
+configure_view(dns_view_t *view, const cfg_obj_t *config,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx,
+	       cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
 {
-	cfg_obj_t *maps[4];
-	cfg_obj_t *cfgmaps[3];
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *voptions = NULL;
-	cfg_obj_t *forwardtype;
-	cfg_obj_t *forwarders;
-	cfg_obj_t *alternates;
-	cfg_obj_t *zonelist;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *cfgmaps[3];
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *voptions = NULL;
+	const cfg_obj_t *forwardtype;
+	const cfg_obj_t *forwarders;
+	const cfg_obj_t *alternates;
+	const cfg_obj_t *zonelist;
 #ifdef DLZ
- 	cfg_obj_t *dlz;
+ 	const cfg_obj_t *dlz;
  	unsigned int dlzargc;
  	char **dlzargv;
 #endif
-	cfg_obj_t *disabled;
-	cfg_obj_t *obj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *disabled;
+	const cfg_obj_t *obj;
+	const cfg_listelt_t *element;
 	in_port_t port;
 	dns_cache_t *cache = NULL;
 	isc_result_t result;
@@ -928,7 +928,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	const char *forview = " for view ";
 	isc_boolean_t rfc1918;
 	isc_boolean_t empty_zones_enable;
-	cfg_obj_t *disablelist = NULL;
+	const cfg_obj_t *disablelist = NULL;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
@@ -1023,7 +1023,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *zconfig = cfg_listelt_value(element);
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
 		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
 				     actx));
 	}
@@ -1306,8 +1306,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	 * Configure the view's peer list.
 	 */
 	{
-		cfg_obj_t *peers = NULL;
-		cfg_listelt_t *element;
+		const cfg_obj_t *peers = NULL;
+		const cfg_listelt_t *element;
 		dns_peerlist_t *newpeers = NULL;
 
 		(void)ns_config_get(cfgmaps, "server", &peers);
@@ -1316,7 +1316,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			cfg_obj_t *cpeer = cfg_listelt_value(element);
+			const cfg_obj_t *cpeer = cfg_listelt_value(element);
 			dns_peer_t *peer;
 
 			CHECK(configure_peer(cpeer, mctx, &peer));
@@ -1331,8 +1331,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	 *	Configure the views rrset-order.
 	 */
 	{
-		cfg_obj_t *rrsetorder = NULL;
-		cfg_listelt_t *element;
+		const cfg_obj_t *rrsetorder = NULL;
+		const cfg_listelt_t *element;
 
 		(void)ns_config_get(maps, "rrset-order", &rrsetorder);
 		CHECK(dns_order_create(mctx, &order));
@@ -1340,7 +1340,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			cfg_obj_t *ent = cfg_listelt_value(element);
+			const cfg_obj_t *ent = cfg_listelt_value(element);
 
 			CHECK(configure_order(order, ent));
 		}
@@ -1575,7 +1575,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			dns_name_t *name;
 			isc_buffer_t b;
 			const char *str;
-			cfg_obj_t *exclude;
+			const cfg_obj_t *exclude;
 
 			dns_fixedname_init(&fixed);
 			name = dns_fixedname_name(&fixed);
@@ -1800,12 +1800,12 @@ configure_hints(dns_view_t *view, const char *filename) {
 }
 
 static isc_result_t
-configure_alternates(cfg_obj_t *config, dns_view_t *view,
-		     cfg_obj_t *alternates)
+configure_alternates(const cfg_obj_t *config, dns_view_t *view,
+		     const cfg_obj_t *alternates)
 {
-	cfg_obj_t *portobj;
-	cfg_obj_t *addresses;
-	cfg_listelt_t *element;
+	const cfg_obj_t *portobj;
+	const cfg_obj_t *addresses;
+	const cfg_listelt_t *element;
 	isc_result_t result = ISC_R_SUCCESS;
 	in_port_t port;
 
@@ -1838,7 +1838,7 @@ configure_alternates(cfg_obj_t *config, dns_view_t *view,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *alternate = cfg_listelt_value(element);
+		const cfg_obj_t *alternate = cfg_listelt_value(element);
 		isc_sockaddr_t sa;
 
 		if (!cfg_obj_issockaddr(alternate)) {
@@ -1885,12 +1885,12 @@ configure_alternates(cfg_obj_t *config, dns_view_t *view,
 }
 
 static isc_result_t
-configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  cfg_obj_t *forwarders, cfg_obj_t *forwardtype)
+configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
 {
-	cfg_obj_t *portobj;
-	cfg_obj_t *faddresses;
-	cfg_listelt_t *element;
+	const cfg_obj_t *portobj;
+	const cfg_obj_t *faddresses;
+	const cfg_listelt_t *element;
 	dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
 	isc_sockaddrlist_t addresses;
 	isc_sockaddr_t *sa;
@@ -1928,7 +1928,7 @@ configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *forwarder = cfg_listelt_value(element);
+		const cfg_obj_t *forwarder = cfg_listelt_value(element);
 		sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
 		if (sa == NULL) {
 			result = ISC_R_NOMEMORY;
@@ -1993,14 +1993,16 @@ configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
  * The view created is attached to '*viewp'.
  */
 static isc_result_t
-create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) {
+create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
+	    dns_view_t **viewp)
+{
 	isc_result_t result;
 	const char *viewname;
 	dns_rdataclass_t viewclass;
 	dns_view_t *view = NULL;
 
 	if (vconfig != NULL) {
-		cfg_obj_t *classobj = NULL;
+		const cfg_obj_t *classobj = NULL;
 
 		viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
 		classobj = cfg_tuple_get(vconfig, "class");
@@ -2030,19 +2032,19 @@ create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) {
  * Configure or reconfigure a zone.
  */
 static isc_result_t
-configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
-	       isc_mem_t *mctx, dns_view_t *view,
+configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
 	       cfg_aclconfctx_t *aclconf)
 {
 	dns_view_t *pview = NULL;	/* Production view */
 	dns_zone_t *zone = NULL;	/* New or reused zone */
 	dns_zone_t *dupzone = NULL;
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *typeobj = NULL;
-	cfg_obj_t *forwarders = NULL;
-	cfg_obj_t *forwardtype = NULL;
-	cfg_obj_t *only = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *typeobj = NULL;
+	const cfg_obj_t *forwarders = NULL;
+	const cfg_obj_t *forwardtype = NULL;
+	const cfg_obj_t *only = NULL;
 	isc_result_t result;
 	isc_result_t tresult;
 	isc_buffer_t buffer;
@@ -2099,7 +2101,7 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
 	 * configure it and return.
 	 */
 	if (strcasecmp(ztypestr, "hint") == 0) {
-		cfg_obj_t *fileobj = NULL;
+		const cfg_obj_t *fileobj = NULL;
 		if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -2267,9 +2269,10 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
  * Configure a single server quota.
  */
 static void
-configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota)
+configure_server_quota(const cfg_obj_t **maps, const char *name,
+		       isc_quota_t *quota)
 {
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *obj = NULL;
 	isc_result_t result;
 
 	result = ns_config_get(maps, name, &obj);
@@ -2282,7 +2285,7 @@ configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota)
  * parsed.  This can be extended to support other options if necessary.
  */
 static isc_result_t
-directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
+directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
 	const char *directory;
 
@@ -2535,7 +2538,7 @@ setstring(ns_server_t *server, char **field, const char *value) {
  * or NULL if whether 'obj' is a string or void value, respectively.
  */
 static isc_result_t
-setoptstring(ns_server_t *server, char **field, cfg_obj_t *obj) {
+setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
 	if (cfg_obj_isvoid(obj))
 		return (setstring(server, field, NULL));
 	else
@@ -2543,10 +2546,11 @@ setoptstring(ns_server_t *server, char **field, cfg_obj_t *obj) {
 }
 
 static void
-set_limit(cfg_obj_t **maps, const char *configname, const char *description,
-	  isc_resource_t resourceid, isc_resourcevalue_t defaultvalue)
+set_limit(const cfg_obj_t **maps, const char *configname,
+	  const char *description, isc_resource_t resourceid,
+	  isc_resourcevalue_t defaultvalue)
 {
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *obj = NULL;
 	const char *resource;
 	isc_resourcevalue_t value;
 	isc_result_t result;
@@ -2578,7 +2582,7 @@ set_limit(cfg_obj_t **maps, const char *configname, const char *description,
 		  ns_g_init ## resource)
 
 static void
-set_limits(cfg_obj_t **maps) {
+set_limits(const cfg_obj_t **maps) {
 	SETLIMIT("stacksize", stacksize, "stack size");
 	SETLIMIT("datasize", datasize, "data size");
 	SETLIMIT("coresize", coresize, "core size");
@@ -2587,15 +2591,15 @@ set_limits(cfg_obj_t **maps) {
 
 static isc_result_t
 portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
-		  cfg_obj_t *ports)
+		  const cfg_obj_t *ports)
 {
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	isc_result_t result = ISC_R_SUCCESS;
 
 	for (element = cfg_list_first(ports);
 	     element != NULL;
 	     element = cfg_list_next(element)) {
-		cfg_obj_t *obj = cfg_listelt_value(element);
+		const cfg_obj_t *obj = cfg_listelt_value(element);
 		in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
 		
 		result = dns_portlist_add(portlist, family, port);
@@ -2638,13 +2642,13 @@ load_configuration(const char *filename, ns_server_t *server,
 	isc_interval_t interval;
 	cfg_parser_t *parser = NULL;
 	cfg_obj_t *config;
-	cfg_obj_t *options;
-	cfg_obj_t *views;
-	cfg_obj_t *obj;
-	cfg_obj_t *v4ports, *v6ports;
-	cfg_obj_t *maps[3];
-	cfg_obj_t *builtin_views;
-	cfg_listelt_t *element;
+	const cfg_obj_t *options;
+	const cfg_obj_t *views;
+	const cfg_obj_t *obj;
+	const cfg_obj_t *v4ports, *v6ports;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *builtin_views;
+	const cfg_listelt_t *element;
 	dns_view_t *view = NULL;
 	dns_view_t *view_next;
 	dns_viewlist_t viewlist;
@@ -2831,7 +2835,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * statement.
 	 */
 	{
-		cfg_obj_t *clistenon = NULL;
+		const cfg_obj_t *clistenon = NULL;
 		ns_listenlist_t *listenon = NULL;
 
 		clistenon = NULL;
@@ -2865,7 +2869,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * Ditto for IPv6.
 	 */
 	{
-		cfg_obj_t *clistenon = NULL;
+		const cfg_obj_t *clistenon = NULL;
 		ns_listenlist_t *listenon = NULL;
 
 		if (options != NULL)
@@ -2952,7 +2956,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *vconfig = cfg_listelt_value(element);
+		const cfg_obj_t *vconfig = cfg_listelt_value(element);
 		view = NULL;
 
 		CHECK(create_view(vconfig, &viewlist, &view));
@@ -2992,7 +2996,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *vconfig = cfg_listelt_value(element);
+		const cfg_obj_t *vconfig = cfg_listelt_value(element);
 		CHECK(create_view(vconfig, &viewlist, &view));
 		CHECK(configure_view(view, config, vconfig, ns_g_mctx,
 				     &aclconfctx, ISC_FALSE));
@@ -3096,7 +3100,7 @@ load_configuration(const char *filename, ns_server_t *server,
 			      "ignoring config file logging "
 			      "statement due to -g option");
 	} else {
-		cfg_obj_t *logobj = NULL;
+		const cfg_obj_t *logobj = NULL;
 		isc_logconfig_t *logc = NULL;
 
 		CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
@@ -3135,8 +3139,8 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * compatibility.
 	 */
 	if (first_time) {
-		cfg_obj_t *logobj = NULL;
-		cfg_obj_t *categories = NULL;
+		const cfg_obj_t *logobj = NULL;
+		const cfg_obj_t *categories = NULL;
 
 		obj = NULL;
 		if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
@@ -3148,12 +3152,12 @@ load_configuration(const char *filename, ns_server_t *server,
 				(void)cfg_map_get(logobj, "category",
 						  &categories);
 			if (categories != NULL) {
-				cfg_listelt_t *element;
+				const cfg_listelt_t *element;
 				for (element = cfg_list_first(categories);
 				     element != NULL;
 				     element = cfg_list_next(element))
 				{
-					cfg_obj_t *catobj;
+					const cfg_obj_t *catobj;
 					const char *str;
 
 					obj = cfg_listelt_value(element);
@@ -3657,7 +3661,7 @@ end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
 }
 
 void
-ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr) {
+ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
 	ns_dispatch_t *dispatch;
 	in_port_t port;
 	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
@@ -4033,12 +4037,12 @@ ns_server_togglequerylog(ns_server_t *server) {
 }
 
 static isc_result_t
-ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
+ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
 			 cfg_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target)
 {
 	isc_result_t result;
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	ns_listenlist_t *dlist = NULL;
 
 	REQUIRE(target != NULL && *target == NULL);
@@ -4052,7 +4056,7 @@ ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
 	     element = cfg_list_next(element))
 	{
 		ns_listenelt_t *delt = NULL;
-		cfg_obj_t *listener = cfg_listelt_value(element);
+		const cfg_obj_t *listener = cfg_listelt_value(element);
 		result = ns_listenelt_fromconfig(listener, config, actx,
 						 mctx, &delt);
 		if (result != ISC_R_SUCCESS)
@@ -4072,12 +4076,12 @@ ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
  * data structure.
  */
 static isc_result_t
-ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
+ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 			cfg_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target)
 {
 	isc_result_t result;
-	cfg_obj_t *portobj;
+	const cfg_obj_t *portobj;
 	in_port_t port;
 	ns_listenelt_t *delt = NULL;
 	REQUIRE(target != NULL && *target == NULL);
diff --git a/bin/named/sortlist.c b/bin/named/sortlist.c
index 09c33f4a94..72267e78c2 100644
--- a/bin/named/sortlist.c
+++ b/bin/named/sortlist.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.c,v 1.11 2005/04/29 00:22:29 marka Exp $ */
+/* $Id: sortlist.c,v 1.12 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -32,7 +32,9 @@
 #include 
 
 ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
+		  const void **argp)
+{
 	unsigned int i;
 
 	if (acl == NULL)
@@ -46,7 +48,7 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
 		dns_aclelement_t *e = &acl->elements[i];
 		dns_aclelement_t *try_elt;
 		dns_aclelement_t *order_elt = NULL;
-		dns_aclelement_t *matched_elt = NULL;
+		const dns_aclelement_t *matched_elt = NULL;
 
 		if (e->type == dns_aclelementtype_nestedacl) {
 			dns_acl_t *inner = e->u.nestedacl;
@@ -108,8 +110,8 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
 }
 
 int
-ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg) {
-	dns_acl_t *sortacl = (dns_acl_t *) arg;
+ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
+	const dns_acl_t *sortacl = (const dns_acl_t *) arg;
 	int match;
 
 	(void)dns_acl_match(addr, NULL, sortacl,
@@ -124,8 +126,8 @@ ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg) {
 }
 
 int
-ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg) {
-	dns_aclelement_t *matchelt = (dns_aclelement_t *) arg;
+ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
+	const dns_aclelement_t *matchelt = (const dns_aclelement_t *) arg;
 	if (dns_aclelement_match(addr, NULL, matchelt,
 				 &ns_g_server->aclenv,
 				 NULL)) {
@@ -138,7 +140,7 @@ ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg) {
 void
 ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
 		       dns_addressorderfunc_t *orderp,
-		       void **argp)
+		       const void **argp)
 {
 	ns_sortlisttype_t sortlisttype;
 
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index f7dd5dd247..f4039c17b9 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.24 2005/08/23 02:36:07 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.25 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -44,8 +44,8 @@
 
 
 isc_result_t
-ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
-		       dns_tkeyctx_t **tctxp)
+ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
+		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
 {
 	isc_result_t result;
 	dns_tkeyctx_t *tctx = NULL;
@@ -54,7 +54,7 @@ ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
 	dns_fixedname_t fname;
 	dns_name_t *name;
 	isc_buffer_t b;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	int type;
 
 	result = dns_tkeyctx_create(mctx, ectx, &tctx);
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index 830dc78553..37142e1ec5 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.c,v 1.27 2006/01/27 23:57:46 marka Exp $ */
+/* $Id: tsigconf.c,v 1.28 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -37,10 +37,12 @@
 #include 
 
 static isc_result_t
-add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
+add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
+		 isc_mem_t *mctx)
+{
 	dns_tsigkey_t *tsigkey = NULL;
-	cfg_listelt_t *element;
-	cfg_obj_t *key = NULL;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *key = NULL;
 	const char *keyid = NULL;
 	unsigned char *secret = NULL;
 	int secretalloc = 0;
@@ -53,8 +55,8 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *algobj = NULL;
-		cfg_obj_t *secretobj = NULL;
+		const cfg_obj_t *algobj = NULL;
+		const cfg_obj_t *secretobj = NULL;
 		dns_name_t keyname;
 		dns_name_t *alg;
 		const char *algstr;
@@ -138,11 +140,11 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 }
 
 isc_result_t
-ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
+ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp)
 {
-	cfg_obj_t *maps[3];
-	cfg_obj_t *keylist;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *keylist;
 	dns_tsig_keyring_t *ring = NULL;
 	isc_result_t result;
 	int i;
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 8594d133a4..ad1f6c1823 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.130 2006/02/16 01:34:24 marka Exp $ */
+/* $Id: zoneconf.c,v 1.131 2006/02/28 02:39:51 marka Exp $ */
 
 /*% */
 
@@ -58,15 +58,15 @@
  * Convenience function for configuring a single zone ACL.
  */
 static isc_result_t
-configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
-		   const char *aclname, cfg_aclconfctx_t *actx,
-		   dns_zone_t *zone, 
+configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+		   const cfg_obj_t *config, const char *aclname,
+		   cfg_aclconfctx_t *actx, dns_zone_t *zone, 
 		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
 		   void (*clearzacl)(dns_zone_t *))
 {
 	isc_result_t result;
-	cfg_obj_t *maps[4];
-	cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 	dns_acl_t *dacl = NULL;
 
@@ -75,7 +75,7 @@ configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			maps[i++] = options;
@@ -101,9 +101,9 @@ configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
  * Parse the zone update-policy statement.
  */
 static isc_result_t
-configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
-	cfg_obj_t *updatepolicy = NULL;
-	cfg_listelt_t *element, *element2;
+configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
+	const cfg_obj_t *updatepolicy = NULL;
+	const cfg_listelt_t *element, *element2;
 	dns_ssutable_t *table = NULL;
 	isc_mem_t *mctx = dns_zone_getmctx(zone);
 	isc_result_t result;
@@ -122,12 +122,12 @@ configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *stmt = cfg_listelt_value(element);
-		cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
-		cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
-		cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
-		cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
-		cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+		const cfg_obj_t *stmt = cfg_listelt_value(element);
+		const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
+		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
 		const char *str;
 		isc_boolean_t grant = ISC_FALSE;
 		unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
@@ -200,7 +200,7 @@ configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2))
 		{
-			cfg_obj_t *typeobj;
+			const cfg_obj_t *typeobj;
 			isc_textregion_t r;
 
 			INSIST(i < n);
@@ -246,8 +246,8 @@ configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
  * Convert a config file zone type into a server zone type.
  */
 static inline dns_zonetype_t
-zonetype_fromconfig(cfg_obj_t *map) {
-	cfg_obj_t *obj = NULL;
+zonetype_fromconfig(const cfg_obj_t *map) {
+	const cfg_obj_t *obj = NULL;
 	isc_result_t result;
 
 	result = cfg_map_get(map, "type", &obj);
@@ -302,7 +302,9 @@ strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
 }
 
 static void
-checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) {
+checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
+	   const cfg_obj_t **objp)
+{
 	const char *zone = NULL;
 	isc_result_t result;
 
@@ -317,17 +319,18 @@ checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) {
 }
 
 isc_result_t
-ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
-		  cfg_aclconfctx_t *ac, dns_zone_t *zone)
+ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+		  const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
+		  dns_zone_t *zone)
 {
 	isc_result_t result;
 	const char *zname;
 	dns_rdataclass_t zclass;
 	dns_rdataclass_t vclass;
-	cfg_obj_t *maps[5];
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *obj;
+	const cfg_obj_t *maps[5];
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *obj;
 	const char *filename = NULL;
 	dns_notifytype_t notifytype = dns_notifytype_yes;
 	isc_sockaddr_t *addrs;
@@ -876,9 +879,9 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 }
 
 isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig) {
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *obj = NULL;
+ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *obj = NULL;
 	const char *cfilename;
 	const char *zfilename;
 
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index ee01bcc05d..b0c4a3542b 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.108 2005/09/19 00:18:00 marka Exp $ */
+/* $Id: rndc.c,v 1.109 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -415,25 +415,25 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 {
 	isc_result_t result;
 	const char *conffile = admin_conffile;
-	cfg_obj_t *addresses = NULL;
-	cfg_obj_t *defkey = NULL;
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *servers = NULL;
-	cfg_obj_t *server = NULL;
-	cfg_obj_t *keys = NULL;
-	cfg_obj_t *key = NULL;
-	cfg_obj_t *defport = NULL;
-	cfg_obj_t *secretobj = NULL;
-	cfg_obj_t *algorithmobj = NULL;
+	const cfg_obj_t *addresses = NULL;
+	const cfg_obj_t *defkey = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *server = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *defport = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *algorithmobj = NULL;
 	cfg_obj_t *config = NULL;
-	cfg_obj_t *address = NULL;
-	cfg_listelt_t *elt;
+	const cfg_obj_t *address = NULL;
+	const cfg_listelt_t *elt;
 	const char *secretstr;
 	const char *algorithm;
 	static char secretarray[1024];
 	const cfg_type_t *conftype = &cfg_type_rndcconf;
 	isc_boolean_t key_only = ISC_FALSE;
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 
 	if (! isc_file_exists(conffile)) {
 		conffile = admin_keyfile;
@@ -460,7 +460,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	if (key_only && servername == NULL)
 		servername = "127.0.0.1";
 	else if (servername == NULL && options != NULL) {
-		cfg_obj_t *defserverobj = NULL;
+		const cfg_obj_t *defserverobj = NULL;
 		(void)cfg_map_get(options, "default-server", &defserverobj);
 		if (defserverobj != NULL)
 			servername = cfg_obj_asstring(defserverobj);
@@ -570,7 +570,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 			if (!cfg_obj_issockaddr(address)) {
 				unsigned int myport;
 				const char *name;
-				cfg_obj_t *obj;
+				const cfg_obj_t *obj;
 
 				obj = cfg_tuple_get(address, "name");
 				name = cfg_obj_asstring(obj);
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index b94cdaa65e..32a65d6101 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.69 2006/02/17 00:24:20 marka Exp $ */
+/* $Id: check.c,v 1.70 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -54,12 +54,12 @@ freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
 }
 
 static isc_result_t
-check_orderent(cfg_obj_t *ent, isc_log_t *logctx) {
+check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	isc_textregion_t r;
 	dns_fixedname_t fixed;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	dns_rdataclass_t rdclass;
 	dns_rdatatype_t rdtype;
 	isc_buffer_t b;
@@ -136,11 +136,11 @@ check_orderent(cfg_obj_t *ent, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_order(cfg_obj_t *options, isc_log_t *logctx) {
+check_order(const cfg_obj_t *options, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
-	cfg_listelt_t *element;
-	cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj = NULL;
 
 	if (cfg_map_get(options, "rrset-order", &obj) != ISC_R_SUCCESS)
 		return (result);
@@ -157,11 +157,11 @@ check_order(cfg_obj_t *options, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_dual_stack(cfg_obj_t *options, isc_log_t *logctx) {
-	cfg_listelt_t *element;
-	cfg_obj_t *alternates = NULL;
-	cfg_obj_t *value;
-	cfg_obj_t *obj;
+check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *alternates = NULL;
+	const cfg_obj_t *value;
+	const cfg_obj_t *obj;
 	const char *str;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
@@ -217,9 +217,9 @@ check_dual_stack(cfg_obj_t *options, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_forward(cfg_obj_t *options, isc_log_t *logctx) {
-	cfg_obj_t *forward = NULL;
-	cfg_obj_t *forwarders = NULL;
+check_forward(const cfg_obj_t *options, isc_log_t *logctx) {
+	const cfg_obj_t *forward = NULL;
+	const cfg_obj_t *forwarders = NULL;
 
 	(void)cfg_map_get(options, "forward", &forward);
 	(void)cfg_map_get(options, "forwarders", &forwarders);
@@ -233,15 +233,15 @@ check_forward(cfg_obj_t *options, isc_log_t *logctx) {
 }
 
 static isc_result_t
-disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
+disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	const char *str;
 	isc_buffer_t b;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
@@ -285,8 +285,9 @@ disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
 }
 
 static isc_result_t
-nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab,
-	  const char *fmt, isc_log_t *logctx, isc_mem_t *mctx)
+nameexist(const cfg_obj_t *obj, const char *name, int value,
+	  isc_symtab_t *symtab, const char *fmt, isc_log_t *logctx,
+	  isc_mem_t *mctx)
 {
 	char *key;
 	const char *file;
@@ -297,14 +298,14 @@ nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab,
 	key = isc_mem_strdup(mctx, name);
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
-	symvalue.as_pointer = obj;
+	symvalue.as_cpointer = obj;
 	result = isc_symtab_define(symtab, key, value, symvalue,
 				   isc_symexists_reject);
 	if (result == ISC_R_EXISTS) {
 		RUNTIME_CHECK(isc_symtab_lookup(symtab, key, value,
 						&symvalue) == ISC_R_SUCCESS);
-		file = cfg_obj_file(symvalue.as_pointer);
-		line = cfg_obj_line(symvalue.as_pointer);
+		file = cfg_obj_file(symvalue.as_cpointer);
+		line = cfg_obj_line(symvalue.as_cpointer);
 
 		if (file == NULL)
 			file = "";
@@ -318,10 +319,10 @@ nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab,
 }
 
 static isc_result_t
-mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
+mustbesecure(const cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
 	     isc_mem_t *mctx)
 {
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	char namebuf[DNS_NAME_FORMATSIZE];
 	const char *str;
 	dns_fixedname_t fixed;
@@ -350,13 +351,13 @@ mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
 }
 
 static isc_result_t
-checkacl(const char *aclname, cfg_aclconfctx_t *actx, cfg_obj_t *zconfig,
-	 cfg_obj_t *voptions, cfg_obj_t *config, isc_log_t *logctx,
-	 isc_mem_t *mctx)
+checkacl(const char *aclname, cfg_aclconfctx_t *actx, const cfg_obj_t *zconfig,
+	 const cfg_obj_t *voptions, const cfg_obj_t *config,
+	 isc_log_t *logctx, isc_mem_t *mctx)
 {
 	isc_result_t result;
-	cfg_obj_t *aclobj = NULL;
-	cfg_obj_t *options;
+	const cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *options;
 	dns_acl_t *acl = NULL;
 
 	if (zconfig != NULL) {
@@ -380,8 +381,8 @@ checkacl(const char *aclname, cfg_aclconfctx_t *actx, cfg_obj_t *zconfig,
 }
 
 static isc_result_t
-check_viewacls(cfg_aclconfctx_t *actx, cfg_obj_t *voptions, cfg_obj_t *config,
-	      isc_log_t *logctx, isc_mem_t *mctx)
+check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+	       const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
 {
 	isc_result_t result = ISC_R_SUCCESS, tresult;
 	int i = 0;
@@ -406,12 +407,12 @@ typedef struct {
 } intervaltable;
 
 static isc_result_t
-check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
+check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	unsigned int i;
-	cfg_obj_t *obj = NULL;
-	cfg_listelt_t *element;
+	const cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *element;
 	isc_symtab_t *symtab = NULL;
 	dns_fixedname_t fixed;
 	const char *str;
@@ -470,8 +471,8 @@ check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	(void)cfg_map_get(options, "root-delegation-only", &obj);
 	if (obj != NULL) {
 		if (!cfg_obj_isvoid(obj)) {
-			cfg_listelt_t *element;
-			cfg_obj_t *exclude;
+			const cfg_listelt_t *element;
+			const cfg_obj_t *exclude;
 			const char *str;
 			dns_fixedname_t fixed;
 			dns_name_t *name;
@@ -666,10 +667,10 @@ check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 }
 
 static isc_result_t
-get_masters_def(cfg_obj_t *cctx, const char *name, cfg_obj_t **ret) {
+get_masters_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 	isc_result_t result;
-	cfg_obj_t *masters = NULL;
-	cfg_listelt_t *elt;
+	const cfg_obj_t *masters = NULL;
+	const cfg_listelt_t *elt;
 
 	result = cfg_map_get(cctx, "masters", &masters);
 	if (result != ISC_R_SUCCESS)
@@ -677,7 +678,7 @@ get_masters_def(cfg_obj_t *cctx, const char *name, cfg_obj_t **ret) {
 	for (elt = cfg_list_first(masters);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
-		cfg_obj_t *list;
+		const cfg_obj_t *list;
 		const char *listname;
 
 		list = cfg_listelt_value(elt);
@@ -692,18 +693,18 @@ get_masters_def(cfg_obj_t *cctx, const char *name, cfg_obj_t **ret) {
 }
 
 static isc_result_t
-validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
-		 isc_log_t *logctx, isc_mem_t *mctx)
+validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
+	         isc_uint32_t *countp, isc_log_t *logctx, isc_mem_t *mctx)
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	isc_uint32_t count = 0;
 	isc_symtab_t *symtab = NULL;
 	isc_symvalue_t symvalue;
-	cfg_listelt_t *element;
-	cfg_listelt_t **stack = NULL;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t **stack = NULL;
 	isc_uint32_t stackcount = 0, pushed = 0;
-	cfg_obj_t *list;
+	const cfg_obj_t *list;
 
 	REQUIRE(countp != NULL);
 	result = isc_symtab_create(mctx, 100, NULL, NULL, ISC_FALSE, &symtab);
@@ -721,8 +722,8 @@ validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
 	     element = cfg_list_next(element))
 	{
 		const char *listname;
-		cfg_obj_t *addr;
-		cfg_obj_t *key;
+		const cfg_obj_t *addr;
+		const cfg_obj_t *key;
 
 		addr = cfg_tuple_get(cfg_listelt_value(element),
 				     "masterselement");
@@ -740,7 +741,7 @@ validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
 				result = ISC_R_FAILURE;
 		}
 		listname = cfg_obj_asstring(addr);
-		symvalue.as_pointer = addr;
+		symvalue.as_cpointer = addr;
 		tresult = isc_symtab_define(symtab, listname, 1, symvalue,
 					    isc_symexists_reject);
 		if (tresult == ISC_R_EXISTS)
@@ -788,11 +789,11 @@ validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
 }
 
 static isc_result_t
-check_update_policy(cfg_obj_t *policy, isc_log_t *logctx) {
+check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
-	cfg_listelt_t *element;
-	cfg_listelt_t *element2;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t *element2;
 	dns_fixedname_t fixed;
 	const char *str;
 	isc_buffer_t b;
@@ -801,11 +802,11 @@ check_update_policy(cfg_obj_t *policy, isc_log_t *logctx) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *stmt = cfg_listelt_value(element);
-		cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
-		cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
-		cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
-		cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+		const cfg_obj_t *stmt = cfg_listelt_value(element);
+		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
 
 		dns_fixedname_init(&fixed);
 		str = cfg_obj_asstring(identity);
@@ -842,7 +843,7 @@ check_update_policy(cfg_obj_t *policy, isc_log_t *logctx) {
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2))
 		{
-			cfg_obj_t *typeobj;
+			const cfg_obj_t *typeobj;
 			isc_textregion_t r;
 			dns_rdatatype_t type;
 			
@@ -875,15 +876,16 @@ typedef struct {
 } optionstable;
 
 static isc_result_t
-check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *voptions, cfg_obj_t *config,
-	       isc_symtab_t *symtab, dns_rdataclass_t defclass,
-	       cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx)
+check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+	       const cfg_obj_t *config, isc_symtab_t *symtab,
+	       dns_rdataclass_t defclass, cfg_aclconfctx_t *actx,
+	       isc_log_t *logctx, isc_mem_t *mctx)
 {
 	const char *zname;
 	const char *typestr;
 	unsigned int ztype;
-	cfg_obj_t *zoptions;
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *zoptions;
+	const cfg_obj_t *obj = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	unsigned int i;
@@ -1107,7 +1109,7 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *voptions, cfg_obj_t *config,
 	 * Check the excessively complicated "dialup" option.
 	 */
 	if (ztype == MASTERZONE || ztype == SLAVEZONE || ztype == STUBZONE) {
-		cfg_obj_t *dialup = NULL;
+		const cfg_obj_t *dialup = NULL;
 		(void)cfg_map_get(zoptions, "dialup", &dialup);
 		if (dialup != NULL && cfg_obj_isstring(dialup)) {
 			const char *str = cfg_obj_asstring(dialup);
@@ -1181,9 +1183,9 @@ typedef struct keyalgorithms {
 } algorithmtable;
 
 isc_result_t
-bind9_check_key(cfg_obj_t *key, isc_log_t *logctx) {
-	cfg_obj_t *algobj = NULL;
-	cfg_obj_t *secretobj = NULL;
+bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
 	const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
 	const char *algorithm;
 	int i;
@@ -1263,16 +1265,16 @@ bind9_check_key(cfg_obj_t *key, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
+check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 
 	for (element = cfg_list_first(keys);
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *key = cfg_listelt_value(element);
+		const cfg_obj_t *key = cfg_listelt_value(element);
 		const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
 		isc_symvalue_t symvalue;
 
@@ -1280,7 +1282,7 @@ check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 		if (tresult != ISC_R_SUCCESS)
 			return (tresult);
 
-		symvalue.as_pointer = key;
+		symvalue.as_cpointer = key;
 		tresult = isc_symtab_define(symtab, keyname, 1,
 					    symvalue, isc_symexists_reject);
 		if (tresult == ISC_R_EXISTS) {
@@ -1289,8 +1291,8 @@ check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 
 			RUNTIME_CHECK(isc_symtab_lookup(symtab, keyname,
 					    1, &symvalue) == ISC_R_SUCCESS);
-			file = cfg_obj_file(symvalue.as_pointer);
-			line = cfg_obj_line(symvalue.as_pointer);
+			file = cfg_obj_file(symvalue.as_cpointer);
+			line = cfg_obj_line(symvalue.as_cpointer);
 
 			if (file == NULL)
 				file = "";
@@ -1316,14 +1318,14 @@ static struct {
 };
 
 static isc_result_t
-check_servers(cfg_obj_t *servers, isc_log_t *logctx) {
+check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
-	cfg_listelt_t *e1, *e2;
-	cfg_obj_t *v1, *v2;
+	const cfg_listelt_t *e1, *e2;
+	const cfg_obj_t *v1, *v2;
 	isc_netaddr_t n1, n2;
 	unsigned int p1, p2;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	char buf[ISC_NETADDR_FORMATSIZE];
 	const char *xfr;
 	int source;
@@ -1383,13 +1385,13 @@ check_servers(cfg_obj_t *servers, isc_log_t *logctx) {
 }
 		
 static isc_result_t
-check_viewconf(cfg_obj_t *config, cfg_obj_t *voptions, dns_rdataclass_t vclass,
-	       isc_log_t *logctx, isc_mem_t *mctx)
+check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
+	       dns_rdataclass_t vclass, isc_log_t *logctx, isc_mem_t *mctx)
 {
-	cfg_obj_t *servers = NULL;
-	cfg_obj_t *zones = NULL;
-	cfg_obj_t *keys = NULL;
-	cfg_listelt_t *element;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *zones = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_listelt_t *element;
 	isc_symtab_t *symtab = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult = ISC_R_SUCCESS;
@@ -1416,7 +1418,7 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *voptions, dns_rdataclass_t vclass,
 	     element = cfg_list_next(element))
 	{
 		isc_result_t tresult;
-		cfg_obj_t *zone = cfg_listelt_value(element);
+		const cfg_obj_t *zone = cfg_listelt_value(element);
 
 		tresult = check_zoneconf(zone, voptions, config, symtab,
 					 vclass, &actx, logctx, mctx);
@@ -1461,7 +1463,7 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *voptions, dns_rdataclass_t vclass,
 	 * Check that forwarding is reasonable.
 	 */
 	if (voptions == NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			if (check_forward(options, logctx) != ISC_R_SUCCESS)
@@ -1474,7 +1476,7 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *voptions, dns_rdataclass_t vclass,
 	 * Check that dual-stack-servers is reasonable.
 	 */
 	if (voptions == NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
@@ -1525,20 +1527,22 @@ default_channels[] = {
 };
 
 static isc_result_t
-bind9_check_logging(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
-	cfg_obj_t *categories = NULL;
-	cfg_obj_t *category;
-	cfg_obj_t *channels = NULL;
-	cfg_obj_t *channel;
-	cfg_listelt_t *element;
-	cfg_listelt_t *delement;
+bind9_check_logging(const cfg_obj_t *config, isc_log_t *logctx,
+		    isc_mem_t *mctx)
+{
+	const cfg_obj_t *categories = NULL;
+	const cfg_obj_t *category;
+	const cfg_obj_t *channels = NULL;
+	const cfg_obj_t *channel;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t *delement;
 	const char *channelname;
 	const char *catname;
-	cfg_obj_t *fileobj = NULL;
-        cfg_obj_t *syslogobj = NULL;
-        cfg_obj_t *nullobj = NULL;
-        cfg_obj_t *stderrobj = NULL;
-        cfg_obj_t *logobj = NULL;
+	const cfg_obj_t *fileobj = NULL;
+        const cfg_obj_t *syslogobj = NULL;
+        const cfg_obj_t *nullobj = NULL;
+        const cfg_obj_t *stderrobj = NULL;
+        const cfg_obj_t *logobj = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	isc_symtab_t *symtab = NULL;
@@ -1553,7 +1557,7 @@ bind9_check_logging(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	symvalue.as_pointer = NULL;
+	symvalue.as_cpointer = NULL;
 	for (i = 0; default_channels[i] != NULL; i++) {
 		tresult = isc_symtab_define(symtab, default_channels[i], 1,
 					    symvalue, isc_symexists_replace);
@@ -1631,10 +1635,10 @@ bind9_check_logging(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 }
 
 static isc_result_t
-key_exists(cfg_obj_t *keylist, const char *keyname) {
-	cfg_listelt_t *element;
+key_exists(const cfg_obj_t *keylist, const char *keyname) {
+	const cfg_listelt_t *element;
 	const char *str;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	
 	if (keylist == NULL)
 		return (ISC_R_NOTFOUND);
@@ -1651,13 +1655,13 @@ key_exists(cfg_obj_t *keylist, const char *keyname) {
 }
 
 static isc_result_t
-bind9_check_controlskeys(cfg_obj_t *control, cfg_obj_t *keylist,
+bind9_check_controlskeys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 			 isc_log_t *logctx)
 {
 	isc_result_t result = ISC_R_SUCCESS, tresult;
-	cfg_obj_t *control_keylist;
-	cfg_listelt_t *element;
-	cfg_obj_t *key;
+	const cfg_obj_t *control_keylist;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *key;
 	
 	control_keylist = cfg_tuple_get(control, "keys");
 	if (cfg_obj_isvoid(control_keylist))
@@ -1679,17 +1683,19 @@ bind9_check_controlskeys(cfg_obj_t *control, cfg_obj_t *keylist,
 }
 
 static isc_result_t
-bind9_check_controls(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
+bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
+		     isc_mem_t *mctx)
+{
 	isc_result_t result = ISC_R_SUCCESS, tresult;
 	cfg_aclconfctx_t actx;
-	cfg_listelt_t *element, *element2;
-	cfg_obj_t *allow;
-	cfg_obj_t *control;
-	cfg_obj_t *controls;
-	cfg_obj_t *controlslist = NULL;
-	cfg_obj_t *inetcontrols;
-	cfg_obj_t *unixcontrols;
-	cfg_obj_t *keylist = NULL;
+	const cfg_listelt_t *element, *element2;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *control;
+	const cfg_obj_t *controls;
+	const cfg_obj_t *controlslist = NULL;
+	const cfg_obj_t *inetcontrols;
+	const cfg_obj_t *unixcontrols;
+	const cfg_obj_t *keylist = NULL;
 	const char *path;
 	isc_uint32_t perm, mask;
 	dns_acl_t *acl = NULL;
@@ -1774,14 +1780,16 @@ bind9_check_controls(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 }
 
 isc_result_t
-bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *servers = NULL;
-	cfg_obj_t *views = NULL;
-	cfg_obj_t *acls = NULL;
-	cfg_obj_t *kals = NULL;
-	cfg_obj_t *obj;
-	cfg_listelt_t *velement;
+bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
+		      isc_mem_t *mctx)
+{
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *views = NULL;
+	const cfg_obj_t *acls = NULL;
+	const cfg_obj_t *kals = NULL;
+	const cfg_obj_t *obj;
+	const cfg_listelt_t *velement;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	isc_symtab_t *symtab = NULL;
@@ -1821,7 +1829,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 				   logctx, mctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	} else {
-		cfg_obj_t *zones = NULL;
+		const cfg_obj_t *zones = NULL;
 
 		(void)cfg_map_get(config, "zone", &zones);
 		if (zones != NULL) {
@@ -1839,10 +1847,10 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 	     velement != NULL;
 	     velement = cfg_list_next(velement))
 	{
-		cfg_obj_t *view = cfg_listelt_value(velement);
-		cfg_obj_t *vname = cfg_tuple_get(view, "name");
-		cfg_obj_t *voptions = cfg_tuple_get(view, "options");
-		cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
+		const cfg_obj_t *view = cfg_listelt_value(velement);
+		const cfg_obj_t *vname = cfg_tuple_get(view, "name");
+		const cfg_obj_t *voptions = cfg_tuple_get(view, "options");
+		const cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
 		dns_rdataclass_t vclass = dns_rdataclass_in;
 		isc_result_t tresult = ISC_R_SUCCESS;
 		const char *key = cfg_obj_asstring(vname);
@@ -1860,7 +1868,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 					    cfg_obj_asstring(vname), r.base);
 		}
 		if (tresult == ISC_R_SUCCESS && symtab != NULL) {
-			symvalue.as_pointer = view;
+			symvalue.as_cpointer = view;
 			tresult = isc_symtab_define(symtab, key, vclass,
 						    symvalue,
 						    isc_symexists_reject);
@@ -1869,8 +1877,8 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 				unsigned int line;
 				RUNTIME_CHECK(isc_symtab_lookup(symtab, key,
 				           vclass, &symvalue) == ISC_R_SUCCESS);
-				file = cfg_obj_file(symvalue.as_pointer);
-				line = cfg_obj_line(symvalue.as_pointer);
+				file = cfg_obj_file(symvalue.as_cpointer);
+				line = cfg_obj_line(symvalue.as_cpointer);
 				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
 					    "view '%s': already exists "
 					    "previous definition: %s:%u",
@@ -1910,14 +1918,14 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 
         tresult = cfg_map_get(config, "acl", &acls);
         if (tresult == ISC_R_SUCCESS) {
-		cfg_listelt_t *elt;
-		cfg_listelt_t *elt2;
+		const cfg_listelt_t *elt;
+		const cfg_listelt_t *elt2;
 		const char *aclname;
 
 		for (elt = cfg_list_first(acls);
 		     elt != NULL;
 		     elt = cfg_list_next(elt)) {
-			cfg_obj_t *acl = cfg_listelt_value(elt);
+			const cfg_obj_t *acl = cfg_listelt_value(elt);
 			unsigned int i;
 
 			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
@@ -1936,7 +1944,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 			for (elt2 = cfg_list_next(elt);
 			     elt2 != NULL;
 			     elt2 = cfg_list_next(elt2)) {
-				cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
 				const char *name;
 				name = cfg_obj_asstring(cfg_tuple_get(acl2,
 								      "name"));
@@ -1960,21 +1968,21 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 
         tresult = cfg_map_get(config, "kal", &kals);
         if (tresult == ISC_R_SUCCESS) {
-		cfg_listelt_t *elt;
-		cfg_listelt_t *elt2;
+		const cfg_listelt_t *elt;
+		const cfg_listelt_t *elt2;
 		const char *aclname;
 
 		for (elt = cfg_list_first(kals);
 		     elt != NULL;
 		     elt = cfg_list_next(elt)) {
-			cfg_obj_t *acl = cfg_listelt_value(elt);
+			const cfg_obj_t *acl = cfg_listelt_value(elt);
 
 			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
 
 			for (elt2 = cfg_list_next(elt);
 			     elt2 != NULL;
 			     elt2 = cfg_list_next(elt2)) {
-				cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
 				const char *name;
 				name = cfg_obj_asstring(cfg_tuple_get(acl2,
 								      "name"));
diff --git a/lib/bind9/include/bind9/check.h b/lib/bind9/include/bind9/check.h
index 5f9ed3e7b3..4a56724eb4 100644
--- a/lib/bind9/include/bind9/check.h
+++ b/lib/bind9/include/bind9/check.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.h,v 1.4 2005/04/29 00:22:42 marka Exp $ */
+/* $Id: check.h,v 1.5 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef BIND9_CHECK_H
 #define BIND9_CHECK_H 1
@@ -30,7 +30,8 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx);
+bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
+		      isc_mem_t *mctx);
 /*%<
  * Check the syntactic validity of a configuration parse tree generated from
  * a named.conf file.
@@ -46,7 +47,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx);
  */
 
 isc_result_t
-bind9_check_key(cfg_obj_t *config, isc_log_t *logctx);
+bind9_check_key(const cfg_obj_t *config, isc_log_t *logctx);
 /*%<
  * Same as bind9_check_namedconf(), but for a single 'key' statement.
  */
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index cfc3714681..907a531079 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.28 2005/07/12 01:00:14 marka Exp $ */
+/* $Id: acl.c,v 1.29 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -74,7 +74,7 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 }
 
 isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt) {
+dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt) {
 	if (acl->length + 1 > acl->alloc) {
 		/*
 		 * Resize the ACL.
@@ -129,12 +129,12 @@ dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
 }
 
 isc_result_t
-dns_acl_match(isc_netaddr_t *reqaddr,
-	      dns_name_t *reqsigner,
-	      dns_acl_t *acl,
-	      dns_aclenv_t *env,
+dns_acl_match(const isc_netaddr_t *reqaddr,
+	      const dns_name_t *reqsigner,
+	      const dns_acl_t *acl,
+	      const dns_aclenv_t *env,
 	      int *match,
-	      dns_aclelement_t **matchelt)
+	      dns_aclelement_t const**matchelt)
 {
 	unsigned int i;
 
@@ -156,9 +156,9 @@ dns_acl_match(isc_netaddr_t *reqaddr,
 }
 
 isc_result_t
-dns_acl_elementmatch(dns_acl_t *acl,
-		     dns_aclelement_t *elt,
-		     dns_aclelement_t **matchelt)
+dns_acl_elementmatch(const dns_acl_t *acl,
+		     const dns_aclelement_t *elt,
+		     const dns_aclelement_t **matchelt)
 {
 	unsigned int i;
 
@@ -179,14 +179,14 @@ dns_acl_elementmatch(dns_acl_t *acl,
 }
 
 isc_boolean_t
-dns_aclelement_match(isc_netaddr_t *reqaddr,
-		     dns_name_t *reqsigner,
-		     dns_aclelement_t *e,
-		     dns_aclenv_t *env,
-		     dns_aclelement_t **matchelt)
+dns_aclelement_match(const isc_netaddr_t *reqaddr,
+		     const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e,
+		     const dns_aclenv_t *env,
+		     const dns_aclelement_t **matchelt)
 {
 	dns_acl_t *inner = NULL;
-	isc_netaddr_t *addr;
+	const isc_netaddr_t *addr;
 	isc_netaddr_t v4addr;
 	int indirectmatch;
 	isc_result_t result;
@@ -318,7 +318,7 @@ dns_acl_detach(dns_acl_t **aclp) {
 }
 
 isc_boolean_t
-dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
+dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb) {
 	if (ea->type != eb->type)
 		return (ISC_FALSE);
 	switch (ea->type) {
@@ -344,7 +344,7 @@ dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
 }
 
 isc_boolean_t
-dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
+dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b) {
 	unsigned int i;
 	if (a == b)
 		return (ISC_TRUE);
@@ -359,7 +359,7 @@ dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
 }
 
 static isc_boolean_t
-is_loopback(dns_aclipprefix_t *p) {
+is_loopback(const dns_aclipprefix_t *p) {
 	switch (p->address.family) {
 	case AF_INET:
 		if (p->prefixlen == 32 &&
@@ -378,7 +378,7 @@ is_loopback(dns_aclipprefix_t *p) {
 }
 
 isc_boolean_t
-dns_acl_isinsecure(dns_acl_t *a) {
+dns_acl_isinsecure(const dns_acl_t *a) {
 	unsigned int i;
 	for (i = 0; i < a->length; i++) {
 		dns_aclelement_t *e = &a->elements[i];
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
index 8eed3fc689..07eea1372b 100644
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.55 2005/04/27 04:56:45 sra Exp $ */
+/* $Id: compress.c,v 1.56 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -131,7 +131,7 @@ do { \
  * If no match is found return ISC_FALSE.
  */
 isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
 			dns_name_t *prefix, isc_uint16_t *offset)
 {
 	dns_name_t tname, nname;
@@ -186,15 +186,15 @@ dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
 }
 
 static inline unsigned int
-name_length(dns_name_t *name) {
+name_length(const dns_name_t *name) {
 	isc_region_t r;
 	dns_name_toregion(name, &r);
 	return (r.length);
 }
 
 void
-dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
-		 isc_uint16_t offset)
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, isc_uint16_t offset)
 {
 	dns_name_t tname;
 	unsigned int start;
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index 6df26544b2..fe3592fa87 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.24 2005/04/29 00:22:53 marka Exp $ */
+/* $Id: acl.h,v 1.25 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
@@ -105,7 +105,7 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
  */
 
 isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt);
+dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt);
 /*%<
  * Append an element to an existing ACL.
  */
@@ -129,13 +129,13 @@ void
 dns_acl_detach(dns_acl_t **aclp);
 
 isc_boolean_t
-dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb);
+dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb);
 
 isc_boolean_t
-dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
+dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b);
 
 isc_boolean_t
-dns_acl_isinsecure(dns_acl_t *a);
+dns_acl_isinsecure(const dns_acl_t *a);
 /*%<
  * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
  * if it contains IP addresses other than those of the local host.
@@ -155,12 +155,12 @@ void
 dns_aclenv_destroy(dns_aclenv_t *env);
 
 isc_result_t
-dns_acl_match(isc_netaddr_t *reqaddr,
-	      dns_name_t *reqsigner,
-	      dns_acl_t *acl,
-	      dns_aclenv_t *env,
+dns_acl_match(const isc_netaddr_t *reqaddr,
+	      const dns_name_t *reqsigner,
+	      const dns_acl_t *acl,
+	      const dns_aclenv_t *env,
 	      int *match,
-	      dns_aclelement_t **matchelt);
+	      const dns_aclelement_t **matchelt);
 /*%<
  * General, low-level ACL matching.  This is expected to
  * be useful even for weird stuff like the topology and sortlist statements.
@@ -186,11 +186,11 @@ dns_acl_match(isc_netaddr_t *reqaddr,
  */
 
 isc_boolean_t
-dns_aclelement_match(isc_netaddr_t *reqaddr,
-		     dns_name_t *reqsigner,
-		     dns_aclelement_t *e,
-		     dns_aclenv_t *env,		     
-		     dns_aclelement_t **matchelt);
+dns_aclelement_match(const isc_netaddr_t *reqaddr,
+		     const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e,
+		     const dns_aclenv_t *env,		     
+		     const dns_aclelement_t **matchelt);
 /*%<
  * Like dns_acl_match, but matches against the single ACL element 'e'
  * rather than a complete list and returns ISC_TRUE iff it matched.
@@ -201,9 +201,9 @@ dns_aclelement_match(isc_netaddr_t *reqaddr,
  */
 
 isc_result_t
-dns_acl_elementmatch(dns_acl_t *acl,
-		     dns_aclelement_t *elt,
-		     dns_aclelement_t **matchelt);
+dns_acl_elementmatch(const dns_acl_t *acl,
+		     const dns_aclelement_t *elt,
+		     const dns_aclelement_t **matchelt);
 /*%<
  * Search for an ACL element in 'acl' which is exactly the same as 'elt'.
  * If there is one, and 'matchelt' is non NULL, then '*matchelt' will point
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index 8f9ecaebe6..e845499683 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.35 2005/04/27 04:56:54 sra Exp $ */
+/* $Id: compress.h,v 1.36 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
@@ -157,7 +157,7 @@ dns_compress_getedns(dns_compress_t *cctx);
  */
 
 isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
 			dns_name_t *prefix, isc_uint16_t *offset);
 /*%<
  *	Finds longest possible match of 'name' in the global compression table.
@@ -176,8 +176,8 @@ dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
  */
 
 void
-dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
-		 isc_uint16_t offset);
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, isc_uint16_t offset);
 /*%<
  *	Add compression pointers for 'name' to the compression table,
  *	not replacing existing pointers.
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index 13c1b6b40f..953b14e613 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.118 2006/01/06 00:01:44 marka Exp $ */
+/* $Id: message.h,v 1.119 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -240,7 +240,7 @@ struct dns_message {
 	isc_region_t			saved;
 
 	dns_rdatasetorderfunc_t		order;
-	void *				order_arg;
+	const void *			order_arg;
 };
 
 /***
@@ -1283,7 +1283,7 @@ dns_message_getrawmessage(dns_message_t *msg);
 
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 void *order_arg);
+			 const void *order_arg);
 /*%<
  * Define the order in which RR sets get rendered by
  * dns_message_rendersection() to be the ascending order
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 0484890e29..bcf508c48d 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.120 2005/10/26 04:35:54 marka Exp $ */
+/* $Id: name.h,v 1.121 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -604,7 +604,7 @@ dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
 
 
 void
-dns_name_clone(dns_name_t *source, dns_name_t *target);
+dns_name_clone(const dns_name_t *source, dns_name_t *target);
 /*%<
  * Make 'target' refer to the same name as 'source'.
  *
@@ -720,7 +720,8 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
  */
 
 isc_result_t
-dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target);
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+	        isc_buffer_t *target);
 /*%<
  * Convert 'name' into wire format, compressing it as specified by the
  * compression context 'cctx', and storing the result in 'target'.
@@ -994,7 +995,8 @@ dns_name_split(dns_name_t *name, unsigned int suffixlabels,
  */
 
 isc_result_t
-dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
+	     dns_name_t *target);
 /*%<
  * Make 'target' a dynamically allocated copy of 'source'.
  *
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
index 46057bb7bd..59b92835c3 100644
--- a/lib/dns/include/dns/peer.h
+++ b/lib/dns/include/dns/peer.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.h,v 1.27 2006/02/17 00:24:21 marka Exp $ */
+/* $Id: peer.h,v 1.28 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef DNS_PEER_H
 #define DNS_PEER_H 1
@@ -177,7 +177,8 @@ isc_result_t
 dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
 
 isc_result_t
-dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
+dns_peer_settransfersource(dns_peer_t *peer,
+			   const isc_sockaddr_t *transfer_source);
 
 isc_result_t
 dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
@@ -195,13 +196,13 @@ isc_result_t
 dns_peer_getmaxudp(dns_peer_t *peer, isc_uint16_t *maxudp);
 
 isc_result_t
-dns_peer_setnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source);
+dns_peer_setnotifysource(dns_peer_t *peer, const isc_sockaddr_t *notify_source);
 
 isc_result_t
 dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source);
 
 isc_result_t
-dns_peer_setquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source);
+dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source);
 
 isc_result_t
 dns_peer_getquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source);
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 755facbdec..f8ffb666f2 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.56 2005/07/18 05:58:59 marka Exp $ */
+/* $Id: rdataset.h,v 1.57 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -398,11 +398,11 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  dns_name_t *owner_name,
+			  const dns_name_t *owner_name,
 			  dns_compress_t *cctx,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
-			  void *order_arg,
+			  const void *order_arg,
 			  unsigned int options,
 			  unsigned int *countp);
 /*%<
@@ -417,11 +417,11 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   dns_name_t *owner_name,
+			   const dns_name_t *owner_name,
 			   dns_compress_t *cctx,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
-			   void *order_arg,
+			   const void *order_arg,
 			   unsigned int options,
 			   unsigned int *countp,
 			   void **state);
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 611a721168..c7ce50bc04 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.119 2006/01/27 23:57:46 marka Exp $ */
+/* $Id: types.h,v 1.120 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
@@ -308,7 +308,7 @@ typedef void
 (*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
 
 typedef int 
-(*dns_rdatasetorderfunc_t)(dns_rdata_t *, void *);
+(*dns_rdatasetorderfunc_t)(const dns_rdata_t *, const void *);
 
 typedef isc_boolean_t
 (*dns_checkmxfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *);
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 1637958799..7d8502e4e5 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.142 2006/02/21 23:12:27 marka Exp $ */
+/* $Id: zone.h,v 1.143 2006/02/28 02:39:51 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -176,7 +176,7 @@ dns_zone_getview(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin);
 /*%<
  *	Sets the zones origin to 'origin'.
  *
@@ -465,11 +465,13 @@ dns_zone_maintenance(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
 		    isc_uint32_t count);
 isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
-			    dns_name_t **keynames, isc_uint32_t count);
+dns_zone_setmasterswithkeys(dns_zone_t *zone,
+			    const isc_sockaddr_t *masters,
+			    dns_name_t **keynames,
+			    isc_uint32_t count);
 /*%<
  *	Set the list of master servers for the zone.
  *
@@ -491,7 +493,7 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
  */
 
 isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 		       isc_uint32_t count);
 /*%<
  *	Set the list of additional servers to be notified when
@@ -576,9 +578,10 @@ dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val);
  */
 
 isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 isc_result_t
-dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setaltxfrsource4(dns_zone_t *zone,
+			  const isc_sockaddr_t *xfrsource);
 /*%<
  * 	Set the source address to be used in IPv4 zone transfers.
  *
@@ -603,9 +606,10 @@ dns_zone_getaltxfrsource4(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 isc_result_t
-dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setaltxfrsource6(dns_zone_t *zone,
+			  const isc_sockaddr_t *xfrsource);
 /*%<
  * 	Set the source address to be used in IPv6 zone transfers.
  *
@@ -630,7 +634,7 @@ dns_zone_getaltxfrsource6(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
 /*%<
  * 	Set the source address to be used with IPv4 NOTIFY messages.
  *
@@ -653,7 +657,7 @@ dns_zone_getnotifysrc4(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
 /*%<
  * 	Set the source address to be used with IPv6 NOTIFY messages.
  *
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 65ae0b438c..e518b35e70 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.230 2006/01/06 00:01:44 marka Exp $ */
+/* $Id: message.c,v 1.231 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -1825,7 +1825,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 		if (rdataset != NULL &&
 		    (rdataset->attributes & DNS_RDATASETATTR_REQUIREDGLUE) != 0 &&
 		    (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0) {
-			void *order_arg = msg->order_arg;
+			const void *order_arg = msg->order_arg;
 			st = *(msg->buffer);
 			count = 0;
 			if (partial)
@@ -3213,7 +3213,7 @@ dns_message_getrawmessage(dns_message_t *msg) {
 
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 void *order_arg)
+			 const void *order_arg)
 {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	msg->order = order;
diff --git a/lib/dns/name.c b/lib/dns/name.c
index a069dfd01c..c3bc70eb6a 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.158 2006/01/10 23:50:42 marka Exp $ */
+/* $Id: name.c,v 1.159 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -938,7 +938,7 @@ dns_name_getlabelsequence(const dns_name_t *source,
 }
 
 void
-dns_name_clone(dns_name_t *source, dns_name_t *target) {
+dns_name_clone(const dns_name_t *source, dns_name_t *target) {
 
 	/*
 	 * Make 'target' refer to the same name as 'source'.
@@ -1897,7 +1897,9 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 }
 
 isc_result_t
-dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target) {
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+		isc_buffer_t *target)
+{
 	unsigned int methods;
 	isc_uint16_t offset;
 	dns_name_t gp;	/* Global compression prefix */
@@ -2111,7 +2113,9 @@ dns_name_split(dns_name_t *name, unsigned int suffixlabels,
 }
 
 isc_result_t
-dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
+	     dns_name_t *target)
+{
 	/*
 	 * Make 'target' a dynamically allocated copy of 'source'.
 	 */
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
index dff6cd35ad..86a85b7dbd 100644
--- a/lib/dns/peer.c
+++ b/lib/dns/peer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.c,v 1.26 2006/02/17 00:24:21 marka Exp $ */
+/* $Id: peer.c,v 1.27 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -532,7 +532,9 @@ dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
 }
 
 isc_result_t
-dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
+dns_peer_settransfersource(dns_peer_t *peer,
+			   const isc_sockaddr_t *transfer_source)
+{
 	REQUIRE(DNS_PEER_VALID(peer));
 
 	if (peer->transfer_source != NULL) {
@@ -563,7 +565,9 @@ dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
 }
 
 isc_result_t
-dns_peer_setnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source) {
+dns_peer_setnotifysource(dns_peer_t *peer,
+			 const isc_sockaddr_t *notify_source)
+{
 	REQUIRE(DNS_PEER_VALID(peer));
 
 	if (peer->notify_source != NULL) {
@@ -594,7 +598,7 @@ dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source) {
 }
 
 isc_result_t
-dns_peer_setquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source) {
+dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source) {
 	REQUIRE(DNS_PEER_VALID(peer));
 
 	if (peer->query_source != NULL) {
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index 59aab8104c..7ae14ca15c 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.75 2005/04/29 00:22:51 marka Exp $ */
+/* $Id: rdataset.c,v 1.76 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -285,9 +285,9 @@ towire_compare(const void *av, const void *bv) {
 }
 
 static isc_result_t
-towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	     dns_compress_t *cctx, isc_buffer_t *target,
-	     dns_rdatasetorderfunc_t order, void *order_arg,
+	     dns_rdatasetorderfunc_t order, const void *order_arg,
 	     isc_boolean_t partial, unsigned int options,
 	     unsigned int *countp, void **state)
 {
@@ -533,11 +533,11 @@ towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  dns_name_t *owner_name,
+			  const dns_name_t *owner_name,
 			  dns_compress_t *cctx,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
-			  void *order_arg,
+			  const void *order_arg,
 			  unsigned int options,
 			  unsigned int *countp)
 {
@@ -548,11 +548,11 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   dns_name_t *owner_name,
+			   const dns_name_t *owner_name,
 			   dns_compress_t *cctx,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
-			   void *order_arg,
+			   const void *order_arg,
 			   unsigned int options,
 			   unsigned int *countp,
 			   void **state)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 1b19ac9888..4a9e53294e 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.452 2006/02/21 23:12:27 marka Exp $ */
+/* $Id: zone.c,v 1.453 2006/02/28 02:39:51 marka Exp $ */
 
 /*! \file */
 
@@ -900,7 +900,7 @@ dns_zone_getview(dns_zone_t *zone) {
 
 
 isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin) {
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
 	isc_result_t result;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -2470,7 +2470,7 @@ dns_zone_getoptions(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -2487,7 +2487,7 @@ dns_zone_getxfrsource4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -2504,7 +2504,9 @@ dns_zone_getxfrsource6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
+dns_zone_setaltxfrsource4(dns_zone_t *zone,
+			  const isc_sockaddr_t *altxfrsource)
+{
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -2521,7 +2523,9 @@ dns_zone_getaltxfrsource4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
+dns_zone_setaltxfrsource6(dns_zone_t *zone,
+			  const isc_sockaddr_t *altxfrsource)
+{
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -2538,7 +2542,7 @@ dns_zone_getaltxfrsource6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -2555,7 +2559,7 @@ dns_zone_getnotifysrc4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -2572,7 +2576,7 @@ dns_zone_getnotifysrc6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 		       isc_uint32_t count)
 {
 	isc_sockaddr_t *new;
@@ -2602,7 +2606,7 @@ dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
 }
 
 isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
 		    isc_uint32_t count)
 {
 	isc_result_t result;
@@ -2612,8 +2616,10 @@ dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
 }
 
 isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
-			    dns_name_t **keynames, isc_uint32_t count)
+dns_zone_setmasterswithkeys(dns_zone_t *zone,
+			    const isc_sockaddr_t *masters,
+			    dns_name_t **keynames,
+			    isc_uint32_t count)
 {
 	isc_sockaddr_t *new;
 	isc_result_t result = ISC_R_SUCCESS;
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
index b65a85163d..472714ca69 100644
--- a/lib/isc/include/isc/sockaddr.h
+++ b/lib/isc/include/isc/sockaddr.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.49 2005/07/28 04:54:17 marka Exp $ */
+/* $Id: sockaddr.h,v 1.50 2006/02/28 02:39:52 marka Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
@@ -168,7 +168,7 @@ isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
  */
 
 in_port_t
-isc_sockaddr_getport(isc_sockaddr_t *sockaddr);
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr);
 /*%<
  * Get the port stored in 'sockaddr'.
  */
@@ -195,25 +195,25 @@ isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
  */
 
 isc_boolean_t
-isc_sockaddr_ismulticast(isc_sockaddr_t *sa);
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sa);
 /*%<
  * Returns #ISC_TRUE if the address is a multicast address.
  */
 
 isc_boolean_t
-isc_sockaddr_isexperimental(isc_sockaddr_t *sa);
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sa);
 /*
  * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
  */
 
 isc_boolean_t
-isc_sockaddr_islinklocal(isc_sockaddr_t *sa);
+isc_sockaddr_islinklocal(const isc_sockaddr_t *sa);
 /*%<
  * Returns ISC_TRUE if the address is a link local addresss.
  */
 
 isc_boolean_t
-isc_sockaddr_issitelocal(isc_sockaddr_t *sa);
+isc_sockaddr_issitelocal(const isc_sockaddr_t *sa);
 /*%<
  * Returns ISC_TRUE if the address is a sitelocal address.
  */
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
index eee1ab7318..5d4efa0785 100644
--- a/lib/isc/include/isc/symtab.h
+++ b/lib/isc/include/isc/symtab.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.19 2005/04/29 00:23:45 marka Exp $ */
+/* $Id: symtab.h,v 1.20 2006/02/28 02:39:52 marka Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
@@ -86,6 +86,7 @@
 /*% Symbol table value. */
 typedef union isc_symvalue {
 	void *				as_pointer;
+	const void *			as_cpointer;
 	int				as_integer;
 	unsigned int			as_uinteger;
 } isc_symvalue_t;
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
index c4fb408ca0..8a8f926c0e 100644
--- a/lib/isc/sockaddr.c
+++ b/lib/isc/sockaddr.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.65 2005/04/27 04:57:15 sra Exp $ */
+/* $Id: sockaddr.c,v 1.66 2006/02/28 02:39:52 marka Exp $ */
 
 /*! \file */
 
@@ -415,7 +415,7 @@ isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) {
 }
 
 in_port_t
-isc_sockaddr_getport(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr) {
 	in_port_t port = 0;
 
 	switch (sockaddr->type.sa.sa_family) {
@@ -437,7 +437,7 @@ isc_sockaddr_getport(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_ismulticast(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	if (sockaddr->type.sa.sa_family == AF_INET ||
@@ -449,7 +449,7 @@ isc_sockaddr_ismulticast(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_isexperimental(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	if (sockaddr->type.sa.sa_family == AF_INET) {
@@ -460,7 +460,7 @@ isc_sockaddr_isexperimental(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_issitelocal(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_issitelocal(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	if (sockaddr->type.sa.sa_family == AF_INET6) {
@@ -471,7 +471,7 @@ isc_sockaddr_issitelocal(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_islinklocal(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_islinklocal(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	if (sockaddr->type.sa.sa_family == AF_INET6) {
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index a93c1181bd..4154a9fea6 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.5 2005/08/23 02:36:10 marka Exp $ */
+/* $Id: aclconf.c,v 1.6 2006/02/28 02:39:52 marka Exp $ */
 
 #include 
 
@@ -53,10 +53,10 @@ cfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx) {
  * Find the definition of the named acl whose name is "name".
  */
 static isc_result_t
-get_acl_def(cfg_obj_t *cctx, const char *name, cfg_obj_t **ret) {
+get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 	isc_result_t result;
-	cfg_obj_t *acls = NULL;
-	cfg_listelt_t *elt;
+	const cfg_obj_t *acls = NULL;
+	const cfg_listelt_t *elt;
 	
 	result = cfg_map_get(cctx, "acl", &acls);
 	if (result != ISC_R_SUCCESS)
@@ -64,7 +64,7 @@ get_acl_def(cfg_obj_t *cctx, const char *name, cfg_obj_t **ret) {
 	for (elt = cfg_list_first(acls);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
-		cfg_obj_t *acl = cfg_listelt_value(elt);
+		const cfg_obj_t *acl = cfg_listelt_value(elt);
 		const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
 		if (strcasecmp(aclname, name) == 0) {
 			*ret = cfg_tuple_get(acl, "value");
@@ -75,12 +75,12 @@ get_acl_def(cfg_obj_t *cctx, const char *name, cfg_obj_t **ret) {
 }
 
 static isc_result_t
-convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
+convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
 		  isc_log_t *lctx, cfg_aclconfctx_t *ctx,
 		  isc_mem_t *mctx, dns_acl_t **target)
 {
 	isc_result_t result;
-	cfg_obj_t *cacl = NULL;
+	const cfg_obj_t *cacl = NULL;
 	dns_acl_t *dacl;
 	dns_acl_t loop;
 	const char *aclname = cfg_obj_asstring(nameobj);
@@ -130,7 +130,7 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
 }
 
 static isc_result_t
-convert_keyname(cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
+convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
 		dns_name_t *dnsname)
 {
 	isc_result_t result;
@@ -155,8 +155,8 @@ convert_keyname(cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
 }
 
 isc_result_t
-cfg_acl_fromconfig(cfg_obj_t *caml,
-		   cfg_obj_t *cctx,
+cfg_acl_fromconfig(const cfg_obj_t *caml,
+		   const cfg_obj_t *cctx,
 	 	   isc_log_t *lctx,
 		   cfg_aclconfctx_t *ctx,
 		   isc_mem_t *mctx,
@@ -166,7 +166,7 @@ cfg_acl_fromconfig(cfg_obj_t *caml,
 	unsigned int count;
 	dns_acl_t *dacl = NULL;
 	dns_aclelement_t *de;
-	cfg_listelt_t *elt;
+	const cfg_listelt_t *elt;
 
 	REQUIRE(target != NULL && *target == NULL);
 
@@ -185,7 +185,7 @@ cfg_acl_fromconfig(cfg_obj_t *caml,
 	     elt != NULL;
 	     elt = cfg_list_next(elt))
 	{
-		cfg_obj_t *ce = cfg_listelt_value(elt);
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
 		if (cfg_obj_istuple(ce)) {
 			/* This must be a negated element. */
 			ce = cfg_tuple_get(ce, "value");
diff --git a/lib/isccfg/include/isccfg/aclconf.h b/lib/isccfg/include/isccfg/aclconf.h
index 642972d3bc..df26ef89ce 100644
--- a/lib/isccfg/include/isccfg/aclconf.h
+++ b/lib/isccfg/include/isccfg/aclconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.h,v 1.4 2005/01/13 05:15:16 marka Exp $ */
+/* $Id: aclconf.h,v 1.5 2006/02/28 02:39:52 marka Exp $ */
 
 #ifndef ISCCFG_ACLCONF_H
 #define ISCCFG_ACLCONF_H 1
@@ -49,8 +49,8 @@ cfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx);
  */
 
 isc_result_t
-cfg_acl_fromconfig(cfg_obj_t *caml,
-		   cfg_obj_t *cctx,
+cfg_acl_fromconfig(const cfg_obj_t *caml,
+		   const cfg_obj_t *cctx,
 		   isc_log_t *lctx,
 		   cfg_aclconfctx_t *ctx,
 		   isc_mem_t *mctx,
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
index e79691aa97..c0b26bfea6 100644
--- a/lib/isccfg/include/isccfg/cfg.h
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg.h,v 1.37 2005/08/23 02:36:11 marka Exp $ */
+/* $Id: cfg.h,v 1.38 2006/02/28 02:39:52 marka Exp $ */
 
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1
@@ -75,7 +75,7 @@ typedef struct cfg_listelt cfg_listelt_t;
  * "directory".
  */
 typedef isc_result_t
-(*cfg_parsecallback_t)(const char *clausename, cfg_obj_t *obj, void *arg);
+(*cfg_parsecallback_t)(const char *clausename, const cfg_obj_t *obj, void *arg);
 
 /***
  *** Functions
@@ -144,20 +144,20 @@ cfg_parser_destroy(cfg_parser_t **pctxp);
  */
 
 isc_boolean_t
-cfg_obj_isvoid(cfg_obj_t *obj);
+cfg_obj_isvoid(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is of void type (e.g., an optional 
  * value not specified).
  */
 
 isc_boolean_t
-cfg_obj_ismap(cfg_obj_t *obj);
+cfg_obj_ismap(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is of a map type.
  */
 
 isc_result_t
-cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj);
+cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj);
 /*%<
  * Extract an element from a configuration object, which
  * must be of a map type.
@@ -172,8 +172,8 @@ cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj);
  * \li     #ISC_R_NOTFOUND                 - name not found in map
  */
 
-cfg_obj_t *
-cfg_map_getname(cfg_obj_t *mapobj);
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj);
 /*%<
  * Get the name of a named map object, like a server "key" clause.
  *
@@ -186,13 +186,13 @@ cfg_map_getname(cfg_obj_t *mapobj);
  */
 
 isc_boolean_t
-cfg_obj_istuple(cfg_obj_t *obj);
+cfg_obj_istuple(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is of a map type.
  */
 
-cfg_obj_t *
-cfg_tuple_get(cfg_obj_t *tupleobj, const char *name);
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name);
 /*%<
  * Extract an element from a configuration object, which
  * must be of a tuple type.
@@ -204,13 +204,13 @@ cfg_tuple_get(cfg_obj_t *tupleobj, const char *name);
  */
 
 isc_boolean_t
-cfg_obj_isuint32(cfg_obj_t *obj);
+cfg_obj_isuint32(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint32_t
-cfg_obj_asuint32(cfg_obj_t *obj);
+cfg_obj_asuint32(const cfg_obj_t *obj);
 /*%<
  * Returns the value of a configuration object of 32-bit integer type.
  *
@@ -222,13 +222,13 @@ cfg_obj_asuint32(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isuint64(cfg_obj_t *obj);
+cfg_obj_isuint64(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint64_t
-cfg_obj_asuint64(cfg_obj_t *obj);
+cfg_obj_asuint64(const cfg_obj_t *obj);
 /*%<
  * Returns the value of a configuration object of 64-bit integer type.
  *
@@ -240,13 +240,13 @@ cfg_obj_asuint64(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isstring(cfg_obj_t *obj);
+cfg_obj_isstring(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is of string type.
  */
 
 const char *
-cfg_obj_asstring(cfg_obj_t *obj);
+cfg_obj_asstring(const cfg_obj_t *obj);
 /*%<
  * Returns the value of a configuration object of a string type
  * as a null-terminated string.
@@ -259,13 +259,13 @@ cfg_obj_asstring(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isboolean(cfg_obj_t *obj);
+cfg_obj_isboolean(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is of a boolean type.
  */
 
 isc_boolean_t
-cfg_obj_asboolean(cfg_obj_t *obj);
+cfg_obj_asboolean(const cfg_obj_t *obj);
 /*%<
  * Returns the value of a configuration object of a boolean type.
  *
@@ -277,13 +277,13 @@ cfg_obj_asboolean(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_issockaddr(cfg_obj_t *obj);
+cfg_obj_issockaddr(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is a socket address.
  */
 
-isc_sockaddr_t *
-cfg_obj_assockaddr(cfg_obj_t *obj);
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj);
 /*%<
  * Returns the value of a configuration object representing a socket address.
  *
@@ -296,13 +296,13 @@ cfg_obj_assockaddr(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isnetprefix(cfg_obj_t *obj);
+cfg_obj_isnetprefix(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is a network prefix.
  */
 
 void
-cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
 		    unsigned int *prefixlen);
 /*%<
  * Gets the value of a configuration object representing a network
@@ -315,13 +315,13 @@ cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
  */
 
 isc_boolean_t
-cfg_obj_islist(cfg_obj_t *obj);
+cfg_obj_islist(const cfg_obj_t *obj);
 /*%<
  * Return true iff 'obj' is of list type.
  */
 
-cfg_listelt_t *
-cfg_list_first(cfg_obj_t *obj);
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj);
 /*%<
  * Returns the first list element in a configuration object of a list type.
  *
@@ -333,8 +333,8 @@ cfg_list_first(cfg_obj_t *obj);
  * 	or NULL if the list is empty or nonexistent.
  */
 
-cfg_listelt_t *
-cfg_list_next(cfg_listelt_t *elt);
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt);
 /*%<
  * Returns the next element of a list of configuration objects.
  *
@@ -347,8 +347,8 @@ cfg_list_next(cfg_listelt_t *elt);
  * 	or NULL if there are no more elements.
  */
 
-cfg_obj_t *
-cfg_listelt_value(cfg_listelt_t *elt);
+const cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt);
 /*%<
  * Returns the configuration object associated with cfg_listelt_t.
  *
@@ -361,7 +361,7 @@ cfg_listelt_value(cfg_listelt_t *elt);
  */
 
 void
-cfg_print(cfg_obj_t *obj,
+cfg_print(const cfg_obj_t *obj,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure);
 /*%<
@@ -379,7 +379,7 @@ cfg_print_grammar(const cfg_type_t *type,
  */
 
 isc_boolean_t
-cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type);
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type);
 /*%<
  * Return true iff 'obj' is of type 'type'. 
  */
@@ -390,7 +390,8 @@ void cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
  */
 
 void
-cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...)
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
+            const char *fmt, ...)
 	ISC_FORMAT_PRINTF(4, 5);
 /*%<
  * Log a message concerning configuration object 'obj' to the logging
@@ -399,13 +400,13 @@ cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...)
  */
 
 const char *
-cfg_obj_file(cfg_obj_t *obj);
+cfg_obj_file(const cfg_obj_t *obj);
 /*%<
  * Return the file that defined this object.
  */
 
 unsigned int
-cfg_obj_line(cfg_obj_t *obj);
+cfg_obj_line(const cfg_obj_t *obj);
 /*%<
  * Return the line in file where this object was defined.
  */
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
index 5ffca2c8c1..0a137cabf1 100644
--- a/lib/isccfg/include/isccfg/grammar.h
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: grammar.h,v 1.11 2006/02/19 06:50:48 marka Exp $ */
+/* $Id: grammar.h,v 1.12 2006/02/28 02:39:52 marka Exp $ */
 
 #ifndef ISCCFG_GRAMMAR_H
 #define ISCCFG_GRAMMAR_H 1
@@ -65,7 +65,7 @@ typedef struct cfg_rep cfg_rep_t;
 
 typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
 					cfg_obj_t **);
-typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, cfg_obj_t *);
+typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, const cfg_obj_t *);
 typedef void	     (*cfg_docfunc_t)(cfg_printer_t *, const cfg_type_t *);
 typedef void	     (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
 
@@ -155,7 +155,7 @@ struct cfg_obj {
 		isc_sockaddr_t	sockaddr;
 		cfg_netprefix_t netprefix;
 	}               value;
-	char *		file;
+	const char *	file;
 	unsigned int    line;
 };
 
@@ -283,16 +283,16 @@ isc_result_t
 cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
-cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 isc_result_t
 cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 isc_result_t
 cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@@ -301,7 +301,7 @@ isc_result_t
 cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
 
 void
-cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na);
+cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na);
 
 isc_boolean_t
 cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags);
@@ -313,7 +313,7 @@ isc_result_t
 cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -332,7 +332,7 @@ isc_result_t
 cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -348,7 +348,7 @@ isc_result_t
 cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -357,7 +357,7 @@ isc_result_t
 cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 isc_result_t
 cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@@ -387,7 +387,7 @@ cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
 ret);
 
 void
-cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -396,7 +396,7 @@ isc_result_t
 cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -405,7 +405,7 @@ isc_result_t
 cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -414,7 +414,7 @@ isc_result_t
 cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 void
-cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj);
+cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 void
 cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type);
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index c3ceb7bad6..b4cd481cf2 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.65 2006/02/17 00:24:21 marka Exp $ */
+/* $Id: namedconf.c,v 1.66 2006/02/28 02:39:52 marka Exp $ */
 
 /*! \file */
 
@@ -60,7 +60,7 @@ static isc_result_t
 parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static void
 doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
@@ -459,7 +459,7 @@ static cfg_type_t cfg_type_transferformat = {
  */
 
 static void
-print_none(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_none(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	UNUSED(obj);
 	cfg_print_chars(pctx, "none", 4);
 }
@@ -500,7 +500,7 @@ static cfg_type_t cfg_type_qstringornone = {
  */
 
 static void
-print_hostname(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	UNUSED(obj);
 	cfg_print_chars(pctx, "hostname", 4);
 }
@@ -1213,7 +1213,7 @@ parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
 }
 
 static void
-print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	const keyword_type_t *kw = obj->type->of;
 	cfg_print_cstr(pctx, kw->name);
 	cfg_print_chars(pctx, " ", 1);
@@ -1460,7 +1460,7 @@ parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 static void
-print_querysource(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_netaddr_t na;
 	isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
 	cfg_print_chars(pctx, "address ", 8);
@@ -1541,7 +1541,7 @@ static cfg_tuplefielddef_t negated_fields[] = {
 };
 
 static void
-print_negated(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_negated(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_chars(pctx, "!", 1);
 	cfg_print_tuple(pctx, obj);
 }
@@ -1758,7 +1758,7 @@ parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 static void
-print_logfile(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_logfile(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_obj(pctx, obj->value.tuple[0]); /* file */
 	if (obj->value.tuple[1]->type->print != cfg_print_void) {
 		cfg_print_chars(pctx, " versions ", 10);
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index 4af8f3806d..4c03286d8a 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.122 2006/02/19 06:50:48 marka Exp $ */
+/* $Id: parser.c,v 1.123 2006/02/28 02:39:52 marka Exp $ */
 
 /*! \file */
 
@@ -70,7 +70,7 @@ static isc_result_t
 parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_list(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static void
 free_list(cfg_parser_t *pctx, cfg_obj_t *obj);
@@ -136,7 +136,7 @@ static cfg_type_t cfg_type_implicitlist = {
 /* Functions. */
 
 void
-cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	obj->type->print(pctx, obj);
 }
 
@@ -179,7 +179,7 @@ cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 void
-cfg_print(cfg_obj_t *obj,
+cfg_print(const cfg_obj_t *obj,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure)
 {
@@ -245,14 +245,14 @@ cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 void
-cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	unsigned int i;
 	const cfg_tuplefielddef_t *fields = obj->type->of;
 	const cfg_tuplefielddef_t *f;
 	isc_boolean_t need_space = ISC_FALSE;
 
 	for (f = fields, i = 0; f->name != NULL; f++, i++) {
-		cfg_obj_t *fieldobj = obj->value.tuple[i];
+		const cfg_obj_t *fieldobj = obj->value.tuple[i];
 		if (need_space)
 			cfg_print_chars(pctx, " ", 1);
 		cfg_print_obj(pctx, fieldobj);
@@ -293,13 +293,13 @@ free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_istuple(cfg_obj_t *obj) {
+cfg_obj_istuple(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_tuple));
 }
 
-cfg_obj_t *
-cfg_tuple_get(cfg_obj_t *tupleobj, const char* name) {
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char* name) {
 	unsigned int i;
 	const cfg_tuplefielddef_t *fields;
 	const cfg_tuplefielddef_t *f;
@@ -550,7 +550,7 @@ cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 void
-cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	UNUSED(pctx);
 	UNUSED(obj);
 }
@@ -562,7 +562,7 @@ cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 isc_boolean_t
-cfg_obj_isvoid(cfg_obj_t *obj) {
+cfg_obj_isvoid(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_void));
 }
@@ -608,18 +608,18 @@ cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u) {
 }
 
 void
-cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_rawuint(pctx, obj->value.uint32);
 }
 
 isc_boolean_t
-cfg_obj_isuint32(cfg_obj_t *obj) {
+cfg_obj_isuint32(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_uint32));
 }
 
 isc_uint32_t
-cfg_obj_asuint32(cfg_obj_t *obj) {
+cfg_obj_asuint32(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint32);
 	return (obj->value.uint32);
 }
@@ -634,19 +634,19 @@ cfg_type_t cfg_type_uint32 = {
  * uint64
  */
 isc_boolean_t
-cfg_obj_isuint64(cfg_obj_t *obj) {
+cfg_obj_isuint64(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_uint64));
 }
 
 isc_uint64_t
-cfg_obj_asuint64(cfg_obj_t *obj) {
+cfg_obj_asuint64(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint64);
 	return (obj->value.uint64);
 }
 
 void
-cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	char buf[32];
 	snprintf(buf, sizeof(buf), "%" ISC_PRINT_QUADFORMAT "u",
 		 obj->value.uint64);
@@ -725,7 +725,9 @@ parse_ustring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 isc_result_t
-cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
         isc_result_t result;
 	UNUSED(type);
 
@@ -783,12 +785,12 @@ cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 void
-cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
 }
 
 static void
-print_qstring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_qstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	cfg_print_chars(pctx, "\"", 1);
 	cfg_print_ustring(pctx, obj);
 	cfg_print_chars(pctx, "\"", 1);
@@ -801,13 +803,13 @@ free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_isstring(cfg_obj_t *obj) {
+cfg_obj_isstring(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_string));
 }
 
 const char *
-cfg_obj_asstring(cfg_obj_t *obj) {
+cfg_obj_asstring(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_string);
 	return (obj->value.string.base);
 }
@@ -835,13 +837,13 @@ cfg_type_t cfg_type_astring = {
  */
 
 isc_boolean_t
-cfg_obj_isboolean(cfg_obj_t *obj) {
+cfg_obj_isboolean(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_boolean));
 }
 
 isc_boolean_t
-cfg_obj_asboolean(cfg_obj_t *obj) {
+cfg_obj_asboolean(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_boolean);
 	return (obj->value.boolean);
 }
@@ -887,7 +889,7 @@ parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 static void
-print_boolean(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	if (obj->value.boolean)
 		cfg_print_chars(pctx, "yes", 3);
 	else
@@ -1001,9 +1003,9 @@ parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
 }
 
 static void
-print_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
-	cfg_list_t *list = &obj->value.list;
-	cfg_listelt_t *elt;
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = &obj->value.list;
+	const cfg_listelt_t *elt;
 
 	for (elt = ISC_LIST_HEAD(*list);
 	     elt != NULL;
@@ -1027,7 +1029,7 @@ cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type,
 }
 
 void
-cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	print_open(pctx);
 	print_list(pctx, obj);
 	print_close(pctx);
@@ -1074,9 +1076,9 @@ cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype,
 }
 
 void
-cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj) {
-	cfg_list_t *list = &obj->value.list;
-	cfg_listelt_t *elt;
+cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = &obj->value.list;
+	const cfg_listelt_t *elt;
 
 	for (elt = ISC_LIST_HEAD(*list);
 	     elt != NULL;
@@ -1088,27 +1090,27 @@ cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_islist(cfg_obj_t *obj) {
+cfg_obj_islist(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_list));
 }
 
-cfg_listelt_t *
-cfg_list_first(cfg_obj_t *obj) {
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj) {
 	REQUIRE(obj == NULL || obj->type->rep == &cfg_rep_list);
 	if (obj == NULL)
 		return (NULL);
 	return (ISC_LIST_HEAD(obj->value.list));
 }
 
-cfg_listelt_t *
-cfg_list_next(cfg_listelt_t *elt) {
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt) {
 	REQUIRE(elt != NULL);
 	return (ISC_LIST_NEXT(elt, link));
 }
 
-cfg_obj_t *
-cfg_listelt_value(cfg_listelt_t *elt) {
+const cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt) {
 	REQUIRE(elt != NULL);
 	return (elt->obj);
 }
@@ -1376,7 +1378,7 @@ cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
 }
 
 void
-cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_result_t result = ISC_R_SUCCESS;
 
 	const cfg_clausedef_t * const *clauseset;
@@ -1456,7 +1458,7 @@ static struct flagtext {
 };
 
 void
-cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	if (obj->value.map.id != NULL) {
 		cfg_print_obj(pctx, obj->value.map.id);
 		cfg_print_chars(pctx, " ", 1);
@@ -1518,16 +1520,16 @@ cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 isc_boolean_t
-cfg_obj_ismap(cfg_obj_t *obj) {
+cfg_obj_ismap(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_map));
 }
 
 isc_result_t
-cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj) {
+cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj) {
 	isc_result_t result;
 	isc_symvalue_t val;
-	cfg_map_t *map;
+	const cfg_map_t *map;
 	
 	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
 	REQUIRE(name != NULL);
@@ -1542,8 +1544,8 @@ cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj) {
 	return (ISC_R_SUCCESS);
 }
 
-cfg_obj_t *
-cfg_map_getname(cfg_obj_t *mapobj) {
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj) {
 	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
 	return (mapobj->value.map.id);
 }
@@ -1792,7 +1794,7 @@ cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
 }
 
 void
-cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na) {
+cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na) {
 	isc_result_t result;
 	char text[128];
 	isc_buffer_t buf;
@@ -1935,21 +1937,22 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
 }
 
 static void
-print_netprefix(cfg_printer_t *pctx, cfg_obj_t *obj) {
-	cfg_netprefix_t *p = &obj->value.netprefix;
+print_netprefix(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_netprefix_t *p = &obj->value.netprefix;
+
 	cfg_print_rawaddr(pctx, &p->address);
 	cfg_print_chars(pctx, "/", 1);
 	cfg_print_rawuint(pctx, p->prefixlen);
 }
 
 isc_boolean_t
-cfg_obj_isnetprefix(cfg_obj_t *obj) {
+cfg_obj_isnetprefix(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_netprefix));
 }
 
 void
-cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
 		    unsigned int *prefixlen) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_netprefix);
 	*netaddr = obj->value.netprefix.address;
@@ -2000,7 +2003,7 @@ cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 void
-cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj) {
+cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_netaddr_t netaddr;
 	in_port_t port;
 	char buf[ISC_NETADDR_FORMATSIZE];
@@ -2045,13 +2048,13 @@ cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 isc_boolean_t
-cfg_obj_issockaddr(cfg_obj_t *obj) {
+cfg_obj_issockaddr(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_sockaddr));
 }
 
-isc_sockaddr_t *
-cfg_obj_assockaddr(cfg_obj_t *obj) {
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
 	return (&obj->value.sockaddr);
 }
@@ -2248,7 +2251,8 @@ parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
 }
 
 void
-cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...) {
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
+	    const char *fmt, ...) {
 	va_list ap;
 	char msgbuf[2048];
 
@@ -2266,12 +2270,12 @@ cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...) {
 }
 
 const char *
-cfg_obj_file(cfg_obj_t *obj) {
+cfg_obj_file(const cfg_obj_t *obj) {
 	return (obj->file);
 }
 
 unsigned int
-cfg_obj_line(cfg_obj_t *obj) {
+cfg_obj_line(const cfg_obj_t *obj) {
 	return (obj->line);
 }
 
@@ -2332,7 +2336,7 @@ free_map(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type) {
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type) {
 	return (ISC_TF(obj->type == type));
 }
 

From b1d1934865f601fbcb8cdbb108ebb71f1c3eafae Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 28 Feb 2006 23:30:03 +0000
Subject: [PATCH 062/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index b9010aab97..3dda56c0f8 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1545,7 +1545,7 @@
 ./lib/bind/port/unknown/Makefile.in		MAKE	2001,2004
 ./lib/bind/port/unknown/include/.cvsignore	X	2001
 ./lib/bind/port/unknown/include/Makefile.in	MAKE	2001,2004,2005
-./lib/bind/port_after.h.in			X	2001,2005
+./lib/bind/port_after.h.in			X	2001,2005,2006
 ./lib/bind/port_before.h.in			X	2001,2005
 ./lib/bind/resolv/.cvsignore			X	2001
 ./lib/bind/resolv/Makefile.in			MAKE	2001,2004,2005

From 6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 28 Feb 2006 23:30:22 +0000
Subject: [PATCH 063/465] newcopyrights

---
 util/copyrights | 60 ++++++++++++++++++++++++-------------------------
 1 file changed, 30 insertions(+), 30 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index e091a388a0..4d1bd0c626 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -83,41 +83,41 @@
 ./bin/named/include/named/builtin.h		C	2001,2004,2005
 ./bin/named/include/named/client.h		C	1999,2000,2001,2002,2003,2004,2005
 ./bin/named/include/named/config.h		C	2001,2002,2004,2005,2006
-./bin/named/include/named/control.h		C	2001,2002,2003,2004,2005
-./bin/named/include/named/globals.h		C	1999,2000,2001,2002,2003,2004,2005
+./bin/named/include/named/control.h		C	2001,2002,2003,2004,2005,2006
+./bin/named/include/named/globals.h		C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/include/named/interfacemgr.h	C	1999,2000,2001,2002,2004,2005
 ./bin/named/include/named/listenlist.h		C	2000,2001,2004,2005
 ./bin/named/include/named/log.h			C	1999,2000,2001,2002,2004,2005
-./bin/named/include/named/logconf.h		C	1999,2000,2001,2004,2005
+./bin/named/include/named/logconf.h		C	1999,2000,2001,2004,2005,2006
 ./bin/named/include/named/lwaddr.h		C	2000,2001,2004,2005
 ./bin/named/include/named/lwdclient.h		C	2000,2001,2004,2005
-./bin/named/include/named/lwresd.h		C	2000,2001,2004,2005
+./bin/named/include/named/lwresd.h		C	2000,2001,2004,2005,2006
 ./bin/named/include/named/lwsearch.h		C	2000,2001,2004,2005
 ./bin/named/include/named/main.h		C	1999,2000,2001,2002,2004,2005
 ./bin/named/include/named/notify.h		C	1999,2000,2001,2004,2005
 ./bin/named/include/named/ns_smf_globals.h	C	2005
 ./bin/named/include/named/query.h		C	1999,2000,2001,2002,2004,2005
-./bin/named/include/named/server.h		C	1999,2000,2001,2002,2003,2004,2005
-./bin/named/include/named/sortlist.h		C	2000,2001,2004,2005
-./bin/named/include/named/tkeyconf.h		C	1999,2000,2001,2004,2005
-./bin/named/include/named/tsigconf.h		C	1999,2000,2001,2004,2005
+./bin/named/include/named/server.h		C	1999,2000,2001,2002,2003,2004,2005,2006
+./bin/named/include/named/sortlist.h		C	2000,2001,2004,2005,2006
+./bin/named/include/named/tkeyconf.h		C	1999,2000,2001,2004,2005,2006
+./bin/named/include/named/tsigconf.h		C	1999,2000,2001,2004,2005,2006
 ./bin/named/include/named/types.h		C	1999,2000,2001,2004,2005
 ./bin/named/include/named/update.h		C	1999,2000,2001,2004,2005
 ./bin/named/include/named/xfrout.h		C	1999,2000,2001,2004,2005
-./bin/named/include/named/zoneconf.h		C	1999,2000,2001,2002,2004,2005
+./bin/named/include/named/zoneconf.h		C	1999,2000,2001,2002,2004,2005,2006
 ./bin/named/interfacemgr.c			C	1999,2000,2001,2002,2004,2005
 ./bin/named/listenlist.c			C	2000,2001,2004,2005
 ./bin/named/log.c				C	1999,2000,2001,2002,2004,2005
-./bin/named/logconf.c				C	1999,2000,2001,2004,2005
+./bin/named/logconf.c				C	1999,2000,2001,2004,2005,2006
 ./bin/named/lwaddr.c				C	2000,2001,2004,2005
 ./bin/named/lwdclient.c				C	2000,2001,2004,2005
 ./bin/named/lwderror.c				C	2000,2001,2004,2005
-./bin/named/lwdgabn.c				C	2000,2001,2004,2005
+./bin/named/lwdgabn.c				C	2000,2001,2004,2005,2006
 ./bin/named/lwdgnba.c				C	2000,2001,2002,2004,2005
 ./bin/named/lwdgrbn.c				C	2000,2001,2003,2004,2005
 ./bin/named/lwdnoop.c				C	2000,2001,2004,2005
 ./bin/named/lwresd.8				MAN	DOCBOOK
-./bin/named/lwresd.c				C	2000,2001,2002,2003,2004,2005
+./bin/named/lwresd.c				C	2000,2001,2002,2003,2004,2005,2006
 ./bin/named/lwresd.docbook			SGML	2000,2001,2004,2005
 ./bin/named/lwresd.html				HTML	DOCBOOK
 ./bin/named/lwsearch.c				C	2000,2001,2004,2005
@@ -131,8 +131,8 @@
 ./bin/named/notify.c				C	1999,2000,2001,2002,2003,2004,2005
 ./bin/named/query.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/server.c				C	1999,2000,2001,2002,2003,2004,2005,2006
-./bin/named/sortlist.c				C	2000,2001,2004,2005
-./bin/named/tkeyconf.c				C	1999,2000,2001,2004,2005
+./bin/named/sortlist.c				C	2000,2001,2004,2005,2006
+./bin/named/tkeyconf.c				C	1999,2000,2001,2004,2005,2006
 ./bin/named/tsigconf.c				C	1999,2000,2001,2004,2005,2006
 ./bin/named/unix/.cvsignore			X	1999,2000,2001
 ./bin/named/unix/Makefile.in			MAKE	1999,2000,2001,2004
@@ -165,7 +165,7 @@
 ./bin/rndc/rndc-confgen.docbook			SGML	2001,2003,2004,2005
 ./bin/rndc/rndc-confgen.html			HTML	DOCBOOK
 ./bin/rndc/rndc.8				MAN	DOCBOOK
-./bin/rndc/rndc.c				C	2000,2001,2002,2003,2004,2005
+./bin/rndc/rndc.c				C	2000,2001,2002,2003,2004,2005,2006
 ./bin/rndc/rndc.conf				CONF-C	2000,2001,2004
 ./bin/rndc/rndc.conf.5				MAN	DOCBOOK
 ./bin/rndc/rndc.conf.docbook			SGML	2000,2001,2004,2005
@@ -1634,7 +1634,7 @@
 ./lib/bind/port/unknown/Makefile.in		MAKE	2001,2004
 ./lib/bind/port/unknown/include/.cvsignore	X	2001
 ./lib/bind/port/unknown/include/Makefile.in	MAKE	2001,2004,2005
-./lib/bind/port_after.h.in			X	2001,2005
+./lib/bind/port_after.h.in			X	2001,2005,2006
 ./lib/bind/port_before.h.in			X	2001,2005
 ./lib/bind/resolv/.cvsignore			X	2001
 ./lib/bind/resolv/Makefile.in			MAKE	2001,2004,2005
@@ -1663,7 +1663,7 @@
 ./lib/bind9/include/Makefile.in			MAKE	2001,2004
 ./lib/bind9/include/bind9/.cvsignore		X	2001
 ./lib/bind9/include/bind9/Makefile.in		MAKE	2001,2004
-./lib/bind9/include/bind9/check.h		C	2001,2004,2005
+./lib/bind9/include/bind9/check.h		C	2001,2004,2005,2006
 ./lib/bind9/include/bind9/getaddresses.h	C	2001,2004,2005
 ./lib/bind9/include/bind9/version.h		C	2001,2004,2005
 ./lib/bind9/version.c				C	2001,2004,2005
@@ -1676,13 +1676,13 @@
 ./lib/dns/.cvsignore				X	1999,2000,2001
 ./lib/dns/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/acache.c				C	2004,2005
-./lib/dns/acl.c					C	1999,2000,2001,2002,2004,2005
+./lib/dns/acl.c					C	1999,2000,2001,2002,2004,2005,2006
 ./lib/dns/adb.c					C	1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/api					X	1999,2000,2001
 ./lib/dns/byaddr.c				C	2000,2001,2002,2003,2004,2005
 ./lib/dns/cache.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/callbacks.c				C	1999,2000,2001,2004,2005
-./lib/dns/compress.c				C	1999,2000,2001,2004,2005
+./lib/dns/compress.c				C	1999,2000,2001,2004,2005,2006
 ./lib/dns/db.c					C	1999,2000,2001,2003,2004,2005
 ./lib/dns/dbiterator.c				C	1999,2000,2001,2004,2005
 ./lib/dns/dbtable.c				C	1999,2000,2001,2004,2005
@@ -1710,14 +1710,14 @@
 ./lib/dns/include/dns/.cvsignore		X	1999,2000,2001
 ./lib/dns/include/dns/Makefile.in		MAKE	1998,1999,2000,2001,2002,2003,2004
 ./lib/dns/include/dns/acache.h			C	2004
-./lib/dns/include/dns/acl.h			C	1999,2000,2001,2002,2004,2005
+./lib/dns/include/dns/acl.h			C	1999,2000,2001,2002,2004,2005,2006
 ./lib/dns/include/dns/adb.h			C	1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/include/dns/bit.h			C	2000,2001,2004,2005
 ./lib/dns/include/dns/byaddr.h			C	2000,2001,2002,2003,2004,2005
 ./lib/dns/include/dns/cache.h			C	1999,2000,2001,2004,2005
 ./lib/dns/include/dns/callbacks.h		C	1999,2000,2001,2002,2004,2005
 ./lib/dns/include/dns/cert.h			C	1999,2000,2001,2004,2005
-./lib/dns/include/dns/compress.h		C	1999,2000,2001,2002,2004,2005
+./lib/dns/include/dns/compress.h		C	1999,2000,2001,2002,2004,2005,2006
 ./lib/dns/include/dns/db.h			C	1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/include/dns/dbiterator.h		C	1999,2000,2001,2004,2005
 ./lib/dns/include/dns/dbtable.h			C	1999,2000,2001,2004,2005
@@ -1739,7 +1739,7 @@
 ./lib/dns/include/dns/master.h			C	1999,2000,2001,2002,2004,2005
 ./lib/dns/include/dns/masterdump.h		C	1999,2000,2001,2002,2004,2005
 ./lib/dns/include/dns/message.h			C	1999,2000,2001,2002,2003,2004,2005,2006
-./lib/dns/include/dns/name.h			C	1998,1999,2000,2001,2002,2003,2004,2005
+./lib/dns/include/dns/name.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/include/dns/ncache.h			C	1999,2000,2001,2002,2004,2005
 ./lib/dns/include/dns/nsec.h			C	1999,2000,2001,2003,2004,2005
 ./lib/dns/include/dns/opcode.h			C	2002,2004,2005
@@ -1751,7 +1751,7 @@
 ./lib/dns/include/dns/rdata.h			C	1998,1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/include/dns/rdataclass.h		C	1998,1999,2000,2001,2004,2005
 ./lib/dns/include/dns/rdatalist.h		C	1999,2000,2001,2004,2005
-./lib/dns/include/dns/rdataset.h		C	1999,2000,2001,2002,2003,2004,2005
+./lib/dns/include/dns/rdataset.h		C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/include/dns/rdatasetiter.h		C	1999,2000,2001,2004,2005
 ./lib/dns/include/dns/rdataslab.h		C	1999,2000,2001,2002,2004,2005
 ./lib/dns/include/dns/rdatatype.h		C	1998,1999,2000,2001,2004,2005
@@ -1920,7 +1920,7 @@
 ./lib/dns/rdata/rdatastructsuf.h		C	1999,2000,2001,2004
 ./lib/dns/rdatalist.c				C	1999,2000,2001,2003,2004,2005
 ./lib/dns/rdatalist_p.h				C	2000,2001,2004,2005
-./lib/dns/rdataset.c				C	1999,2000,2001,2002,2003,2004,2005
+./lib/dns/rdataset.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/rdatasetiter.c			C	1999,2000,2001,2004,2005
 ./lib/dns/rdataslab.c				C	1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/request.c				C	2000,2001,2002,2004,2005,2006
@@ -2030,12 +2030,12 @@
 ./lib/isc/include/isc/serial.h			C	1999,2000,2001,2004,2005
 ./lib/isc/include/isc/sha1.h			C	2000,2001,2004,2005,2006
 ./lib/isc/include/isc/sha2.h			C	2005,2006
-./lib/isc/include/isc/sockaddr.h		C	1998,1999,2000,2001,2002,2003,2004,2005
+./lib/isc/include/isc/sockaddr.h		C	1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/isc/include/isc/socket.h			C	1998,1999,2000,2001,2002,2004,2005
 ./lib/isc/include/isc/stdio.h			C	2000,2001,2004,2005
 ./lib/isc/include/isc/stdlib.h			C	2003,2004,2005
 ./lib/isc/include/isc/string.h			C	2000,2001,2003,2004,2005
-./lib/isc/include/isc/symtab.h			C	1996,1997,1998,1999,2000,2001,2004,2005
+./lib/isc/include/isc/symtab.h			C	1996,1997,1998,1999,2000,2001,2004,2005,2006
 ./lib/isc/include/isc/task.h			C	1998,1999,2000,2001,2003,2004,2005
 ./lib/isc/include/isc/taskpool.h		C	1999,2000,2001,2004,2005
 ./lib/isc/include/isc/timer.h			C	1998,1999,2000,2001,2002,2004,2005
@@ -2099,7 +2099,7 @@
 ./lib/isc/serial.c				C	1999,2000,2001,2004,2005
 ./lib/isc/sha1.c				C	2000,2001,2003,2004,2005
 ./lib/isc/sha2.c				C	2005,2006
-./lib/isc/sockaddr.c				C	1999,2000,2001,2002,2003,2004,2005
+./lib/isc/sockaddr.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/isc/sparc64/include/isc/atomic.h		C	2005
 ./lib/isc/string.c				C	1999,2000,2001,2003,2004,2005
 ./lib/isc/strtoul.c				C	2003,2004,2005
@@ -2251,14 +2251,14 @@
 ./lib/isccc/win32/version.c			C	2001,2004
 ./lib/isccfg/.cvsignore				X	2001
 ./lib/isccfg/Makefile.in			MAKE	2001,2002,2003,2004,2005
-./lib/isccfg/aclconf.c				C	1999,2000,2001,2002,2004,2005
+./lib/isccfg/aclconf.c				C	1999,2000,2001,2002,2004,2005,2006
 ./lib/isccfg/api				X	2001
 ./lib/isccfg/include/.cvsignore			X	2001
 ./lib/isccfg/include/Makefile.in		MAKE	2001,2004
 ./lib/isccfg/include/isccfg/.cvsignore		X	2001
 ./lib/isccfg/include/isccfg/Makefile.in		MAKE	2001,2002,2004,2005
-./lib/isccfg/include/isccfg/aclconf.h		C	1999,2000,2001,2004,2005
-./lib/isccfg/include/isccfg/cfg.h		C	2000,2001,2002,2004,2005
+./lib/isccfg/include/isccfg/aclconf.h		C	1999,2000,2001,2004,2005,2006
+./lib/isccfg/include/isccfg/cfg.h		C	2000,2001,2002,2004,2005,2006
 ./lib/isccfg/include/isccfg/grammar.h		C	2002,2003,2004,2005,2006
 ./lib/isccfg/include/isccfg/log.h		C	2001,2004,2005
 ./lib/isccfg/include/isccfg/namedconf.h		C	2002,2004,2005

From 441b3a264bfc7f193b0fb5807660aaa904471f09 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 1 Mar 2006 01:34:08 +0000
Subject: [PATCH 064/465] 1991.   [cleanup]       The configuration data, once
 read, should be treated                         as readonly.  Expand the use
 of const to enforce this                         at compile time. [RT #15813]

---
 CHANGES                            |   4 +
 bin/check/named-checkconf.c        |   6 +-
 bin/named/aclconf.c                |  30 ++---
 bin/named/config.c                 |  52 ++++----
 bin/named/controlconf.c            | 100 +++++++-------
 bin/named/include/named/aclconf.h  |   6 +-
 bin/named/include/named/config.h   |  20 +--
 bin/named/include/named/control.h  |   4 +-
 bin/named/include/named/globals.h  |   4 +-
 bin/named/include/named/logconf.h  |   4 +-
 bin/named/include/named/lwresd.h   |   7 +-
 bin/named/include/named/server.h   |   4 +-
 bin/named/include/named/sortlist.h |  13 +-
 bin/named/include/named/tkeyconf.h |   6 +-
 bin/named/include/named/tsigconf.h |   4 +-
 bin/named/include/named/zoneconf.h |   9 +-
 bin/named/logconf.c                |  58 +++++----
 bin/named/lwdgabn.c                |   4 +-
 bin/named/lwresd.c                 |  22 ++--
 bin/named/query.c                  |  10 +-
 bin/named/server.c                 | 202 +++++++++++++++--------------
 bin/named/sortlist.c               |  18 +--
 bin/named/tkeyconf.c               |  10 +-
 bin/named/tsigconf.c               |  26 ++--
 bin/named/zoneconf.c               |  67 +++++-----
 bin/rndc/rndc.c                    |  24 ++--
 lib/dns/acl.c                      |  34 ++---
 lib/dns/cache.c                    |   4 +-
 lib/dns/compress.c                 |  10 +-
 lib/dns/include/dns/acl.h          |  30 ++---
 lib/dns/include/dns/cache.h        |   4 +-
 lib/dns/include/dns/compress.h     |   8 +-
 lib/dns/include/dns/masterdump.h   |   4 +-
 lib/dns/include/dns/message.h      |   6 +-
 lib/dns/include/dns/name.h         |   9 +-
 lib/dns/include/dns/rdataset.h     |  12 +-
 lib/dns/include/dns/types.h        |   4 +-
 lib/dns/include/dns/zone.h         |  22 ++--
 lib/dns/message.c                  |   6 +-
 lib/dns/name.c                     |  12 +-
 lib/dns/rdataset.c                 |  16 +--
 lib/dns/zone.c                     |  22 ++--
 lib/isc/include/isc/sockaddr.h     |  10 +-
 lib/isc/include/isc/symtab.h       |   3 +-
 lib/isc/sockaddr.c                 |  10 +-
 lib/isccfg/check.c                 | 105 +++++++--------
 lib/isccfg/include/isccfg/cfg.h    |  69 +++++-----
 lib/isccfg/include/isccfg/check.h  |   7 +-
 lib/isccfg/parser.c                | 143 ++++++++++----------
 49 files changed, 653 insertions(+), 611 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9e9a15f630..86bec10f5f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1991.	[cleanup]	The configuration data, once read, should be treated
+			as readonly.  Expand the use of const to enforce this
+			at compile time. [RT #15813]
+
 1990.	[bug]		libbind:  isc's override of broken gettimeofday()
 			implementions was not always effective.
 			[RT #15709]
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index 83d3cd9441..98f24c3a58 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.12.2.1 2004/03/09 06:09:09 marka Exp $ */
+/* $Id: named-checkconf.c,v 1.12.2.2 2006/03/01 01:34:04 marka Exp $ */
 
 #include 
 
@@ -45,9 +45,9 @@ usage(void) {
 }
 
 static isc_result_t
-directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
+directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
-	char *directory;
+	const char *directory;
 
 	REQUIRE(strcasecmp("directory", clausename) == 0);
 
diff --git a/bin/named/aclconf.c b/bin/named/aclconf.c
index ef684fcc2d..c2459f2a72 100644
--- a/bin/named/aclconf.c
+++ b/bin/named/aclconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.27.2.3 2005/03/17 03:59:29 marka Exp $ */
+/* $Id: aclconf.c,v 1.27.2.4 2006/03/01 01:34:04 marka Exp $ */
 
 #include 
 
@@ -52,10 +52,10 @@ ns_aclconfctx_destroy(ns_aclconfctx_t *ctx) {
  * Find the definition of the named acl whose name is "name".
  */
 static isc_result_t
-get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 	isc_result_t result;
-	cfg_obj_t *acls = NULL;
-	cfg_listelt_t *elt;
+	const cfg_obj_t *acls = NULL;
+	const cfg_listelt_t *elt;
 	
 	result = cfg_map_get(cctx, "acl", &acls);
 	if (result != ISC_R_SUCCESS)
@@ -63,7 +63,7 @@ get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 	for (elt = cfg_list_first(acls);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
-		cfg_obj_t *acl = cfg_listelt_value(elt);
+		const cfg_obj_t *acl = cfg_listelt_value(elt);
 		const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
 		if (strcasecmp(aclname, name) == 0) {
 			*ret = cfg_tuple_get(acl, "value");
@@ -74,15 +74,15 @@ get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 }
 
 static isc_result_t
-convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
+convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
 		  ns_aclconfctx_t *ctx, isc_mem_t *mctx,
 		  dns_acl_t **target)
 {
 	isc_result_t result;
-	cfg_obj_t *cacl = NULL;
+	const cfg_obj_t *cacl = NULL;
 	dns_acl_t *dacl;
 	dns_acl_t loop;
-	char *aclname = cfg_obj_asstring(nameobj);
+	const char *aclname = cfg_obj_asstring(nameobj);
 
 	/* Look for an already-converted version. */
 	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
@@ -111,7 +111,7 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
 	 */
 	memset(&loop, 0, sizeof(loop));
 	ISC_LINK_INIT(&loop, nextincache);
-	loop.name = aclname;
+	DE_CONST(aclname, loop.name);
 	loop.magic = LOOP_MAGIC;
 	ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
 	result = ns_acl_fromconfig(cacl, cctx, ctx, mctx, &dacl);
@@ -129,7 +129,7 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
 }
 
 static isc_result_t
-convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
+convert_keyname(const cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
 	isc_result_t result;
 	isc_buffer_t buf;
 	dns_fixedname_t fixname;
@@ -152,8 +152,8 @@ convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
 }
 
 isc_result_t
-ns_acl_fromconfig(cfg_obj_t *caml,
-		  cfg_obj_t *cctx,
+ns_acl_fromconfig(const cfg_obj_t *caml,
+		  const cfg_obj_t *cctx,
 		  ns_aclconfctx_t *ctx,
 		  isc_mem_t *mctx,
 		  dns_acl_t **target)
@@ -162,7 +162,7 @@ ns_acl_fromconfig(cfg_obj_t *caml,
 	unsigned int count;
 	dns_acl_t *dacl = NULL;
 	dns_aclelement_t *de;
-	cfg_listelt_t *elt;
+	const cfg_listelt_t *elt;
 
 	REQUIRE(target != NULL && *target == NULL);
 
@@ -181,7 +181,7 @@ ns_acl_fromconfig(cfg_obj_t *caml,
 	     elt != NULL;
 	     elt = cfg_list_next(elt))
 	{
-		cfg_obj_t *ce = cfg_listelt_value(elt);
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
 		if (cfg_obj_istuple(ce)) {
 			/* This must be a negated element. */
 			ce = cfg_tuple_get(ce, "value");
@@ -213,7 +213,7 @@ ns_acl_fromconfig(cfg_obj_t *caml,
 				goto cleanup;
 		} else if (cfg_obj_isstring(ce)) {
 			/* ACL name */
-			char *name = cfg_obj_asstring(ce);
+			const char *name = cfg_obj_asstring(ce);
 			if (strcasecmp(name, "localhost") == 0) {
 				de->type = dns_aclelementtype_localhost;
 			} else if (strcasecmp(name, "localnets") == 0) {
diff --git a/bin/named/config.c b/bin/named/config.c
index 57cbd8c378..b8e639fe39 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.11.2.8 2006/01/04 23:50:16 marka Exp $ */
+/* $Id: config.c,v 1.11.2.9 2006/03/01 01:34:04 marka Exp $ */
 
 #include 
 
@@ -156,7 +156,7 @@ ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
 }
 
 isc_result_t
-ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj) {
+ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj) {
 	int i;
 
 	for (i = 0; ; i++) {
@@ -168,8 +168,8 @@ ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj) {
 }
 
 int
-ns_config_listcount(cfg_obj_t *list) {
-	cfg_listelt_t *e;
+ns_config_listcount(const cfg_obj_t *list) {
+	const cfg_listelt_t *e;
 	int i = 0;
 
 	for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e))
@@ -179,9 +179,9 @@ ns_config_listcount(cfg_obj_t *list) {
 }
 
 isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp) {
-	char *str;
+	const char *str;
 	isc_textregion_t r;
 	isc_result_t result;
 
@@ -190,7 +190,7 @@ ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		return (ISC_R_SUCCESS);
 	}
 	str = cfg_obj_asstring(classobj);
-	r.base = str;
+	DE_CONST(str, r.base);
 	r.length = strlen(str);
 	result = dns_rdataclass_fromtext(classp, &r);
 	if (result != ISC_R_SUCCESS)
@@ -200,9 +200,9 @@ ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
 }
 
 dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
+ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
 	dns_zonetype_t ztype = dns_zone_none;
-	char *str;
+	const char *str;
 
 	str = cfg_obj_asstring(zonetypeobj);
 	if (strcasecmp(str, "master") == 0)
@@ -217,14 +217,14 @@ ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
 }
 
 isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp)
 {
 	int count, i = 0;
-	cfg_obj_t *addrlist;
-	cfg_obj_t *portobj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj;
+	const cfg_listelt_t *element;
 	isc_sockaddr_t *addrs;
 	in_port_t port;
 	isc_result_t result;
@@ -283,15 +283,15 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 }
 
 isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
-			  isc_sockaddr_t **addrsp, dns_name_t ***keysp,
-			  isc_uint32_t *countp)
+ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+			  dns_name_t ***keysp, isc_uint32_t *countp)
 {
 	isc_uint32_t count, i = 0;
 	isc_result_t result;
-	cfg_listelt_t *element;
-	cfg_obj_t *addrlist;
-	cfg_obj_t *portobj;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj;
 	in_port_t port;
 	dns_fixedname_t fname;
 	isc_sockaddr_t *addrs = NULL;
@@ -332,9 +332,9 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
 	     element != NULL;
 	     element = cfg_list_next(element), i++)
 	{
-		cfg_obj_t *addr;
-		cfg_obj_t *key;
-		char *keystr;
+		const cfg_obj_t *addr;
+		const cfg_obj_t *key;
+		const char *keystr;
 		isc_buffer_t b;
 
 		INSIST(i < count);
@@ -415,10 +415,10 @@ ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 }
 
 isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
-	cfg_obj_t *maps[3];
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *portobj = NULL;
+ns_config_getport(const cfg_obj_t *config, in_port_t *portp) {
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *portobj = NULL;
 	isc_result_t result;
 	int i;
 
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index ceb3e2e8a7..ba3b381ea2 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: controlconf.c,v 1.28.2.13 2006/01/04 23:50:16 marka Exp $ */
+/* $Id: controlconf.c,v 1.28.2.14 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -656,10 +656,12 @@ ns_controls_shutdown(ns_controls_t *controls) {
 }
 
 static isc_result_t
-cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
-	cfg_listelt_t *element;
+cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
+	        const cfg_obj_t **objp)
+{
+	const cfg_listelt_t *element;
 	const char *str;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 
 	for (element = cfg_list_first(keylist);
 	     element != NULL;
@@ -678,13 +680,13 @@ cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
 }
 
 static isc_result_t
-controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
+controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 		       controlkeylist_t *keyids)
 {
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	char *newstr = NULL;
 	const char *str;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	controlkey_t *key = NULL;
 
 	for (element = cfg_list_first(keylist);
@@ -719,11 +721,11 @@ controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
 }
 
 static void
-register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
+register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 	      controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
 {
 	controlkey_t *keyid, *next;
-	cfg_obj_t *keydef;
+	const cfg_obj_t *keydef;
 	char secret[1024];
 	isc_buffer_t b;
 	isc_result_t result;
@@ -743,10 +745,10 @@ register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
 			ISC_LIST_UNLINK(*keyids, keyid, link);
 			free_controlkey(keyid, mctx);
 		} else {
-			cfg_obj_t *algobj = NULL;
-			cfg_obj_t *secretobj = NULL;
-			char *algstr = NULL;
-			char *secretstr = NULL;
+			const cfg_obj_t *algobj = NULL;
+			const cfg_obj_t *secretobj = NULL;
+			const char *algstr = NULL;
+			const char *secretstr = NULL;
 
 			(void)cfg_map_get(keydef, "algorithm", &algobj);
 			(void)cfg_map_get(keydef, "secret", &secretobj);
@@ -812,11 +814,11 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	isc_result_t result;
 	cfg_parser_t *pctx = NULL;
 	cfg_obj_t *config = NULL;
-	cfg_obj_t *key = NULL;
-	cfg_obj_t *algobj = NULL;
-	cfg_obj_t *secretobj = NULL;
-	char *algstr = NULL;
-	char *secretstr = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const char *algstr = NULL;
+	const char *secretstr = NULL;
 	controlkey_t *keyid = NULL;
 	char secret[1024];
 	isc_buffer_t b;
@@ -895,12 +897,13 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
  * valid or both are NULL.
  */
 static void
-get_key_info(cfg_obj_t *config, cfg_obj_t *control,
-	     cfg_obj_t **global_keylistp, cfg_obj_t **control_keylistp)
+get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
+	     const cfg_obj_t **global_keylistp,
+	     const cfg_obj_t **control_keylistp)
 {
 	isc_result_t result;
-	cfg_obj_t *control_keylist = NULL;
-	cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *global_keylist = NULL;
 
 	REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
 	REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
@@ -919,15 +922,15 @@ get_key_info(cfg_obj_t *config, cfg_obj_t *control,
 }
 
 static void
-update_listener(ns_controls_t *cp,
-		controllistener_t **listenerp, cfg_obj_t *control,
-		cfg_obj_t *config, isc_sockaddr_t *addr,
-		ns_aclconfctx_t *aclconfctx, const char *socktext)
+update_listener(ns_controls_t *cp, controllistener_t **listenerp,
+		const cfg_obj_t *control, const cfg_obj_t *config,
+		isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
+		const char *socktext)
 {
 	controllistener_t *listener;
-	cfg_obj_t *allow;
-	cfg_obj_t *global_keylist = NULL;
-	cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	controlkeylist_t keys;
 	isc_result_t result = ISC_R_SUCCESS;
@@ -1037,14 +1040,15 @@ update_listener(ns_controls_t *cp,
 
 static void
 add_listener(ns_controls_t *cp, controllistener_t **listenerp,
-	     cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr,
-	     ns_aclconfctx_t *aclconfctx, const char *socktext)
+	     const cfg_obj_t *control, const cfg_obj_t *config,
+	     isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
+	     const char *socktext)
 {
 	isc_mem_t *mctx = cp->server->mctx;
 	controllistener_t *listener;
-	cfg_obj_t *allow;
-	cfg_obj_t *global_keylist = NULL;
-	cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 
@@ -1155,13 +1159,13 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 }
 
 isc_result_t
-ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
+ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 		      ns_aclconfctx_t *aclconfctx)
 {
 	controllistener_t *listener;
 	controllistenerlist_t new_listeners;
-	cfg_obj_t *controlslist = NULL;
-	cfg_listelt_t *element, *element2;
+	const cfg_obj_t *controlslist = NULL;
+	const cfg_listelt_t *element, *element2;
 	char socktext[ISC_SOCKADDR_FORMATSIZE];
 
 	ISC_LIST_INIT(new_listeners);
@@ -1183,8 +1187,8 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 		for (element = cfg_list_first(controlslist);
 		     element != NULL;
 		     element = cfg_list_next(element)) {
-			cfg_obj_t *controls;
-			cfg_obj_t *inetcontrols = NULL;
+			const cfg_obj_t *controls;
+			const cfg_obj_t *inetcontrols = NULL;
 
 			controls = cfg_listelt_value(element);
 			(void)cfg_map_get(controls, "inet", &inetcontrols);
@@ -1194,9 +1198,9 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 			for (element2 = cfg_list_first(inetcontrols);
 			     element2 != NULL;
 			     element2 = cfg_list_next(element2)) {
-				cfg_obj_t *control;
-				cfg_obj_t *obj;
-				isc_sockaddr_t *addr;
+				const cfg_obj_t *control;
+				const cfg_obj_t *obj;
+				isc_sockaddr_t addr;
 
 				/*
 				 * The parser handles BIND 8 configuration file
@@ -1209,12 +1213,12 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 				control = cfg_listelt_value(element2);
 
 				obj = cfg_tuple_get(control, "address");
-				addr = cfg_obj_assockaddr(obj);
-				if (isc_sockaddr_getport(addr) == 0)
-					isc_sockaddr_setport(addr,
+				addr = *cfg_obj_assockaddr(obj);
+				if (isc_sockaddr_getport(&addr) == 0)
+					isc_sockaddr_setport(&addr,
 							     NS_CONTROL_PORT);
 
-				isc_sockaddr_format(addr, socktext,
+				isc_sockaddr_format(&addr, socktext,
 						    sizeof(socktext));
 
 				isc_log_write(ns_g_lctx,
@@ -1225,7 +1229,7 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 					      socktext);
 
 				update_listener(cp, &listener, control, config,
-						addr, aclconfctx, socktext);
+						&addr, aclconfctx, socktext);
 
 				if (listener != NULL)
 					/*
@@ -1239,7 +1243,7 @@ ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 					 * This is a new listener.
 					 */
 					add_listener(cp, &listener, control,
-						     config, addr, aclconfctx,
+						     config, &addr, aclconfctx,
 						     socktext);
 
 				if (listener != NULL)
diff --git a/bin/named/include/named/aclconf.h b/bin/named/include/named/aclconf.h
index 639ce5686c..661b22db9a 100644
--- a/bin/named/include/named/aclconf.h
+++ b/bin/named/include/named/aclconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.h,v 1.12.2.1 2004/03/09 06:09:21 marka Exp $ */
+/* $Id: aclconf.h,v 1.12.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NS_ACLCONF_H
 #define NS_ACLCONF_H 1
@@ -49,8 +49,8 @@ ns_aclconfctx_destroy(ns_aclconfctx_t *ctx);
  */
 
 isc_result_t
-ns_acl_fromconfig(cfg_obj_t *caml,
-		  cfg_obj_t *cctx,
+ns_acl_fromconfig(const cfg_obj_t *caml,
+		  const cfg_obj_t *cctx,
 		  ns_aclconfctx_t *ctx,
 		  isc_mem_t *mctx,
 		  dns_acl_t **target);
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index 3d97be62c7..0d8b4560c8 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h,v 1.4.2.1 2004/03/09 06:09:21 marka Exp $ */
+/* $Id: config.h,v 1.4.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
@@ -29,20 +29,20 @@ isc_result_t
 ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
 
 isc_result_t
-ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
+ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj);
 
 int
-ns_config_listcount(cfg_obj_t *list);
+ns_config_listcount(const cfg_obj_t *list);
 
 isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp);
 
 dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj);
+ns_config_getzonetype(const cfg_obj_t *zonetypeobj);
 
 isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp);
 
@@ -51,16 +51,16 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 		    isc_uint32_t count);
 
 isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
-			  isc_sockaddr_t **addrsp, dns_name_t ***keys,
-			  isc_uint32_t *countp);
+ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+			  dns_name_t ***keys, isc_uint32_t *countp);
 
 void
 ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 			  dns_name_t ***keys, isc_uint32_t count);
 
 isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp);
+ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
 
 isc_result_t
 ns_config_getkeyalgorithm(const char *str, dns_name_t **name);
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index a805c00867..880865dea1 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.6.2.3 2004/03/09 06:09:21 marka Exp $ */
+/* $Id: control.h,v 1.6.2.4 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -61,7 +61,7 @@ ns_controls_destroy(ns_controls_t **ctrlsp);
  */
 
 isc_result_t
-ns_controls_configure(ns_controls_t *controls, cfg_obj_t *config,
+ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config,
 		      ns_aclconfctx_t *aclconfctx);
 /*
  * Configure zero or more command channels into 'controls'
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index d2a2250e92..7c90132127 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.59.2.1 2004/03/09 06:09:21 marka Exp $ */
+/* $Id: globals.h,v 1.59.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
@@ -73,7 +73,7 @@ EXTERN unsigned int		ns_g_debuglevel		INIT(0);
  * Current configuration information.
  */
 EXTERN cfg_obj_t *		ns_g_config		INIT(NULL);
-EXTERN cfg_obj_t *		ns_g_defaults		INIT(NULL);
+EXTERN const cfg_obj_t *	ns_g_defaults		INIT(NULL);
 EXTERN const char *		ns_g_conffile		INIT(NS_SYSCONFDIR
 							     "/named.conf");
 EXTERN const char *		ns_g_keyfile		INIT(NS_SYSCONFDIR
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
index 9e0dbf1a78..3ae7747475 100644
--- a/bin/named/include/named/logconf.h
+++ b/bin/named/include/named/logconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.h,v 1.10.2.1 2004/03/09 06:09:22 marka Exp $ */
+/* $Id: logconf.h,v 1.10.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NAMED_LOGCONF_H
 #define NAMED_LOGCONF_H 1
@@ -23,7 +23,7 @@
 #include 
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt);
+ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt);
 /*
  * Set up the logging configuration in '*logconf' according to
  * the named.conf data in 'logstmt'.
diff --git a/bin/named/include/named/lwresd.h b/bin/named/include/named/lwresd.h
index 37af4d64ee..6a8bda51a5 100644
--- a/bin/named/include/named/lwresd.h
+++ b/bin/named/include/named/lwresd.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.h,v 1.12.2.1 2004/03/09 06:09:22 marka Exp $ */
+/* $Id: lwresd.h,v 1.12.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NAMED_LWRESD_H
 #define NAMED_LWRESD_H 1
@@ -56,7 +56,7 @@ struct ns_lwreslistener {
  * Configure lwresd.
  */
 isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config);
+ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config);
 
 isc_result_t
 ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
@@ -72,7 +72,8 @@ ns_lwresd_shutdown(void);
  * Manager functions
  */
 isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres, ns_lwresd_t **lwresdp);
+ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
+		      ns_lwresd_t **lwresdp);
 
 void
 ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index fc112d5ea8..06606b05c2 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.58.2.3 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: server.h,v 1.58.2.4 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -177,6 +177,6 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text);
  * Maintain a list of dispatches that require reserved ports.
  */
 void
-ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr);
+ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
 
 #endif /* NAMED_SERVER_H */
diff --git a/bin/named/include/named/sortlist.h b/bin/named/include/named/sortlist.h
index 7b520b75b8..7d4e77e39e 100644
--- a/bin/named/include/named/sortlist.h
+++ b/bin/named/include/named/sortlist.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.h,v 1.4.2.1 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: sortlist.h,v 1.4.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NAMED_SORTLIST_H
 #define NAMED_SORTLIST_H 1
@@ -28,7 +28,7 @@
  * Type for callback functions that rank addresses.
  */
 typedef int 
-(*dns_addressorderfunc_t)(isc_netaddr_t *address, void *arg);
+(*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg);
 
 /*
  * Return value type for setup_sortlist.
@@ -40,7 +40,8 @@ typedef enum {
 } ns_sortlisttype_t;
 
 ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp);
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
+		  const void **argp);
 /*
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  *
@@ -55,14 +56,14 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp);
  */
 
 int
-ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg);
+ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
 /*
  * Find the sort order of 'addr' in 'arg', the matching element
  * of a 1-element top-level sortlist statement.
  */
 
 int
-ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg);
+ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
 /*
  * Find the sort order of 'addr' in 'arg', a topology-like
  * ACL forming the second element in a 2-element top-level
@@ -72,7 +73,7 @@ ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg);
 void
 ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
 			dns_addressorderfunc_t *orderp,
-			void **argp);
+			const void **argp);
 /*
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  * If a sortlist statement applies, return in '*orderp' a pointer to a function
diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h
index 87ba18f9ee..3946ca9ac0 100644
--- a/bin/named/include/named/tkeyconf.h
+++ b/bin/named/include/named/tkeyconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.h,v 1.9.2.1 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.9.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NS_TKEYCONF_H
 #define NS_TKEYCONF_H 1
@@ -28,8 +28,8 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
-		      dns_tkeyctx_t **tctxp);
+ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
+		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
 /*
  * 	Create a TKEY context and configure it, including the default DH key
  *	and default domain, according to 'options'.
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
index 05f1a9ef3c..8116cbf872 100644
--- a/bin/named/include/named/tsigconf.h
+++ b/bin/named/include/named/tsigconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.h,v 1.9.2.1 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: tsigconf.h,v 1.9.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
@@ -26,7 +26,7 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
+ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
 /*
  * Create a TSIG key ring and configure it according to the 'key'
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
index a3437858a5..67bce66b28 100644
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.h,v 1.16.2.3 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: zoneconf.h,v 1.16.2.4 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
@@ -30,8 +30,9 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
-		  ns_aclconfctx_t *ac, dns_zone_t *zone);
+ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+		  const cfg_obj_t *zconfig, ns_aclconfctx_t *ac,
+		  dns_zone_t *zone);
 /*
  * Configure or reconfigure a zone according to the named.conf
  * data in 'cctx' and 'czone'.
@@ -48,7 +49,7 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
  */
 
 isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig);
+ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
 /*
  * If 'zone' can be safely reconfigured according to the configuration
  * data in 'zconfig', return ISC_TRUE.  If the configuration data is so
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index 6e87d5cd46..d5baa0a097 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.c,v 1.30.2.5 2004/03/09 06:09:18 marka Exp $ */
+/* $Id: logconf.c,v 1.30.2.6 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -41,13 +41,13 @@
  * in 'ccat' and add it to 'lctx'.
  */
 static isc_result_t
-category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
+category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	const char *catname;
 	isc_logcategory_t *category;
 	isc_logmodule_t *module;
-	cfg_obj_t *destinations = NULL;
-	cfg_listelt_t *element = NULL;
+	const cfg_obj_t *destinations = NULL;
+	const cfg_listelt_t *element = NULL;
 
 	catname = cfg_obj_asstring(cfg_tuple_get(ccat, "name"));
 	category = isc_log_categorybyname(ns_g_lctx, catname);
@@ -68,8 +68,8 @@ category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *channel = cfg_listelt_value(element);
-		char *channelname = cfg_obj_asstring(channel);
+		const cfg_obj_t *channel = cfg_listelt_value(element);
+		const char *channelname = cfg_obj_asstring(channel);
 
 		result = isc_log_usechannel(lctx, channelname, category,
 					    module);
@@ -89,18 +89,18 @@ category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
  * in 'cchan' and add it to 'lctx'.
  */
 static isc_result_t
-channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
+channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	isc_logdestination_t dest;
 	unsigned int type;
 	unsigned int flags = 0;
 	int level;
 	const char *channelname;
-	cfg_obj_t *fileobj = NULL;
-	cfg_obj_t *syslogobj = NULL;
-	cfg_obj_t *nullobj = NULL;
-	cfg_obj_t *stderrobj = NULL;
-	cfg_obj_t *severity = NULL;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *syslogobj = NULL;
+	const cfg_obj_t *nullobj = NULL;
+	const cfg_obj_t *stderrobj = NULL;
+	const cfg_obj_t *severity = NULL;
 	int i;
 
 	channelname = cfg_obj_asstring(cfg_map_getname(channel));
@@ -130,9 +130,10 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	type = ISC_LOG_TONULL;
 	
 	if (fileobj != NULL) {
-		cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
-		cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
-		cfg_obj_t *versionsobj = cfg_tuple_get(fileobj, "versions");
+		const cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
+		const cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
+		const cfg_obj_t *versionsobj =
+				 cfg_tuple_get(fileobj, "versions");
 		isc_int32_t versions = ISC_LOG_ROLLNEVER;
 		isc_offset_t size = 0;
 
@@ -157,7 +158,7 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 		type = ISC_LOG_TOSYSLOG;
 
 		if (cfg_obj_isstring(syslogobj)) {
-			char *facilitystr = cfg_obj_asstring(syslogobj);
+			const char *facilitystr = cfg_obj_asstring(syslogobj);
 			(void)isc_syslog_facilityfromstring(facilitystr,
 							    &facility);
 		}
@@ -174,9 +175,9 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	 * Munge flags.
 	 */
 	{
-		cfg_obj_t *printcat = NULL;
-		cfg_obj_t *printsev = NULL;
-		cfg_obj_t *printtime = NULL;
+		const cfg_obj_t *printcat = NULL;
+		const cfg_obj_t *printsev = NULL;
+		const cfg_obj_t *printtime = NULL;
 
 		(void)cfg_map_get(channel, "print-category", &printcat);
 		(void)cfg_map_get(channel, "print-severity", &printsev);
@@ -193,7 +194,7 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	level = ISC_LOG_INFO;
 	if (cfg_map_get(channel, "severity", &severity) == ISC_R_SUCCESS) {
 		if (cfg_obj_isstring(severity)) {
-			char *str = cfg_obj_asstring(severity);
+			const char *str = cfg_obj_asstring(severity);
 			if (strcasecmp(str, "critical") == 0)
 				level = ISC_LOG_CRITICAL;
 			else if (strcasecmp(str, "error") == 0)
@@ -242,13 +243,14 @@ channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 }
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
+ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt) {
 	isc_result_t result;
-	cfg_obj_t *channels = NULL;
-	cfg_obj_t *categories = NULL;
-	cfg_listelt_t *element;
+	const cfg_obj_t *channels = NULL;
+	const cfg_obj_t *categories = NULL;
+	const cfg_listelt_t *element;
 	isc_boolean_t default_set = ISC_FALSE;
 	isc_boolean_t unmatched_set = ISC_FALSE;
+	const cfg_obj_t *catname;
 
 	CHECK(ns_log_setdefaultchannels(logconf));
 
@@ -257,7 +259,7 @@ ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *channel = cfg_listelt_value(element);
+		const cfg_obj_t *channel = cfg_listelt_value(element);
 		CHECK(channel_fromconf(channel, logconf));
 	}
 
@@ -266,15 +268,15 @@ ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *category = cfg_listelt_value(element);
+		const cfg_obj_t *category = cfg_listelt_value(element);
 		CHECK(category_fromconf(category, logconf));
 		if (!default_set) {
-			cfg_obj_t *catname = cfg_tuple_get(category, "name");
+			catname = cfg_tuple_get(category, "name");
 			if (strcmp(cfg_obj_asstring(catname), "default") == 0)
 				default_set = ISC_TRUE;
 		}
 		if (!unmatched_set) {
-			cfg_obj_t *catname = cfg_tuple_get(category, "name");
+			catname = cfg_tuple_get(category, "name");
 			if (strcmp(cfg_obj_asstring(catname), "unmatched") == 0)
 				unmatched_set = ISC_TRUE;
 		}
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index d53a5df728..4cc2962031 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.13.2.1 2004/03/09 06:09:18 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.13.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -120,7 +120,7 @@ sort_addresses(ns_lwdclient_t *client) {
 	rankedaddress *addrs;
 	isc_netaddr_t remote;
 	dns_addressorderfunc_t order;
-	void *arg;
+	const void *arg;
 	ns_lwresd_t *lwresd = client->clientmgr->listener->manager;
 	unsigned int i;
 	isc_result_t result;
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index d37f43ed74..5b90457251 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.c,v 1.37.2.5 2006/01/04 23:50:16 marka Exp $ */
+/* $Id: lwresd.c,v 1.37.2.6 2006/03/01 01:34:05 marka Exp $ */
 
 /*
  * Main program for the Lightweight Resolver Daemon.
@@ -285,14 +285,14 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
  * Handle lwresd manager objects
  */
 isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
+ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
 		     ns_lwresd_t **lwresdp)
 {
 	ns_lwresd_t *lwresd;
 	const char *vname;
 	dns_rdataclass_t vclass;
-	cfg_obj_t *obj, *viewobj, *searchobj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *obj, *viewobj, *searchobj;
+	const cfg_listelt_t *element;
 	isc_result_t result;
 
 	INSIST(lwresdp != NULL && *lwresdp == NULL);
@@ -356,8 +356,8 @@ ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			cfg_obj_t *search;
-			char *searchstr;
+			const cfg_obj_t *search;
+			const char *searchstr;
 			isc_buffer_t namebuf;
 			dns_fixedname_t fname;
 			dns_name_t *name;
@@ -739,11 +739,11 @@ configure_listener(isc_sockaddr_t *address, ns_lwresd_t *lwresd,
 }
 
 isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config) {
-	cfg_obj_t *lwreslist = NULL;
-	cfg_obj_t *lwres = NULL;
-	cfg_obj_t *listenerslist = NULL;
-	cfg_listelt_t *element = NULL;
+ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config) {
+	const cfg_obj_t *lwreslist = NULL;
+	const cfg_obj_t *lwres = NULL;
+	const cfg_obj_t *listenerslist = NULL;
+	const cfg_listelt_t *element = NULL;
 	ns_lwreslistener_t *listener;
 	ns_lwreslistenerlist_t newlisteners;
 	isc_result_t result;
diff --git a/bin/named/query.c b/bin/named/query.c
index 6a054635d2..8fc512c926 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.198.2.24 2006/02/03 23:51:35 marka Exp $ */
+/* $Id: query.c,v 1.198.2.25 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -2278,7 +2278,7 @@ do { \
  *	ISC_R_NOTIMPLEMENTED	The rdata is not a known address type.
  */
 static isc_result_t
-rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
+rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
 	struct in_addr ina;
 	struct in6_addr in6a;
 	
@@ -2304,7 +2304,7 @@ rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
  * sortlist statement.
  */
 static int
-query_sortlist_order_2element(dns_rdata_t *rdata, void *arg) {
+query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
 	isc_netaddr_t netaddr;
 
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
@@ -2317,7 +2317,7 @@ query_sortlist_order_2element(dns_rdata_t *rdata, void *arg) {
  * of a 1-element top-level sortlist statement.
  */
 static int
-query_sortlist_order_1element(dns_rdata_t *rdata, void *arg) {
+query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
 	isc_netaddr_t netaddr;
 
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
@@ -2333,7 +2333,7 @@ static void
 setup_query_sortlist(ns_client_t *client) {
 	isc_netaddr_t netaddr;
 	dns_rdatasetorderfunc_t order = NULL;
-	void *order_arg = NULL;
+	const void *order_arg = NULL;
 	
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 	switch (ns_sortlist_setup(client->view->sortlist,
diff --git a/bin/named/server.c b/bin/named/server.c
index d7bc186977..737afbcf40 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.339.2.36 2006/01/04 23:50:16 marka Exp $ */
+/* $Id: server.c,v 1.339.2.37 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -119,21 +119,21 @@ static void
 ns_server_reload(isc_task_t *task, isc_event_t *event);
 
 static isc_result_t
-ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
+ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 			ns_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target);
 static isc_result_t
-ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
+ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
 			 ns_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target);
 
 static isc_result_t
-configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  cfg_obj_t *forwarders, cfg_obj_t *forwardtype);
+configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
 
 static isc_result_t
-configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
-	       isc_mem_t *mctx, dns_view_t *view,
+configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
 	       ns_aclconfctx_t *aclconf);
 
 static void
@@ -145,13 +145,13 @@ end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
  * (for a global default).
  */
 static isc_result_t
-configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
+configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 		   const char *aclname, ns_aclconfctx_t *actx,
 		   isc_mem_t *mctx, dns_acl_t **aclp)
 {
 	isc_result_t result;
-	cfg_obj_t *maps[3];
-	cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 
 	if (*aclp != NULL)
@@ -159,7 +159,7 @@ configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			maps[i++] = options;
@@ -180,13 +180,13 @@ configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
 
 #ifdef ISC_RFC2535
 static isc_result_t
-configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
+configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 			 dns_keytable_t *keytable, isc_mem_t *mctx)
 {
 	dns_rdataclass_t viewclass;
 	dns_rdata_key_t keystruct;
 	isc_uint32_t flags, proto, alg;
-	char *keystr, *keynamestr;
+	const char *keystr, *keynamestr;
 	unsigned char keydata[4096];
 	isc_buffer_t keydatabuf;
 	unsigned char rrdata[4096];
@@ -207,7 +207,7 @@ configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
 	if (vconfig == NULL)
 		viewclass = dns_rdataclass_in;
 	else {
-		cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
+		const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
 		CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
 					 &viewclass));
 	}
@@ -284,16 +284,16 @@ configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
  * from 'vconfig' and 'config'.  The variable to be configured is '*target'.
  */
 static isc_result_t
-configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config,
+configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 			  isc_mem_t *mctx, dns_keytable_t **target)
 {
 	isc_result_t result;
 #ifdef ISC_RFC2535
-	cfg_obj_t *keys = NULL;
-	cfg_obj_t *voptions = NULL;
-	cfg_listelt_t *element, *element2;
-	cfg_obj_t *keylist;
-	cfg_obj_t *key;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *voptions = NULL;
+	const cfg_listelt_t *element, *element2;
+	const cfg_obj_t *keylist;
+	const cfg_obj_t *key;
 #endif
 	dns_keytable_t *keytable = NULL;
 
@@ -341,14 +341,14 @@ configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config,
  * Get a dispatch appropriate for the resolver of a given view.
  */
 static isc_result_t
-get_view_querysource_dispatch(cfg_obj_t **maps,
+get_view_querysource_dispatch(const cfg_obj_t **maps,
 			      int af, dns_dispatch_t **dispatchp)
 {
 	isc_result_t result;
 	dns_dispatch_t *disp;
 	isc_sockaddr_t sa;
 	unsigned int attrs, attrmask;
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *obj = NULL;
 
 	/*
 	 * Make compiler happy.
@@ -439,12 +439,12 @@ get_view_querysource_dispatch(cfg_obj_t **maps,
 }
 
 static isc_result_t
-configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
-	isc_sockaddr_t *sa;
+configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
+	const isc_sockaddr_t *sa;
 	isc_netaddr_t na;
 	dns_peer_t *peer;
-	cfg_obj_t *obj;
-	char *str;
+	const cfg_obj_t *obj;
+	const char *str;
 	isc_result_t result;
 
 	sa = cfg_obj_assockaddr(cfg_map_getname(cpeer));
@@ -515,18 +515,19 @@ configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
  * global defaults in 'config' used exclusively.
  */
 static isc_result_t
-configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
-	       isc_mem_t *mctx, ns_aclconfctx_t *actx)
+configure_view(dns_view_t *view, const cfg_obj_t *config,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx,
+	       ns_aclconfctx_t *actx)
 {
-	cfg_obj_t *maps[4];
-	cfg_obj_t *cfgmaps[3];
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *voptions = NULL;
-	cfg_obj_t *forwardtype;
-	cfg_obj_t *forwarders;
-	cfg_obj_t *zonelist;
-	cfg_obj_t *obj;
-	cfg_listelt_t *element;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *cfgmaps[3];
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *voptions = NULL;
+	const cfg_obj_t *forwardtype;
+	const cfg_obj_t *forwarders;
+	const cfg_obj_t *zonelist;
+	const cfg_obj_t *obj;
+	const cfg_listelt_t *element;
 	in_port_t port;
 	dns_cache_t *cache = NULL;
 	isc_result_t result;
@@ -539,7 +540,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	dns_dispatch_t *dispatch6 = NULL;
 	isc_boolean_t reused_cache = ISC_FALSE;
 	int i;
-	char *str;
+	const char *str;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
@@ -584,7 +585,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *zconfig = cfg_listelt_value(element);
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
 		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
 				     actx));
 	}
@@ -742,8 +743,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	 * Configure the view's peer list.
 	 */
 	{
-		cfg_obj_t *peers = NULL;
-		cfg_listelt_t *element;
+		const cfg_obj_t *peers = NULL;
+		const cfg_listelt_t *element;
 		dns_peerlist_t *newpeers = NULL;
 
 		(void)ns_config_get(cfgmaps, "server", &peers);
@@ -752,7 +753,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			cfg_obj_t *cpeer = cfg_listelt_value(element);
+			const cfg_obj_t *cpeer = cfg_listelt_value(element);
 			dns_peer_t *peer;
 
 			CHECK(configure_peer(cpeer, mctx, &peer));
@@ -913,8 +914,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 			dns_fixedname_t fixed;
 			dns_name_t *name;
 			isc_buffer_t b;
-			char *str;
-			cfg_obj_t *exclude;
+			const char *str;
+			const cfg_obj_t *exclude;
 
 			dns_fixedname_init(&fixed);
 			name = dns_fixedname_name(&fixed);
@@ -981,14 +982,16 @@ create_bind_view(dns_view_t **viewp) {
  * option or the global defaults.
  */
 static isc_result_t
-create_version_zone(cfg_obj_t **maps, dns_zonemgr_t *zmgr, dns_view_t *view) {
+create_version_zone(const cfg_obj_t **maps, dns_zonemgr_t *zmgr,
+		    dns_view_t *view)
+{
 	isc_result_t result;
 	dns_db_t *db = NULL;
 	dns_zone_t *zone = NULL;
 	dns_dbversion_t *dbver = NULL;
 	dns_difftuple_t *tuple = NULL;
 	dns_diff_t diff;
-	char *versiontext;
+	const char *versiontext;
 	unsigned char buf[256];
 	isc_region_t r;
 	size_t len;
@@ -1002,7 +1005,7 @@ create_version_zone(cfg_obj_t **maps, dns_zonemgr_t *zmgr, dns_view_t *view) {
 					 "\0\0\0\0"	/* expire */
 					 "\0\0\0\0";	/* minimum */
 	dns_name_t origin;
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *obj = NULL;
 	dns_acl_t *acl = NULL;
 
 	dns_diff_init(ns_g_mctx, &diff);
@@ -1094,7 +1097,8 @@ create_version_zone(cfg_obj_t **maps, dns_zonemgr_t *zmgr, dns_view_t *view) {
  * The strings returned list the BIND 9 authors.
  */
 static isc_result_t
-create_authors_zone(cfg_obj_t *options, dns_zonemgr_t *zmgr, dns_view_t *view)
+create_authors_zone(const cfg_obj_t *options, dns_zonemgr_t *zmgr,
+		    dns_view_t *view)
 {
 	isc_result_t result;
 	dns_db_t *db = NULL;
@@ -1130,7 +1134,7 @@ create_authors_zone(cfg_obj_t *options, dns_zonemgr_t *zmgr, dns_view_t *view)
 		"\020Brian Wellington",
 		NULL,
 	};
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *obj = NULL;
 	dns_acl_t *acl = NULL;
 
 	/*
@@ -1236,12 +1240,12 @@ configure_hints(dns_view_t *view, const char *filename) {
 }
 
 static isc_result_t
-configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  cfg_obj_t *forwarders, cfg_obj_t *forwardtype)
+configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
 {
-	cfg_obj_t *portobj;
-	cfg_obj_t *faddresses;
-	cfg_listelt_t *element;
+	const cfg_obj_t *portobj;
+	const cfg_obj_t *faddresses;
+	const cfg_listelt_t *element;
 	dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
 	isc_sockaddrlist_t addresses;
 	isc_sockaddr_t *sa;
@@ -1279,7 +1283,7 @@ configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *forwarder = cfg_listelt_value(element);
+		const cfg_obj_t *forwarder = cfg_listelt_value(element);
 		sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
 		if (sa == NULL) {
 			result = ISC_R_NOMEMORY;
@@ -1302,7 +1306,7 @@ configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 		if (forwardtype == NULL)
 			fwdpolicy = dns_fwdpolicy_first;
 		else {
-			char *forwardstr = cfg_obj_asstring(forwardtype);
+			const char *forwardstr = cfg_obj_asstring(forwardtype);
 			if (strcasecmp(forwardstr, "first") == 0)
 				fwdpolicy = dns_fwdpolicy_first;
 			else if (strcasecmp(forwardstr, "only") == 0)
@@ -1344,14 +1348,16 @@ configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
  * The view created is attached to '*viewp'.
  */
 static isc_result_t
-create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) {
+create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
+	    dns_view_t **viewp)
+{
 	isc_result_t result;
 	const char *viewname;
 	dns_rdataclass_t viewclass;
 	dns_view_t *view = NULL;
 
 	if (vconfig != NULL) {
-		cfg_obj_t *classobj = NULL;
+		const cfg_obj_t *classobj = NULL;
 
 		viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
 		classobj = cfg_tuple_get(vconfig, "class");
@@ -1381,19 +1387,19 @@ create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) {
  * Configure or reconfigure a zone.
  */
 static isc_result_t
-configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
-	       isc_mem_t *mctx, dns_view_t *view,
+configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
 	       ns_aclconfctx_t *aclconf)
 {
 	dns_view_t *pview = NULL;	/* Production view */
 	dns_zone_t *zone = NULL;	/* New or reused zone */
 	dns_zone_t *dupzone = NULL;
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *typeobj = NULL;
-	cfg_obj_t *forwarders = NULL;
-	cfg_obj_t *forwardtype = NULL;
-	cfg_obj_t *only = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *typeobj = NULL;
+	const cfg_obj_t *forwarders = NULL;
+	const cfg_obj_t *forwardtype = NULL;
+	const cfg_obj_t *only = NULL;
 	isc_result_t result;
 	isc_result_t tresult;
 	isc_buffer_t buffer;
@@ -1450,7 +1456,7 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
 	 * configure it and return.
 	 */
 	if (strcasecmp(ztypestr, "hint") == 0) {
-		cfg_obj_t *fileobj = NULL;
+		const cfg_obj_t *fileobj = NULL;
 		if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -1460,7 +1466,7 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
 			goto cleanup;
 		}
 		if (dns_name_equal(origin, dns_rootname)) {
-			char *hintsfile = cfg_obj_asstring(fileobj);
+			const char *hintsfile = cfg_obj_asstring(fileobj);
 
 			result = configure_hints(view, hintsfile);
 			if (result != ISC_R_SUCCESS) {
@@ -1614,9 +1620,10 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
  * Configure a single server quota.
  */
 static void
-configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota)
+configure_server_quota(const cfg_obj_t **maps, const char *name,
+		       isc_quota_t *quota)
 {
-	cfg_obj_t *obj = NULL;
+	const cfg_obj_t *obj = NULL;
 	isc_result_t result;
 
 	result = ns_config_get(maps, name, &obj);
@@ -1629,9 +1636,9 @@ configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota)
  * parsed.  This can be extended to support other options if necessary.
  */
 static isc_result_t
-directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
+directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
-	char *directory;
+	const char *directory;
 
 	REQUIRE(strcasecmp("directory", clausename) == 0);
 
@@ -1740,11 +1747,12 @@ setdumpfile(ns_server_t *server, const char *name) {
 }
 
 static void
-set_limit(cfg_obj_t **maps, const char *configname, const char *description,
-	  isc_resource_t resourceid, isc_resourcevalue_t defaultvalue)
+set_limit(const cfg_obj_t **maps, const char *configname,
+	  const char *description, isc_resource_t resourceid,
+	  isc_resourcevalue_t defaultvalue)
 {
-	cfg_obj_t *obj = NULL;
-	char *resource;
+	const cfg_obj_t *obj = NULL;
+	const char *resource;
 	isc_resourcevalue_t value;
 	isc_result_t result;
 
@@ -1775,7 +1783,7 @@ set_limit(cfg_obj_t **maps, const char *configname, const char *description,
 		  ns_g_init ## resource)
 
 static void
-set_limits(cfg_obj_t **maps) {
+set_limits(const cfg_obj_t **maps) {
 	SETLIMIT("stacksize", stacksize, "stack size");
 	SETLIMIT("datasize", datasize, "data size");
 	SETLIMIT("coresize", coresize, "core size");
@@ -1789,11 +1797,11 @@ load_configuration(const char *filename, ns_server_t *server,
 	isc_result_t result;
 	cfg_parser_t *parser = NULL;
 	cfg_obj_t *config;
-	cfg_obj_t *options;
-	cfg_obj_t *views;
-	cfg_obj_t *obj;
-	cfg_obj_t *maps[3];
-	cfg_listelt_t *element;
+	const cfg_obj_t *options;
+	const cfg_obj_t *views;
+	const cfg_obj_t *obj;
+	const cfg_obj_t *maps[3];
+	const cfg_listelt_t *element;
 	dns_view_t *view = NULL;
 	dns_view_t *view_next;
 	dns_viewlist_t viewlist;
@@ -1932,7 +1940,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * statement.
 	 */
 	{
-		cfg_obj_t *clistenon = NULL;
+		const cfg_obj_t *clistenon = NULL;
 		ns_listenlist_t *listenon = NULL;
 
 		clistenon = NULL;
@@ -1966,7 +1974,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * Ditto for IPv6.
 	 */
 	{
-		cfg_obj_t *clistenon = NULL;
+		const cfg_obj_t *clistenon = NULL;
 		ns_listenlist_t *listenon = NULL;
 
 		if (options != NULL)
@@ -2049,7 +2057,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *vconfig;
+		const cfg_obj_t *vconfig;
 
 		view = NULL;
 		vconfig = cfg_listelt_value(element);
@@ -2169,7 +2177,7 @@ load_configuration(const char *filename, ns_server_t *server,
 			      "ignoring config file logging "
 			      "statement due to -g option");
 	} else {
-		cfg_obj_t *logobj = NULL;
+		const cfg_obj_t *logobj = NULL;
 		isc_logconfig_t *logc = NULL;
 
 		CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
@@ -2208,19 +2216,19 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * compatibility.
 	 */
 	if (first_time) {
-		cfg_obj_t *logobj = NULL;
-		cfg_obj_t *categories = NULL;
+		const cfg_obj_t *logobj = NULL;
+		const cfg_obj_t *categories = NULL;
 		(void)cfg_map_get(config, "logging", &logobj);
 		if (logobj != NULL)
 			(void)cfg_map_get(logobj, "category", &categories);
 		if (categories != NULL) {
-			cfg_listelt_t *element;
+			const cfg_listelt_t *element;
 			for (element = cfg_list_first(categories);
 			     element != NULL;
 			     element = cfg_list_next(element))
 			{
-				cfg_obj_t *catobj;
-				char *str;
+				const cfg_obj_t *catobj;
+				const char *str;
 
 				obj = cfg_listelt_value(element);
 				catobj = cfg_tuple_get(obj, "name");
@@ -2627,7 +2635,7 @@ end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
 }
 
 void
-ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr) {
+ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
 	ns_dispatch_t *dispatch;
 	in_port_t port;
 	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
@@ -2929,12 +2937,12 @@ ns_server_togglequerylog(ns_server_t *server) {
 }
 
 static isc_result_t
-ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
+ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
 			 ns_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target)
 {
 	isc_result_t result;
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 	ns_listenlist_t *dlist = NULL;
 
 	REQUIRE(target != NULL && *target == NULL);
@@ -2948,7 +2956,7 @@ ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
 	     element = cfg_list_next(element))
 	{
 		ns_listenelt_t *delt = NULL;
-		cfg_obj_t *listener = cfg_listelt_value(element);
+		const cfg_obj_t *listener = cfg_listelt_value(element);
 		result = ns_listenelt_fromconfig(listener, config, actx,
 						 mctx, &delt);
 		if (result != ISC_R_SUCCESS)
@@ -2968,12 +2976,12 @@ ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
  * data structure.
  */
 static isc_result_t
-ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
+ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 			ns_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target)
 {
 	isc_result_t result;
-	cfg_obj_t *portobj;
+	const cfg_obj_t *portobj;
 	in_port_t port;
 	ns_listenelt_t *delt = NULL;
 	REQUIRE(target != NULL && *target == NULL);
diff --git a/bin/named/sortlist.c b/bin/named/sortlist.c
index 4e8cffbcc7..6f92af4e79 100644
--- a/bin/named/sortlist.c
+++ b/bin/named/sortlist.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.c,v 1.5.2.1 2004/03/09 06:09:20 marka Exp $ */
+/* $Id: sortlist.c,v 1.5.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -30,7 +30,9 @@
 #include 
 
 ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
+		  const void **argp)
+{
 	unsigned int i;
 
 	if (acl == NULL)
@@ -42,7 +44,7 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
 		 * in the sortlist (see ARM).
 		 */
 		dns_aclelement_t *e = &acl->elements[i];
-		dns_aclelement_t *matchelt = NULL;
+		const dns_aclelement_t *matchelt = NULL;
 		dns_acl_t *inner;
 
 		if (e->type != dns_aclelementtype_nestedacl)
@@ -88,8 +90,8 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
 }
 
 int
-ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg) {
-	dns_acl_t *sortacl = (dns_acl_t *) arg;
+ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
+	const dns_acl_t *sortacl = (const dns_acl_t *) arg;
 	int match;
 
 	(void)dns_acl_match(addr, NULL, sortacl,
@@ -104,8 +106,8 @@ ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg) {
 }
 
 int
-ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg) {
-	dns_aclelement_t *matchelt = (dns_aclelement_t *) arg;
+ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
+	const dns_aclelement_t *matchelt = (const dns_aclelement_t *) arg;
 	if (dns_aclelement_match(addr, NULL, matchelt,
 				 &ns_g_server->aclenv,
 				 NULL)) {
@@ -118,7 +120,7 @@ ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg) {
 void
 ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
 		       dns_addressorderfunc_t *orderp,
-		       void **argp)
+		       const void **argp)
 {
 	ns_sortlisttype_t sortlisttype;
 
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index 0f7dad6d38..bab4585ea3 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.19.2.1 2004/03/09 06:09:20 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.19.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -42,17 +42,17 @@
 
 
 isc_result_t
-ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
-		       dns_tkeyctx_t **tctxp)
+ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
+		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
 {
 	isc_result_t result;
 	dns_tkeyctx_t *tctx = NULL;
-	char *s;
+	const char *s;
 	isc_uint32_t n;
 	dns_fixedname_t fname;
 	dns_name_t *name;
 	isc_buffer_t b;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 
 	result = dns_tkeyctx_create(mctx, ectx, &tctx);
 	if (result != ISC_R_SUCCESS)
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index 03f887abed..4a15eada9a 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.c,v 1.21.2.1 2004/03/09 06:09:20 marka Exp $ */
+/* $Id: tsigconf.c,v 1.21.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -35,10 +35,12 @@
 #include 
 
 static isc_result_t
-add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
-	cfg_listelt_t *element;
-	cfg_obj_t *key = NULL;
-	char *keyid = NULL;
+add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
+		 isc_mem_t *mctx)
+{
+	const cfg_listelt_t *element;
+	const cfg_obj_t *key = NULL;
+	const char *keyid = NULL;
 	unsigned char *secret = NULL;
 	int secretalloc = 0;
 	int secretlen = 0;
@@ -49,14 +51,14 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *algobj = NULL;
-		cfg_obj_t *secretobj = NULL;
+		const cfg_obj_t *algobj = NULL;
+		const cfg_obj_t *secretobj = NULL;
 		dns_name_t keyname;
 		dns_name_t *alg;
-		char *algstr;
+		const char *algstr;
 		char keynamedata[1024];
 		isc_buffer_t keynamesrc, keynamebuf;
-		char *secretstr;
+		const char *secretstr;
 		isc_buffer_t secretbuf;
 
 		key = cfg_listelt_value(element);
@@ -129,11 +131,11 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 }
 
 isc_result_t
-ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
+ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp)
 {
-	cfg_obj_t *maps[3];
-	cfg_obj_t *keylist;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *keylist;
 	dns_tsig_keyring_t *ring = NULL;
 	isc_result_t result;
 	int i;
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 2d87858207..31b41cc909 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.87.2.11 2006/01/05 03:38:35 marka Exp $ */
+/* $Id: zoneconf.c,v 1.87.2.12 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -52,15 +52,15 @@
  * Convenience function for configuring a single zone ACL.
  */
 static isc_result_t
-configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
-		   const char *aclname, ns_aclconfctx_t *actx,
-		   dns_zone_t *zone, 
+configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+		   const cfg_obj_t *config, const char *aclname,
+		   ns_aclconfctx_t *actx, dns_zone_t *zone, 
 		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
 		   void (*clearzacl)(dns_zone_t *))
 {
 	isc_result_t result;
-	cfg_obj_t *maps[4];
-	cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 	dns_acl_t *dacl = NULL;
 
@@ -69,7 +69,7 @@ configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			maps[i++] = options;
@@ -95,9 +95,9 @@ configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
  * Parse the zone update-policy statement.
  */
 static isc_result_t
-configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
-	cfg_obj_t *updatepolicy = NULL;
-	cfg_listelt_t *element, *element2;
+configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
+	const cfg_obj_t *updatepolicy = NULL;
+	const cfg_listelt_t *element, *element2;
 	dns_ssutable_t *table = NULL;
 	isc_mem_t *mctx = dns_zone_getmctx(zone);
 	isc_result_t result;
@@ -116,13 +116,13 @@ configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *stmt = cfg_listelt_value(element);
-		cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
-		cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
-		cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
-		cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
-		cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
-		char *str;
+		const cfg_obj_t *stmt = cfg_listelt_value(element);
+		const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
+		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+		const char *str;
 		isc_boolean_t grant = ISC_FALSE;
 		unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
 		dns_fixedname_t fname, fident;
@@ -190,14 +190,14 @@ configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2))
 		{
-			cfg_obj_t *typeobj;
+			const cfg_obj_t *typeobj;
 			isc_textregion_t r;
 
 			INSIST(i < n);
 
 			typeobj = cfg_listelt_value(element2);
 			str = cfg_obj_asstring(typeobj);
-			r.base = str;
+			DE_CONST(str, r.base);
 			r.length = strlen(str);
 
 			result = dns_rdatatype_fromtext(&types[i++], &r);
@@ -236,8 +236,8 @@ configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
  * Convert a config file zone type into a server zone type.
  */
 static inline dns_zonetype_t
-zonetype_fromconfig(cfg_obj_t *map) {
-	cfg_obj_t *obj = NULL;
+zonetype_fromconfig(const cfg_obj_t *map) {
+	const cfg_obj_t *obj = NULL;
 	isc_result_t result;
 
 	result = cfg_map_get(map, "type", &obj);
@@ -292,17 +292,18 @@ strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
 }
 
 isc_result_t
-ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
-		  ns_aclconfctx_t *ac, dns_zone_t *zone)
+ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+		  const cfg_obj_t *zconfig, ns_aclconfctx_t *ac,
+		  dns_zone_t *zone)
 {
 	isc_result_t result;
-	char *zname;
+	const char *zname;
 	dns_rdataclass_t zclass;
 	dns_rdataclass_t vclass;
-	cfg_obj_t *maps[5];
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *obj;
+	const cfg_obj_t *maps[5];
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *obj;
 	const char *filename = NULL;
 	dns_notifytype_t notifytype = dns_notifytype_yes;
 	isc_sockaddr_t *addrs;
@@ -407,7 +408,7 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 		else
 			dialup = dns_dialuptype_no;
 	} else {
-		char *dialupstr = cfg_obj_asstring(obj);
+		const char *dialupstr = cfg_obj_asstring(obj);
 		if (strcasecmp(dialupstr, "notify") == 0)
 			dialup = dns_dialuptype_notify;
 		else if (strcasecmp(dialupstr, "notify-passive") == 0)
@@ -441,7 +442,7 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 			else
 				notifytype = dns_notifytype_no;
 		} else {
-			char *notifystr = cfg_obj_asstring(obj);
+			const char *notifystr = cfg_obj_asstring(obj);
 			if (strcasecmp(notifystr, "explicit") == 0)
 				notifytype = dns_notifytype_explicit;
 			else
@@ -602,9 +603,9 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 }
 
 isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig) {
-	cfg_obj_t *zoptions = NULL;
-	cfg_obj_t *obj = NULL;
+ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *obj = NULL;
 	const char *cfilename;
 	const char *zfilename;
 
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 071b8ac4c7..ba83be1edb 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.77.2.6 2004/03/09 06:09:27 marka Exp $ */
+/* $Id: rndc.c,v 1.77.2.7 2006/03/01 01:34:05 marka Exp $ */
 
 /*
  * Principal Author: DCL
@@ -409,17 +409,17 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 {
 	isc_result_t result;
 	const char *conffile = admin_conffile;
-	cfg_obj_t *defkey = NULL;
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *servers = NULL;
-	cfg_obj_t *server = NULL;
-	cfg_obj_t *keys = NULL;
-	cfg_obj_t *key = NULL;
-	cfg_obj_t *defport = NULL;
-	cfg_obj_t *secretobj = NULL;
-	cfg_obj_t *algorithmobj = NULL;
+	const cfg_obj_t *defkey = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *server = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *defport = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *algorithmobj = NULL;
 	cfg_obj_t *config = NULL;
-	cfg_listelt_t *elt;
+	const cfg_listelt_t *elt;
 	const char *secretstr;
 	const char *algorithm;
 	static char secretarray[1024];
@@ -451,7 +451,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	if (key_only && servername == NULL)
 		servername = "127.0.0.1";
 	else if (servername == NULL && options != NULL) {
-		cfg_obj_t *defserverobj = NULL;
+		const cfg_obj_t *defserverobj = NULL;
 		(void)cfg_map_get(options, "default-server", &defserverobj);
 		if (defserverobj != NULL)
 			servername = cfg_obj_asstring(defserverobj);
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index eb2fa1c54a..68962b6867 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.23.2.1 2004/03/09 06:10:59 marka Exp $ */
+/* $Id: acl.c,v 1.23.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -68,7 +68,7 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 }
 
 isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt) {
+dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt) {
 	if (acl->length + 1 > acl->alloc) {
 		/*
 		 * Resize the ACL.
@@ -123,12 +123,12 @@ dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
 }
 
 isc_result_t
-dns_acl_match(isc_netaddr_t *reqaddr,
-	      dns_name_t *reqsigner,
-	      dns_acl_t *acl,
-	      dns_aclenv_t *env,
+dns_acl_match(const isc_netaddr_t *reqaddr,
+	      const dns_name_t *reqsigner,
+	      const dns_acl_t *acl,
+	      const dns_aclenv_t *env,
 	      int *match,
-	      dns_aclelement_t **matchelt)
+	      dns_aclelement_t const**matchelt)
 {
 	unsigned int i;
 
@@ -150,14 +150,14 @@ dns_acl_match(isc_netaddr_t *reqaddr,
 }
 
 isc_boolean_t
-dns_aclelement_match(isc_netaddr_t *reqaddr,
-		     dns_name_t *reqsigner,
-		     dns_aclelement_t *e,
-		     dns_aclenv_t *env,
-		     dns_aclelement_t **matchelt)
+dns_aclelement_match(const isc_netaddr_t *reqaddr,
+		     const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e,
+		     const dns_aclenv_t *env,
+		     const dns_aclelement_t **matchelt)
 {
 	dns_acl_t *inner = NULL;
-	isc_netaddr_t *addr;
+	const isc_netaddr_t *addr;
 	isc_netaddr_t v4addr;
 	int indirectmatch;
 	isc_result_t result;
@@ -289,7 +289,7 @@ dns_acl_detach(dns_acl_t **aclp) {
 }
 
 isc_boolean_t
-dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
+dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb) {
 	if (ea->type != eb->type)
 		return (ISC_FALSE);
 	switch (ea->type) {
@@ -314,7 +314,7 @@ dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
 }
 
 isc_boolean_t
-dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
+dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b) {
 	unsigned int i;
 	if (a == b)
 		return (ISC_TRUE);
@@ -329,7 +329,7 @@ dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
 }
 
 static isc_boolean_t
-is_loopback(dns_aclipprefix_t *p) {
+is_loopback(const dns_aclipprefix_t *p) {
 	switch (p->address.family) {
 	case AF_INET:
 		if (p->prefixlen == 32 &&
@@ -348,7 +348,7 @@ is_loopback(dns_aclipprefix_t *p) {
 }
 
 isc_boolean_t
-dns_acl_isinsecure(dns_acl_t *a) {
+dns_acl_isinsecure(const dns_acl_t *a) {
 	unsigned int i;
 	for (i = 0; i < a->length; i++) {
 		dns_aclelement_t *e = &a->elements[i];
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 04e2de8957..4305e0c0de 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.45.2.10 2006/01/26 23:11:39 marka Exp $ */
+/* $Id: cache.c,v 1.45.2.11 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -378,7 +378,7 @@ dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp) {
 }
 
 isc_result_t
-dns_cache_setfilename(dns_cache_t *cache, char *filename) {
+dns_cache_setfilename(dns_cache_t *cache, const char *filename) {
 	char *newname;
 
 	REQUIRE(VALID_CACHE(cache));
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
index e5c7631538..fd241a7fb3 100644
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.50.2.2 2004/03/09 06:11:00 marka Exp $ */
+/* $Id: compress.c,v 1.50.2.3 2006/03/01 01:34:05 marka Exp $ */
 
 #define DNS_NAME_USEINLINE 1
 
@@ -111,7 +111,7 @@ do { \
  * If no match is found return ISC_FALSE.
  */
 isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
 			dns_name_t *prefix, isc_uint16_t *offset)
 {
 	dns_name_t tname, nname;
@@ -161,15 +161,15 @@ dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
 }
 
 static inline unsigned int
-name_length(dns_name_t *name) {
+name_length(const dns_name_t *name) {
 	isc_region_t r;
 	dns_name_toregion(name, &r);
 	return (r.length);
 }
 
 void
-dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
-		 isc_uint16_t offset)
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, isc_uint16_t offset)
 {
 	dns_name_t tname;
 	unsigned int start;
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index 674a9c44ae..7a38b8d1c2 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.20.2.1 2004/03/09 06:11:12 marka Exp $ */
+/* $Id: acl.h,v 1.20.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
@@ -104,7 +104,7 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
  */
 
 isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt);
+dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt);
 /*
  * Append an element to an existing ACL.
  */
@@ -128,13 +128,13 @@ void
 dns_acl_detach(dns_acl_t **aclp);
 
 isc_boolean_t
-dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb);
+dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb);
 
 isc_boolean_t
-dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
+dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b);
 
 isc_boolean_t
-dns_acl_isinsecure(dns_acl_t *a);
+dns_acl_isinsecure(const dns_acl_t *a);
 /*
  * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
  * if it contains IP addresses other than those of the local host.
@@ -154,12 +154,12 @@ void
 dns_aclenv_destroy(dns_aclenv_t *env);
 
 isc_result_t
-dns_acl_match(isc_netaddr_t *reqaddr,
-	      dns_name_t *reqsigner,
-	      dns_acl_t *acl,
-	      dns_aclenv_t *env,
+dns_acl_match(const isc_netaddr_t *reqaddr,
+	      const dns_name_t *reqsigner,
+	      const dns_acl_t *acl,
+	      const dns_aclenv_t *env,
 	      int *match,
-	      dns_aclelement_t **matchelt);
+	      const dns_aclelement_t **matchelt);
 /*
  * General, low-level ACL matching.  This is expected to
  * be useful even for weird stuff like the topology and sortlist statements.
@@ -185,11 +185,11 @@ dns_acl_match(isc_netaddr_t *reqaddr,
  */
 
 isc_boolean_t
-dns_aclelement_match(isc_netaddr_t *reqaddr,
-		     dns_name_t *reqsigner,
-		     dns_aclelement_t *e,
-		     dns_aclenv_t *env,		     
-		     dns_aclelement_t **matchelt);
+dns_aclelement_match(const isc_netaddr_t *reqaddr,
+		     const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e,
+		     const dns_aclenv_t *env,		     
+		     const dns_aclelement_t **matchelt);
 /*
  * Like dns_acl_match, but matches against the single ACL element 'e'
  * rather than a complete list and returns ISC_TRUE iff it matched.
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index 4b4d9c8880..18c50cdaca 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.h,v 1.17.2.1 2004/03/09 06:11:13 marka Exp $ */
+/* $Id: cache.h,v 1.17.2.2 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef DNS_CACHE_H
 #define DNS_CACHE_H 1
@@ -151,7 +151,7 @@ dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
 
 
 isc_result_t
-dns_cache_setfilename(dns_cache_t *cahce, char *filename);
+dns_cache_setfilename(dns_cache_t *cahce, const char *filename);
 /*
  * If 'filename' is non-NULL, make the cache persistent.
  * The cache's data will be stored in the given file.
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index 8d7191fc3f..c514c3163b 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.29.2.3 2004/03/09 06:11:14 marka Exp $ */
+/* $Id: compress.h,v 1.29.2.4 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
@@ -136,7 +136,7 @@ dns_compress_getedns(dns_compress_t *cctx);
  */
 
 isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
 			dns_name_t *prefix, isc_uint16_t *offset);
 /*
  *	Finds longest possible match of 'name' in the global compression table.
@@ -155,8 +155,8 @@ dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
  */
 
 void
-dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
-		 isc_uint16_t offset);
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, isc_uint16_t offset);
 /*
  *	Add compression pointers for 'name' to the compression table,
  *	not replacing existing pointers.
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index 6980cf808e..c9efb40139 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.h,v 1.22.2.3 2005/09/06 02:11:55 marka Exp $ */
+/* $Id: masterdump.h,v 1.22.2.4 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef DNS_MASTERDUMP_H
 #define DNS_MASTERDUMP_H 1
@@ -159,7 +159,7 @@ dns_master_questiontotext(dns_name_t *owner_name,
 
 isc_result_t
 dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    dns_name_t *owner_name,
+		    const dns_name_t *owner_name,
 		    dns_compress_t *cctx,
 		    isc_buffer_t *target,
 		    unsigned int *countp);
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index e084d43834..b49db0c582 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.100.2.6 2006/01/06 00:01:41 marka Exp $ */
+/* $Id: message.h,v 1.100.2.7 2006/03/01 01:34:05 marka Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -231,7 +231,7 @@ struct dns_message {
 	isc_region_t			saved;
 
 	dns_rdatasetorderfunc_t		order;
-	void *				order_arg;
+	const void *			order_arg;
 };
 
 /***
@@ -1247,7 +1247,7 @@ dns_message_getrawmessage(dns_message_t *msg);
 
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 void *order_arg);
+			 const void *order_arg);
 /*
  * Define the order in which RR sets get rendered by
  * dns_message_rendersection() to be the ascending order
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index d1f96d82ee..fe338830f1 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.95.2.9 2004/09/08 00:34:23 marka Exp $ */
+/* $Id: name.h,v 1.95.2.10 2006/03/01 01:34:07 marka Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -679,7 +679,7 @@ dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
 
 
 void
-dns_name_clone(dns_name_t *source, dns_name_t *target);
+dns_name_clone(const dns_name_t *source, dns_name_t *target);
 /*
  * Make 'target' refer to the same name as 'source'.
  *
@@ -796,7 +796,8 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
  */
 
 isc_result_t
-dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target);
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+		isc_buffer_t *target);
 /*
  * Convert 'name' into wire format, compressing it as specified by the
  * compression context 'cctx', and storing the result in 'target'.
@@ -1132,7 +1133,7 @@ dns_name_splitatdepth(dns_name_t *name, unsigned int depth,
  */
 
 isc_result_t
-dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
 /*
  * Make 'target' a dynamically allocated copy of 'source'.
  *
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index b6f6d00748..4854f2a8fc 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.41.2.8 2005/03/16 00:57:43 marka Exp $ */
+/* $Id: rdataset.h,v 1.41.2.9 2006/03/01 01:34:07 marka Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -306,7 +306,7 @@ dns_rdataset_totext(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    dns_name_t *owner_name,
+		    const dns_name_t *owner_name,
 		    dns_compress_t *cctx,
 		    isc_buffer_t *target,
 		    unsigned int *countp);
@@ -344,11 +344,11 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  dns_name_t *owner_name,
+			  const dns_name_t *owner_name,
 			  dns_compress_t *cctx,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
-			  void *order_arg,
+			  const void *order_arg,
 			  unsigned int *countp);
 /*
  * Like dns_rdataset_towire(), but sorting the rdatasets according to
@@ -362,11 +362,11 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   dns_name_t *owner_name,
+			   const dns_name_t *owner_name,
 			   dns_compress_t *cctx,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
-			   void *order_arg,
+			   const void *order_arg,
 			   unsigned int *countp,
 			   void **state);
 /*
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index df6d8a3b94..caa244708e 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.103.2.1 2004/03/09 06:11:24 marka Exp $ */
+/* $Id: types.h,v 1.103.2.2 2006/03/01 01:34:07 marka Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
@@ -299,6 +299,6 @@ typedef void
 (*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
 
 typedef int 
-(*dns_rdatasetorderfunc_t)(dns_rdata_t *rdata, void *arg);
+(*dns_rdatasetorderfunc_t)(const dns_rdata_t *rdata, const void *arg);
 
 #endif /* DNS_TYPES_H */
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index fb54b08b5d..5a633a8e61 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.106.2.9 2004/10/26 02:08:00 marka Exp $ */
+/* $Id: zone.h,v 1.106.2.10 2006/03/01 01:34:07 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -156,7 +156,7 @@ dns_zone_getview(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin);
 /*
  *	Sets the zones origin to 'origin'.
  *
@@ -393,11 +393,13 @@ dns_zone_maintenance(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
 		    isc_uint32_t count);
 isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
-			    dns_name_t **keynames, isc_uint32_t count);
+dns_zone_setmasterswithkeys(dns_zone_t *zone,
+			    const isc_sockaddr_t *masters,
+			    dns_name_t **keynames,
+			    isc_uint32_t count);
 /*
  *	Set the list of master servers for the zone.
  *
@@ -419,7 +421,7 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
  */
 
 isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 		       isc_uint32_t count);
 /*
  *	Set the list of additional servers to be notified when
@@ -504,7 +506,7 @@ dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val);
  */
 
 isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 /*
  * 	Set the source address to be used in IPv4 zone transfers.
  *
@@ -527,7 +529,7 @@ dns_zone_getxfrsource4(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 /*
  * 	Set the source address to be used in IPv6 zone transfers.
  *
@@ -550,7 +552,7 @@ dns_zone_getxfrsource6(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
 /*
  * 	Set the source address to be used with IPv4 NOTIFY messages.
  *
@@ -573,7 +575,7 @@ dns_zone_getnotifysrc4(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
 /*
  * 	Set the source address to be used with IPv6 NOTIFY messages.
  *
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 25eb2e4c79..a19014df1c 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.194.2.19 2006/01/05 01:04:30 marka Exp $ */
+/* $Id: message.c,v 1.194.2.20 2006/03/01 01:34:05 marka Exp $ */
 
 /***
  *** Imports
@@ -1799,7 +1799,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 		if (rdataset != NULL &&
 		    (rdataset->attributes & DNS_RDATASETATTR_REQUIREDGLUE) != 0 &&
 		    (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0) {
-			void *order_arg = msg->order_arg;
+			const void *order_arg = msg->order_arg;
 			st = *(msg->buffer);
 			count = 0;
 			if (partial)
@@ -3153,7 +3153,7 @@ dns_message_getrawmessage(dns_message_t *msg) {
 
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 void *order_arg)
+			 const void *order_arg)
 {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	msg->order = order;
diff --git a/lib/dns/name.c b/lib/dns/name.c
index 41ea103d21..e4fd8f87c5 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.127.2.12 2005/07/23 04:34:21 marka Exp $ */
+/* $Id: name.c,v 1.127.2.13 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -1032,7 +1032,7 @@ dns_name_getlabelsequence(const dns_name_t *source,
 }
 
 void
-dns_name_clone(dns_name_t *source, dns_name_t *target) {
+dns_name_clone(const dns_name_t *source, dns_name_t *target) {
 
 	/*
 	 * Make 'target' refer to the same name as 'source'.
@@ -2545,7 +2545,9 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 }
 
 isc_result_t
-dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target) {
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+		isc_buffer_t *target)
+{
 	unsigned int methods;
 	isc_uint16_t offset;
 	dns_name_t gp;	/* Global compression prefix */
@@ -3127,7 +3129,9 @@ dns_name_splitatdepth(dns_name_t *name, unsigned int depth,
 }
 
 isc_result_t
-dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
+	     dns_name_t *target)
+{
 	/*
 	 * Make 'target' a dynamically allocated copy of 'source'.
 	 */
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index f77765805c..534847d15c 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.58.2.5 2004/03/09 06:11:06 marka Exp $ */
+/* $Id: rdataset.c,v 1.58.2.6 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -272,9 +272,9 @@ towire_compare(const void *av, const void *bv) {
 }
 
 static isc_result_t
-towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	     dns_compress_t *cctx, isc_buffer_t *target,
-	     dns_rdatasetorderfunc_t order, void *order_arg,
+	     dns_rdatasetorderfunc_t order, const void *order_arg,
 	     isc_boolean_t partial, unsigned int *countp,
 	     void **state)
 {
@@ -483,11 +483,11 @@ towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  dns_name_t *owner_name,
+			  const dns_name_t *owner_name,
 			  dns_compress_t *cctx,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
-			  void *order_arg,
+			  const void *order_arg,
 			  unsigned int *countp)
 {
 	return (towiresorted(rdataset, owner_name, cctx, target,
@@ -496,11 +496,11 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   dns_name_t *owner_name,
+			   const dns_name_t *owner_name,
 			   dns_compress_t *cctx,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
-			   void *order_arg,
+			   const void *order_arg,
 			   unsigned int *countp,
 			   void **state)
 {
@@ -511,7 +511,7 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    dns_name_t *owner_name,
+		    const dns_name_t *owner_name,
 		    dns_compress_t *cctx,
 		    isc_buffer_t *target,
 		    unsigned int *countp)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index f046f5d30c..ce09bbcbca 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.333.2.42 2006/01/04 04:08:14 marka Exp $ */
+/* $Id: zone.c,v 1.333.2.43 2006/03/01 01:34:05 marka Exp $ */
 
 #include 
 
@@ -754,7 +754,7 @@ dns_zone_getview(dns_zone_t *zone) {
 
 
 isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin) {
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
 	isc_result_t result;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -1698,7 +1698,7 @@ dns_zone_getoptions(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1715,7 +1715,7 @@ dns_zone_getxfrsource4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1732,7 +1732,7 @@ dns_zone_getxfrsource6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1749,7 +1749,7 @@ dns_zone_getnotifysrc4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1766,7 +1766,7 @@ dns_zone_getnotifysrc6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 		       isc_uint32_t count)
 {
 	isc_sockaddr_t *new;
@@ -1796,7 +1796,7 @@ dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
 }
 
 isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
 		    isc_uint32_t count)
 {
 	isc_result_t result;
@@ -1806,8 +1806,10 @@ dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
 }
 
 isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
-			    dns_name_t **keynames, isc_uint32_t count)
+dns_zone_setmasterswithkeys(dns_zone_t *zone,
+			    const isc_sockaddr_t *masters,
+			    dns_name_t **keynames,
+			    isc_uint32_t count)
 {
 	isc_sockaddr_t *new;
 	isc_result_t result = ISC_R_SUCCESS;
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
index a18f1c623d..6bb470a43b 100644
--- a/lib/isc/include/isc/sockaddr.h
+++ b/lib/isc/include/isc/sockaddr.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.35.2.2 2004/03/09 06:12:01 marka Exp $ */
+/* $Id: sockaddr.h,v 1.35.2.3 2006/03/01 01:34:07 marka Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
@@ -138,7 +138,7 @@ isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
  */
 
 in_port_t
-isc_sockaddr_getport(isc_sockaddr_t *sockaddr);
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr);
 /*
  * Get the port stored in 'sockaddr'.
  */
@@ -157,7 +157,7 @@ isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target);
  */
 
 void
-isc_sockaddr_format(isc_sockaddr_t *sa, char *array, unsigned int size);
+isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
 /*
  * Format a human-readable representation of the socket address '*sa'
  * into the character array 'array', which is of size 'size'.
@@ -165,13 +165,13 @@ isc_sockaddr_format(isc_sockaddr_t *sa, char *array, unsigned int size);
  */
 
 isc_boolean_t
-isc_sockaddr_ismulticast(isc_sockaddr_t *sa);
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sa);
 /*
  * Returns ISC_TRUE if the address is a multicast address
  */
 
 isc_boolean_t
-isc_sockaddr_isexperimental(isc_sockaddr_t *sa);
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sa);
 /*
  * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
  */
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
index 55ff8b57ab..b65529093e 100644
--- a/lib/isc/include/isc/symtab.h
+++ b/lib/isc/include/isc/symtab.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.16.2.1 2004/03/09 06:12:02 marka Exp $ */
+/* $Id: symtab.h,v 1.16.2.2 2006/03/01 01:34:07 marka Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
@@ -88,6 +88,7 @@
 
 typedef union isc_symvalue {
 	void *				as_pointer;
+	const void *			as_cpointer;
 	int				as_integer;
 	unsigned int			as_uinteger;
 } isc_symvalue_t;
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
index 89562118f5..58b9fe6f17 100644
--- a/lib/isc/sockaddr.c
+++ b/lib/isc/sockaddr.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.48.2.5 2004/03/09 06:11:51 marka Exp $ */
+/* $Id: sockaddr.c,v 1.48.2.6 2006/03/01 01:34:07 marka Exp $ */
 
 #include 
 
@@ -155,7 +155,7 @@ isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
 }
 
 void
-isc_sockaddr_format(isc_sockaddr_t *sa, char *array, unsigned int size) {
+isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size) {
 	isc_result_t result;
 	isc_buffer_t buf;
 
@@ -388,7 +388,7 @@ isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) {
 }
 
 in_port_t
-isc_sockaddr_getport(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr) {
 	in_port_t port = 0;
 
 	switch (sockaddr->type.sa.sa_family) {
@@ -410,7 +410,7 @@ isc_sockaddr_getport(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_ismulticast(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
@@ -418,7 +418,7 @@ isc_sockaddr_ismulticast(isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_isexperimental(isc_sockaddr_t *sockaddr) {
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	if (sockaddr->type.sa.sa_family == AF_INET) {
diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index a69a4fdb91..7f09f76245 100644
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.14.2.26 2004/11/22 05:01:37 marka Exp $ */
+/* $Id: check.c,v 1.14.2.27 2006/03/01 01:34:07 marka Exp $ */
 
 #include 
 
@@ -45,9 +45,9 @@ freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
 }
 
 static isc_result_t
-check_forward(cfg_obj_t *options, isc_log_t *logctx) {
-	cfg_obj_t *forward = NULL;
-	cfg_obj_t *forwarders = NULL;
+check_forward(const cfg_obj_t *options, isc_log_t *logctx) {
+	const cfg_obj_t *forward = NULL;
+	const cfg_obj_t *forwarders = NULL;
 
 	(void)cfg_map_get(options, "forward", &forward);
 	(void)cfg_map_get(options, "forwarders", &forwarders);
@@ -66,10 +66,10 @@ typedef struct {
 } intervaltable;
 
 static isc_result_t
-check_options(cfg_obj_t *options, isc_log_t *logctx) {
+check_options(const cfg_obj_t *options, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	unsigned int i;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 
 	static intervaltable intervals[] = {
 	{ "cleaning-interval", 60 },
@@ -89,7 +89,7 @@ check_options(cfg_obj_t *options, isc_log_t *logctx) {
 	 */
 	for (i = 0; i < sizeof(intervals) / sizeof(intervals[0]); i++) {
 		isc_uint32_t val;
-		cfg_obj_t *obj = NULL;
+		const cfg_obj_t *obj = NULL;
 		(void)cfg_map_get(options, intervals[i].name, &obj);
 		if (obj == NULL)
 			continue;
@@ -106,9 +106,9 @@ check_options(cfg_obj_t *options, isc_log_t *logctx) {
 	(void)cfg_map_get(options, "root-delegation-only", &obj);
 	if (obj != NULL) {
 		if (!cfg_obj_isvoid(obj)) {
-			cfg_listelt_t *element;
-			cfg_obj_t *exclude;
-			char *str;
+			const cfg_listelt_t *element;
+			const cfg_obj_t *exclude;
+			const char *str;
 			dns_fixedname_t fixed;
 			dns_name_t *name;
 			isc_buffer_t b;
@@ -151,15 +151,15 @@ typedef struct {
 } optionstable;
 
 static isc_result_t
-check_zoneconf(cfg_obj_t *zconfig, isc_symtab_t *symtab, isc_log_t *logctx,
-	       isc_mem_t *mctx)
+check_zoneconf(const cfg_obj_t *zconfig, isc_symtab_t *symtab,
+	       isc_log_t *logctx, isc_mem_t *mctx)
 {
 	const char *zname;
 	const char *typestr;
 	unsigned int ztype;
-	cfg_obj_t *zoptions;
-	cfg_obj_t *obj = NULL;
-	cfg_obj_t *addrlist = NULL;
+	const cfg_obj_t *zoptions;
+	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *addrlist = NULL;
 	isc_symvalue_t symvalue;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
@@ -349,10 +349,10 @@ check_zoneconf(cfg_obj_t *zconfig, isc_symtab_t *symtab, isc_log_t *logctx,
 	 * Check the excessively complicated "dialup" option.
 	 */
 	if (ztype == MASTERZONE || ztype == SLAVEZONE || ztype == STUBZONE) {
-		cfg_obj_t *dialup = NULL;
+		const cfg_obj_t *dialup = NULL;
 		cfg_map_get(zoptions, "dialup", &dialup);
 		if (dialup != NULL && cfg_obj_isstring(dialup)) {
-			char *str = cfg_obj_asstring(dialup);
+			const char *str = cfg_obj_asstring(dialup);
 			for (i = 0;
 			     i < sizeof(dialups) / sizeof(dialups[0]);
 			     i++)
@@ -417,9 +417,9 @@ check_zoneconf(cfg_obj_t *zconfig, isc_symtab_t *symtab, isc_log_t *logctx,
 }
 
 isc_result_t
-cfg_check_key(cfg_obj_t *key, isc_log_t *logctx) {
-	cfg_obj_t *algobj = NULL;
-	cfg_obj_t *secretobj = NULL;
+cfg_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
 	const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
 	
 	cfg_map_get(key, "algorithm", &algobj);
@@ -435,16 +435,16 @@ cfg_check_key(cfg_obj_t *key, isc_log_t *logctx) {
 }
 		
 static isc_result_t
-check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
+check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
-	cfg_listelt_t *element;
+	const cfg_listelt_t *element;
 
 	for (element = cfg_list_first(keys);
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *key = cfg_listelt_value(element);
+		const cfg_obj_t *key = cfg_listelt_value(element);
 		const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
 		isc_symvalue_t symvalue;
 
@@ -466,11 +466,11 @@ check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 }
 
 static isc_result_t
-check_servers(cfg_obj_t *servers, isc_log_t *logctx) {
+check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
 	isc_result_t result = ISC_R_SUCCESS;
-	cfg_listelt_t *e1, *e2;
-	cfg_obj_t *v1, *v2;
-	isc_sockaddr_t *s1, *s2;
+	const cfg_listelt_t *e1, *e2;
+	const cfg_obj_t *v1, *v2;
+	const isc_sockaddr_t *s1, *s2;
 	isc_netaddr_t na;
 
 	for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
@@ -501,12 +501,13 @@ check_servers(cfg_obj_t *servers, isc_log_t *logctx) {
 }
   		
 static isc_result_t
-check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, isc_log_t *logctx, isc_mem_t *mctx)
+check_viewconf(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+	       isc_log_t *logctx, isc_mem_t *mctx)
 {
-	cfg_obj_t *servers = NULL;
-	cfg_obj_t *zones = NULL;
-	cfg_obj_t *keys = NULL;
-	cfg_listelt_t *element;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *zones = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_listelt_t *element;
 	isc_symtab_t *symtab = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult = ISC_R_SUCCESS;
@@ -529,7 +530,7 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, isc_log_t *logctx, isc_mem
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		cfg_obj_t *zone = cfg_listelt_value(element);
+		const cfg_obj_t *zone = cfg_listelt_value(element);
 
 		if (check_zoneconf(zone, symtab, logctx, mctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
@@ -572,7 +573,7 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, isc_log_t *logctx, isc_mem
 	 * Check that forwarding is reasonable.
 	 */
 	if (vconfig == NULL) {
-		cfg_obj_t *options = NULL;
+		const cfg_obj_t *options = NULL;
 		cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			if (check_forward(options, logctx) != ISC_R_SUCCESS)
@@ -602,13 +603,15 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, isc_log_t *logctx, isc_mem
 
 
 isc_result_t
-cfg_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
-	cfg_obj_t *options = NULL;
-	cfg_obj_t *servers = NULL;
-	cfg_obj_t *views = NULL;
-	cfg_obj_t *acls = NULL;
-	cfg_obj_t *obj;
-	cfg_listelt_t *velement;
+cfg_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
+		    isc_mem_t *mctx)
+{ 
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *views = NULL;
+	const cfg_obj_t *acls = NULL;
+	const cfg_obj_t *obj;
+	const cfg_listelt_t *velement;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	isc_symtab_t *symtab = NULL;
@@ -634,7 +637,7 @@ cfg_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 				   != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	} else {
-		cfg_obj_t *zones = NULL;
+		const cfg_obj_t *zones = NULL;
 
 		(void)cfg_map_get(config, "zone", &zones);
 		if (zones != NULL) {
@@ -652,10 +655,10 @@ cfg_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 	     velement != NULL;
 	     velement = cfg_list_next(velement))
 	{
-		cfg_obj_t *view = cfg_listelt_value(velement);
-		cfg_obj_t *vname = cfg_tuple_get(view, "name");
-		cfg_obj_t *voptions = cfg_tuple_get(view, "options");
-		cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
+		const cfg_obj_t *view = cfg_listelt_value(velement);
+		const cfg_obj_t *vname = cfg_tuple_get(view, "name");
+		const cfg_obj_t *voptions = cfg_tuple_get(view, "options");
+		const cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
 		dns_rdataclass_t vclass = dns_rdataclass_in;
 		isc_result_t tresult = ISC_R_SUCCESS;
 		const char *key = cfg_obj_asstring(vname);
@@ -673,7 +676,7 @@ cfg_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 					    cfg_obj_asstring(vname), r.base);
 		}
 		if (tresult == ISC_R_SUCCESS && symtab != NULL) {
-			symvalue.as_pointer = view;
+			symvalue.as_cpointer = view;
 			tresult = isc_symtab_define(symtab, key, vclass,
 						    symvalue,
 						    isc_symexists_reject);
@@ -713,14 +716,14 @@ cfg_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 
         tresult = cfg_map_get(config, "acl", &acls);
         if (tresult == ISC_R_SUCCESS) {
-		cfg_listelt_t *elt;
-		cfg_listelt_t *elt2;
+		const cfg_listelt_t *elt;
+		const cfg_listelt_t *elt2;
 		const char *aclname;
 
 		for (elt = cfg_list_first(acls);
 		     elt != NULL;
 		     elt = cfg_list_next(elt)) {
-			cfg_obj_t *acl = cfg_listelt_value(elt);
+			const cfg_obj_t *acl = cfg_listelt_value(elt);
 			unsigned int i;
 
 			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
@@ -739,7 +742,7 @@ cfg_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
 			for (elt2 = cfg_list_next(elt);
 			     elt2 != NULL;
 			     elt2 = cfg_list_next(elt2)) {
-				cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
 				const char *name;
 				name = cfg_obj_asstring(cfg_tuple_get(acl2,
 								      "name"));
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
index c7fa8cbafb..46c04c90b3 100644
--- a/lib/isccfg/include/isccfg/cfg.h
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg.h,v 1.30.2.1 2004/03/09 06:12:31 marka Exp $ */
+/* $Id: cfg.h,v 1.30.2.2 2006/03/01 01:34:08 marka Exp $ */
 
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1
@@ -75,7 +75,7 @@ typedef struct cfg_listelt cfg_listelt_t;
  * "directory".
  */
 typedef isc_result_t
-(*cfg_parsecallback_t)(const char *clausename, cfg_obj_t *obj, void *arg);
+(*cfg_parsecallback_t)(const char *clausename, const cfg_obj_t *obj, void *arg);
 
 /***
  *** Functions
@@ -144,20 +144,20 @@ cfg_parser_destroy(cfg_parser_t **pctxp);
  */
 
 isc_boolean_t
-cfg_obj_isvoid(cfg_obj_t *obj);
+cfg_obj_isvoid(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of void type (e.g., an optional 
  * value not specified).
  */
 
 isc_boolean_t
-cfg_obj_ismap(cfg_obj_t *obj);
+cfg_obj_ismap(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of a map type.
  */
 
 isc_result_t
-cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj);
+cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj);
 /*
  * Extract an element from a configuration object, which
  * must be of a map type.
@@ -172,8 +172,8 @@ cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj);
  *      ISC_R_NOTFOUND                 - name not found in map
  */
 
-cfg_obj_t *
-cfg_map_getname(cfg_obj_t *mapobj);
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj);
 /*
  * Get the name of a named map object, like a server "key" clause.
  *
@@ -186,13 +186,13 @@ cfg_map_getname(cfg_obj_t *mapobj);
  */
 
 isc_boolean_t
-cfg_obj_istuple(cfg_obj_t *obj);
+cfg_obj_istuple(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of a map type.
  */
 
-cfg_obj_t *
-cfg_tuple_get(cfg_obj_t *tupleobj, const char *name);
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name);
 /*
  * Extract an element from a configuration object, which
  * must be of a tuple type.
@@ -204,13 +204,13 @@ cfg_tuple_get(cfg_obj_t *tupleobj, const char *name);
  */
 
 isc_boolean_t
-cfg_obj_isuint32(cfg_obj_t *obj);
+cfg_obj_isuint32(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint32_t
-cfg_obj_asuint32(cfg_obj_t *obj);
+cfg_obj_asuint32(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of 32-bit integer type.
  *
@@ -222,13 +222,13 @@ cfg_obj_asuint32(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isuint64(cfg_obj_t *obj);
+cfg_obj_isuint64(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint64_t
-cfg_obj_asuint64(cfg_obj_t *obj);
+cfg_obj_asuint64(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of 64-bit integer type.
  *
@@ -240,13 +240,13 @@ cfg_obj_asuint64(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isstring(cfg_obj_t *obj);
+cfg_obj_isstring(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of string type.
  */
 
-char *
-cfg_obj_asstring(cfg_obj_t *obj);
+const char *
+cfg_obj_asstring(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of a string type
  * as a null-terminated string.
@@ -259,13 +259,13 @@ cfg_obj_asstring(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isboolean(cfg_obj_t *obj);
+cfg_obj_isboolean(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of a boolean type.
  */
 
 isc_boolean_t
-cfg_obj_asboolean(cfg_obj_t *obj);
+cfg_obj_asboolean(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of a boolean type.
  *
@@ -277,13 +277,13 @@ cfg_obj_asboolean(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_issockaddr(cfg_obj_t *obj);
+cfg_obj_issockaddr(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is a socket address.
  */
 
-isc_sockaddr_t *
-cfg_obj_assockaddr(cfg_obj_t *obj);
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object representing a socket address.
  *
@@ -296,13 +296,13 @@ cfg_obj_assockaddr(cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isnetprefix(cfg_obj_t *obj);
+cfg_obj_isnetprefix(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is a network prefix.
  */
 
 void
-cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
 		    unsigned int *prefixlen);
 /*
  * Gets the value of a configuration object representing a network
@@ -315,13 +315,13 @@ cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
  */
 
 isc_boolean_t
-cfg_obj_islist(cfg_obj_t *obj);
+cfg_obj_islist(const cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of list type.
  */
 
-cfg_listelt_t *
-cfg_list_first(cfg_obj_t *obj);
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj);
 /*
  * Returns the first list element in a configuration object of a list type.
  *
@@ -333,8 +333,8 @@ cfg_list_first(cfg_obj_t *obj);
  * 	or NULL if the list is empty or nonexistent.
  */
 
-cfg_listelt_t *
-cfg_list_next(cfg_listelt_t *elt);
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt);
 /*
  * Returns the next element of a list of configuration objects.
  *
@@ -347,8 +347,8 @@ cfg_list_next(cfg_listelt_t *elt);
  * 	or NULL if there are no more elements.
  */
 
-cfg_obj_t *
-cfg_listelt_value(cfg_listelt_t *elt);
+const cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt);
 /*
  * Returns the configuration object associated with cfg_listelt_t.
  *
@@ -361,7 +361,7 @@ cfg_listelt_value(cfg_listelt_t *elt);
  */
 
 void
-cfg_print(cfg_obj_t *obj,
+cfg_print(const cfg_obj_t *obj,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure);
 /*
@@ -379,7 +379,7 @@ cfg_print_grammar(const cfg_type_t *type,
  */
 
 isc_boolean_t
-cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type);
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type);
 /*
  * Return true iff 'obj' is of type 'type'. 
  */
@@ -390,7 +390,8 @@ void cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
  */
 
 void
-cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...)
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
+            const char *fmt, ...)
 	ISC_FORMAT_PRINTF(4, 5);
 /*
  * Log a message concerning configuration object 'obj' to the logging
diff --git a/lib/isccfg/include/isccfg/check.h b/lib/isccfg/include/isccfg/check.h
index b45e385a10..0c9811673c 100644
--- a/lib/isccfg/include/isccfg/check.h
+++ b/lib/isccfg/include/isccfg/check.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.h,v 1.4.2.1 2004/03/09 06:12:31 marka Exp $ */
+/* $Id: check.h,v 1.4.2.2 2006/03/01 01:34:08 marka Exp $ */
 
 #ifndef ISCCFG_CHECK_H
 #define ISCCFG_CHECK_H 1
@@ -28,7 +28,8 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-cfg_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx);
+cfg_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
+		    isc_mem_t *mctx);
 /*
  * Check the syntactic validity of a configuration parse tree generated from
  * a named.conf file.
@@ -44,7 +45,7 @@ cfg_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx);
  */
 
 isc_result_t
-cfg_check_key(cfg_obj_t *config, isc_log_t *logctx);
+cfg_check_key(const cfg_obj_t *config, isc_log_t *logctx);
 /*
  * As above, but for a single 'key' statement.
  */
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index 7d48910da4..32146a167f 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.70.2.27 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: parser.c,v 1.70.2.28 2006/03/01 01:34:07 marka Exp $ */
 
 #include 
 
@@ -101,7 +101,7 @@ typedef struct cfg_rep cfg_rep_t;
 
 typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
 					cfg_obj_t **);
-typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, cfg_obj_t *);
+typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, const cfg_obj_t *);
 typedef void	     (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
 
 
@@ -290,7 +290,7 @@ static void
 print(cfg_printer_t *pctx, const char *text, int len);
 
 static void
-print_void(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_void(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static isc_result_t
 parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
@@ -300,13 +300,13 @@ static isc_result_t
 parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static isc_result_t
 parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_map(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_map(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static isc_result_t
 parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@@ -318,13 +318,13 @@ static isc_result_t
 parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_list(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static isc_result_t
 parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static void
 free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj);
@@ -333,10 +333,10 @@ static isc_result_t
 parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static void
-print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static isc_result_t
 parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@@ -345,7 +345,7 @@ static isc_result_t
 parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static isc_result_t
 parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@@ -354,7 +354,7 @@ static isc_result_t
 parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
 static void
-print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static isc_result_t
 parse_symtab_elt(cfg_parser_t *pctx, const char *name,
@@ -389,10 +389,10 @@ parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
 		unsigned int flags, const char *format, va_list args);
 
 static void
-print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static void
-print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj);
+print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj);
 
 static isc_result_t
 parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@@ -1132,7 +1132,7 @@ static cfg_type_t cfg_type_logging = {
 /* Functions. */
 
 static void
-print_obj(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	obj->type->print(pctx, obj);
 }
 
@@ -1175,7 +1175,7 @@ parse(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 void
-cfg_print(cfg_obj_t *obj,
+cfg_print(const cfg_obj_t *obj,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure)
 {
@@ -1241,7 +1241,7 @@ parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 static void
-print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	unsigned int i;
 	const cfg_tuplefielddef_t *fields = obj->type->of;
 	const cfg_tuplefielddef_t *f;
@@ -1275,13 +1275,13 @@ free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_istuple(cfg_obj_t *obj) {
+cfg_obj_istuple(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_tuple));
 }
 
-cfg_obj_t *
-cfg_tuple_get(cfg_obj_t *tupleobj, const char* name) {
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char* name) {
 	unsigned int i;
 	const cfg_tuplefielddef_t *fields;
 	const cfg_tuplefielddef_t *f;
@@ -1536,13 +1536,13 @@ parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 static void
-print_void(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_void(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	UNUSED(pctx);
 	UNUSED(obj);
 }
 
 isc_boolean_t
-cfg_obj_isvoid(cfg_obj_t *obj) {
+cfg_obj_isvoid(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_void));
 }
@@ -1587,18 +1587,18 @@ print_uint(cfg_printer_t *pctx, unsigned int u) {
 }
 
 static void
-print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	print_uint(pctx, obj->value.uint32);
 }
 
 isc_boolean_t
-cfg_obj_isuint32(cfg_obj_t *obj) {
+cfg_obj_isuint32(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_uint32));
 }
 
 isc_uint32_t
-cfg_obj_asuint32(cfg_obj_t *obj) {
+cfg_obj_asuint32(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint32);
 	return (obj->value.uint32);
 }
@@ -1611,13 +1611,13 @@ static cfg_type_t cfg_type_uint32 = {
  * uint64
  */
 isc_boolean_t
-cfg_obj_isuint64(cfg_obj_t *obj) {
+cfg_obj_isuint64(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_uint64));
 }
 
 isc_uint64_t
-cfg_obj_asuint64(cfg_obj_t *obj) {
+cfg_obj_asuint64(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint64);
 	return (obj->value.uint64);
 }
@@ -1662,7 +1662,7 @@ parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
 }
 
 static void
-print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	char buf[32];
 	sprintf(buf, "%" ISC_PRINT_QUADFORMAT "u", obj->value.uint64);
 	print_cstr(pctx, buf);
@@ -1768,7 +1768,7 @@ parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
 }
 
 static void
-print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	const keyword_type_t *kw = obj->type->of;
 	print_cstr(pctx, kw->name);
 	print(pctx, " ", 1);
@@ -1907,12 +1907,12 @@ parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
  * Print a string object.
  */
 static void
-print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	print(pctx, obj->value.string.base, obj->value.string.length);
 }
 
 static void
-print_qstring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_qstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	print(pctx, "\"", 1);
 	print_ustring(pctx, obj);
 	print(pctx, "\"", 1);
@@ -1925,25 +1925,25 @@ free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_isstring(cfg_obj_t *obj) {
+cfg_obj_isstring(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_string));
 }
 
-char *
-cfg_obj_asstring(cfg_obj_t *obj) {
+const char *
+cfg_obj_asstring(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_string);
 	return (obj->value.string.base);
 }
 
 isc_boolean_t
-cfg_obj_isboolean(cfg_obj_t *obj) {
+cfg_obj_isboolean(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_boolean));
 }
 
 isc_boolean_t
-cfg_obj_asboolean(cfg_obj_t *obj) {
+cfg_obj_asboolean(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_boolean);
 	return (obj->value.boolean);
 }
@@ -2005,7 +2005,7 @@ parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 static void
-print_boolean(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	if (obj->value.boolean)
 		print(pctx, "yes", 3);
 	else
@@ -2151,9 +2151,9 @@ parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
 }
 
 static void
-print_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
-	cfg_list_t *list = &obj->value.list;
-	cfg_listelt_t *elt;
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = &obj->value.list;
+	const cfg_listelt_t *elt;
 
 	for (elt = ISC_LIST_HEAD(*list);
 	     elt != NULL;
@@ -2176,7 +2176,7 @@ parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret
 }
 
 static void
-print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	print_open(pctx);
 	print_list(pctx, obj);
 	print_close(pctx);
@@ -2215,9 +2215,9 @@ parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
 }
 
 static void
-print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj) {
-	cfg_list_t *list = &obj->value.list;
-	cfg_listelt_t *elt;
+print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = &obj->value.list;
+	const cfg_listelt_t *elt;
 
 	for (elt = ISC_LIST_HEAD(*list);
 	     elt != NULL;
@@ -2229,27 +2229,27 @@ print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_islist(cfg_obj_t *obj) {
+cfg_obj_islist(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_list));
 }
 
-cfg_listelt_t *
-cfg_list_first(cfg_obj_t *obj) {
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj) {
 	REQUIRE(obj == NULL || obj->type->rep == &cfg_rep_list);
 	if (obj == NULL)
 		return (NULL);
 	return (ISC_LIST_HEAD(obj->value.list));
 }
 
-cfg_listelt_t *
-cfg_list_next(cfg_listelt_t *elt) {
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt) {
 	REQUIRE(elt != NULL);
 	return (ISC_LIST_NEXT(elt, link));
 }
 
-cfg_obj_t *
-cfg_listelt_value(cfg_listelt_t *elt) {
+const cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt) {
 	REQUIRE(elt != NULL);
 	return (elt->obj);
 }
@@ -2509,7 +2509,7 @@ parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 static void
-print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_result_t result = ISC_R_SUCCESS;
 
 	const cfg_clausedef_t * const *clauseset;
@@ -2559,7 +2559,7 @@ print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj) {
 }
 
 static void
-print_map(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_map(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	if (obj->value.map.id != NULL) {
 		print_obj(pctx, obj->value.map.id);
 		print(pctx, " ", 1);
@@ -2570,16 +2570,16 @@ print_map(cfg_printer_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_ismap(cfg_obj_t *obj) {
+cfg_obj_ismap(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_map));
 }
 
 isc_result_t
-cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj) {
+cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj) {
 	isc_result_t result;
 	isc_symvalue_t val;
-	cfg_map_t *map;
+	const cfg_map_t *map;
 	
 	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
 	REQUIRE(name != NULL);
@@ -2594,8 +2594,8 @@ cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj) {
 	return (ISC_R_SUCCESS);
 }
 
-cfg_obj_t *
-cfg_map_getname(cfg_obj_t *mapobj) {
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj) {
 	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
 	return (mapobj->value.map.id);
 }
@@ -2936,7 +2936,7 @@ parse_querysource6(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 static void
-print_isc_netaddr(cfg_printer_t *pctx, isc_netaddr_t *na) {
+print_isc_netaddr(cfg_printer_t *pctx, const isc_netaddr_t *na) {
 	isc_result_t result;
 	char text[128];
 	isc_buffer_t buf;
@@ -2948,7 +2948,7 @@ print_isc_netaddr(cfg_printer_t *pctx, isc_netaddr_t *na) {
 }
 
 static void
-print_querysource(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_netaddr_t na;
 	isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
 	print(pctx, "address ", 8);
@@ -3038,21 +3038,21 @@ parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 static void
-print_netprefix(cfg_printer_t *pctx, cfg_obj_t *obj) {
-	cfg_netprefix_t *p = &obj->value.netprefix;
+print_netprefix(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_netprefix_t *p = &obj->value.netprefix;
 	print_isc_netaddr(pctx, &p->address);
 	print(pctx, "/", 1);
 	print_uint(pctx, p->prefixlen);
 }
 
 isc_boolean_t
-cfg_obj_isnetprefix(cfg_obj_t *obj) {
+cfg_obj_isnetprefix(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_netprefix));
 }
 
 void
-cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
 		    unsigned int *prefixlen) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_netprefix);
 	*netaddr = obj->value.netprefix.address;
@@ -3115,7 +3115,7 @@ static cfg_tuplefielddef_t negated_fields[] = {
 };
 
 static void
-print_negated(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_negated(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	print(pctx, "!", 1);
 	print_tuple(pctx, obj);
 }
@@ -3167,7 +3167,7 @@ parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 static void
-print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	isc_netaddr_t netaddr;
 	in_port_t port;
 	char buf[ISC_NETADDR_FORMATSIZE];
@@ -3183,13 +3183,13 @@ print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_issockaddr(cfg_obj_t *obj) {
+cfg_obj_issockaddr(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_sockaddr));
 }
 
-isc_sockaddr_t *
-cfg_obj_assockaddr(cfg_obj_t *obj) {
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
 	return (&obj->value.sockaddr);
 }
@@ -3400,7 +3400,7 @@ parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 static void
-print_logfile(cfg_printer_t *pctx, cfg_obj_t *obj) {
+print_logfile(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	print_obj(pctx, obj->value.tuple[0]); /* file */
 	if (obj->value.tuple[1]->type->print != print_void) {
 		print(pctx, " versions ", 10);
@@ -3720,7 +3720,8 @@ parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
 }
 
 void
-cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...) {
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
+	    const char *fmt, ...) {
 	va_list ap;
 	char msgbuf[2048];
 
@@ -3794,7 +3795,7 @@ free_map(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type) {
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type) {
 	return (ISC_TF(obj->type == type));
 }
 

From 2c4ae1d331c98beba03a337a58e9b44aec98d663 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 1 Mar 2006 02:05:11 +0000
Subject: [PATCH 065/465] 1992.   [bug]           Not all incoming zone tranfer
 messages included the                         view.  [RT #15825]

---
 CHANGES         |  3 +++
 lib/dns/xfrin.c | 46 ++++++++++++++++++++++++----------------------
 2 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0d7d8fd621..1493f2ae15 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1992.	[bug]		Not all incoming zone tranfer messages included the
+			view.  [RT #15825]
+
 1991.	[cleanup]	The configuration data, once read, should be treated
 			as readonly.  Expand the use of const to enforce this
 			at compile time. [RT #15813]
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index e0595558f1..2b640eedc7 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.145 2006/01/04 23:50:24 marka Exp $ */
+/* $Id: xfrin.c,v 1.146 2006/03/01 02:05:11 marka Exp $ */
 
 /*! \file */
 
@@ -224,14 +224,14 @@ static isc_result_t
 render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf);
 
 static void
-xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
-	   isc_sockaddr_t *masteraddr, const char *fmt, va_list ap)
-     ISC_FORMAT_PRINTF(5, 0);
+xfrin_logv(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, va_list ap)
+     ISC_FORMAT_PRINTF(4, 0);
 
 static void
-xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
-	   isc_sockaddr_t *masteraddr, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(5, 6);
+xfrin_log1(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, ...)
+     ISC_FORMAT_PRINTF(4, 5);
 
 static void
 xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
@@ -604,9 +604,12 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
  failure:
 	if (db != NULL)
 		dns_db_detach(&db);
-	if (result != ISC_R_SUCCESS)
-		xfrin_log1(ISC_LOG_ERROR, zonename, dns_zone_getclass(zone),
-			   masteraddr, "zone transfer setup failed");
+	if (result != ISC_R_SUCCESS) {
+		char zonetext[DNS_NAME_MAXTEXT+32];
+		dns_zone_name(zone, zonetext, sizeof(zonetext));
+		xfrin_log1(ISC_LOG_ERROR, zonetext, masteraddr,
+			   "zone transfer setup failed");
+	}
 	return (result);
 }
 
@@ -1364,23 +1367,19 @@ maybe_free(dns_xfrin_ctx_t *xfr) {
  * transfer of  from 
: 
  */
 static void
-xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
-	   isc_sockaddr_t *masteraddr, const char *fmt, va_list ap)
+xfrin_logv(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, va_list ap)
 {
-	char zntext[DNS_NAME_FORMATSIZE];
 	char mastertext[ISC_SOCKADDR_FORMATSIZE];
-	char classtext[DNS_RDATACLASS_FORMATSIZE];
 	char msgtext[2048];
 
-	dns_name_format(zonename, zntext, sizeof(zntext));
-	dns_rdataclass_format(rdclass, classtext, sizeof(classtext));
 	isc_sockaddr_format(masteraddr, mastertext, sizeof(mastertext));
 	vsnprintf(msgtext, sizeof(msgtext), fmt, ap);
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_XFER_IN,
 		      DNS_LOGMODULE_XFER_IN, level,
-		      "transfer of '%s/%s' from %s: %s",
-		      zntext, classtext, mastertext, msgtext);
+		      "transfer of '%s' from %s: %s",
+		      zonetext, mastertext, msgtext);
 }
 
 /*
@@ -1388,8 +1387,8 @@ xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
  */
 
 static void
-xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
-	   isc_sockaddr_t *masteraddr, const char *fmt, ...)
+xfrin_log1(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+           const char *fmt, ...)
 {
 	va_list ap;
 
@@ -1397,7 +1396,7 @@ xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
 		return;
 
 	va_start(ap, fmt);
-	xfrin_logv(level, zonename, rdclass, masteraddr, fmt, ap);
+	xfrin_logv(level, zonetext, masteraddr, fmt, ap);
 	va_end(ap);
 }
 
@@ -1409,11 +1408,14 @@ static void
 xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
 {
 	va_list ap;
+	char zonetext[DNS_NAME_MAXTEXT+32];
 
 	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
 		return;
 
+	dns_zone_name(xfr->zone, zonetext, sizeof(zonetext));
+
 	va_start(ap, fmt);
-	xfrin_logv(level, &xfr->name, xfr->rdclass, &xfr->masteraddr, fmt, ap);
+	xfrin_logv(level, zonetext, &xfr->masteraddr, fmt, ap);
 	va_end(ap);
 }

From 5581e28ed8c05350ce6119230c223da60dafdbaf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 1 Mar 2006 02:09:46 +0000
Subject: [PATCH 066/465] spelling

---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 1493f2ae15..ac6c13eb23 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,4 @@
-1992.	[bug]		Not all incoming zone tranfer messages included the
+1992.	[bug]		Not all incoming zone transfer messages included the
 			view.  [RT #15825]
 
 1991.	[cleanup]	The configuration data, once read, should be treated

From 7042126e8a10315255144989f7723f0510558928 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 1 Mar 2006 02:20:41 +0000
Subject: [PATCH 067/465] 1993.   [bug]           Log messsage, via syslog,
 were missing the space                         after the timestamp if
 "print-time yes" was specified.                         [RT #15844]

---
 CHANGES       | 4 ++++
 lib/isc/log.c | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index ac6c13eb23..530b30c160 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1993.	[bug]		Log messsage, via syslog, were missing the space
+			after the timestamp if "print-time yes" was specified.
+			[RT #15844]
+
 1992.	[bug]		Not all incoming zone transfer messages included the
 			view.  [RT #15825]
 
diff --git a/lib/isc/log.c b/lib/isc/log.c
index 998156aeb0..dbbb43a70d 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.90 2005/07/12 01:00:17 marka Exp $ */
+/* $Id: log.c,v 1.91 2006/03/01 02:20:41 marka Exp $ */
 
 /*! \file
  * \author  Principal Authors: DCL */
@@ -1735,8 +1735,9 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 				syslog_level = syslog_map[-level];
 
 			(void)syslog(FACILITY(channel) | syslog_level,
-			       "%s%s%s%s%s%s%s%s%s",
+			       "%s%s%s%s%s%s%s%s%s%s",
 			       printtime     ? time_string	: "",
+			       printtime     ? " "		: "",
 			       printtag      ? lcfg->tag	: "",
 			       printtag      ? ": "		: "",
 			       printcategory ? category->name	: "",

From 25c18fded02c5df8391a333e90ea776b52bff079 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 1 Mar 2006 02:32:46 +0000
Subject: [PATCH 068/465] 1994.   [port]          OpenSSL 0.9.8 support. [RT
 #15694]

---
 CHANGES                   |   2 +
 config.h.in               |  11 +-
 configure                 | 354 ++++++++++++++++++++++++++++++++++----
 configure.in              |  11 +-
 lib/dns/openssldh_link.c  |  75 +++++++-
 lib/dns/openssldsa_link.c |  79 ++++++++-
 lib/dns/opensslrsa_link.c |  96 ++++++++++-
 7 files changed, 593 insertions(+), 35 deletions(-)

diff --git a/CHANGES b/CHANGES
index 530b30c160..8410931f7c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
+
 1993.	[bug]		Log messsage, via syslog, were missing the space
 			after the timestamp if "print-time yes" was specified.
 			[RT #15844]
diff --git a/config.h.in b/config.h.in
index 2f304c2b64..fdfa9cd329 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.78 2006/02/02 23:07:53 marka Exp $ */
+/* $Id: config.h.in,v 1.79 2006/03/01 02:32:46 marka Exp $ */
 
 /*! \file */
 
@@ -157,9 +157,15 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if you cannot bind() before connect() for TCP sockets. */
 #undef BROKEN_TCP_BIND_BEFORE_CONNECT
 
+/* Define if libcrypto has DH_generate_parameters */
+#undef HAVE_DH_GENERATE_PARAMETERS
+
 /* Define to 1 if you have the  header file. */
 #undef HAVE_DLFCN_H
 
+/* Define if libcrypto has DSA_generate_parameters */
+#undef HAVE_DSA_GENERATE_PARAMETERS
+
 /* Define to 1 if you have the  header file. */
 #undef HAVE_FCNTL_H
 
@@ -196,6 +202,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the  header file. */
 #undef HAVE_NET_IF6_H
 
+/* Define if libcrypto has RSA_generate_key */
+#undef HAVE_RSA_GENERATE_KEY
+
 /* Define to 1 if you have the `setlocale' function. */
 #undef HAVE_SETLOCALE
 
diff --git a/configure b/configure
index ea0f9938df..925f6ba06e 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.390 2006/02/26 22:57:17 marka Exp $
+# $Id: configure,v 1.391 2006/03/01 02:32:46 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.402 .
+# From configure.in Revision: 1.403 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -5089,6 +5089,300 @@ fi
 rm -f conftest.err conftest.$ac_objext \
       conftest$ac_exeext conftest.$ac_ext
 
+		echo "$as_me:$LINENO: checking for DH_generate_parameters" >&5
+echo $ECHO_N "checking for DH_generate_parameters... $ECHO_C" >&6
+if test "${ac_cv_func_DH_generate_parameters+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define DH_generate_parameters to an innocuous variant, in case  declares DH_generate_parameters.
+   For example, HP-UX 11i  declares gettimeofday.  */
+#define DH_generate_parameters innocuous_DH_generate_parameters
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char DH_generate_parameters (); below.
+    Prefer  to  if __STDC__ is defined, since
+     exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include 
+#else
+# include 
+#endif
+
+#undef DH_generate_parameters
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char DH_generate_parameters ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_DH_generate_parameters) || defined (__stub___DH_generate_parameters)
+choke me
+#else
+char (*f) () = DH_generate_parameters;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != DH_generate_parameters;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_DH_generate_parameters=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_DH_generate_parameters=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_DH_generate_parameters" >&5
+echo "${ECHO_T}$ac_cv_func_DH_generate_parameters" >&6
+if test $ac_cv_func_DH_generate_parameters = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_DH_GENERATE_PARAMETERS 1
+_ACEOF
+
+fi
+
+		echo "$as_me:$LINENO: checking for RSA_generate_key" >&5
+echo $ECHO_N "checking for RSA_generate_key... $ECHO_C" >&6
+if test "${ac_cv_func_RSA_generate_key+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define RSA_generate_key to an innocuous variant, in case  declares RSA_generate_key.
+   For example, HP-UX 11i  declares gettimeofday.  */
+#define RSA_generate_key innocuous_RSA_generate_key
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char RSA_generate_key (); below.
+    Prefer  to  if __STDC__ is defined, since
+     exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include 
+#else
+# include 
+#endif
+
+#undef RSA_generate_key
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char RSA_generate_key ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_RSA_generate_key) || defined (__stub___RSA_generate_key)
+choke me
+#else
+char (*f) () = RSA_generate_key;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != RSA_generate_key;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_RSA_generate_key=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_RSA_generate_key=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_RSA_generate_key" >&5
+echo "${ECHO_T}$ac_cv_func_RSA_generate_key" >&6
+if test $ac_cv_func_RSA_generate_key = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_RSA_GENERATE_KEY 1
+_ACEOF
+
+fi
+
+		echo "$as_me:$LINENO: checking for DSA_generate_parameters" >&5
+echo $ECHO_N "checking for DSA_generate_parameters... $ECHO_C" >&6
+if test "${ac_cv_func_DSA_generate_parameters+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define DSA_generate_parameters to an innocuous variant, in case  declares DSA_generate_parameters.
+   For example, HP-UX 11i  declares gettimeofday.  */
+#define DSA_generate_parameters innocuous_DSA_generate_parameters
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char DSA_generate_parameters (); below.
+    Prefer  to  if __STDC__ is defined, since
+     exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include 
+#else
+# include 
+#endif
+
+#undef DSA_generate_parameters
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char DSA_generate_parameters ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_DSA_generate_parameters) || defined (__stub___DSA_generate_parameters)
+choke me
+#else
+char (*f) () = DSA_generate_parameters;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != DSA_generate_parameters;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_DSA_generate_parameters=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_DSA_generate_parameters=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_DSA_generate_parameters" >&5
+echo "${ECHO_T}$ac_cv_func_DSA_generate_parameters" >&6
+if test $ac_cv_func_DSA_generate_parameters = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_DSA_GENERATE_PARAMETERS 1
+_ACEOF
+
+fi
+
 #
 #	OpenSSLDie is new with CERT CS-2002-23.  If we see it we have may
 #	have a patched library otherwise check that we are greater than
@@ -8171,7 +8465,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8174 "configure"' > conftest.$ac_ext
+  echo '#line 8468 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9168,7 +9462,7 @@ fi
 
 
 # Provide some information about the compiler.
-echo "$as_me:9171:" \
+echo "$as_me:9465:" \
      "checking for Fortran 77 compiler version" >&5
 ac_compiler=`set X $ac_compile; echo $2`
 { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5
@@ -10229,11 +10523,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10232: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10526: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10236: \$? = $ac_status" >&5
+   echo "$as_me:10530: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -10472,11 +10766,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10475: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10769: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10479: \$? = $ac_status" >&5
+   echo "$as_me:10773: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -10532,11 +10826,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10535: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10829: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10539: \$? = $ac_status" >&5
+   echo "$as_me:10833: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12717,7 +13011,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
+   (eval echo "\"\$as_me:15309: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:15019: \$? = $ac_status" >&5
+   echo "$as_me:15313: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -15072,11 +15366,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15075: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15369: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:15079: \$? = $ac_status" >&5
+   echo "$as_me:15373: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -16433,7 +16727,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
+   (eval echo "\"\$as_me:17665: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:17375: \$? = $ac_status" >&5
+   echo "$as_me:17669: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -17428,11 +17722,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17431: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17725: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:17435: \$? = $ac_status" >&5
+   echo "$as_me:17729: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -19467,11 +19761,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19470: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:19764: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:19474: \$? = $ac_status" >&5
+   echo "$as_me:19768: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -19710,11 +20004,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19713: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:20007: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:19717: \$? = $ac_status" >&5
+   echo "$as_me:20011: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -19770,11 +20064,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19773: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:20067: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:19777: \$? = $ac_status" >&5
+   echo "$as_me:20071: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -21955,7 +22249,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
 	(rsa)->flags &= ~RSA_FLAG_BLINDING; \
 	} while (0)
+#elif defined(RSA_FLAG_NO_BLINDING)
+#define SET_FLAGS(rsa) \
+	do { \
+		(rsa)->flags &= ~RSA_FLAG_BLINDING; \
+		(rsa)->flags |= RSA_FLAG_NO_BLINDING; \
+	} while (0)
 #else
 #define SET_FLAGS(rsa) \
 	do { \
@@ -262,6 +268,94 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	return (ISC_TRUE);
 }
 
+#ifndef HAVE_RSA_GENERATE_KEY
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+static RSA *
+RSA_generate_key(int bits, unsigned long e_value,
+		 void (*callback)(int,int,void *), void *cb_arg)
+{
+        BN_GENCB cb;
+        size_t i;
+        RSA *rsa = RSA_new();
+        BIGNUM *e = BN_new();
+
+        if (rsa == NULL || e == NULL)
+		goto err;
+
+        /* The problem is when building with 8, 16, or 32 BN_ULONG,
+         * unsigned long can be larger */
+        for (i = 0; i < sizeof(unsigned long) * 8; i++) {
+                if ((e_value & (1UL<
Date: Wed, 1 Mar 2006 02:49:40 +0000
Subject: [PATCH 069/465] 1994.   [port]          OpenSSL 0.9.8 support. [RT
 #15694]

---
 CHANGES                   |   2 +
 config.h.in               |  11 +-
 configure                 | 352 ++++++++++++++++++++++++++++++++++----
 configure.in              |  11 +-
 lib/dns/openssldh_link.c  |  75 +++++++-
 lib/dns/openssldsa_link.c |  79 ++++++++-
 lib/dns/opensslrsa_link.c |  90 +++++++++-
 7 files changed, 586 insertions(+), 34 deletions(-)

diff --git a/CHANGES b/CHANGES
index 86bec10f5f..2805b43bfd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
+
 1991.	[cleanup]	The configuration data, once read, should be treated
 			as readonly.  Expand the use of const to enforce this
 			at compile time. [RT #15813]
diff --git a/config.h.in b/config.h.in
index 226611cd2c..b3d224e43d 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.47.2.20 2006/02/02 23:13:27 marka Exp $ */
+/* $Id: config.h.in,v 1.47.2.21 2006/03/01 02:49:40 marka Exp $ */
 
 /***
  *** This file is not to be included by any public header files, because
@@ -144,9 +144,15 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if you cannot bind() before connect() for TCP sockets. */
 #undef BROKEN_TCP_BIND_BEFORE_CONNECT
 
+/* Define if libcrypto has DH_generate_parameters */
+#undef HAVE_DH_GENERATE_PARAMETERS
+
 /* Define to 1 if you have the  header file. */
 #undef HAVE_DLFCN_H
 
+/* Define if libcrypto has DSA_generate_parameters */
+#undef HAVE_DSA_GENERATE_PARAMETERS
+
 /* Define to 1 if you have the  header file. */
 #undef HAVE_FCNTL_H
 
@@ -177,6 +183,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the  header file. */
 #undef HAVE_MEMORY_H
 
+/* Define if libcrypto has RSA_generate_key */
+#undef HAVE_RSA_GENERATE_KEY
+
 /* Define to 1 if you have the  header file. */
 #undef HAVE_STDINT_H
 
diff --git a/configure b/configure
index 6253d4007e..58e40ecb56 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.294.2.59 .
+# From configure.in Revision: 1.294.2.60 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -4922,6 +4922,300 @@ fi
 rm -f conftest.err conftest.$ac_objext \
       conftest$ac_exeext conftest.$ac_ext
 
+		echo "$as_me:$LINENO: checking for DH_generate_parameters" >&5
+echo $ECHO_N "checking for DH_generate_parameters... $ECHO_C" >&6
+if test "${ac_cv_func_DH_generate_parameters+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define DH_generate_parameters to an innocuous variant, in case  declares DH_generate_parameters.
+   For example, HP-UX 11i  declares gettimeofday.  */
+#define DH_generate_parameters innocuous_DH_generate_parameters
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char DH_generate_parameters (); below.
+    Prefer  to  if __STDC__ is defined, since
+     exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include 
+#else
+# include 
+#endif
+
+#undef DH_generate_parameters
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char DH_generate_parameters ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_DH_generate_parameters) || defined (__stub___DH_generate_parameters)
+choke me
+#else
+char (*f) () = DH_generate_parameters;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != DH_generate_parameters;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_DH_generate_parameters=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_DH_generate_parameters=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_DH_generate_parameters" >&5
+echo "${ECHO_T}$ac_cv_func_DH_generate_parameters" >&6
+if test $ac_cv_func_DH_generate_parameters = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_DH_GENERATE_PARAMETERS 1
+_ACEOF
+
+fi
+
+		echo "$as_me:$LINENO: checking for RSA_generate_key" >&5
+echo $ECHO_N "checking for RSA_generate_key... $ECHO_C" >&6
+if test "${ac_cv_func_RSA_generate_key+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define RSA_generate_key to an innocuous variant, in case  declares RSA_generate_key.
+   For example, HP-UX 11i  declares gettimeofday.  */
+#define RSA_generate_key innocuous_RSA_generate_key
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char RSA_generate_key (); below.
+    Prefer  to  if __STDC__ is defined, since
+     exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include 
+#else
+# include 
+#endif
+
+#undef RSA_generate_key
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char RSA_generate_key ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_RSA_generate_key) || defined (__stub___RSA_generate_key)
+choke me
+#else
+char (*f) () = RSA_generate_key;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != RSA_generate_key;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_RSA_generate_key=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_RSA_generate_key=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_RSA_generate_key" >&5
+echo "${ECHO_T}$ac_cv_func_RSA_generate_key" >&6
+if test $ac_cv_func_RSA_generate_key = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_RSA_GENERATE_KEY 1
+_ACEOF
+
+fi
+
+		echo "$as_me:$LINENO: checking for DSA_generate_parameters" >&5
+echo $ECHO_N "checking for DSA_generate_parameters... $ECHO_C" >&6
+if test "${ac_cv_func_DSA_generate_parameters+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define DSA_generate_parameters to an innocuous variant, in case  declares DSA_generate_parameters.
+   For example, HP-UX 11i  declares gettimeofday.  */
+#define DSA_generate_parameters innocuous_DSA_generate_parameters
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char DSA_generate_parameters (); below.
+    Prefer  to  if __STDC__ is defined, since
+     exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include 
+#else
+# include 
+#endif
+
+#undef DSA_generate_parameters
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char DSA_generate_parameters ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_DSA_generate_parameters) || defined (__stub___DSA_generate_parameters)
+choke me
+#else
+char (*f) () = DSA_generate_parameters;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != DSA_generate_parameters;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_DSA_generate_parameters=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_DSA_generate_parameters=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_DSA_generate_parameters" >&5
+echo "${ECHO_T}$ac_cv_func_DSA_generate_parameters" >&6
+if test $ac_cv_func_DSA_generate_parameters = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_DSA_GENERATE_PARAMETERS 1
+_ACEOF
+
+fi
+
 #
 #	OpenSSLDie is new with CERT CS-2002-23.  If we see it we have may
 #	have a patched library otherwise check that we are greater than
@@ -7973,7 +8267,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7976 "configure"' > conftest.$ac_ext
+  echo '#line 8270 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -8970,7 +9264,7 @@ fi
 
 
 # Provide some information about the compiler.
-echo "$as_me:8973:" \
+echo "$as_me:9267:" \
      "checking for Fortran 77 compiler version" >&5
 ac_compiler=`set X $ac_compile; echo $2`
 { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5
@@ -10031,11 +10325,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10034: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10328: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10038: \$? = $ac_status" >&5
+   echo "$as_me:10332: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -10274,11 +10568,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10277: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10571: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10281: \$? = $ac_status" >&5
+   echo "$as_me:10575: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -10334,11 +10628,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10337: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10631: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10341: \$? = $ac_status" >&5
+   echo "$as_me:10635: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12519,7 +12813,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
+   (eval echo "\"\$as_me:15111: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:14821: \$? = $ac_status" >&5
+   echo "$as_me:15115: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -14874,11 +15168,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14877: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15171: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:14881: \$? = $ac_status" >&5
+   echo "$as_me:15175: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -16235,7 +16529,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
+   (eval echo "\"\$as_me:17467: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:17177: \$? = $ac_status" >&5
+   echo "$as_me:17471: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -17230,11 +17524,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17233: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17527: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:17237: \$? = $ac_status" >&5
+   echo "$as_me:17531: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -19269,11 +19563,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19272: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:19566: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:19276: \$? = $ac_status" >&5
+   echo "$as_me:19570: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -19512,11 +19806,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19515: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:19809: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:19519: \$? = $ac_status" >&5
+   echo "$as_me:19813: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -19572,11 +19866,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19575: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:19869: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:19579: \$? = $ac_status" >&5
+   echo "$as_me:19873: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -21757,7 +22051,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <
Date: Wed, 1 Mar 2006 23:30:03 +0000
Subject: [PATCH 070/465] newcopyrights

---
 util/copyrights | 78 ++++++++++++++++++++++++-------------------------
 1 file changed, 39 insertions(+), 39 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 3dda56c0f8..905e599775 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -15,7 +15,7 @@
 ./bin/check/check-tool.c			C	2000,2001,2004
 ./bin/check/check-tool.h			C	2000,2001,2004
 ./bin/check/named-checkconf.8			MAN	DOCBOOK
-./bin/check/named-checkconf.c			C	1999,2000,2001,2004
+./bin/check/named-checkconf.c			C	1999,2000,2001,2004,2006
 ./bin/check/named-checkconf.docbook		SGML	2000,2001,2002,2004,2005
 ./bin/check/named-checkconf.html		HTML	DOCBOOK
 ./bin/check/named-checkzone.8			MAN	DOCBOOK
@@ -89,44 +89,44 @@
 ./bin/dnssec/win32/signzone.mak			X	2001
 ./bin/named/.cvsignore				X	1999,2000,2001,2005
 ./bin/named/Makefile.in				MAKE	1998,1999,2000,2001,2004
-./bin/named/aclconf.c				C	1999,2000,2001,2004,2005
+./bin/named/aclconf.c				C	1999,2000,2001,2004,2005,2006
 ./bin/named/client.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/config.c				C	2001,2002,2004,2006
 ./bin/named/control.c				C	2001,2003,2004,2005
 ./bin/named/controlconf.c			C	2001,2003,2004,2006
-./bin/named/include/named/aclconf.h		C	1999,2000,2001,2004
+./bin/named/include/named/aclconf.h		C	1999,2000,2001,2004,2006
 ./bin/named/include/named/client.h		C	1999,2000,2001,2004
-./bin/named/include/named/config.h		C	2001,2004
-./bin/named/include/named/control.h		C	2001,2003,2004
-./bin/named/include/named/globals.h		C	1999,2000,2001,2004
+./bin/named/include/named/config.h		C	2001,2004,2006
+./bin/named/include/named/control.h		C	2001,2003,2004,2006
+./bin/named/include/named/globals.h		C	1999,2000,2001,2004,2006
 ./bin/named/include/named/interfacemgr.h	C	1999,2000,2001,2004
 ./bin/named/include/named/listenlist.h		C	2000,2001,2004
 ./bin/named/include/named/log.h			C	1999,2000,2001,2004
-./bin/named/include/named/logconf.h		C	1999,2000,2001,2004
+./bin/named/include/named/logconf.h		C	1999,2000,2001,2004,2006
 ./bin/named/include/named/lwaddr.h		C	2000,2001,2004
 ./bin/named/include/named/lwdclient.h		C	2000,2001,2004
-./bin/named/include/named/lwresd.h		C	2000,2001,2004
+./bin/named/include/named/lwresd.h		C	2000,2001,2004,2006
 ./bin/named/include/named/lwsearch.h		C	2000,2001,2004
 ./bin/named/include/named/main.h		C	1999,2000,2001,2002,2004
 ./bin/named/include/named/notify.h		C	1999,2000,2001,2004
 ./bin/named/include/named/ns_smf_globals.h	C	2005
 ./bin/named/include/named/query.h		C	1999,2000,2001,2002,2004
-./bin/named/include/named/server.h		C	1999,2000,2001,2004
-./bin/named/include/named/sortlist.h		C	2000,2001,2004
-./bin/named/include/named/tkeyconf.h		C	1999,2000,2001,2004
-./bin/named/include/named/tsigconf.h		C	1999,2000,2001,2004
+./bin/named/include/named/server.h		C	1999,2000,2001,2004,2006
+./bin/named/include/named/sortlist.h		C	2000,2001,2004,2006
+./bin/named/include/named/tkeyconf.h		C	1999,2000,2001,2004,2006
+./bin/named/include/named/tsigconf.h		C	1999,2000,2001,2004,2006
 ./bin/named/include/named/types.h		C	1999,2000,2001,2004
 ./bin/named/include/named/update.h		C	1999,2000,2001,2004
 ./bin/named/include/named/xfrout.h		C	1999,2000,2001,2004
-./bin/named/include/named/zoneconf.h		C	1999,2000,2001,2002,2004
+./bin/named/include/named/zoneconf.h		C	1999,2000,2001,2002,2004,2006
 ./bin/named/interfacemgr.c			C	1999,2000,2001,2002,2004,2006
 ./bin/named/listenlist.c			C	2000,2001,2004
 ./bin/named/log.c				C	1999,2000,2001,2004
-./bin/named/logconf.c				C	1999,2000,2001,2004
+./bin/named/logconf.c				C	1999,2000,2001,2004,2006
 ./bin/named/lwaddr.c				C	2000,2001,2004
 ./bin/named/lwdclient.c				C	2000,2001,2004
 ./bin/named/lwderror.c				C	2000,2001,2004
-./bin/named/lwdgabn.c				C	2000,2001,2004
+./bin/named/lwdgabn.c				C	2000,2001,2004,2006
 ./bin/named/lwdgnba.c				C	2000,2001,2003,2004
 ./bin/named/lwdgrbn.c				C	2000,2001,2004,2006
 ./bin/named/lwdnoop.c				C	2000,2001,2004
@@ -145,9 +145,9 @@
 ./bin/named/notify.c				C	1999,2000,2001,2003,2004
 ./bin/named/query.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/server.c				C	1999,2000,2001,2002,2003,2004,2005,2006
-./bin/named/sortlist.c				C	2000,2001,2004
-./bin/named/tkeyconf.c				C	1999,2000,2001,2004
-./bin/named/tsigconf.c				C	1999,2000,2001,2004
+./bin/named/sortlist.c				C	2000,2001,2004,2006
+./bin/named/tkeyconf.c				C	1999,2000,2001,2004,2006
+./bin/named/tsigconf.c				C	1999,2000,2001,2004,2006
 ./bin/named/unix/.cvsignore			X	1999,2000,2001
 ./bin/named/unix/Makefile.in			MAKE	1999,2000,2001,2004
 ./bin/named/unix/include/named/os.h		C	1999,2000,2001,2002,2004
@@ -179,7 +179,7 @@
 ./bin/rndc/rndc-confgen.docbook			SGML	2001,2002,2003,2004,2005
 ./bin/rndc/rndc-confgen.html			HTML	DOCBOOK
 ./bin/rndc/rndc.8				MAN	DOCBOOK
-./bin/rndc/rndc.c				C	2000,2001,2003,2004
+./bin/rndc/rndc.c				C	2000,2001,2003,2004,2006
 ./bin/rndc/rndc.conf				CONF-C	2000,2001,2004
 ./bin/rndc/rndc.conf.5				MAN	DOCBOOK
 ./bin/rndc/rndc.conf.docbook			SGML	2000,2001,2004,2005
@@ -1568,13 +1568,13 @@
 ./lib/dns/.cvsignore				X	1999,2000,2001
 ./lib/dns/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004,2006
 ./lib/dns/a6.c					C	1999,2000,2001,2004
-./lib/dns/acl.c					C	1999,2000,2001,2004
+./lib/dns/acl.c					C	1999,2000,2001,2004,2006
 ./lib/dns/adb.c					C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/api					X	1999,2000,2001,2005
 ./lib/dns/byaddr.c				C	2000,2001,2003,2004
 ./lib/dns/cache.c				C	1999,2000,2001,2002,2003,2004,2006
 ./lib/dns/callbacks.c				C	1999,2000,2001,2004
-./lib/dns/compress.c				C	1999,2000,2001,2004
+./lib/dns/compress.c				C	1999,2000,2001,2004,2006
 ./lib/dns/db.c					C	1999,2000,2001,2003,2004
 ./lib/dns/dbiterator.c				C	1999,2000,2001,2004
 ./lib/dns/dbtable.c				C	1999,2000,2001,2004
@@ -1599,14 +1599,14 @@
 ./lib/dns/include/dns/.cvsignore		X	1999,2000,2001
 ./lib/dns/include/dns/Makefile.in		MAKE	1998,1999,2000,2001,2004
 ./lib/dns/include/dns/a6.h			C	1999,2000,2001,2004
-./lib/dns/include/dns/acl.h			C	1999,2000,2001,2004
+./lib/dns/include/dns/acl.h			C	1999,2000,2001,2004,2006
 ./lib/dns/include/dns/adb.h			C	1999,2000,2001,2002,2003,2004
 ./lib/dns/include/dns/bit.h			C	2000,2001,2004
 ./lib/dns/include/dns/byaddr.h			C	2000,2001,2003,2004
-./lib/dns/include/dns/cache.h			C	1999,2000,2001,2004
+./lib/dns/include/dns/cache.h			C	1999,2000,2001,2004,2006
 ./lib/dns/include/dns/callbacks.h		C	1999,2000,2001,2002,2004
 ./lib/dns/include/dns/cert.h			C	1999,2000,2001,2004
-./lib/dns/include/dns/compress.h		C	1999,2000,2001,2002,2004
+./lib/dns/include/dns/compress.h		C	1999,2000,2001,2002,2004,2006
 ./lib/dns/include/dns/db.h			C	1999,2000,2001,2003,2004
 ./lib/dns/include/dns/dbiterator.h		C	1999,2000,2001,2004
 ./lib/dns/include/dns/dbtable.h			C	1999,2000,2001,2004
@@ -1624,9 +1624,9 @@
 ./lib/dns/include/dns/log.h			C	1999,2000,2001,2003,2004
 ./lib/dns/include/dns/lookup.h			C	2000,2001,2004
 ./lib/dns/include/dns/master.h			C	1999,2000,2001,2003,2004
-./lib/dns/include/dns/masterdump.h		C	1999,2000,2001,2004,2005
+./lib/dns/include/dns/masterdump.h		C	1999,2000,2001,2004,2005,2006
 ./lib/dns/include/dns/message.h			C	1999,2000,2001,2002,2004,2006
-./lib/dns/include/dns/name.h			C	1998,1999,2000,2001,2002,2003,2004
+./lib/dns/include/dns/name.h			C	1998,1999,2000,2001,2002,2003,2004,2006
 ./lib/dns/include/dns/ncache.h			C	1999,2000,2001,2004
 ./lib/dns/include/dns/nxt.h			C	1999,2000,2001,2004
 ./lib/dns/include/dns/peer.h			C	2000,2001,2004
@@ -1635,7 +1635,7 @@
 ./lib/dns/include/dns/rdata.h			C	1998,1999,2000,2001,2002,2003,2004
 ./lib/dns/include/dns/rdataclass.h		C	1998,1999,2000,2001,2004
 ./lib/dns/include/dns/rdatalist.h		C	1999,2000,2001,2004
-./lib/dns/include/dns/rdataset.h		C	1999,2000,2001,2002,2003,2004,2005
+./lib/dns/include/dns/rdataset.h		C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/include/dns/rdatasetiter.h		C	1999,2000,2001,2004
 ./lib/dns/include/dns/rdataslab.h		C	1999,2000,2001,2003,2004
 ./lib/dns/include/dns/rdatatype.h		C	1998,1999,2000,2001,2004
@@ -1655,11 +1655,11 @@
 ./lib/dns/include/dns/tkey.h			C	1999,2000,2001,2004
 ./lib/dns/include/dns/tsig.h			C	1999,2000,2001,2002,2004
 ./lib/dns/include/dns/ttl.h			C	1999,2000,2001,2004
-./lib/dns/include/dns/types.h			C	1998,1999,2000,2001,2004
+./lib/dns/include/dns/types.h			C	1998,1999,2000,2001,2004,2006
 ./lib/dns/include/dns/validator.h		C	2000,2001,2004
 ./lib/dns/include/dns/view.h			C	1999,2000,2001,2002,2003,2004
 ./lib/dns/include/dns/xfrin.h			C	1999,2000,2001,2004
-./lib/dns/include/dns/zone.h			C	1999,2000,2001,2002,2003,2004
+./lib/dns/include/dns/zone.h			C	1999,2000,2001,2002,2003,2004,2006
 ./lib/dns/include/dns/zonekey.h			C	2001,2004
 ./lib/dns/include/dns/zt.h			C	1999,2000,2001,2002,2004
 ./lib/dns/include/dst/.cvsignore		X	2000,2001
@@ -1677,12 +1677,12 @@
 ./lib/dns/master.c				C	1999,2000,2001,2002,2003,2004
 ./lib/dns/masterdump.c				C	1999,2000,2001,2003,2004
 ./lib/dns/message.c				C	1999,2000,2001,2002,2003,2004,2005,2006
-./lib/dns/name.c				C	1998,1999,2000,2001,2002,2003,2004,2005
+./lib/dns/name.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/ncache.c				C	1999,2000,2001,2002,2003,2004
 ./lib/dns/nxt.c					C	1999,2000,2001,2003,2004
 ./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2003,2004
-./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2004
-./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2004
+./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2004,2006
+./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2004,2006
 ./lib/dns/opensslrsa_link.c			C	2000,2001,2003,2004,2006
 ./lib/dns/peer.c				C	2000,2001,2004
 ./lib/dns/rbt.c					C	1999,2000,2001,2003,2004,2005
@@ -1779,7 +1779,7 @@
 ./lib/dns/rdata/rdatastructsuf.h		C	1999,2000,2001,2004
 ./lib/dns/rdatalist.c				C	1999,2000,2001,2003,2004
 ./lib/dns/rdatalist_p.h				C	2000,2001,2004
-./lib/dns/rdataset.c				C	1999,2000,2001,2003,2004
+./lib/dns/rdataset.c				C	1999,2000,2001,2003,2004,2006
 ./lib/dns/rdatasetiter.c			C	1999,2000,2001,2004
 ./lib/dns/rdataslab.c				C	1999,2000,2001,2003,2004
 ./lib/dns/request.c				C	2000,2001,2004,2006
@@ -1882,11 +1882,11 @@
 ./lib/isc/include/isc/rwlock.h			C	1998,1999,2000,2001,2003,2004
 ./lib/isc/include/isc/serial.h			C	1999,2000,2001,2004
 ./lib/isc/include/isc/sha1.h			C	2000,2001,2004
-./lib/isc/include/isc/sockaddr.h		C	1998,1999,2000,2001,2004
+./lib/isc/include/isc/sockaddr.h		C	1998,1999,2000,2001,2004,2006
 ./lib/isc/include/isc/socket.h			C	1998,1999,2000,2001,2004
 ./lib/isc/include/isc/stdio.h			C	2000,2001,2004
 ./lib/isc/include/isc/string.h			C	2000,2001,2004
-./lib/isc/include/isc/symtab.h			C	1996,1997,1998,1999,2000,2001,2004
+./lib/isc/include/isc/symtab.h			C	1996,1997,1998,1999,2000,2001,2004,2006
 ./lib/isc/include/isc/task.h			C	1998,1999,2000,2001,2004
 ./lib/isc/include/isc/taskpool.h		C	1999,2000,2001,2004
 ./lib/isc/include/isc/timer.h			C	1998,1999,2000,2001,2004
@@ -1941,7 +1941,7 @@
 ./lib/isc/rwlock.c				C	1998,1999,2000,2001,2003,2004,2005
 ./lib/isc/serial.c				C	1999,2000,2001,2004
 ./lib/isc/sha1.c				C	2000,2001,2003,2004
-./lib/isc/sockaddr.c				C	1999,2000,2001,2003,2004
+./lib/isc/sockaddr.c				C	1999,2000,2001,2003,2004,2006
 ./lib/isc/string.c				C	1999,2000,2001,2004
 ./lib/isc/symtab.c				C	1996,1997,1998,1999,2000,2001,2004
 ./lib/isc/task.c				C	1998,1999,2000,2001,2002,2004
@@ -2088,13 +2088,13 @@
 ./lib/isccfg/.cvsignore				X	2001
 ./lib/isccfg/Makefile.in			MAKE	2001,2003,2004
 ./lib/isccfg/api				X	2001,2005
-./lib/isccfg/check.c				C	2001,2002,2003,2004
+./lib/isccfg/check.c				C	2001,2002,2003,2004,2006
 ./lib/isccfg/include/.cvsignore			X	2001
 ./lib/isccfg/include/Makefile.in		MAKE	2001,2004
 ./lib/isccfg/include/isccfg/.cvsignore		X	2001
 ./lib/isccfg/include/isccfg/Makefile.in		MAKE	2001,2004
-./lib/isccfg/include/isccfg/cfg.h		C	2000,2001,2004
-./lib/isccfg/include/isccfg/check.h		C	2001,2004
+./lib/isccfg/include/isccfg/cfg.h		C	2000,2001,2004,2006
+./lib/isccfg/include/isccfg/check.h		C	2001,2004,2006
 ./lib/isccfg/include/isccfg/log.h		C	2001,2004
 ./lib/isccfg/log.c				C	2001,2004
 ./lib/isccfg/parser.c				C	2000,2001,2002,2003,2004,2006

From 66b384dd2541972781b0d324757c4ea7ee49d0ef Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 1 Mar 2006 23:30:21 +0000
Subject: [PATCH 071/465] newcopyrights

---
 util/copyrights | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 4d1bd0c626..e790c0dc85 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1799,9 +1799,9 @@
 ./lib/dns/ncache.c				C	1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/nsec.c				C	1999,2000,2001,2003,2004,2005
 ./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2002,2003,2004,2005
-./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2002,2004,2005
-./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2002,2004,2005
-./lib/dns/opensslrsa_link.c			C	2000,2001,2002,2003,2004,2005
+./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006
+./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006
+./lib/dns/opensslrsa_link.c			C	2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/order.c				C	2002,2004,2005
 ./lib/dns/peer.c				C	2000,2001,2003,2004,2005,2006
 ./lib/dns/portlist.c				C	2003,2004,2005
@@ -2048,7 +2048,7 @@
 ./lib/isc/lex.c					C	1998,1999,2000,2001,2002,2003,2004,2005
 ./lib/isc/lfsr.c				C	1999,2000,2001,2002,2004,2005
 ./lib/isc/lib.c					C	1999,2000,2001,2004,2005
-./lib/isc/log.c					C	1999,2000,2001,2002,2003,2004,2005
+./lib/isc/log.c					C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/isc/md5.c					C	2000,2001,2004,2005
 ./lib/isc/mem.c					C	1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/isc/mips/include/isc/atomic.h		C	2005

From a3c22658b03e8339ba72051f0fd2afe95f576d4a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Mar 2006 00:37:18 +0000
Subject: [PATCH 072/465] update copyright notice

---
 bin/check/named-checkconf.c        | 4 ++--
 bin/named/aclconf.c                | 4 ++--
 bin/named/include/named/aclconf.h  | 4 ++--
 bin/named/include/named/config.h   | 4 ++--
 bin/named/include/named/control.h  | 4 ++--
 bin/named/include/named/globals.h  | 4 ++--
 bin/named/include/named/logconf.h  | 4 ++--
 bin/named/include/named/lwresd.h   | 4 ++--
 bin/named/include/named/server.h   | 4 ++--
 bin/named/include/named/sortlist.h | 4 ++--
 bin/named/include/named/tkeyconf.h | 4 ++--
 bin/named/include/named/tsigconf.h | 4 ++--
 bin/named/include/named/zoneconf.h | 4 ++--
 bin/named/logconf.c                | 4 ++--
 bin/named/lwdgabn.c                | 4 ++--
 bin/named/sortlist.c               | 4 ++--
 bin/named/tkeyconf.c               | 4 ++--
 bin/named/tsigconf.c               | 4 ++--
 bin/rndc/rndc.c                    | 4 ++--
 lib/dns/acl.c                      | 4 ++--
 lib/dns/compress.c                 | 4 ++--
 lib/dns/include/dns/acl.h          | 4 ++--
 lib/dns/include/dns/cache.h        | 4 ++--
 lib/dns/include/dns/compress.h     | 4 ++--
 lib/dns/include/dns/masterdump.h   | 4 ++--
 lib/dns/include/dns/name.h         | 4 ++--
 lib/dns/include/dns/rdataset.h     | 4 ++--
 lib/dns/include/dns/types.h        | 4 ++--
 lib/dns/include/dns/zone.h         | 4 ++--
 lib/dns/name.c                     | 4 ++--
 lib/dns/openssldh_link.c           | 4 ++--
 lib/dns/openssldsa_link.c          | 4 ++--
 lib/dns/rdataset.c                 | 4 ++--
 lib/isc/include/isc/sockaddr.h     | 4 ++--
 lib/isc/include/isc/symtab.h       | 4 ++--
 lib/isc/sockaddr.c                 | 4 ++--
 lib/isccfg/check.c                 | 4 ++--
 lib/isccfg/include/isccfg/cfg.h    | 4 ++--
 lib/isccfg/include/isccfg/check.h  | 4 ++--
 39 files changed, 78 insertions(+), 78 deletions(-)

diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index 98f24c3a58..16e6609ced 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.12.2.2 2006/03/01 01:34:04 marka Exp $ */
+/* $Id: named-checkconf.c,v 1.12.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/bin/named/aclconf.c b/bin/named/aclconf.c
index c2459f2a72..48a1659c48 100644
--- a/bin/named/aclconf.c
+++ b/bin/named/aclconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.27.2.4 2006/03/01 01:34:04 marka Exp $ */
+/* $Id: aclconf.c,v 1.27.2.5 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/bin/named/include/named/aclconf.h b/bin/named/include/named/aclconf.h
index 661b22db9a..5613c1c8d2 100644
--- a/bin/named/include/named/aclconf.h
+++ b/bin/named/include/named/aclconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.h,v 1.12.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: aclconf.h,v 1.12.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NS_ACLCONF_H
 #define NS_ACLCONF_H 1
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index 0d8b4560c8..e451d879c1 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h,v 1.4.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: config.h,v 1.4.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 880865dea1..8a22ec2bc5 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.6.2.4 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: control.h,v 1.6.2.5 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 7c90132127..fe072b639f 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.59.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: globals.h,v 1.59.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
index 3ae7747475..71a313112a 100644
--- a/bin/named/include/named/logconf.h
+++ b/bin/named/include/named/logconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.h,v 1.10.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: logconf.h,v 1.10.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NAMED_LOGCONF_H
 #define NAMED_LOGCONF_H 1
diff --git a/bin/named/include/named/lwresd.h b/bin/named/include/named/lwresd.h
index 6a8bda51a5..9f3a92395a 100644
--- a/bin/named/include/named/lwresd.h
+++ b/bin/named/include/named/lwresd.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.h,v 1.12.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: lwresd.h,v 1.12.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NAMED_LWRESD_H
 #define NAMED_LWRESD_H 1
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 06606b05c2..f7b76b76d5 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.58.2.4 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: server.h,v 1.58.2.5 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
diff --git a/bin/named/include/named/sortlist.h b/bin/named/include/named/sortlist.h
index 7d4e77e39e..347ad91fce 100644
--- a/bin/named/include/named/sortlist.h
+++ b/bin/named/include/named/sortlist.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.h,v 1.4.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: sortlist.h,v 1.4.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NAMED_SORTLIST_H
 #define NAMED_SORTLIST_H 1
diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h
index 3946ca9ac0..4e8b7e6b2e 100644
--- a/bin/named/include/named/tkeyconf.h
+++ b/bin/named/include/named/tkeyconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.h,v 1.9.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.9.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NS_TKEYCONF_H
 #define NS_TKEYCONF_H 1
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
index 8116cbf872..567d7b9872 100644
--- a/bin/named/include/named/tsigconf.h
+++ b/bin/named/include/named/tsigconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.h,v 1.9.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: tsigconf.h,v 1.9.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
index 67bce66b28..ec1f06ba95 100644
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.h,v 1.16.2.4 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: zoneconf.h,v 1.16.2.5 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index d5baa0a097..3129757c33 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.c,v 1.30.2.6 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: logconf.c,v 1.30.2.7 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index 4cc2962031..3c1e993a04 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.13.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.13.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/bin/named/sortlist.c b/bin/named/sortlist.c
index 6f92af4e79..b0e5cdf8e3 100644
--- a/bin/named/sortlist.c
+++ b/bin/named/sortlist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.c,v 1.5.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: sortlist.c,v 1.5.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index bab4585ea3..dc6b4a32b1 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.19.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.19.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index 4a15eada9a..61da4671ab 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.c,v 1.21.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: tsigconf.c,v 1.21.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index ba83be1edb..e9c6f07705 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.77.2.7 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: rndc.c,v 1.77.2.8 2006/03/02 00:37:17 marka Exp $ */
 
 /*
  * Principal Author: DCL
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index 68962b6867..73deb9ba0b 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.23.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: acl.c,v 1.23.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
index fd241a7fb3..d09e37dda9 100644
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.50.2.3 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: compress.c,v 1.50.2.4 2006/03/02 00:37:17 marka Exp $ */
 
 #define DNS_NAME_USEINLINE 1
 
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index 7a38b8d1c2..538f2bd2c7 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.20.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: acl.h,v 1.20.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index 18c50cdaca..73210e06c6 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.h,v 1.17.2.2 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: cache.h,v 1.17.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef DNS_CACHE_H
 #define DNS_CACHE_H 1
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index c514c3163b..529c02dcc2 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.29.2.4 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: compress.h,v 1.29.2.5 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index c9efb40139..723177851a 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.h,v 1.22.2.4 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: masterdump.h,v 1.22.2.5 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef DNS_MASTERDUMP_H
 #define DNS_MASTERDUMP_H 1
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index fe338830f1..8507a5b4b2 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.95.2.10 2006/03/01 01:34:07 marka Exp $ */
+/* $Id: name.h,v 1.95.2.11 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 4854f2a8fc..829e60093a 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.41.2.9 2006/03/01 01:34:07 marka Exp $ */
+/* $Id: rdataset.h,v 1.41.2.10 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index caa244708e..3340724ebf 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.103.2.2 2006/03/01 01:34:07 marka Exp $ */
+/* $Id: types.h,v 1.103.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 5a633a8e61..2826fa0276 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.106.2.10 2006/03/01 01:34:07 marka Exp $ */
+/* $Id: zone.h,v 1.106.2.11 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
diff --git a/lib/dns/name.c b/lib/dns/name.c
index e4fd8f87c5..9969449295 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.127.2.13 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: name.c,v 1.127.2.14 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 436f06982c..6f3257a8eb 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.1.2.2 2006/03/01 02:48:37 marka Exp $
+ * $Id: openssldh_link.c,v 1.1.2.3 2006/03/02 00:37:17 marka Exp $
  */
 
 #ifdef OPENSSL
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index b3f34df141..94c885ef77 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.1.2.2 2006/03/01 02:48:37 marka Exp $ */
+/* $Id: openssldsa_link.c,v 1.1.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifdef OPENSSL
 
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index 534847d15c..b46eb253ba 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.58.2.6 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: rdataset.c,v 1.58.2.7 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
index 6bb470a43b..6d8e00b1ad 100644
--- a/lib/isc/include/isc/sockaddr.h
+++ b/lib/isc/include/isc/sockaddr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.35.2.3 2006/03/01 01:34:07 marka Exp $ */
+/* $Id: sockaddr.h,v 1.35.2.4 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
index b65529093e..2294fb28e5 100644
--- a/lib/isc/include/isc/symtab.h
+++ b/lib/isc/include/isc/symtab.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.16.2.2 2006/03/01 01:34:07 marka Exp $ */
+/* $Id: symtab.h,v 1.16.2.3 2006/03/02 00:37:17 marka Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
index 58b9fe6f17..95106b8330 100644
--- a/lib/isc/sockaddr.c
+++ b/lib/isc/sockaddr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.48.2.6 2006/03/01 01:34:07 marka Exp $ */
+/* $Id: sockaddr.c,v 1.48.2.7 2006/03/02 00:37:17 marka Exp $ */
 
 #include 
 
diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index 7f09f76245..3879b056ec 100644
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.14.2.27 2006/03/01 01:34:07 marka Exp $ */
+/* $Id: check.c,v 1.14.2.28 2006/03/02 00:37:18 marka Exp $ */
 
 #include 
 
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
index 46c04c90b3..b95eab4bc1 100644
--- a/lib/isccfg/include/isccfg/cfg.h
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg.h,v 1.30.2.2 2006/03/01 01:34:08 marka Exp $ */
+/* $Id: cfg.h,v 1.30.2.3 2006/03/02 00:37:18 marka Exp $ */
 
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1
diff --git a/lib/isccfg/include/isccfg/check.h b/lib/isccfg/include/isccfg/check.h
index 0c9811673c..741584c300 100644
--- a/lib/isccfg/include/isccfg/check.h
+++ b/lib/isccfg/include/isccfg/check.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.h,v 1.4.2.2 2006/03/01 01:34:08 marka Exp $ */
+/* $Id: check.h,v 1.4.2.3 2006/03/02 00:37:18 marka Exp $ */
 
 #ifndef ISCCFG_CHECK_H
 #define ISCCFG_CHECK_H 1

From 641f68d427629200c29aa62c95e18d46fce434ab Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Mar 2006 00:37:23 +0000
Subject: [PATCH 073/465] update copyright notice

---
 bin/named/include/named/control.h   | 4 ++--
 bin/named/include/named/globals.h   | 4 ++--
 bin/named/include/named/logconf.h   | 4 ++--
 bin/named/include/named/lwresd.h    | 4 ++--
 bin/named/include/named/server.h    | 4 ++--
 bin/named/include/named/sortlist.h  | 4 ++--
 bin/named/include/named/tkeyconf.h  | 4 ++--
 bin/named/include/named/tsigconf.h  | 4 ++--
 bin/named/include/named/zoneconf.h  | 4 ++--
 bin/named/logconf.c                 | 4 ++--
 bin/named/lwdgabn.c                 | 4 ++--
 bin/named/lwresd.c                  | 4 ++--
 bin/named/sortlist.c                | 4 ++--
 bin/named/tkeyconf.c                | 4 ++--
 bin/rndc/rndc.c                     | 4 ++--
 lib/bind9/include/bind9/check.h     | 4 ++--
 lib/dns/acl.c                       | 4 ++--
 lib/dns/compress.c                  | 4 ++--
 lib/dns/include/dns/acl.h           | 4 ++--
 lib/dns/include/dns/compress.h      | 4 ++--
 lib/dns/include/dns/name.h          | 4 ++--
 lib/dns/include/dns/rdataset.h      | 4 ++--
 lib/dns/openssldh_link.c            | 4 ++--
 lib/dns/openssldsa_link.c           | 4 ++--
 lib/dns/opensslrsa_link.c           | 4 ++--
 lib/dns/rdataset.c                  | 4 ++--
 lib/isc/include/isc/sockaddr.h      | 4 ++--
 lib/isc/include/isc/symtab.h        | 4 ++--
 lib/isc/log.c                       | 4 ++--
 lib/isc/sockaddr.c                  | 4 ++--
 lib/isccfg/aclconf.c                | 4 ++--
 lib/isccfg/include/isccfg/aclconf.h | 4 ++--
 lib/isccfg/include/isccfg/cfg.h     | 4 ++--
 33 files changed, 66 insertions(+), 66 deletions(-)

diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 800aaf078e..18f671215a 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.20 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: control.h,v 1.21 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 0b13ee6bcc..2d33e653fe 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.67 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: globals.h,v 1.68 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
index 6b42865c15..98e6ac0a2a 100644
--- a/bin/named/include/named/logconf.h
+++ b/bin/named/include/named/logconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.h,v 1.14 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: logconf.h,v 1.15 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NAMED_LOGCONF_H
 #define NAMED_LOGCONF_H 1
diff --git a/bin/named/include/named/lwresd.h b/bin/named/include/named/lwresd.h
index 18056caa25..6f62ed51ae 100644
--- a/bin/named/include/named/lwresd.h
+++ b/bin/named/include/named/lwresd.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.h,v 1.16 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: lwresd.h,v 1.17 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NAMED_LWRESD_H
 #define NAMED_LWRESD_H 1
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 0ccaf08edd..3463247b43 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.81 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: server.h,v 1.82 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
diff --git a/bin/named/include/named/sortlist.h b/bin/named/include/named/sortlist.h
index a5ab613991..ea26095c1d 100644
--- a/bin/named/include/named/sortlist.h
+++ b/bin/named/include/named/sortlist.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.h,v 1.8 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: sortlist.h,v 1.9 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NAMED_SORTLIST_H
 #define NAMED_SORTLIST_H 1
diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h
index 637c0b227c..be945b4ea6 100644
--- a/bin/named/include/named/tkeyconf.h
+++ b/bin/named/include/named/tkeyconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.h,v 1.13 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.14 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NS_TKEYCONF_H
 #define NS_TKEYCONF_H 1
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
index 6472a4bd3d..1fd08f11ce 100644
--- a/bin/named/include/named/tsigconf.h
+++ b/bin/named/include/named/tsigconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.h,v 1.13 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: tsigconf.h,v 1.14 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
index 676f0981ab..351512f634 100644
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.h,v 1.23 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: zoneconf.h,v 1.24 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index 8d0b4b0335..bbe5b1d561 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.c,v 1.39 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: logconf.c,v 1.40 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index b7c84de12b..da36d28339 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.19 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.20 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index 3726706fd9..a3ea280656 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.c,v 1.52 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: lwresd.c,v 1.53 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file 
  * \brief
diff --git a/bin/named/sortlist.c b/bin/named/sortlist.c
index 72267e78c2..110afaf5d7 100644
--- a/bin/named/sortlist.c
+++ b/bin/named/sortlist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.c,v 1.12 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: sortlist.c,v 1.13 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index f4039c17b9..c15bf4ed96 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.25 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.26 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index b0c4a3542b..838082fe16 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.109 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: rndc.c,v 1.110 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/bind9/include/bind9/check.h b/lib/bind9/include/bind9/check.h
index 4a56724eb4..3e30f79823 100644
--- a/lib/bind9/include/bind9/check.h
+++ b/lib/bind9/include/bind9/check.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.h,v 1.5 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: check.h,v 1.6 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef BIND9_CHECK_H
 #define BIND9_CHECK_H 1
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index 907a531079..e982674530 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.29 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: acl.c,v 1.30 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
index 07eea1372b..d1f5a0b4f3 100644
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.56 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: compress.c,v 1.57 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index fe3592fa87..34b8f9c2a7 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.25 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: acl.h,v 1.26 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index e845499683..8cca74c46e 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.36 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: compress.h,v 1.37 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index bcf508c48d..f6f578fe78 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.121 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: name.h,v 1.122 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index f8ffb666f2..980b870406 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.57 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: rdataset.h,v 1.58 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 1de0f9a5ad..369761457c 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.5 2006/03/01 02:31:40 marka Exp $
+ * $Id: openssldh_link.c,v 1.6 2006/03/02 00:37:23 marka Exp $
  */
 
 #ifdef OPENSSL
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index 453557870c..8dfd9b8881 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.4 2006/03/01 02:31:40 marka Exp $ */
+/* $Id: openssldsa_link.c,v 1.5 2006/03/02 00:37:23 marka Exp $ */
 
 #ifdef OPENSSL
 
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index e2cb7ba50e..87845993af 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.6 2006/03/01 02:31:40 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.7 2006/03/02 00:37:23 marka Exp $
  */
 #ifdef OPENSSL
 
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index 7ae14ca15c..661343c9b5 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.76 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: rdataset.c,v 1.77 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
index 472714ca69..71823db3ae 100644
--- a/lib/isc/include/isc/sockaddr.h
+++ b/lib/isc/include/isc/sockaddr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.50 2006/02/28 02:39:52 marka Exp $ */
+/* $Id: sockaddr.h,v 1.51 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
index 5d4efa0785..1f6db60331 100644
--- a/lib/isc/include/isc/symtab.h
+++ b/lib/isc/include/isc/symtab.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.20 2006/02/28 02:39:52 marka Exp $ */
+/* $Id: symtab.h,v 1.21 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
diff --git a/lib/isc/log.c b/lib/isc/log.c
index dbbb43a70d..2c9d26dc73 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.91 2006/03/01 02:20:41 marka Exp $ */
+/* $Id: log.c,v 1.92 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file
  * \author  Principal Authors: DCL */
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
index 8a8f926c0e..280f38854b 100644
--- a/lib/isc/sockaddr.c
+++ b/lib/isc/sockaddr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.66 2006/02/28 02:39:52 marka Exp $ */
+/* $Id: sockaddr.c,v 1.67 2006/03/02 00:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index 4154a9fea6..c5de6781a5 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.6 2006/02/28 02:39:52 marka Exp $ */
+/* $Id: aclconf.c,v 1.7 2006/03/02 00:37:23 marka Exp $ */
 
 #include 
 
diff --git a/lib/isccfg/include/isccfg/aclconf.h b/lib/isccfg/include/isccfg/aclconf.h
index df26ef89ce..39679a3907 100644
--- a/lib/isccfg/include/isccfg/aclconf.h
+++ b/lib/isccfg/include/isccfg/aclconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.h,v 1.5 2006/02/28 02:39:52 marka Exp $ */
+/* $Id: aclconf.h,v 1.6 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef ISCCFG_ACLCONF_H
 #define ISCCFG_ACLCONF_H 1
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
index c0b26bfea6..5c0ca5f6d0 100644
--- a/lib/isccfg/include/isccfg/cfg.h
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg.h,v 1.38 2006/02/28 02:39:52 marka Exp $ */
+/* $Id: cfg.h,v 1.39 2006/03/02 00:37:23 marka Exp $ */
 
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1

From 9a8cec4995c1586d27e95f13d421e4de61a97eb5 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Mar 2006 01:45:46 +0000
Subject: [PATCH 074/465] 1995.   [bug]           'host' was reporting multiple
 "is an alias" messages.                         [RT #15702]

---
 CHANGES        |  3 +++
 bin/dig/host.c | 38 +++++++++++++++++++++++++++++++++++---
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8410931f7c..bd3663d551 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1995.	[bug]		'host' was reporting multiple "is an alias" messages.
+			[RT #15702]
+
 1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
 
 1993.	[bug]		Log messsage, via syslog, were missing the space
diff --git a/bin/dig/host.c b/bin/dig/host.c
index d40516f6b8..2ed358d250 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.106 2005/08/25 00:40:49 marka Exp $ */
+/* $Id: host.c,v 1.107 2006/03/02 01:45:46 marka Exp $ */
 
 /*! \file */
 
@@ -39,6 +39,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -355,6 +356,32 @@ printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
 	return (ISC_R_SUCCESS);
 }
 
+static void
+chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
+	isc_result_t result;
+	dns_rdataset_t *rdataset;
+	dns_rdata_cname_t cname;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int i = msg->counts[DNS_SECTION_ANSWER];
+
+ 	while (i-- > 0) {
+		rdataset = NULL;
+		result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+					      dns_rdatatype_cname, 0, NULL,
+					      &rdataset);
+		if (result != ISC_R_SUCCESS)
+			return;
+		result = dns_rdataset_first(rdataset);
+		check_result(result, "dns_rdataset_first");
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		dns_name_copy(&cname.cname, qname, NULL);
+		dns_rdata_freestruct(&cname);
+	}
+}
+
 isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	isc_boolean_t did_flag = ISC_FALSE;
@@ -393,10 +420,15 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dig_lookup_t *lookup;
+		dns_fixedname_t fixed;
+		dns_name_t *name;
 
 		/* Add AAAA and MX lookups. */
-
-		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+		dns_fixedname_init(&fixed);
+		name = dns_fixedname_name(&fixed);
+		dns_name_copy(query->lookup->name, name, NULL);
+		chase_cnamechain(msg, name);
+		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
 			strncpy(lookup->textname, namestr,

From f27eae9cfeb5b6c3c38ead6a7a0b1dd36bba691d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Mar 2006 01:57:20 +0000
Subject: [PATCH 075/465] 1996.   [bug]           nsupdate: if a zone has been
 specified it should                         appear in the output of 'show'.
 [RT #15797]

---
 CHANGES                       |  3 ++
 bin/nsupdate/nsupdate.c       | 53 ++++++++++++++++++++++++++---------
 lib/dns/include/dns/message.h | 21 +++++++++++++-
 lib/dns/message.c             | 14 ++++++++-
 lib/dns/win32/libdns.def      |  1 +
 5 files changed, 77 insertions(+), 15 deletions(-)

diff --git a/CHANGES b/CHANGES
index bd3663d551..9614aa698e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1996.	[bug]		nsupdate: if a zone has been specified it should
+			appear in the output of 'show'. [RT #15797]
+
 1995.	[bug]		'host' was reporting multiple "is an alias" messages.
 			[RT #15702]
 
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 568dc72408..f55bc6fc1a 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.142 2006/01/27 02:35:14 marka Exp $ */
+/* $Id: nsupdate.c,v 1.143 2006/03/02 01:57:20 marka Exp $ */
 
 /*! \file */
 
@@ -1421,6 +1421,41 @@ evaluate_update(char *cmdline) {
 	return (update_addordelete(cmdline, isdelete));
 }
 
+static void
+setzone(dns_name_t *zonename) {
+	isc_result_t result;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+
+	result = dns_message_firstname(updatemsg, DNS_SECTION_ZONE);
+	if (result == ISC_R_SUCCESS) {
+		dns_message_currentname(updatemsg, DNS_SECTION_ZONE, &name);
+		dns_message_removename(updatemsg, name, DNS_SECTION_ZONE);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_HEAD(name->list)) {
+			ISC_LIST_UNLINK(name->list, rdataset, link);
+			dns_rdataset_disassociate(rdataset);
+			dns_message_puttemprdataset(updatemsg, &rdataset);
+		}
+		dns_message_puttempname(updatemsg, &name);
+	}
+
+	if (zonename != NULL) {
+		result = dns_message_gettempname(updatemsg, &name);
+		check_result(result, "dns_message_gettempname");
+		dns_name_init(name, NULL);
+		dns_name_clone(zonename, name);
+		result = dns_message_gettemprdataset(updatemsg, &rdataset);
+		check_result(result, "dns_message_gettemprdataset");
+		dns_rdataset_makequestion(rdataset, getzoneclass(),
+					  dns_rdatatype_soa);
+		ISC_LIST_INIT(name->list);
+		ISC_LIST_APPEND(name->list, rdataset, link);
+		dns_message_addname(updatemsg, name, DNS_SECTION_ZONE);
+	}
+}
+
 static void
 show_message(dns_message_t *msg) {
 	isc_result_t result;
@@ -1428,6 +1463,9 @@ show_message(dns_message_t *msg) {
 	int bufsz;
 
 	ddebug("show_message()");
+
+	setzone(userzone);
+
 	bufsz = INITTEXT;
 	do { 
 		if (bufsz > MAXTEXT) {
@@ -1653,22 +1691,11 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
 {
 	isc_result_t result;
 	dns_request_t *request = NULL;
-	dns_name_t *name = NULL;
-	dns_rdataset_t *rdataset = NULL;
 	unsigned int options = 0;
 
 	ddebug("send_update()");
 
-	result = dns_message_gettempname(updatemsg, &name);
-	check_result(result, "dns_message_gettempname");
-	dns_name_init(name, NULL);
-	dns_name_clone(zonename, name);
-	result = dns_message_gettemprdataset(updatemsg, &rdataset);
-	check_result(result, "dns_message_gettemprdataset");
-	dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
-	ISC_LIST_INIT(name->list);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-	dns_message_addname(updatemsg, name, DNS_SECTION_ZONE);
+	setzone(zonename);
 
 	if (usevc)
 		options |= DNS_REQUESTOPT_TCP;
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index 953b14e613..2467ecdd64 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.119 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: message.h,v 1.120 2006/03/02 01:57:20 marka Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -769,6 +769,25 @@ dns_message_addname(dns_message_t *msg, dns_name_t *name,
  *\li	'section' be a named section.
  */
 
+void
+dns_message_removename(dns_message_t *msg, dns_name_t *name,
+                       dns_section_t section);
+/*%<
+ * Remove a existing name from a given section.
+ *
+ * It is the caller's responsibility to ensure the name is part of the
+ * given section.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid, and be a renderable message.
+ *
+ *\li	'name' be a valid absolute name.
+ *
+ *\li	'section' be a named section.
+ */
+
+
 /*
  * LOANOUT FUNCTIONS
  *
diff --git a/lib/dns/message.c b/lib/dns/message.c
index e518b35e70..27f2109f26 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.231 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: message.c,v 1.232 2006/03/02 01:57:20 marka Exp $ */
 
 /*! \file */
 
@@ -2284,6 +2284,18 @@ dns_message_addname(dns_message_t *msg, dns_name_t *name,
 	ISC_LIST_APPEND(msg->sections[section], name, link);
 }
 
+void
+dns_message_removename(dns_message_t *msg, dns_name_t *name,
+		       dns_section_t section)
+{
+	REQUIRE(msg != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(name != NULL);
+	REQUIRE(VALID_NAMED_SECTION(section));
+
+	ISC_LIST_UNLINK(msg->sections[section], name, link);
+}
+
 isc_result_t
 dns_message_gettempname(dns_message_t *msg, dns_name_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 2a85e20707..193d5543fd 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -276,6 +276,7 @@ dns_message_puttemprdata
 dns_message_puttemprdatalist
 dns_message_puttemprdataset
 dns_message_rechecksig
+dns_message_removename
 dns_message_renderbegin
 dns_message_renderchangebuffer
 dns_message_renderend

From 1d7b3b6dac1a0c6c586808c2add2ca2bef80512f Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Mar 2006 23:00:32 +0000
Subject: [PATCH 076/465] 1997.   [bug]           Named was failing to replace
 negative cache entries                         when a positive one for the
 type was learnt.                         [RT #15818]

---
 CHANGES         |  4 ++++
 lib/dns/rbtdb.c | 61 ++++++++++++++++++++++++++++++++-----------------
 2 files changed, 44 insertions(+), 21 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9614aa698e..9bdf3fd2c2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1997.	[bug]		Named was failing to replace negative cache entries
+			when a positive one for the type was learnt.
+			[RT #15818]
+
 1996.	[bug]		nsupdate: if a zone has been specified it should
 			appear in the output of 'show'. [RT #15797]
 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index e7643fb0be..84194ea266 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.226 2006/02/16 00:59:38 marka Exp $ */
+/* $Id: rbtdb.c,v 1.227 2006/03/02 23:00:32 marka Exp $ */
 
 /*! \file */
 
@@ -3331,7 +3331,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *found, *nsheader;
 	rdatasetheader_t *foundsig, *nssig, *cnamesig;
-	rbtdb_rdatatype_t sigtype, nsectype;
+	rbtdb_rdatatype_t sigtype, negtype;
 
 	UNUSED(version);
 
@@ -3408,7 +3408,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	found = NULL;
 	foundsig = NULL;
 	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
-	nsectype = RBTDB_RDATATYPE_VALUE(0, type);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
 	nsheader = NULL;
 	nssig = NULL;
 	cnamesig = NULL;
@@ -3491,7 +3491,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				 */
 				foundsig = header;
 			} else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				   header->type == nsectype) {
+				   header->type == negtype) {
 				/*
 				 * We've found a negative cache entry.
 				 */
@@ -4138,7 +4138,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
 	rdatasetheader_t *header, *header_next, *found, *foundsig;
-	rbtdb_rdatatype_t matchtype, sigmatchtype, nsectype;
+	rbtdb_rdatatype_t matchtype, sigmatchtype, negtype;
 	isc_result_t result;
 	nodelock_t *lock;
 	isc_rwlocktype_t locktype;
@@ -4160,7 +4160,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	found = NULL;
 	foundsig = NULL;
 	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
-	nsectype = RBTDB_RDATATYPE_VALUE(0, type);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
 	if (covers == 0)
 		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
 	else
@@ -4192,7 +4192,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			if (header->type == matchtype)
 				found = header;
 			else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				 header->type == nsectype)
+				 header->type == negtype)
 				found = header;
 			else if (header->type == sigmatchtype)
 				foundsig = header;
@@ -4370,7 +4370,8 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	isc_boolean_t header_nx;
 	isc_boolean_t newheader_nx;
 	isc_boolean_t merge;
-	dns_rdatatype_t nsectype, rdtype, covers;
+	dns_rdatatype_t rdtype, covers;
+	rbtdb_rdatatype_t negtype;
 	dns_trust_t trust;
 
 	/*
@@ -4408,7 +4409,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
 	topheader_prev = NULL;
 
-	nsectype = 0;
+	negtype = 0;
 	if (rbtversion == NULL && !newheader_nx) {
 		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
 		if (rdtype == 0) {
@@ -4418,12 +4419,13 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			covers = RBTDB_RDATATYPE_EXT(newheader->type);
 			if (covers == dns_rdatatype_any) {
 				/*
-				 * We're adding an NXDOMAIN negative cache
-				 * entry.
+				 * We're adding an negative cache entry
+				 * which covers all types (NXDOMAIN,
+				 * NODATA(QTYPE=ANY)).
 				 *
 				 * We make all other data stale so that the
 				 * only rdataset that can be found at this
-				 * node is the NXDOMAIN negative cache entry.
+				 * node is the negative cache entry.
 				 */
 				for (topheader = rbtnode->data;
 				     topheader != NULL;
@@ -4435,17 +4437,19 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				rbtnode->dirty = 1;
 				goto find_header;
 			}
-			nsectype = RBTDB_RDATATYPE_VALUE(covers, 0);
+			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
 		} else {
 			/*
 			 * We're adding something that isn't a
 			 * negative cache entry.  Look for an extant
-			 * non-stale NXDOMAIN negative cache entry.
+			 * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
+			 * cache entry.
 			 */
 			for (topheader = rbtnode->data;
 			     topheader != NULL;
 			     topheader = topheader->next) {
-				if (NXDOMAIN(topheader))
+				if (topheader->type == 
+				    RBTDB_RDATATYPE_NCACHEANY)
 					break;
 			}
 			if (topheader != NULL && EXISTS(topheader) &&
@@ -4455,7 +4459,8 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				 */
 				if (trust < topheader->trust) {
 					/*
-					 * The NXDOMAIN is more trusted.
+					 * The NXDOMAIN/NODATA(QTYPE=ANY)
+					 * is more trusted.
 					 */
 					
 					free_rdataset(rbtdb->common.mctx,
@@ -4468,7 +4473,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				}
 				/*
 				 * The new rdataset is better.  Expire the
-				 * NXDOMAIN.
+				 * NXDOMAIN/NODATA(QTYPE=ANY).
 				 */
 				topheader->ttl = 0;
 				topheader->attributes |= RDATASET_ATTR_STALE;
@@ -4476,7 +4481,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				topheader = NULL;
 				goto find_header;
 			}
-			nsectype = RBTDB_RDATATYPE_VALUE(0, rdtype);
+			negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
 		}
 	}
 
@@ -4484,7 +4489,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	     topheader != NULL;
 	     topheader = topheader->next) {
 		if (topheader->type == newheader->type ||
-		    topheader->type == nsectype)
+		    topheader->type == negtype)
 			break;
 		topheader_prev = topheader;
 	}
@@ -4650,6 +4655,10 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			rbtnode->dirty = 1;
 			if (changed != NULL)
 				changed->dirty = ISC_TRUE;
+			if (rbtversion == NULL) {
+				header->ttl = 0;
+				header->attributes |= RDATASET_ATTR_STALE;
+			}
 		}
 	} else {
 		/*
@@ -5819,7 +5828,8 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 	rdatasetheader_t *header, *top_next;
 	rbtdb_serial_t serial;
 	isc_stdtime_t now;
-	rbtdb_rdatatype_t type;
+	rbtdb_rdatatype_t type, negtype;
+	dns_rdatatype_t rdtype, covers;
 
 	header = rbtiterator->current;
 	if (header == NULL)
@@ -5837,9 +5847,18 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 		  isc_rwlocktype_read);
 
 	type = header->type;
+	rdtype = RBTDB_RDATATYPE_BASE(header->type);
+	if (rdtype == 0) {
+		covers = RBTDB_RDATATYPE_EXT(header->type);
+		negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+	} else 
+		negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
 	for (header = header->next; header != NULL; header = top_next) {
 		top_next = header->next;
-		if (header->type != type) {
+		/*
+		 * If not walking back up the down list.
+		 */
+		if (header->type != type && header->type != negtype) {
 			do {
 				if (header->serial <= serial &&
 				    !IGNORE(header)) {

From 2bd075a6af74b45c2459e731478d242313cd00f9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Mar 2006 23:16:56 +0000
Subject: [PATCH 077/465] 1997.   [bug]           Named was failing to replace
 negative cache entries                         when a positive one for the
 type was learnt.                         [RT #15818]

---
 CHANGES         |  4 ++++
 lib/dns/rbtdb.c | 61 ++++++++++++++++++++++++++++++++-----------------
 2 files changed, 44 insertions(+), 21 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2805b43bfd..5a82d59e52 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1997.	[bug]		Named was failing to replace negative cache entries
+			when a positive one for the type was learnt.
+			[RT #15818]
+
 1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
 
 1991.	[cleanup]	The configuration data, once read, should be treated
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 726f216a96..cdb12259eb 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.168.2.25 2006/01/06 00:01:41 marka Exp $ */
+/* $Id: rbtdb.c,v 1.168.2.26 2006/03/02 23:16:56 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -2718,7 +2718,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *found, *nsheader;
 	rdatasetheader_t *foundsig, *nssig, *cnamesig;
-	rbtdb_rdatatype_t sigtype, nxtype;
+	rbtdb_rdatatype_t sigtype, negtype;
 
 	UNUSED(version);
 
@@ -2786,7 +2786,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	found = NULL;
 	foundsig = NULL;
 	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, type);
-	nxtype = RBTDB_RDATATYPE_VALUE(0, type);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
 	nsheader = NULL;
 	nssig = NULL;
 	cnamesig = NULL;
@@ -2859,7 +2859,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				 */
 				foundsig = header;
 			} else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				   header->type == nxtype) {
+				   header->type == negtype) {
 				/*
 				 * We've found a negative cache entry.
 				 */
@@ -3471,7 +3471,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
 	rdatasetheader_t *header, *header_next, *found, *foundsig;
-	rbtdb_rdatatype_t matchtype, sigmatchtype, nxtype;
+	rbtdb_rdatatype_t matchtype, sigmatchtype, negtype;
 	isc_result_t result;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
@@ -3489,7 +3489,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	found = NULL;
 	foundsig = NULL;
 	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
-	nxtype = RBTDB_RDATATYPE_VALUE(0, type);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
 	if (covers == 0)
 		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, type);
 	else
@@ -3513,7 +3513,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			if (header->type == matchtype)
 				found = header;
 			else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				 header->type == nxtype)
+				 header->type == negtype)
 				found = header;
 			else if (header->type == sigmatchtype)
 				foundsig = header;
@@ -3689,7 +3689,8 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	isc_boolean_t header_nx;
 	isc_boolean_t newheader_nx;
 	isc_boolean_t merge;
-	dns_rdatatype_t nxtype, rdtype, covers;
+	dns_rdatatype_t rdtype, covers;
+	rbtdb_rdatatype_t negtype;
 	dns_trust_t trust;
 
 	/*
@@ -3727,7 +3728,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
 	topheader_prev = NULL;
 
-	nxtype = 0;
+	negtype = 0;
 	if (rbtversion == NULL && !newheader_nx) {
 		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
 		if (rdtype == 0) {
@@ -3737,12 +3738,13 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			covers = RBTDB_RDATATYPE_EXT(newheader->type);
 			if (covers == dns_rdatatype_any) {
 				/*
-				 * We're adding an NXDOMAIN negative cache
-				 * entry.
+				 * We're adding an negative cache entry
+				 * which covers all types (NXDOMAIN,
+				 * NODATA(QTYPE=ANY)).
 				 *
 				 * We make all other data stale so that the
 				 * only rdataset that can be found at this
-				 * node is the NXDOMAIN negative cache entry.
+				 * node is the negative cache entry.
 				 */
 				for (topheader = rbtnode->data;
 				     topheader != NULL;
@@ -3754,17 +3756,19 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				rbtnode->dirty = 1;
 				goto find_header;
 			}
-			nxtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
 		} else {
 			/*
 			 * We're adding something that isn't a
 			 * negative cache entry.  Look for an extant
-			 * non-stale NXDOMAIN negative cache entry.
+			 * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
+			 * cache entry.
 			 */
 			for (topheader = rbtnode->data;
 			     topheader != NULL;
 			     topheader = topheader->next) {
-				if (NXDOMAIN(topheader))
+				if (topheader->type ==
+				    RBTDB_RDATATYPE_NCACHEANY)
 					break;
 			}
 			if (topheader != NULL && EXISTS(topheader) &&
@@ -3774,7 +3778,8 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				 */
 				if (trust < topheader->trust) {
 					/*
-					 * The NXDOMAIN is more trusted.
+					 * The NXDOMAIN/NODATA(QTYPE=ANY)
+					 * is more trusted.
 					 */
 					free_rdataset(rbtdb->common.mctx,
 						      newheader);
@@ -3786,7 +3791,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				}
 				/*
 				 * The new rdataset is better.  Expire the
-				 * NXDOMAIN.
+				 * NXDOMAIN/NODATA(QTYPE=ANY).
 				 */
 				topheader->ttl = 0;
 				topheader->attributes |= RDATASET_ATTR_STALE;
@@ -3794,7 +3799,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				topheader = NULL;
 				goto find_header;
 			}
-			nxtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
+			negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
 		}
 	}
 
@@ -3802,7 +3807,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	     topheader != NULL;
 	     topheader = topheader->next) {
 		if (topheader->type == newheader->type ||
-		    topheader->type == nxtype)
+		    topheader->type == negtype)
 			break;
 		topheader_prev = topheader;
 	}
@@ -3956,6 +3961,10 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			rbtnode->dirty = 1;
 			if (changed != NULL)
 				changed->dirty = ISC_TRUE;
+			if (rbtversion == NULL) {
+				header->ttl = 0;
+				header->attributes |= RDATASET_ATTR_STALE;
+			}
 		}
 	} else {
 		/*
@@ -4943,7 +4952,8 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 	rdatasetheader_t *header, *top_next;
 	rbtdb_serial_t serial;
 	isc_stdtime_t now;
-	rbtdb_rdatatype_t type;
+	rbtdb_rdatatype_t type, negtype;
+	dns_rdatatype_t rdtype, covers;
 
 	header = rbtiterator->current;
 	if (header == NULL)
@@ -4960,9 +4970,18 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
 	type = header->type;
+	rdtype = RBTDB_RDATATYPE_BASE(header->type);
+	if (rdtype == 0) {
+		covers = RBTDB_RDATATYPE_EXT(header->type);
+		negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+	} else 
+		negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
 	for (header = header->next; header != NULL; header = top_next) {
 		top_next = header->next;
-		if (header->type != type) {
+		/*
+		 * If not walking back up the down list.
+		 */
+		if (header->type != type && header->type != negtype) {
 			do {
 				if (header->serial <= serial &&
 				    !IGNORE(header)) {

From b6d199bd6a505d84093874339056d9df4d21dfbc Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Mar 2006 23:25:05 +0000
Subject: [PATCH 078/465] 1998.   [bug]           Restrict handling of fifos as
 sockets to just SunOS.                         This allows named to connect
 to entropy gathering                         daemons that use fifos instead
 of sockets. [RT #15840]

---
 CHANGES                | 4 ++++
 lib/isc/unix/entropy.c | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9bdf3fd2c2..3abd6ae9ed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
+			This allows named to connect to entropy gathering
+			daemons that use fifos instead of sockets. [RT #15840]
+
 1997.	[bug]		Named was failing to replace negative cache entries
 			when a positive one for the type was learnt.
 			[RT #15818]
diff --git a/lib/isc/unix/entropy.c b/lib/isc/unix/entropy.c
index 2fe3bab27f..e3a3a201f4 100644
--- a/lib/isc/unix/entropy.c
+++ b/lib/isc/unix/entropy.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.76 2006/01/06 00:01:44 marka Exp $ */
+/* $Id: entropy.c,v 1.77 2006/03/02 23:25:05 marka Exp $ */
 
 /* \file unix/entropy.c
  * \brief
@@ -504,7 +504,7 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 	if (S_ISSOCK(_stat.st_mode))
 		is_usocket = ISC_TRUE;
 #endif
-#if defined(S_ISFIFO)
+#if defined(S_ISFIFO) && defined(sun)
 	if (S_ISFIFO(_stat.st_mode))
 		is_usocket = ISC_TRUE;
 #endif

From c069a20053d41ae299eb9457e50ea44ae9f73ed2 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Mar 2006 23:30:24 +0000
Subject: [PATCH 079/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index e790c0dc85..497ac2dec1 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -36,7 +36,7 @@
 ./bin/dig/dig.html				HTML	DOCBOOK
 ./bin/dig/dighost.c				C	2000,2001,2002,2003,2004,2005,2006
 ./bin/dig/host.1				MAN	DOCBOOK
-./bin/dig/host.c				C	2000,2001,2002,2003,2004,2005
+./bin/dig/host.c				C	2000,2001,2002,2003,2004,2005,2006
 ./bin/dig/host.docbook				SGML	2000,2001,2002,2004,2005
 ./bin/dig/host.html				HTML	DOCBOOK
 ./bin/dig/include/dig/dig.h			C	2000,2001,2002,2003,2004,2005,2006

From fb9395c8dd2267c2dfded51dd29c80135bb11f8d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 2 Mar 2006 23:48:50 +0000
Subject: [PATCH 080/465] update copyright notice

---
 bin/dig/host.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dig/host.c b/bin/dig/host.c
index 2ed358d250..1582f31ce8 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.107 2006/03/02 01:45:46 marka Exp $ */
+/* $Id: host.c,v 1.108 2006/03/02 23:48:50 marka Exp $ */
 
 /*! \file */
 

From d76ed813a51465e5c47d521ab09ea20c06f1428d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 3 Mar 2006 00:43:35 +0000
Subject: [PATCH 081/465] 1999.   [func]          Implement "rrset-order
 fixed". [RT #13662]

---
 CHANGES                                       |   2 +
 bin/named/config.c                            |   4 +-
 bin/named/query.c                             |   4 +-
 bin/named/update.c                            |   6 +-
 bin/named/xfrout.c                            |   5 +-
 bin/tests/system/conf.sh.in                   |   6 +-
 bin/tests/system/rrsetorder/clean.sh          |  22 ++
 .../system/rrsetorder/dig.out.cyclic.good1    |   4 +
 .../system/rrsetorder/dig.out.cyclic.good2    |   4 +
 .../system/rrsetorder/dig.out.cyclic.good3    |   4 +
 .../system/rrsetorder/dig.out.cyclic.good4    |   4 +
 .../system/rrsetorder/dig.out.fixed.good      |   4 +
 .../system/rrsetorder/dig.out.random.good1    |   4 +
 .../system/rrsetorder/dig.out.random.good10   |   4 +
 .../system/rrsetorder/dig.out.random.good11   |   4 +
 .../system/rrsetorder/dig.out.random.good12   |   4 +
 .../system/rrsetorder/dig.out.random.good13   |   4 +
 .../system/rrsetorder/dig.out.random.good14   |   4 +
 .../system/rrsetorder/dig.out.random.good15   |   4 +
 .../system/rrsetorder/dig.out.random.good16   |   4 +
 .../system/rrsetorder/dig.out.random.good17   |   4 +
 .../system/rrsetorder/dig.out.random.good18   |   4 +
 .../system/rrsetorder/dig.out.random.good19   |   4 +
 .../system/rrsetorder/dig.out.random.good2    |   4 +
 .../system/rrsetorder/dig.out.random.good20   |   4 +
 .../system/rrsetorder/dig.out.random.good21   |   4 +
 .../system/rrsetorder/dig.out.random.good22   |   4 +
 .../system/rrsetorder/dig.out.random.good23   |   4 +
 .../system/rrsetorder/dig.out.random.good24   |   4 +
 .../system/rrsetorder/dig.out.random.good3    |   4 +
 .../system/rrsetorder/dig.out.random.good4    |   4 +
 .../system/rrsetorder/dig.out.random.good5    |   4 +
 .../system/rrsetorder/dig.out.random.good6    |   4 +
 .../system/rrsetorder/dig.out.random.good7    |   4 +
 .../system/rrsetorder/dig.out.random.good8    |   4 +
 .../system/rrsetorder/dig.out.random.good9    |   4 +
 bin/tests/system/rrsetorder/ns1/named.conf    |  43 +++
 bin/tests/system/rrsetorder/ns1/root.db       |  40 +++
 bin/tests/system/rrsetorder/ns2/named.conf    |  45 +++
 bin/tests/system/rrsetorder/ns3/named.conf    |  44 +++
 bin/tests/system/rrsetorder/tests.sh          | 329 ++++++++++++++++++
 bin/tests/system/start.pl                     |   6 +-
 bin/tests/system/stop.pl                      |   4 +-
 lib/bind9/check.c                             |   7 +-
 lib/dns/include/dns/rdataset.h                |   6 +-
 lib/dns/masterdump.c                          |   3 +-
 lib/dns/rbtdb.c                               |  69 ++--
 lib/dns/rdataslab.c                           | 269 ++++++++++++--
 48 files changed, 944 insertions(+), 86 deletions(-)
 create mode 100644 bin/tests/system/rrsetorder/clean.sh
 create mode 100644 bin/tests/system/rrsetorder/dig.out.cyclic.good1
 create mode 100644 bin/tests/system/rrsetorder/dig.out.cyclic.good2
 create mode 100644 bin/tests/system/rrsetorder/dig.out.cyclic.good3
 create mode 100644 bin/tests/system/rrsetorder/dig.out.cyclic.good4
 create mode 100644 bin/tests/system/rrsetorder/dig.out.fixed.good
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good1
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good10
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good11
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good12
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good13
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good14
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good15
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good16
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good17
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good18
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good19
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good2
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good20
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good21
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good22
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good23
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good24
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good3
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good4
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good5
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good6
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good7
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good8
 create mode 100644 bin/tests/system/rrsetorder/dig.out.random.good9
 create mode 100644 bin/tests/system/rrsetorder/ns1/named.conf
 create mode 100644 bin/tests/system/rrsetorder/ns1/root.db
 create mode 100644 bin/tests/system/rrsetorder/ns2/named.conf
 create mode 100644 bin/tests/system/rrsetorder/ns3/named.conf
 create mode 100644 bin/tests/system/rrsetorder/tests.sh

diff --git a/CHANGES b/CHANGES
index 3abd6ae9ed..bc6d0e6ef2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+1999.	[func]		Implement "rrset-order fixed". [RT #13662]
+
 1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
 			This allows named to connect to entropy gathering
 			daemons that use fifos instead of sockets. [RT #15840]
diff --git a/bin/named/config.c b/bin/named/config.c
index 7cf5d3c841..cf9300b262 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.69 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: config.c,v 1.70 2006/03/03 00:43:34 marka Exp $ */
 
 /*! \file */
 
@@ -80,7 +80,7 @@ options {\n\
 #endif
 "\
 	recursive-clients 1000;\n\
-	rrset-order {order cyclic;};\n\
+	rrset-order {type NS order random; order cyclic; };\n\
 	serial-queries 20;\n\
 	serial-query-rate 20;\n\
 	server-id none;\n\
diff --git a/bin/named/query.c b/bin/named/query.c
index 098cb6d824..6981cd4e52 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.281 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: query.c,v 1.282 2006/03/03 00:43:34 marka Exp $ */
 
 /*! \file */
 
@@ -1914,6 +1914,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
 		rdataset->attributes |= dns_order_find(client->view->order,
 						       fname, rdataset->type,
 						       rdataset->rdclass);
+	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+
 	if (NOADDITIONAL(client))
 		return;
 
diff --git a/bin/named/update.c b/bin/named/update.c
index b7a2c99b96..8e083dd0d0 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.127 2006/01/06 00:01:44 marka Exp $ */
+/* $Id: update.c,v 1.128 2006/03/03 00:43:34 marka Exp $ */
 
 #include 
 
@@ -1311,8 +1311,8 @@ static isc_result_t
 namelist_append_name(dns_diff_t *list, dns_name_t *name) {
 	isc_result_t result;
 	dns_difftuple_t *tuple = NULL;
-	static dns_rdata_t dummy_rdata = { NULL, 0, 0, 0, 0,
-					   { (void*)(-1), (void*)(-1) } };
+	static dns_rdata_t dummy_rdata = DNS_RDATA_INIT;
+
 	CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
 				   &dummy_rdata, &tuple));
 	dns_diff_append(list, &tuple);
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 9a72341672..2e9017dac7 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.121 2005/10/14 01:14:07 marka Exp $ */
+/* $Id: xfrout.c,v 1.122 2006/03/03 00:43:34 marka Exp $ */
 
 #include 
 
@@ -200,7 +200,7 @@ db_rr_iterator_first(db_rr_iterator_t *it) {
 			continue;
 		}
 		dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
-
+		it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
 		it->result = dns_rdataset_first(&it->rdataset);
 		return (it->result);
 	}
@@ -250,6 +250,7 @@ db_rr_iterator_next(db_rr_iterator_t *it) {
 		if (it->result != ISC_R_SUCCESS)
 			return (it->result);
 		dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+		it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
 		it->result = dns_rdataset_first(&it->rdataset);
 		if (it->result != ISC_R_SUCCESS)
 			return (it->result);
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 838b0072f0..e07a266aa6 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: conf.sh.in,v 1.33 2005/09/05 00:10:53 marka Exp $
+# $Id: conf.sh.in,v 1.34 2006/03/03 00:43:34 marka Exp $
 
 #
 # Common configuration data for system tests, to be sourced into
@@ -44,8 +44,8 @@ CHECKCONF=$TOP/bin/check/named-checkconf
 # load on the machine to make it unusable to other users.
 # v6synth
 SUBDIRS="cacheclean checkconf checknames dnssec forward glue ixfr limits
-    lwresd masterfile masterformat notify nsupdate resolver sortlist stub
-    tkey unknown upforwd views xfer xferquota zonechecks"
+    lwresd masterfile masterformat notify nsupdate resolver rrsetorder
+    sortlist stub tkey unknown upforwd views xfer xferquota zonechecks"
 
 # PERL will be an empty string if no perl interpreter was found.
 PERL=@PERL@
diff --git a/bin/tests/system/rrsetorder/clean.sh b/bin/tests/system/rrsetorder/clean.sh
new file mode 100644
index 0000000000..92f47f2ec2
--- /dev/null
+++ b/bin/tests/system/rrsetorder/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2 2006/03/03 00:43:34 marka Exp $
+
+rm -f dig.out.cyclic dig.out.fixed dig.out.random
+rm -f ns2/root.bk
+rm -f ns?/named.run ns?/named.core
+
diff --git a/bin/tests/system/rrsetorder/dig.out.cyclic.good1 b/bin/tests/system/rrsetorder/dig.out.cyclic.good1
new file mode 100644
index 0000000000..d2ca6fc366
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.cyclic.good1
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.4
+1.2.3.3
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.cyclic.good2 b/bin/tests/system/rrsetorder/dig.out.cyclic.good2
new file mode 100644
index 0000000000..c25c75601e
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.cyclic.good2
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.2
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.cyclic.good3 b/bin/tests/system/rrsetorder/dig.out.cyclic.good3
new file mode 100644
index 0000000000..e8deb6717d
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.cyclic.good3
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.2
+1.2.3.1
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.cyclic.good4 b/bin/tests/system/rrsetorder/dig.out.cyclic.good4
new file mode 100644
index 0000000000..3b27693958
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.cyclic.good4
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.1
+1.2.3.4
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.fixed.good b/bin/tests/system/rrsetorder/dig.out.fixed.good
new file mode 100644
index 0000000000..eaf9c63152
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.fixed.good
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.1
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good1 b/bin/tests/system/rrsetorder/dig.out.random.good1
new file mode 100644
index 0000000000..c272c756e2
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good1
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.2
+1.2.3.3
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good10 b/bin/tests/system/rrsetorder/dig.out.random.good10
new file mode 100644
index 0000000000..6a39e3f3eb
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good10
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.3
+1.2.3.4
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good11 b/bin/tests/system/rrsetorder/dig.out.random.good11
new file mode 100644
index 0000000000..efbc79247e
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good11
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.4
+1.2.3.1
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good12 b/bin/tests/system/rrsetorder/dig.out.random.good12
new file mode 100644
index 0000000000..c859a2e6d8
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good12
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.4
+1.2.3.3
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good13 b/bin/tests/system/rrsetorder/dig.out.random.good13
new file mode 100644
index 0000000000..49bf54b2a9
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good13
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.1
+1.2.3.2
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good14 b/bin/tests/system/rrsetorder/dig.out.random.good14
new file mode 100644
index 0000000000..974aa898ee
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good14
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.1
+1.2.3.4
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good15 b/bin/tests/system/rrsetorder/dig.out.random.good15
new file mode 100644
index 0000000000..e8deb6717d
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good15
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.2
+1.2.3.1
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good16 b/bin/tests/system/rrsetorder/dig.out.random.good16
new file mode 100644
index 0000000000..f4670876fe
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good16
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.2
+1.2.3.4
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good17 b/bin/tests/system/rrsetorder/dig.out.random.good17
new file mode 100644
index 0000000000..6082a255fc
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good17
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.4
+1.2.3.1
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good18 b/bin/tests/system/rrsetorder/dig.out.random.good18
new file mode 100644
index 0000000000..07eefa0ec3
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good18
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.4
+1.2.3.2
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good19 b/bin/tests/system/rrsetorder/dig.out.random.good19
new file mode 100644
index 0000000000..a5530c658f
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good19
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.1
+1.2.3.2
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good2 b/bin/tests/system/rrsetorder/dig.out.random.good2
new file mode 100644
index 0000000000..00da93a4d4
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good2
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.2
+1.2.3.4
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good20 b/bin/tests/system/rrsetorder/dig.out.random.good20
new file mode 100644
index 0000000000..6dcf6daf9d
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good20
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.1
+1.2.3.3
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good21 b/bin/tests/system/rrsetorder/dig.out.random.good21
new file mode 100644
index 0000000000..9dcc63f21a
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good21
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.2
+1.2.3.1
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good22 b/bin/tests/system/rrsetorder/dig.out.random.good22
new file mode 100644
index 0000000000..4c51aa6075
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good22
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.2
+1.2.3.3
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good23 b/bin/tests/system/rrsetorder/dig.out.random.good23
new file mode 100644
index 0000000000..eaf9c63152
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good23
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.1
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good24 b/bin/tests/system/rrsetorder/dig.out.random.good24
new file mode 100644
index 0000000000..c25c75601e
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good24
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.2
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good3 b/bin/tests/system/rrsetorder/dig.out.random.good3
new file mode 100644
index 0000000000..4d50059a55
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good3
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.3
+1.2.3.2
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good4 b/bin/tests/system/rrsetorder/dig.out.random.good4
new file mode 100644
index 0000000000..0b34afab17
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good4
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.3
+1.2.3.4
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good5 b/bin/tests/system/rrsetorder/dig.out.random.good5
new file mode 100644
index 0000000000..efe0e253d4
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good5
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.4
+1.2.3.2
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good6 b/bin/tests/system/rrsetorder/dig.out.random.good6
new file mode 100644
index 0000000000..d2ca6fc366
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good6
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.4
+1.2.3.3
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good7 b/bin/tests/system/rrsetorder/dig.out.random.good7
new file mode 100644
index 0000000000..0d8312a214
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good7
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.1
+1.2.3.3
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good8 b/bin/tests/system/rrsetorder/dig.out.random.good8
new file mode 100644
index 0000000000..3b27693958
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good8
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.1
+1.2.3.4
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good9 b/bin/tests/system/rrsetorder/dig.out.random.good9
new file mode 100644
index 0000000000..61192afb51
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good9
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.3
+1.2.3.1
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/ns1/named.conf b/bin/tests/system/rrsetorder/ns1/named.conf
new file mode 100644
index 0000000000..a5a94fb179
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns1/named.conf
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2006/03/03 00:43:35 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	rrset-order {
+		name "fixed.example" order fixed;
+		name "random.example" order random;
+		name "cyclic.example" order cyclic;
+		type NS order random;
+		order cyclic;
+	};
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
diff --git a/bin/tests/system/rrsetorder/ns1/root.db b/bin/tests/system/rrsetorder/ns1/root.db
new file mode 100644
index 0000000000..f3606c0457
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns1/root.db
@@ -0,0 +1,40 @@
+; Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2 2006/03/03 00:43:35 marka Exp $
+
+$TTL 3600
+.                       SOA	hostmaster.isc.org. a.root-servers.nil. (
+				2000042100
+				600
+				600
+				1200
+				600 )
+.                       NS      a.root-servers.nil.
+a.root-servers.nil	A       10.53.0.1
+;
+fixed.example.		A	1.2.3.4
+fixed.example.		A	1.2.3.3
+fixed.example.		A	1.2.3.1
+fixed.example.		A	1.2.3.2
+;
+random.example.		A	1.2.3.1
+random.example.		A	1.2.3.2
+random.example.		A	1.2.3.3
+random.example.		A	1.2.3.4
+;
+cyclic.example.		A	1.2.3.4
+cyclic.example.		A	1.2.3.3
+cyclic.example.		A	1.2.3.2
+cyclic.example.		A	1.2.3.1
diff --git a/bin/tests/system/rrsetorder/ns2/named.conf b/bin/tests/system/rrsetorder/ns2/named.conf
new file mode 100644
index 0000000000..bf0d1c1d7b
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns2/named.conf
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2006/03/03 00:43:35 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	// flush-zones-on-shutdown yes;
+	rrset-order {
+		name "fixed.example" order fixed;
+		name "random.example" order random;
+		name "cyclic.example" order cyclic;
+		type NS order random;
+		order cyclic;
+	};
+};
+
+zone "." {
+	type slave;
+	masters { 10.53.0.1; };
+	file "root.bk";
+};
diff --git a/bin/tests/system/rrsetorder/ns3/named.conf b/bin/tests/system/rrsetorder/ns3/named.conf
new file mode 100644
index 0000000000..88bb88bf41
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns3/named.conf
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2006/03/03 00:43:35 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	rrset-order {
+		name "fixed.example" order fixed;
+		name "random.example" order random;
+		name "cyclic.example" order cyclic;
+		type NS order random;
+		order cyclic;
+	};
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
diff --git a/bin/tests/system/rrsetorder/tests.sh b/bin/tests/system/rrsetorder/tests.sh
new file mode 100644
index 0000000000..99f2414ac5
--- /dev/null
+++ b/bin/tests/system/rrsetorder/tests.sh
@@ -0,0 +1,329 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2 2006/03/03 00:43:34 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+#
+#
+#
+echo "I: Checking order fixed (master)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.1 fixed.example > dig.out.fixed || ret=1
+cmp -s dig.out.fixed dig.out.fixed.good || ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+#
+#
+#
+echo "I: Checking order cyclic (master)"
+ret=0
+match1=0
+match2=0
+match3=0
+match4=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.1 cyclic.example > dig.out.cyclic || ret=1
+cmp -s dig.out.cyclic dig.out.cyclic.good1 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good2 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good3 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good4 || \
+ret=1
+
+cmp -s dig.out.cyclic dig.out.cyclic.good1 && match1=1
+cmp -s dig.out.cyclic dig.out.cyclic.good2 && match2=1
+cmp -s dig.out.cyclic dig.out.cyclic.good3 && match3=1
+cmp -s dig.out.cyclic dig.out.cyclic.good4 && match4=1
+
+done
+match=`expr $match1 + $match2 + $match3 + $match4`
+if [ $match != 4 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I: Checking order random (master)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+do
+	eval match$i=0
+done
+for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.1 random.example > dig.out.random || ret=1
+	match=0
+	for j in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+	do
+		eval "cmp -s dig.out.random dig.out.random.good$j && match$j=1 match=1"
+		if [ $match -eq 1 ]; then break; fi
+	done
+	if [ $match -eq 0 ]; then ret=1; fi
+done
+match=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+do
+	eval "match=\`expr \$match + \$match$i\`"
+done
+echo "I: Random selection return $match of 24 possible orders in 36 samples"
+if [ $match -lt 8 ]; then echo ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+#
+#
+#
+echo "I: Checking order fixed (slave)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.2 fixed.example > dig.out.fixed || ret=1
+cmp -s dig.out.fixed dig.out.fixed.good || ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+#
+#
+#
+echo "I: Checking order cyclic (slave)"
+ret=0
+match1=0
+match2=0
+match3=0
+match4=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1
+cmp -s dig.out.cyclic dig.out.cyclic.good1 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good2 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good3 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good4 || \
+ret=1
+
+cmp -s dig.out.cyclic dig.out.cyclic.good1 && match1=1
+cmp -s dig.out.cyclic dig.out.cyclic.good2 && match2=1
+cmp -s dig.out.cyclic dig.out.cyclic.good3 && match3=1
+cmp -s dig.out.cyclic dig.out.cyclic.good4 && match4=1
+
+done
+match=`expr $match1 + $match2 + $match3 + $match4`
+if [ $match != 4 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I: Checking order random (slave)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+do
+	eval match$i=0
+done
+for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.2 random.example > dig.out.random || ret=1
+	match=0
+	for j in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+	do
+		eval "cmp -s dig.out.random dig.out.random.good$j && match$j=1 match=1"
+		if [ $match -eq 1 ]; then break; fi
+	done
+	if [ $match -eq 0 ]; then ret=1; fi
+done
+match=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+do
+eval "match=\`expr \$match + \$match$i\`"
+done
+echo "I: Random selection return $match of 24 possible orders in 36 samples"
+if [ $match -lt 8 ]; then echo ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I: Shutting down slave"
+
+(cd ..; sh stop.sh rrsetorder ns2 )
+
+echo "I: Checking for slave's on disk copy of zone"
+
+if [ ! -f ns2/root.bk ]
+then
+	echo "I:failed";
+	status=`expr $status + 1`
+fi
+
+echo "I: Re-starting slave"
+
+(cd ..; sh start.sh --noclean rrsetorder ns2 )
+
+#
+#
+#
+echo "I: Checking order fixed (slave loaded from disk)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.2 fixed.example > dig.out.fixed || ret=1
+cmp -s dig.out.fixed dig.out.fixed.good || ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+#
+#
+#
+echo "I: Checking order cyclic (slave loaded from disk)"
+ret=0
+match1=0
+match2=0
+match3=0
+match4=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1
+cmp -s dig.out.cyclic dig.out.cyclic.good1 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good2 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good3 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good4 || \
+ret=1
+
+cmp -s dig.out.cyclic dig.out.cyclic.good1 && match1=1
+cmp -s dig.out.cyclic dig.out.cyclic.good2 && match2=1
+cmp -s dig.out.cyclic dig.out.cyclic.good3 && match3=1
+cmp -s dig.out.cyclic dig.out.cyclic.good4 && match4=1
+
+done
+match=`expr $match1 + $match2 + $match3 + $match4`
+if [ $match != 4 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I: Checking order random (slave loaded from disk)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+do
+	eval match$i=0
+done
+for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.2 random.example > dig.out.random || ret=1
+	match=0
+	for j in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+	do
+		eval "cmp -s dig.out.random dig.out.random.good$j && match$j=1 match=1"
+		if [ $match -eq 1 ]; then break; fi
+	done
+	if [ $match -eq 0 ]; then ret=1; fi
+done
+match=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+do
+eval "match=\`expr \$match + \$match$i\`"
+done
+echo "I: Random selection return $match of 24 possible orders in 36 samples"
+if [ $match -lt 8 ]; then echo ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+#
+#
+#
+echo "I: Checking order fixed (cache)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.3 fixed.example > dig.out.fixed || ret=1
+cmp -s dig.out.fixed dig.out.fixed.good || ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+#
+#
+#
+echo "I: Checking order cyclic (cache)"
+ret=0
+match1=0
+match2=0
+match3=0
+match4=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1
+cmp -s dig.out.cyclic dig.out.cyclic.good1 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good2 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good3 || \
+cmp -s dig.out.cyclic dig.out.cyclic.good4 || \
+ret=1
+
+cmp -s dig.out.cyclic dig.out.cyclic.good1 && match1=1
+cmp -s dig.out.cyclic dig.out.cyclic.good2 && match2=1
+cmp -s dig.out.cyclic dig.out.cyclic.good3 && match3=1
+cmp -s dig.out.cyclic dig.out.cyclic.good4 && match4=1
+
+done
+match=`expr $match1 + $match2 + $match3 + $match4`
+if [ $match != 4 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I: Checking order random (cache)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+do
+	eval match$i=0
+done
+for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
+do
+$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
+	-p 5300 @10.53.0.3 random.example > dig.out.random || ret=1
+	match=0
+	for j in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+	do
+		eval "cmp -s dig.out.random dig.out.random.good$j && match$j=1 match=1"
+		if [ $match -eq 1 ]; then break; fi
+	done
+	if [ $match -eq 0 ]; then ret=1; fi
+done
+match=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
+do
+eval "match=\`expr \$match + \$match$i\`"
+done
+echo "I: Random selection return $match of 24 possible orders in 36 samples"
+if [ $match -lt 8 ]; then echo ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+
+status=`expr $status + $ret`
+echo "I:exit status: $status"
+exit $status
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index 1826f11bab..c51b5f4884 100644
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: start.pl,v 1.7 2005/06/12 00:03:20 marka Exp $
+# $Id: start.pl,v 1.8 2006/03/03 00:43:34 marka Exp $
 
 # Framework for starting test servers.
 # Based on the type of server specified, check for port availability, remove
@@ -47,8 +47,8 @@ if (!$test) {
 if (!-d $test) {
 	print "No test directory: \"$test\"\n";
 }
-if ($server && !-d $server) {
-	print "No server directory: \"$test\"\n";
+if ($server && !-d "$test/$server") {
+	print "No server directory: \"$test/$server\"\n";
 }
 
 # Global variables
diff --git a/bin/tests/system/stop.pl b/bin/tests/system/stop.pl
index 9fc51194d4..25d73b1e12 100644
--- a/bin/tests/system/stop.pl
+++ b/bin/tests/system/stop.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: stop.pl,v 1.8 2005/09/30 00:39:50 marka Exp $
+# $Id: stop.pl,v 1.9 2006/03/03 00:43:34 marka Exp $
 
 # Framework for stopping test servers
 # Based on the type of server specified, signal the server to stop, wait
@@ -50,7 +50,7 @@ my $errors = 0;
 
 die "$usage\n" unless defined($test);
 die "No test directory: \"$test\"\n" unless (-d $test);
-die "No server directory: \"$server\"\n" if (defined($server) && !-d $server);
+die "No server directory: \"$server\"\n" if (defined($server) && !-d "$test/$server");
     
 # Global variables
 my $testdir = abs_path($test);
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 32a65d6101..1d5c6bf8d8 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.70 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: check.c,v 1.71 2006/03/03 00:43:35 marka Exp $ */
 
 /*! \file */
 
@@ -121,10 +121,7 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
 	    cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
 			"rrset-order: missing ordering");
 		result = ISC_R_FAILURE;
-	} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
-		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
-			    "rrset-order: order 'fixed' not fully implemented");
-	} else if (/* strcasecmp(cfg_obj_asstring(obj), "fixed") != 0 && */
+	} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") != 0 &&
 		   strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
 		   strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
 		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 980b870406..a24b1be8ef 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.58 2006/03/02 00:37:23 marka Exp $ */
+/* $Id: rdataset.h,v 1.59 2006/03/03 00:43:35 marka Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -161,6 +161,9 @@ struct dns_rdataset {
  * \def DNS_RDATASETATTR_TTLADJUSTED
  *	Used by message.c to indicate that the rdataset's rdata had differing
  *	TTL values, and the rdataset->ttl holds the smallest.
+ *
+ * \def DNS_RDATASETATTR_LOADORDER
+ *	Output the RRset in load order.
  */
 
 #define DNS_RDATASETATTR_QUESTION	0x00000001
@@ -180,6 +183,7 @@ struct dns_rdataset {
 #define DNS_RDATASETATTR_NOQNAME	0x00004000
 #define DNS_RDATASETATTR_CHECKNAMES	0x00008000	/*%< Used by resolver. */
 #define DNS_RDATASETATTR_REQUIREDGLUE	0x00010000
+#define DNS_RDATASETATTR_LOADORDER	0x00020000
 
 /*%
  * _OMITDNSSEC:
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index f6da7838bc..c8abeca9d4 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.83 2005/11/30 03:33:49 marka Exp $ */
+/* $Id: masterdump.c,v 1.84 2006/03/03 00:43:35 marka Exp $ */
 
 /*! \file */
 
@@ -358,6 +358,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
 
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 
+	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
 	result = dns_rdataset_first(rdataset);
 	REQUIRE(result == ISC_R_SUCCESS);
 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 84194ea266..dc76fe69dc 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.227 2006/03/02 23:00:32 marka Exp $ */
+/* $Id: rbtdb.c,v 1.228 2006/03/03 00:43:35 marka Exp $ */
 
 /*! \file */
 
@@ -856,7 +856,7 @@ free_acachearray(isc_mem_t *mctx, rdatasetheader_t *header,
 {
 	unsigned int count;
 	unsigned int i;
-	unsigned char *raw;
+	unsigned char *raw;	/* RDATASLAB */
 
 	/*
 	 * The caller must be holding the corresponding node lock.
@@ -1816,7 +1816,7 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	      rdatasetheader_t *header, isc_stdtime_t now,
 	      dns_rdataset_t *rdataset)
 {
-	unsigned char *raw;
+	unsigned char *raw;	/* RDATASLAB */
 
 	/*
 	 * Caller must be holding the node reader lock.
@@ -1924,7 +1924,7 @@ static inline isc_boolean_t
 valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
 	   dns_rbtnode_t *node)
 {
-	unsigned char *raw;
+	unsigned char *raw;	/* RDATASLAB */
 	unsigned int count, size;
 	dns_name_t ns_name;
 	isc_boolean_t valid = ISC_FALSE;
@@ -1953,12 +1953,12 @@ valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
 	header = search->zonecut_rdataset;
 	raw = (unsigned char *)header + sizeof(*header);
 	count = raw[0] * 256 + raw[1];
-	raw += 2;
+	raw += 2 + (4 * count);
 
 	while (count > 0) {
 		count--;
 		size = raw[0] * 256 + raw[1];
-		raw += 2;
+		raw += 4;
 		region.base = raw;
 		region.length = size;
 		raw += size;
@@ -5619,7 +5619,7 @@ rdataset_disassociate(dns_rdataset_t *rdataset) {
 
 static isc_result_t
 rdataset_first(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
 	unsigned int count;
 
 	count = raw[0] * 256 + raw[1];
@@ -5627,11 +5627,20 @@ rdataset_first(dns_rdataset_t *rdataset) {
 		rdataset->private5 = NULL;
 		return (ISC_R_NOMORE);
 	}
-	raw += 2;
+	
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0)
+		raw += 2 + (4 * count);
+	else
+		raw += 2;
+
 	/*
-	 * The privateuint4 field is the number of rdata beyond the cursor
-	 * position, so we decrement the total count by one before storing
-	 * it.
+	 * The privateuint4 field is the number of rdata beyond the
+	 * cursor position, so we decrement the total count by one
+	 * before storing it.
+	 *
+	 * If DNS_RDATASETATTR_LOADORDER is not set 'raw' points to the
+	 * first record.  If DNS_RDATASETATTR_LOADORDER is set 'raw' points
+	 * to the first entry in the offset table.
 	 */
 	count--;
 	rdataset->privateuint4 = count;
@@ -5644,30 +5653,40 @@ static isc_result_t
 rdataset_next(dns_rdataset_t *rdataset) {
 	unsigned int count;
 	unsigned int length;
-	unsigned char *raw;
+	unsigned char *raw;	/* RDATASLAB */
 
 	count = rdataset->privateuint4;
 	if (count == 0)
 		return (ISC_R_NOMORE);
 	count--;
 	rdataset->privateuint4 = count;
-	raw = rdataset->private5;
-	length = raw[0] * 256 + raw[1];
-	raw += length + 2;
-	rdataset->private5 = raw;
+
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0) {
+		raw = rdataset->private5;
+		length = raw[0] * 256 + raw[1];
+		raw += length + 4;
+		rdataset->private5 = raw;
+	} else
+		rdataset->private5 += 4;
 
 	return (ISC_R_SUCCESS);
 }
 
 static void
 rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	unsigned char *raw = rdataset->private5;
+	unsigned char *raw = rdataset->private5;	/* RDATASLAB */
+	unsigned int offset;
 	isc_region_t r;
 
 	REQUIRE(raw != NULL);
 
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) {
+		offset = (raw[0] << 24) + (raw[1] << 16) +
+			 (raw[2] << 8) + raw[3];
+		raw = rdataset->private3 + offset;
+	}
 	r.length = raw[0] * 256 + raw[1];
-	raw += 2;
+	raw += 4;
 	r.base = raw;
 	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
 }
@@ -5690,7 +5709,7 @@ rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
 
 static unsigned int
 rdataset_count(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
 	unsigned int count;
 
 	count = raw[0] * 256 + raw[1];
@@ -6346,7 +6365,7 @@ rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 {
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
-	unsigned char *raw = rdataset->private3;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
 	unsigned int current_count = rdataset->privateuint4;
 	unsigned int count;
 	rdatasetheader_t *header;
@@ -6361,7 +6380,7 @@ rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 
 	header = (struct rdatasetheader *)(raw - sizeof(*header));
 
-	total_count = rdataset_count(rdataset);
+	total_count = raw[0] * 256 + raw[1];
 	INSIST(total_count > current_count);
 	count = total_count - current_count - 1;
 
@@ -6488,7 +6507,7 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 {
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
-	unsigned char *raw = rdataset->private3;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
 	unsigned int current_count = rdataset->privateuint4;
 	rdatasetheader_t *header;
 	unsigned int total_count, count;
@@ -6505,7 +6524,7 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 
 	header = (struct rdatasetheader *)(raw - sizeof(*header));
 
-	total_count = rdataset_count(rdataset);
+	total_count = raw[0] * 256 + raw[1];
 	INSIST(total_count > current_count);
 	count = total_count - current_count - 1; /* should be private data */
 
@@ -6613,7 +6632,7 @@ rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
 { 
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
-	unsigned char *raw = rdataset->private3;
+	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
 	unsigned int current_count = rdataset->privateuint4;
 	rdatasetheader_t *header;
 	nodelock_t *nodelock;
@@ -6630,7 +6649,7 @@ rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
 
 	header = (struct rdatasetheader *)(raw - sizeof(*header));
 
-	total_count = rdataset_count(rdataset);
+	total_count = raw[0] * 256 + raw[1];
 	INSIST(total_count > current_count);
 	count = total_count - current_count - 1;
 
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index 7713244ec1..db120db567 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.c,v 1.38 2005/04/29 00:22:51 marka Exp $ */
+/* $Id: rdataslab.c,v 1.39 2006/03/03 00:43:35 marka Exp $ */
 
 /*! \file */
 
@@ -33,25 +33,95 @@
 #include 
 #include 
 
+/*
+ * The rdataslab structure allows iteration to occur in both load order
+ * and DNSSEC order.  The structure is as follows:
+ *
+ *	header		(reservelen bytes)
+ *	record count	(2 bytes)
+ *	offset table	(4 x record count bytes in load order)
+ *	data records
+ *		data length	(2 bytes)
+ *		order		(2 bytes)
+ *		data		(data length bytes)
+ *
+ * Offsets are from the end of the header.
+ *
+ * Load order traversal is performed by walking the offset table to find
+ * the start of the record.
+ *
+ * DNSSEC order traversal is performed by walking the data records.
+ *
+ * The order is stored with record to allow for efficient reconstuction of
+ * of the offset table following a merge or subtraction.
+ *
+ * The iterator methods here currently only support DNSSEC order iteration.
+ *
+ * The iterator methods in rbtdb support both load order and DNSSEC order
+ * iteration.
+ *
+ * WARNING:
+ *	rbtdb.c directly interacts with the slab's raw structures.  If the
+ *	structure changes then rbtdb.c also needs to be updated to reflect
+ *	the changes.  See the areas tagged with "RDATASLAB".
+ */
+
+struct xrdata {
+	dns_rdata_t	rdata;
+	unsigned int	order;
+};
+
 /*% Note: the "const void *" are just to make qsort happy.  */
 static int
 compare_rdata(const void *p1, const void *p2) {
-	const dns_rdata_t *rdata1 = p1;
-	const dns_rdata_t *rdata2 = p2;
-	return (dns_rdata_compare(rdata1, rdata2));
+	const struct xrdata *x1 = p1;
+	const struct xrdata *x2 = p2;
+	return (dns_rdata_compare(&x1->rdata, &x2->rdata));
+}
+
+static void
+fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+	       unsigned length)
+{
+	unsigned int i, j;
+	unsigned char *raw;
+
+	for (i = 0, j = 0; i < length; i++) {
+
+		if (offsettable[i] == 0)
+			continue;
+
+		/*
+		 * Fill in offset table.
+		 */
+		raw = &offsetbase[j*4 + 2];
+		*raw++ = (offsettable[i] & 0xff000000) >> 24;
+		*raw++ = (offsettable[i] & 0xff0000) >> 16;
+		*raw++ = (offsettable[i] & 0xff00) >> 8;
+		*raw = offsettable[i] & 0xff;
+
+		/*
+		 * Fill in table index.
+		 */
+		raw = offsetbase + offsettable[i] + 2;
+		*raw++ = (j & 0xff00) >> 8;
+		*raw = j++ & 0xff;
+	}
 }
 
 isc_result_t
 dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 			   isc_region_t *region, unsigned int reservelen)
 {
-	dns_rdata_t    *rdatas;
+	struct xrdata  *x;
 	unsigned char  *rawbuf;
+	unsigned char  *offsetbase;
 	unsigned int	buflen;
 	isc_result_t	result;
 	unsigned int	nitems;
 	unsigned int	nalloc;
 	unsigned int	i;
+	unsigned int   *offsettable;
 
 	buflen = reservelen + 2;
 
@@ -60,8 +130,11 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	if (nitems == 0)
 		return (ISC_R_FAILURE);
 
-	rdatas = isc_mem_get(mctx, nalloc * sizeof(dns_rdata_t));
-	if (rdatas == NULL)
+	if (nalloc > 0xffff)
+		return (ISC_R_NOSPACE);
+
+	x = isc_mem_get(mctx, nalloc * sizeof(struct xrdata));
+	if (x == NULL)
 		return (ISC_R_NOMEMORY);
 
 	/*
@@ -72,8 +145,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		goto free_rdatas;
 	for (i = 0; i < nalloc && result == ISC_R_SUCCESS; i++) {
 		INSIST(result == ISC_R_SUCCESS);
-		dns_rdata_init(&rdatas[i]);
-		dns_rdataset_current(rdataset, &rdatas[i]);
+		dns_rdata_init(&x[i].rdata);
+		dns_rdataset_current(rdataset, &x[i].rdata);
+		x[i].order = i;
 		result = dns_rdataset_next(rdataset);
 	}
 	if (result != ISC_R_NOMORE)
@@ -87,7 +161,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		goto free_rdatas;
 	}
 
-	qsort(rdatas, nalloc, sizeof(dns_rdata_t), compare_rdata);
+	/*
+	 * Put into DNSSEC order.
+	 */
+	qsort(x, nalloc, sizeof(struct xrdata), compare_rdata);
 
 	/*
 	 * Remove duplicates and compute the total storage required.
@@ -95,20 +172,27 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	 * If an rdata is not a duplicate, accumulate the storage size
 	 * required for the rdata.  We do not store the class, type, etc,
 	 * just the rdata, so our overhead is 2 bytes for the number of
-	 * records, and 2 for each rdata length, and then the rdata itself.
+	 * records, and 8 for each rdata, (length(2), offset(4) and order(2))
+	 * and then the rdata itself.
 	 */
 	for (i = 1; i < nalloc; i++) {
-		if (compare_rdata(&rdatas[i-1], &rdatas[i]) == 0) {
-			rdatas[i-1].data = NULL;
-			rdatas[i-1].length = 0;
+		if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+			x[i-1].rdata.data = NULL;
+			x[i-1].rdata.length = 0;
+			/*
+			 * Preserve the least order so A, B, A -> A, B
+			 * after duplicate removal.
+			 */
+			if (x[i-1].order < x[i].order)
+				x[i].order = x[i-1].order;
 			nitems--;
 		} else
-			buflen += (2 + rdatas[i-1].length);
+			buflen += (8 + x[i-1].rdata.length);
 	}
 	/*
 	 * Don't forget the last item!
 	 */
-	buflen += (2 + rdatas[i-1].length);
+	buflen += (8 + x[i-1].rdata.length);
 
 	/*
 	 * Ensure that singleton types are actually singletons.
@@ -131,26 +215,47 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		result = ISC_R_NOMEMORY;
 		goto free_rdatas;
 	}
+	
+	/* Allocate temporary offset table. */
+	offsettable = isc_mem_get(mctx, nalloc * sizeof(unsigned int));
+	if (offsettable == NULL) {
+		isc_mem_put(mctx, rawbuf, buflen);
+		result = ISC_R_NOMEMORY;
+		goto free_rdatas;
+	}
+	memset(offsettable, 0, nalloc * sizeof(unsigned int));
 
 	region->base = rawbuf;
 	region->length = buflen;
 
 	rawbuf += reservelen;
+	offsetbase = rawbuf;
 
 	*rawbuf++ = (nitems & 0xff00) >> 8;
 	*rawbuf++ = (nitems & 0x00ff);
+
+	/* Skip load order table.  Filled in later. */
+	rawbuf += nitems * 4;
+
 	for (i = 0; i < nalloc; i++) {
-		if (rdatas[i].data == NULL)
+		if (x[i].rdata.data == NULL)
 			continue;
-		*rawbuf++ = (rdatas[i].length & 0xff00) >> 8;
-		*rawbuf++ = (rdatas[i].length & 0x00ff);
-		memcpy(rawbuf, rdatas[i].data, rdatas[i].length);
-		rawbuf += rdatas[i].length;
+		offsettable[x[i].order] = rawbuf - offsetbase;
+		*rawbuf++ = (x[i].rdata.length & 0xff00) >> 8;
+		*rawbuf++ = (x[i].rdata.length & 0x00ff);
+		rawbuf += 2;	/* filled in later */
+		memcpy(rawbuf, x[i].rdata.data, x[i].rdata.length);
+		rawbuf += x[i].rdata.length;
 	}
+	
+	fillin_offsets(offsetbase, offsettable, nalloc);
+
+	isc_mem_put(mctx, offsettable, nalloc * sizeof(unsigned int));
+
 	result = ISC_R_SUCCESS;
 
  free_rdatas:
-	isc_mem_put(mctx, rdatas, nalloc * sizeof(dns_rdata_t));
+	isc_mem_put(mctx, x, nalloc * sizeof(struct xrdata));
 	return (result);
 }
 
@@ -169,7 +274,7 @@ rdataset_first(dns_rdataset_t *rdataset) {
 		rdataset->private5 = NULL;
 		return (ISC_R_NOMORE);
 	}
-	raw += 2;
+	raw += 2 + (4 * count);
 	/*
 	 * The privateuint4 field is the number of rdata beyond the cursor
 	 * position, so we decrement the total count by one before storing
@@ -195,7 +300,7 @@ rdataset_next(dns_rdataset_t *rdataset) {
 	rdataset->privateuint4 = count;
 	raw = rdataset->private5;
 	length = raw[0] * 256 + raw[1];
-	raw += length + 2;
+	raw += length + 4;
 	rdataset->private5 = raw;
 
 	return (ISC_R_SUCCESS);
@@ -209,7 +314,7 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 	REQUIRE(raw != NULL);
 
 	r.length = raw[0] * 256 + raw[1];
-	raw += 2;
+	raw += 4;
 	r.base = raw;
 	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
 }
@@ -285,11 +390,12 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
 	current = slab + reservelen;
 	count = *current++ * 256;
 	count += *current++;
+	current += (4 * count);
 	while (count > 0) {
 		count--;
 		length = *current++ * 256;
 		length += *current++;
-		current += length;
+		current += length + 2;
 	}
 
 	return ((unsigned int)(current - slab));
@@ -311,6 +417,7 @@ rdata_from_slab(unsigned char **current,
 
 	region.length = *tcurrent++ * 256;
 	region.length += *tcurrent++;
+	tcurrent += 2;
 	region.base = tcurrent;
 	tcurrent += region.length;
 	dns_rdata_fromregion(rdata, rdclass, type, ®ion);
@@ -330,15 +437,22 @@ rdata_in_slab(unsigned char *slab, unsigned int reservelen,
 	unsigned int count, i;
 	unsigned char *current;
 	dns_rdata_t trdata = DNS_RDATA_INIT;
+	int n;
 
 	current = slab + reservelen;
 	count = *current++ * 256;
 	count += *current++;
 
+	current += (4 * count);
+
 	for (i = 0; i < count; i++) {
 		rdata_from_slab(¤t, rdclass, type, &trdata);
-		if (dns_rdata_compare(&trdata, rdata) == 0)
+		
+		n = dns_rdata_compare(&trdata, rdata);
+		if (n == 0)
 			return (ISC_TRUE);
+		if (n > 0)	/* In DNSSEC order. */
+			break;
 		dns_rdata_reset(&trdata);
 	}
 	return (ISC_FALSE);
@@ -359,6 +473,11 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	unsigned int oadded = 0;
 	unsigned int nadded = 0;
 	unsigned int nncount = 0;
+	unsigned int oncount;
+	unsigned int norder = 0;
+	unsigned int oorder = 0;
+	unsigned char *offsetbase;
+	unsigned int *offsettable;
 
 	/*
 	 * XXX  Need parameter to allow "delete rdatasets in nslab" merge,
@@ -371,12 +490,16 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	ocurrent = oslab + reservelen;
 	ocount = *ocurrent++ * 256;
 	ocount += *ocurrent++;
+	ocurrent += (4 * ocount);
 	ostart = ocurrent;
 	ncurrent = nslab + reservelen;
 	ncount = *ncurrent++ * 256;
 	ncount += *ncurrent++;
+	ncurrent += (4 * ncount);
 	INSIST(ocount > 0 && ncount > 0);
 
+	oncount = ncount;
+
 	/*
 	 * Yes, this is inefficient!
 	 */
@@ -388,8 +511,8 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	for (count = 0; count < ocount; count++) {
 		length = *ocurrent++ * 256;
 		length += *ocurrent++;
-		olength += length + 2;
-		ocurrent += length;
+		olength += length + 8;
+		ocurrent += length + 2;
 	}
 
 	/*
@@ -405,6 +528,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	do {
 		nregion.length = *ncurrent++ * 256;
 		nregion.length += *ncurrent++;
+		ncurrent += 2;
 		nregion.base = ncurrent;
 		dns_rdata_init(&nrdata);
 		dns_rdata_fromregion(&nrdata, rdclass, type, &nregion);
@@ -413,7 +537,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 			/*
 			 * This rdata isn't in the old slab.
 			 */
-			tlength += nregion.length + 2;
+			tlength += nregion.length + 8;
 			tcount++;
 			nncount++;
 			added_something = ISC_TRUE;
@@ -441,6 +565,9 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		return (DNS_R_SINGLETON);
 	}
 
+	if (tcount > 0xffff)
+		return (ISC_R_NOSPACE);
+
 	/*
 	 * Copy the reserved area from the new slab.
 	 */
@@ -449,6 +576,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		return (ISC_R_NOMEMORY);
 	memcpy(tstart, nslab, reservelen);
 	tcurrent = tstart + reservelen;
+	offsetbase = tcurrent;
 
 	/*
 	 * Write the new count.
@@ -456,17 +584,36 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	*tcurrent++ = (tcount & 0xff00) >> 8;
 	*tcurrent++ = (tcount & 0x00ff);
 
+	/*
+	 * Skip offset table.
+	 */
+	tcurrent += (tcount * 4);
+
+	offsettable = isc_mem_get(mctx,
+				  (ocount + oncount) * sizeof(unsigned int));
+	if (offsettable == NULL) {
+		isc_mem_put(mctx, tstart, tlength);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(offsettable, 0, (ocount + oncount) * sizeof(unsigned int));
+
 	/*
 	 * Merge the two slabs.
 	 */
 	ocurrent = ostart;
 	INSIST(ocount != 0);
+	oorder = ocurrent[2] * 256 + ocurrent[3];
+	INSIST(oorder < ocount);
 	rdata_from_slab(&ocurrent, rdclass, type, &ordata);
 
 	ncurrent = nslab + reservelen + 2;
+	ncurrent += (4 * oncount);
+
 	if (ncount > 0) {
 		do {
 			dns_rdata_reset(&nrdata);
+			norder = ncurrent[2] * 256 + ncurrent[3];
+			INSIST(norder < oncount);
        			rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
 		} while (rdata_in_slab(oslab, reservelen, rdclass,
 				       type, &nrdata));
@@ -481,27 +628,35 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		else
 			fromold = ISC_TF(compare_rdata(&ordata, &nrdata) < 0);
 		if (fromold) {
+			offsettable[oorder] = tcurrent - offsetbase;
 			length = ordata.length;
 			*tcurrent++ = (length & 0xff00) >> 8;
 			*tcurrent++ = (length & 0x00ff);
+			tcurrent += 2;	/* fill in later */
 			memcpy(tcurrent, ordata.data, length);
 			tcurrent += length;
 			oadded++;
 			if (oadded < ocount) {
 				dns_rdata_reset(&ordata);
+				oorder = ocurrent[2] * 256 + ocurrent[3];
+				INSIST(oorder < ocount);
        				rdata_from_slab(&ocurrent, rdclass, type,
 						&ordata);
 			}
 		} else {
+			offsettable[ocount + norder] = tcurrent - offsetbase;
 			length = nrdata.length;
 			*tcurrent++ = (length & 0xff00) >> 8;
 			*tcurrent++ = (length & 0x00ff);
+			tcurrent += 2;	/* fill in later */
 			memcpy(tcurrent, nrdata.data, length);
 			tcurrent += length;
 			nadded++;
 			if (nadded < ncount) {
 				do {
 					dns_rdata_reset(&nrdata);
+					norder = ncurrent[2] * 256 + ncurrent[3];
+					INSIST(norder < oncount);
        					rdata_from_slab(&ncurrent, rdclass,
 							type, &nrdata);
 				} while (rdata_in_slab(oslab, reservelen,
@@ -511,6 +666,11 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		}
 	}
 
+	fillin_offsets(offsetbase, offsettable, ocount + oncount);
+
+	isc_mem_put(mctx, offsettable,
+		    (ocount + oncount) * sizeof(unsigned int));
+
 	INSIST(tcurrent == tstart + tlength);
 
 	*tslabp = tstart;
@@ -525,9 +685,12 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 		       unsigned int flags, unsigned char **tslabp)
 {
 	unsigned char *mcurrent, *sstart, *scurrent, *tstart, *tcurrent;
-	unsigned int mcount, scount, rcount ,count, tlength, tcount;
+	unsigned int mcount, scount, rcount ,count, tlength, tcount, i;
 	dns_rdata_t srdata = DNS_RDATA_INIT;
 	dns_rdata_t mrdata = DNS_RDATA_INIT;
+	unsigned char *offsetbase;
+	unsigned int *offsettable;
+	unsigned int order;
 
 	REQUIRE(tslabp != NULL && *tslabp == NULL);
 	REQUIRE(mslab != NULL && sslab != NULL);
@@ -538,7 +701,6 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 	scurrent = sslab + reservelen;
 	scount = *scurrent++ * 256;
 	scount += *scurrent++;
-	sstart = scurrent;
 	INSIST(mcount > 0 && scount > 0);
 
 	/*
@@ -552,11 +714,15 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 	tcount = 0;
 	rcount = 0;
 
+	mcurrent += 4 * mcount;
+	scurrent += 4 * scount;
+	sstart = scurrent;
+
 	/*
 	 * Add in the length of rdata in the mslab that aren't in
 	 * the sslab.
 	 */
-	do {
+	for (i = 0; i < mcount; i++) {
 		unsigned char *mrdatabegin = mcurrent;
 		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
 		scurrent = sstart;
@@ -575,9 +741,10 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 			tcount++;
 		} else
 			rcount++;
-		mcount--;
 		dns_rdata_reset(&mrdata);
-	} while (mcount > 0);
+	}
+
+	tlength += (4 * tcount);
 
 	/*
 	 * Check that all the records originally existed.  The numeric
@@ -606,6 +773,14 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 		return (ISC_R_NOMEMORY);
 	memcpy(tstart, mslab, reservelen);
 	tcurrent = tstart + reservelen;
+	offsetbase = tcurrent;
+
+	offsettable = isc_mem_get(mctx, mcount * sizeof(unsigned int));
+	if (offsettable == NULL) {
+		isc_mem_put(mctx, tstart, tlength);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(offsettable, 0, mcount * sizeof(unsigned int));
 
 	/*
 	 * Write the new count.
@@ -613,14 +788,19 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 	*tcurrent++ = (tcount & 0xff00) >> 8;
 	*tcurrent++ = (tcount & 0x00ff);
 
+	tcurrent += (4 * tcount);
+
 	/*
 	 * Copy the parts of mslab not in sslab.
 	 */
 	mcurrent = mslab + reservelen;
 	mcount = *mcurrent++ * 256;
 	mcount += *mcurrent++;
-	do {
+	mcurrent += (4 * mcount);
+	for (i = 0; i < mcount; i++) {
 		unsigned char *mrdatabegin = mcurrent;
+		order = mcurrent[2] * 256 + mcurrent[3];
+		INSIST(order < mcount);
 		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
 		scurrent = sstart;
 		for (count = 0; count < scount; count++) {
@@ -635,12 +815,16 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 			 * copied to the tslab.
 			 */
 			unsigned int length = mcurrent - mrdatabegin;
+			offsettable[order] = tcurrent - offsetbase;
 			memcpy(tcurrent, mrdatabegin, length);
 			tcurrent += length;
 		}
 		dns_rdata_reset(&mrdata);
-		mcount--;
-	} while (mcount > 0);
+	}
+
+	fillin_offsets(offsetbase, offsettable, mcount);
+
+	isc_mem_put(mctx, offsettable, mcount * sizeof(unsigned int));
 
 	INSIST(tcurrent == tstart + tlength);
 
@@ -668,6 +852,9 @@ dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
 	if (count1 != count2)
 		return (ISC_FALSE);
 
+	current1 += (4 * count1);
+	current2 += (4 * count2);
+
 	while (count1 > 0) {
 		length1 = *current1++ * 256;
 		length1 += *current1++;
@@ -675,6 +862,9 @@ dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
 		length2 = *current2++ * 256;
 		length2 += *current2++;
 
+		current1 += 2;
+		current2 += 2;
+
 		if (length1 != length2 ||
 		    memcmp(current1, current2, length1) != 0)
 			return (ISC_FALSE);
@@ -708,6 +898,9 @@ dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
 	if (count1 != count2)
 		return (ISC_FALSE);
 
+	current1 += (4 * count1);
+	current2 += (4 * count2);
+
 	while (count1-- > 0) {
 		rdata_from_slab(¤t1, rdclass, type, &rdata1);
 		rdata_from_slab(¤t2, rdclass, type, &rdata2);

From 92eb0a6068a0778a0844fb065a9913fe507ce2ba Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 3 Mar 2006 03:02:55 +0000
Subject: [PATCH 082/465] use (char *) for pointer arithmetic

---
 lib/dns/rbtdb.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index dc76fe69dc..77c1150d28 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.228 2006/03/03 00:43:35 marka Exp $ */
+/* $Id: rbtdb.c,v 1.229 2006/03/03 03:02:55 marka Exp $ */
 
 /*! \file */
 
@@ -5667,7 +5667,7 @@ rdataset_next(dns_rdataset_t *rdataset) {
 		raw += length + 4;
 		rdataset->private5 = raw;
 	} else
-		rdataset->private5 += 4;
+		rdataset->private5 = (char*)rdataset->private5 + 4;
 
 	return (ISC_R_SUCCESS);
 }
@@ -5683,7 +5683,7 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) {
 		offset = (raw[0] << 24) + (raw[1] << 16) +
 			 (raw[2] << 8) + raw[3];
-		raw = rdataset->private3 + offset;
+		raw = (char *)rdataset->private3 + offset;
 	}
 	r.length = raw[0] * 256 + raw[1];
 	raw += 4;

From 1c25cad9bde2e81f84f102c016ecae01eac6b0d1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 3 Mar 2006 03:29:40 +0000
Subject: [PATCH 083/465] add -Wpointer-arith to gcc

---
 configure             | 6 +++---
 configure.in          | 4 ++--
 lib/bind/configure    | 4 ++--
 lib/bind/configure.in | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/configure b/configure
index 925f6ba06e..c6fc4e5e76 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.391 2006/03/01 02:32:46 marka Exp $
+# $Id: configure,v 1.392 2006/03/03 03:29:39 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.403 .
+# From configure.in Revision: 1.404 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -7506,7 +7506,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
 	case "$host" in
 	*-hp-hpux*)
 		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
diff --git a/configure.in b/configure.in
index 1cd37801f3..5cc629cd74 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.403 $)
+AC_REVISION($Revision: 1.404 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -810,7 +810,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
 	case "$host" in
 	*-hp-hpux*)
 		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
diff --git a/lib/bind/configure b/lib/bind/configure
index 65bca20b04..3de6eb378b 100644
--- a/lib/bind/configure
+++ b/lib/bind/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.114 .
+# From configure.in Revision: 1.115 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -6403,7 +6403,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith"
 else
 	case $host in
 	*-dec-osf*)
diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index 860bdfc4e0..04777bf322 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.114 $)
+AC_REVISION($Revision: 1.115 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)
@@ -513,7 +513,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith"
 else
 	case $host in
 	*-dec-osf*)

From 5e260c1547a3250649bfa300f4ba9c7a45f93316 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 3 Mar 2006 03:32:31 +0000
Subject: [PATCH 084/465] add -Wpointer-arith to gcc

---
 configure             | 4 ++--
 configure.in          | 4 ++--
 lib/bind/configure    | 6 +++---
 lib/bind/configure.in | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/configure b/configure
index 58e40ecb56..c2b4f6a015 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.294.2.60 .
+# From configure.in Revision: 1.294.2.61 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -7297,7 +7297,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
 	case "$host" in
 	*-hp-hpux*)
 		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
diff --git a/configure.in b/configure.in
index 603ec6337a..79c08310d0 100644
--- a/configure.in
+++ b/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.294.2.60 $)
+AC_REVISION($Revision: 1.294.2.61 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.13)
@@ -717,7 +717,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
 	case "$host" in
 	*-hp-hpux*)
 		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
diff --git a/lib/bind/configure b/lib/bind/configure
index f7b9b45205..1af8593ffa 100644
--- a/lib/bind/configure
+++ b/lib/bind/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.83.2.27 .
+# From configure.in Revision: 1.83.2.28 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -6403,7 +6403,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith"
 else
 	case $host in
 	*-dec-osf*)
@@ -12350,7 +12350,7 @@ echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
 fi
 
 
-# Report which librarie types wil actually be built
+# Report which libraries types will actually be built
 echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
 echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
 echo "$as_me:$LINENO: result: $can_build_shared" >&5
diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index 520d320cbc..e4b6cbe26e 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.83.2.27 $)
+AC_REVISION($Revision: 1.83.2.28 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)
@@ -513,7 +513,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith"
 else
 	case $host in
 	*-dec-osf*)

From 10b03beca1396a3f60d120a95f33d0b76342e6ec Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 3 Mar 2006 04:46:14 +0000
Subject: [PATCH 085/465] (char *) -> (unsigned char *)

---
 lib/dns/rbtdb.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 77c1150d28..a6416fe656 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.229 2006/03/03 03:02:55 marka Exp $ */
+/* $Id: rbtdb.c,v 1.230 2006/03/03 04:46:14 marka Exp $ */
 
 /*! \file */
 
@@ -5667,7 +5667,7 @@ rdataset_next(dns_rdataset_t *rdataset) {
 		raw += length + 4;
 		rdataset->private5 = raw;
 	} else
-		rdataset->private5 = (char*)rdataset->private5 + 4;
+		rdataset->private5 = (unsigned char *)rdataset->private5 + 4;
 
 	return (ISC_R_SUCCESS);
 }
@@ -5683,7 +5683,7 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) {
 		offset = (raw[0] << 24) + (raw[1] << 16) +
 			 (raw[2] << 8) + raw[3];
-		raw = (char *)rdataset->private3 + offset;
+		raw = (unsigned char *)rdataset->private3 + offset;
 	}
 	r.length = raw[0] * 256 + raw[1];
 	raw += 4;

From 2db74d9dd500a3bfe6ff660b27ef28a44aa3b24e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 3 Mar 2006 23:30:03 +0000
Subject: [PATCH 086/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 905e599775..4a8627b7d1 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1170,8 +1170,8 @@
 ./lib/bind/bsd/utimes.c				X	2001
 ./lib/bind/bsd/writev.c				X	2001
 ./lib/bind/config.h.in				X	2001,2005
-./lib/bind/configure				X	2001,2005
-./lib/bind/configure.in				SH	2001,2004,2005
+./lib/bind/configure				X	2001,2005,2006
+./lib/bind/configure.in				SH	2001,2004,2005,2006
 ./lib/bind/dst/.cvsignore			X	2001
 ./lib/bind/dst/Makefile.in			MAKE	2001,2004
 ./lib/bind/dst/dst_api.c			X	2001,2005

From 10ea6fe0f54d489f06f378875b5919c003501c15 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sat, 4 Mar 2006 07:09:17 +0000
Subject: [PATCH 087/465] new draft

---
 doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt | 562 ----------------
 doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt | 674 ++++++++++++++++++++
 2 files changed, 674 insertions(+), 562 deletions(-)
 delete mode 100644 doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt
 create mode 100644 doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt

diff --git a/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt b/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt
deleted file mode 100644
index 2cd972473d..0000000000
--- a/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt
+++ /dev/null
@@ -1,562 +0,0 @@
-
-
-
-
-DNSEXT                                                          M. Stapp
-Internet-Draft                                       Cisco Systems, Inc.
-Expires: August 13, 2005                                        T. Lemon
-                                                           A. Gustafsson
-                                                           Nominum, Inc.
-                                                        February 9, 2005
-
-
-           A DNS RR for Encoding DHCP Information (DHCID RR)
-                  
-
-Status of this Memo
-
-   This document is an Internet-Draft and is subject to all provisions
-   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
-   author represents that any applicable patent or other IPR claims of
-   which he or she is aware have been or will be disclosed, and any of
-   which he or she become aware will be disclosed, in accordance with
-   RFC 3668.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as
-   Internet-Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on August 13, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   It is possible for multiple DHCP clients to attempt to update the
-   same DNS FQDN as they obtain DHCP leases.  Whether the DHCP server or
-   the clients themselves perform the DNS updates, conflicts can arise.
-   To resolve such conflicts, "Resolution of DNS Name Conflicts" [1]
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 1]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-   proposes storing client identifiers in the DNS to unambiguously
-   associate domain names with the DHCP clients to which they refer.
-   This memo defines a distinct RR type for this purpose for use by DHCP
-   clients and servers, the "DHCID" RR.
-
-Table of Contents
-
-   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   3.  The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . .  3
-     3.1   DHCID RDATA format . . . . . . . . . . . . . . . . . . . .  4
-     3.2   DHCID Presentation Format  . . . . . . . . . . . . . . . .  4
-     3.3   The DHCID RR Type Codes  . . . . . . . . . . . . . . . . .  4
-     3.4   Computation of the RDATA . . . . . . . . . . . . . . . . .  4
-     3.5   Examples . . . . . . . . . . . . . . . . . . . . . . . . .  5
-       3.5.1   Example 1  . . . . . . . . . . . . . . . . . . . . . .  6
-       3.5.2   Example 2  . . . . . . . . . . . . . . . . . . . . . .  6
-   4.  Use of the DHCID RR  . . . . . . . . . . . . . . . . . . . . .  6
-   5.  Updater Behavior . . . . . . . . . . . . . . . . . . . . . . .  6
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
-   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  7
-   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  7
-   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  8
-     9.1   Normative References . . . . . . . . . . . . . . . . . . .  8
-     9.2   Informative References . . . . . . . . . . . . . . . . . .  8
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  9
-       Intellectual Property and Copyright Statements . . . . . . . . 10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 2]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-1.  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [2].
-
-2.  Introduction
-
-   A set of procedures to allow DHCP [7] clients and servers to
-   automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
-   in "Resolution of DNS Name Conflicts" [1].
-
-   Conflicts can arise if multiple DHCP clients wish to use the same DNS
-   name.  To resolve such conflicts, "Resolution of DNS Name Conflicts"
-   [1] proposes storing client identifiers in the DNS to unambiguously
-   associate domain names with the DHCP clients using them.  In the
-   interest of clarity, it is preferable for this DHCP information to
-   use a distinct RR type.  This memo defines a distinct RR for this
-   purpose for use by DHCP clients or servers, the "DHCID" RR.
-
-   In order to avoid exposing potentially sensitive identifying
-   information, the data stored is the result of a one-way MD5 [5] hash
-   computation.  The hash includes information from the DHCP client's
-   REQUEST message as well as the domain name itself, so that the data
-   stored in the DHCID RR will be dependent on both the client
-   identification used in the DHCP protocol interaction and the domain
-   name.  This means that the DHCID RDATA will vary if a single client
-   is associated over time with more than one name.  This makes it
-   difficult to 'track' a client as it is associated with various domain
-   names.
-
-   The MD5 hash algorithm has been shown to be weaker than the SHA-1
-   algorithm; it could therefore be argued that SHA-1 is a better
-   choice.  However, SHA-1 is significantly slower than MD5.  A
-   successful attack of MD5's weakness does not reveal the original data
-   that was used to generate the signature, but rather provides a new
-   set of input data that will produce the same signature.  Because we
-   are using the MD5 hash to conceal the original data, the fact that an
-   attacker could produce a different plaintext resulting in the same
-   MD5 output is not significant concern.
-
-3.  The DHCID RR
-
-   The DHCID RR is defined with mnemonic DHCID and type code [TBD].  The
-   DHCID RR is only defined in the IN class.  DHCID RRs cause no
-   additional section processing.  The DHCID RR is not a singleton type.
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 3]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-3.1  DHCID RDATA format
-
-   The RDATA section of a DHCID RR in transmission contains RDLENGTH
-   bytes of binary data.  The format of this data and its interpretation
-   by DHCP servers and clients are described below.
-
-   DNS software should consider the RDATA section to be opaque.  DHCP
-   clients or servers use the DHCID RR to associate a DHCP client's
-   identity with a DNS name, so that multiple DHCP clients and servers
-   may deterministically perform dynamic DNS updates to the same zone.
-   From the updater's perspective, the DHCID resource record RDATA
-   consists of a 16-bit identifier type, in network byte order, followed
-   by one or more bytes representing the actual identifier:
-
-     	< 16 bits >	DHCP identifier used
-     	< n bytes >	MD5 digest
-
-
-3.2  DHCID Presentation Format
-
-   In DNS master files, the RDATA is represented as a single block in
-   base 64 encoding identical to that used for representing binary data
-   in RFC 2535 [8].  The data may be divided up into any number of white
-   space separated substrings, down to single base 64 digits, which are
-   concatenated to form the complete RDATA.  These substrings can span
-   lines using the standard parentheses.
-
-3.3  The DHCID RR Type Codes
-
-   The DHCID RR Type Code specifies what data from the DHCP client's
-   request was used as input into the hash function.  The type codes are
-   defined in a registry maintained by IANA, as specified in Section 7.
-   The initial list of assigned values for the type code is:
-
-   0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [7].
-   0x0001 = The data portion from a DHCPv4 client's Client Identifier
-      option [9].
-   0x0002 = The client's DUID (i.e., the data portion of a DHCPv6
-      client's Client Identifier option [10] or the DUID field from a
-      DHCPv4 client's Client Identifier option [12]).
-
-   0x0003 - 0xfffe = Available to be assigned by IANA.
-
-   0xffff = RESERVED
-
-3.4  Computation of the RDATA
-
-   The DHCID RDATA is formed by concatenating the two type bytes with
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 4]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-   some variable-length identifying data.
-
-       < type > < data >
-
-   The RDATA for all type codes other than 0xffff, which is reserved for
-   future expansion, is formed by concatenating the two type bytes and a
-   16-byte MD5 hash value.  The input to the hash function is defined to
-   be:
-
-       data = MD5(< identifier > < FQDN >)
-
-   The FQDN is represented in the buffer in unambiguous canonical form
-   as described in RFC 2535 [8], section 8.1.  The type code and the
-   identifier are related as specified in Section 3.3: the type code
-   describes the source of the identifier.
-
-   When the updater is using the client's link-layer address as the
-   identifier, the first two bytes of the DHCID RDATA MUST be zero.  To
-   generate the rest of the resource record, the updater computes a
-   one-way hash using the MD5 algorithm across a buffer containing the
-   client's network hardware type, link-layer address, and the FQDN
-   data.  Specifically, the first byte of the buffer contains the
-   network hardware type as it appeared in the DHCP 'htype' field of the
-   client's DHCPREQUEST message.  All of the significant bytes of the
-   chaddr field in the client's DHCPREQUEST message follow, in the same
-   order in which the bytes appear in the DHCPREQUEST message.  The
-   number of significant bytes in the 'chaddr' field is specified in the
-   'hlen' field of the DHCPREQUEST message.  The FQDN data, as specified
-   above, follows.
-
-   When the updater is using the DHCPv4 Client Identifier option sent by
-   the client in its DHCPREQUEST message, the first two bytes of the
-   DHCID RR MUST be 0x0001, in network byte order.  The rest of the
-   DHCID RR MUST contain the results of computing an MD5 hash across the
-   payload of the option, followed by the FQDN.  The payload of the
-   option consists of the bytes of the option following the option code
-   and length.
-
-   When the updater is using the DHCPv6 DUID sent by the client in its
-   REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
-   in network byte order.  The rest of the DHCID RR MUST contain the
-   results of computing an MD5 hash across the payload of the option,
-   followed by the FQDN.  The payload of the option consists of the
-   bytes of the option following the option code and length.
-
-3.5  Examples
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 5]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-3.5.1  Example 1
-
-   A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
-   Ethernet MAC address 01:02:03:04:05:06 using domain name
-   "client.example.com" uses the client's link-layer address to identify
-   the client.  The DHCID RDATA is composed by setting the two type
-   bytes to zero, and performing an MD5 hash computation across a buffer
-   containing the Ethernet MAC type byte, 0x01, the six bytes of MAC
-   address, and the domain name (represented as specified in
-   Section 3.4).
-
-     client.example.com.	A   	10.0.0.1
-     client.example.com. 	DHCID 	AAAUMru0ZM5OK/PdVAJgZ/HU
-
-
-3.5.2  Example 2
-
-   A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
-   included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
-   in its DHCP request.  The server updates the name "chi.example.com"
-   on the client's behalf, and uses the DHCP client identifier option
-   data as input in forming a DHCID RR.  The DHCID RDATA is formed by
-   setting the two type bytes to the value 0x0001, and performing an MD5
-   hash computation across a buffer containing the seven bytes from the
-   client-id option and the FQDN (represented as specified in
-   Section 3.4).
-
-     chi.example.com.	A    	10.0.12.99
-     chi.example.com.	DHCID 	AAHdd5jiQ3kEjANDm82cbObk\012
-
-
-4.  Use of the DHCID RR
-
-   This RR MUST NOT be used for any purpose other than that detailed in
-   "Resolution of DNS Name Conflicts" [1].  Although this RR contains
-   data that is opaque to DNS servers, the data must be consistent
-   across all entities that update and interpret this record.
-   Therefore, new data formats may only be defined through actions of
-   the DHC Working Group, as a result of revising [1].
-
-5.  Updater Behavior
-
-   The data in the DHCID RR allows updaters to determine whether more
-   than one DHCP client desires to use a particular FQDN.  This allows
-   site administrators to establish policy about DNS updates.  The DHCID
-   RR does not establish any policy itself.
-
-   Updaters use data from a DHCP client's request and the domain name
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 6]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-   that the client desires to use to compute a client identity hash, and
-   then compare that hash to the data in any DHCID RRs on the name that
-   they wish to associate with the client's IP address.  If an updater
-   discovers DHCID RRs whose RDATA does not match the client identity
-   that they have computed, the updater SHOULD conclude that a different
-   client is currently associated with the name in question.  The
-   updater SHOULD then proceed according to the site's administrative
-   policy.  That policy might dictate that a different name be selected,
-   or it might permit the updater to continue.
-
-6.  Security Considerations
-
-   The DHCID record as such does not introduce any new security problems
-   into the DNS.  In order to avoid exposing private information about
-   DHCP clients to public scrutiny, a one-way hash is used to obscure
-   all client information.  In order to make it difficult to 'track' a
-   client by examining the names associated with a particular hash
-   value, the FQDN is included in the hash computation.  Thus, the RDATA
-   is dependent on both the DHCP client identification data and on each
-   FQDN associated with the client.
-
-   Administrators should be wary of permitting unsecured DNS updates to
-   zones which are exposed to the global Internet.  Both DHCP clients
-   and servers SHOULD use some form of update authentication (e.g., TSIG
-   [11]) when performing DNS updates.
-
-7.  IANA Considerations
-
-   IANA is requested to allocate an RR type number for the DHCID record
-   type.
-
-   This specification defines a new number-space for the 16-bit type
-   codes associated with the DHCID RR.  IANA is requested to establish a
-   registry of the values for this number-space.
-
-   Three initial values are assigned in Section 3.3, and the value
-   0xFFFF is reserved for future use.  New DHCID RR type codes are
-   tentatively assigned after the specification for the associated type
-   code, published as an Internet Draft, has received expert review by a
-   designated expert.  The final assignment of DHCID RR type codes is
-   through Standards Action, as defined in RFC 2434 [6].
-
-8.  Acknowledgements
-
-   Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz, and
-   Ralph Droms for their review and suggestions.
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 7]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-9.  References
-
-9.1  Normative References
-
-   [1]  Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
-        DHCP Clients (draft-ietf-dhc-dns-resolution-*)", July 2004.
-
-   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-   [3]  Mockapetris, P., "Domain names - concepts and facilities",
-        STD 13, RFC 1034, November 1987.
-
-   [4]  Mockapetris, P., "Domain names - implementation and
-        specification", STD 13, RFC 1035, November 1987.
-
-   [5]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
-        1992.
-
-   [6]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
-        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
-9.2  Informative References
-
-   [7]   Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
-         March 1997.
-
-   [8]   Eastlake, D., "Domain Name System Security Extensions",
-         RFC 2535, March 1999.
-
-   [9]   Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
-         Extensions", RFC 2132, March 1997.
-
-   [10]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
-         Carney, "Dynamic Host Configuration Protocol for IPv6
-         (DHCPv6)", RFC 3315, July 2003.
-
-   [11]  Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
-         "Secret Key Transaction Authentication for DNS (TSIG)",
-         RFC 2845, May 2000.
-
-   [12]  Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers
-         for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*)", February 2004.
-
-
-
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 8]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-Authors' Addresses
-
-   Mark Stapp
-   Cisco Systems, Inc.
-   1414 Massachusetts Ave.
-   Boxborough, MA  01719
-   USA
-
-   Phone: 978.936.1535
-   Email: mjs@cisco.com
-
-
-   Ted Lemon
-   Nominum, Inc.
-   950 Charter St.
-   Redwood City, CA  94063
-   USA
-
-   Email: mellon@nominum.com
-
-
-   Andreas Gustafsson
-   Nominum, Inc.
-   950 Charter St.
-   Redwood City, CA  94063
-   USA
-
-   Email: gson@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 9]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Stapp, et al.            Expires August 13, 2005               [Page 10]
-
-
diff --git a/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt b/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt
new file mode 100644
index 0000000000..07749d9549
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dhcid-rr-12.txt
@@ -0,0 +1,674 @@
+
+
+
+
+DNSEXT                                                          M. Stapp
+Internet-Draft                                       Cisco Systems, Inc.
+Expires: September 1, 2006                                      T. Lemon
+                                                           Nominum, Inc.
+                                                           A. Gustafsson
+                                          Araneus Information Systems Oy
+                                                       February 28, 2006
+
+
+           A DNS RR for Encoding DHCP Information (DHCID RR)
+                  
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on September 1, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   It is possible for DHCP clients to attempt to update the same DNS
+   FQDN or attempt to update a DNS FQDN that has been added to the DNS
+   for another purpose as they obtain DHCP leases.  Whether the DHCP
+   server or the clients themselves perform the DNS updates, conflicts
+   can arise.  To resolve such conflicts, "Resolution of DNS Name
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 1]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   Conflicts" [1] proposes storing client identifiers in the DNS to
+   unambiguously associate domain names with the DHCP clients to which
+   they refer.  This memo defines a distinct RR type for this purpose
+   for use by DHCP clients and servers, the "DHCID" RR.
+
+
+Table of Contents
+
+   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   3.  The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . .  3
+     3.1.  DHCID RDATA format . . . . . . . . . . . . . . . . . . . .  3
+     3.2.  DHCID Presentation Format  . . . . . . . . . . . . . . . .  4
+     3.3.  The DHCID RR Identifier Type Codes . . . . . . . . . . . .  4
+     3.4.  The DHCID RR Digest Type Code  . . . . . . . . . . . . . .  4
+     3.5.  Computation of the RDATA . . . . . . . . . . . . . . . . .  5
+       3.5.1.  Using the Client's DUID  . . . . . . . . . . . . . . .  5
+       3.5.2.  Using the Client Identifier Option . . . . . . . . . .  5
+       3.5.3.  Using the Client's htype and chaddr  . . . . . . . . .  6
+     3.6.  Examples . . . . . . . . . . . . . . . . . . . . . . . . .  6
+       3.6.1.  Example 1  . . . . . . . . . . . . . . . . . . . . . .  6
+       3.6.2.  Example 2  . . . . . . . . . . . . . . . . . . . . . .  6
+       3.6.3.  Example 3  . . . . . . . . . . . . . . . . . . . . . .  7
+   4.  Use of the DHCID RR  . . . . . . . . . . . . . . . . . . . . .  7
+   5.  Updater Behavior . . . . . . . . . . . . . . . . . . . . . . .  8
+   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
+   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
+   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
+   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
+     9.1.  Normative References . . . . . . . . . . . . . . . . . . .  9
+     9.2.  Informative References . . . . . . . . . . . . . . . . . . 10
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
+   Intellectual Property and Copyright Statements . . . . . . . . . . 12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 2]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+1.  Terminology
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [2].
+
+
+2.  Introduction
+
+   A set of procedures to allow DHCP [6] [10] clients and servers to
+   automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
+   in "Resolution of DNS Name Conflicts" [1].
+
+   Conflicts can arise if multiple DHCP clients wish to use the same DNS
+   name or a DHCP client attempts to use a name added for another
+   purpose.  To resolve such conflicts, "Resolution of DNS Name
+   Conflicts" [1] proposes storing client identifiers in the DNS to
+   unambiguously associate domain names with the DHCP clients using
+   them.  In the interest of clarity, it is preferable for this DHCP
+   information to use a distinct RR type.  This memo defines a distinct
+   RR for this purpose for use by DHCP clients or servers, the "DHCID"
+   RR.
+
+   In order to obscure potentially sensitive client identifying
+   information, the data stored is the result of a one-way SHA-256 hash
+   computation.  The hash includes information from the DHCP client's
+   message as well as the domain name itself, so that the data stored in
+   the DHCID RR will be dependent on both the client identification used
+   in the DHCP protocol interaction and the domain name.  This means
+   that the DHCID RDATA will vary if a single client is associated over
+   time with more than one name.  This makes it difficult to 'track' a
+   client as it is associated with various domain names.
+
+
+3.  The DHCID RR
+
+   The DHCID RR is defined with mnemonic DHCID and type code [TBD].  The
+   DHCID RR is only defined in the IN class.  DHCID RRs cause no
+   additional section processing.  The DHCID RR is not a singleton type.
+
+3.1.  DHCID RDATA format
+
+   The RDATA section of a DHCID RR in transmission contains RDLENGTH
+   octets of binary data.  The format of this data and its
+   interpretation by DHCP servers and clients are described below.
+
+   DNS software should consider the RDATA section to be opaque.  DHCP
+   clients or servers use the DHCID RR to associate a DHCP client's
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 3]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   identity with a DNS name, so that multiple DHCP clients and servers
+   may deterministically perform dynamic DNS updates to the same zone.
+   From the updater's perspective, the DHCID resource record RDATA
+   consists of a 2-octet identifier type, in network byte order,
+   followed by a 1-octet digest type, followed by one or more octets
+   representing the actual identifier:
+
+           < 2 octets >    Identifier type code
+           < 1 octet >     Digest type code
+           < n octets >    Digest (length depends on digest type)
+
+3.2.  DHCID Presentation Format
+
+   In DNS master files, the RDATA is represented as a single block in
+   base 64 encoding identical to that used for representing binary data
+   in RFC 3548 [7].  The data may be divided up into any number of white
+   space separated substrings, down to single base 64 digits, which are
+   concatenated to form the complete RDATA.  These substrings can span
+   lines using the standard parentheses.
+
+3.3.  The DHCID RR Identifier Type Codes
+
+   The DHCID RR Identifier Type Code specifies what data from the DHCP
+   client's request was used as input into the hash function.  The
+   identifier type codes are defined in a registry maintained by IANA,
+   as specified in Section 7.  The initial list of assigned values for
+   the identifier type code is:
+
+   0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [6].
+   0x0001 = The data octets (i.e., the Type and Client-Identifier
+      fields) from a DHCPv4 client's Client Identifier option [9].
+   0x0002 = The client's DUID (i.e., the data octets of a DHCPv6
+      client's Client Identifier option [10] or the DUID field from a
+      DHCPv4 client's Client Identifier option [12]).
+
+   0x0003 - 0xfffe = Available to be assigned by IANA.
+
+   0xffff = RESERVED
+
+3.4.  The DHCID RR Digest Type Code
+
+   The DHCID RR Digest Type Code is an identifier for the digest
+   algorithm used.  The digest is calculated over an identifier and the
+   canonical FQDN as described in the next section.
+
+   The digest type codes are defined in a registry maintained by IANA,
+   as specified in Section 7.  The initial list of assigned values for
+   the digest type codes is: value 0 is reserved and value 1 is SHA-256.
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 4]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   Reserving other types requires IETF standards action.  Defining new
+   values will also require IETF standards action to document how DNS
+   updaters are to deal with multiple digest types.
+
+3.5.  Computation of the RDATA
+
+   The DHCID RDATA is formed by concatenating the 2-octet identifier
+   type code with variable-length data.
+
+   The RDATA for all type codes other than 0xffff, which is reserved for
+   future expansion, is formed by concatenating the 2-octet identifier
+   type code, the 1-octet digest type code, and the digest value (32
+   octets for SHA-256).
+
+       < identifier-type > < digest-type > < digest >
+
+   The input to the digest hash function is defined to be:
+
+       digest = SHA-256(< identifier > < FQDN >)
+
+   The FQDN is represented in the buffer in unambiguous canonical form
+   as described in RFC 4034 [8], section 6.1.  The identifier type code
+   and the identifier are related as specified in Section 3.3: the
+   identifier type code describes the source of the identifier.
+
+   A DHCPv4 updater uses the 0x0002 type code if a Client Identifier
+   option is present in the DHCPv4 messages and it is encoded as
+   specified in [12].  Otherwise, the updater uses 0x0001 if a Client
+   Identifier option is present and 0x0000 if not.
+
+   A DHCPv6 updater always uses the 0x0002 type code.
+
+3.5.1.  Using the Client's DUID
+
+   When the updater is using the Client's DUID (either from a DHCPv6
+   Client Identifier option or from a portion of the DHCPv4 Client
+   Identifier option encoded as specified in [12]), the first two octets
+   of the DHCID RR MUST be 0x0002, in network byte order.  The third
+   octet is the digest type code (1 for SHA-256).  The rest of the DHCID
+   RR MUST contain the results of computing the SHA-256 hash across the
+   octets of the DUID followed by the FQDN.
+
+3.5.2.  Using the Client Identifier Option
+
+   When the updater is using the DHCPv4 Client Identifier option sent by
+   the client in its DHCPREQUEST message, the first two octets of the
+   DHCID RR MUST be 0x0001, in network byte order.  The third octet is
+   the digest type code (1 for SHA-256).  The rest of the DHCID RR MUST
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 5]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   contain the results of computing the SHA-256 hash across the data
+   octets (i.e., the Type and Client-Identifier fields) of the option,
+   followed by the FQDN.
+
+3.5.3.  Using the Client's htype and chaddr
+
+   When the updater is using the client's link-layer address as the
+   identifier, the first two octets of the DHCID RDATA MUST be zero.
+   The third octet is the digest type code (1 for SHA-256).  To generate
+   the rest of the resource record, the updater computes a one-way hash
+   using the SHA-256 algorithm across a buffer containing the client's
+   network hardware type, link-layer address, and the FQDN data.
+   Specifically, the first octet of the buffer contains the network
+   hardware type as it appeared in the DHCP 'htype' field of the
+   client's DHCPREQUEST message.  All of the significant octets of the
+   'chaddr' field in the client's DHCPREQUEST message follow, in the
+   same order in which the octets appear in the DHCPREQUEST message.
+   The number of significant octets in the 'chaddr' field is specified
+   in the 'hlen' field of the DHCPREQUEST message.  The FQDN data, as
+   specified above, follows.
+
+3.6.  Examples
+
+3.6.1.  Example 1
+
+   A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
+   Ethernet MAC address 01:02:03:04:05:06 using domain name
+   "client.example.com" uses the client's link-layer address to identify
+   the client.  The DHCID RDATA is composed by setting the two type
+   octets to zero, the 1-octet digest type to 1 for SHA-256, and
+   performing an SHA-256 hash computation across a buffer containing the
+   Ethernet MAC type octet, 0x01, the six octets of MAC address, and the
+   domain name (represented as specified in Section 3.5).
+
+     client.example.com.   A       10.0.0.1
+     client.example.com.   DHCID   ( AAABxLmlskllE0MVjd57zHcWmEH3pCQ6V
+                                     ytcKD//7es/deY= )
+
+   If the DHCID RR type is not supported, the RDATA would be encoded
+   [13] as:
+
+     \# 35 ( 000001c4b9a5b249651343158dde7bcc77169841f7a4243a572b5c283
+             fffedeb3f75e6 )
+
+3.6.2.  Example 2
+
+   A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
+   included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 6]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   in its DHCP request.  The server updates the name "chi.example.com"
+   on the client's behalf, and uses the DHCP client identifier option
+   data as input in forming a DHCID RR.  The DHCID RDATA is formed by
+   setting the two type octets to the value 0x0001, the 1-octet digest
+   type to 1 for SHA-256, and performing a SHA-256 hash computation
+   across a buffer containing the seven octets from the client-id option
+   and the FQDN (represented as specified in Section 3.5).
+
+     chi.example.com.      A       10.0.12.99
+     chi.example.com.      DHCID   ( AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdW
+                                     L3b/NaiUDlW2No= )
+
+   If the DHCID RR type is not supported, the RDATA would be encoded
+   [13] as:
+
+     \# 35 ( 0001013920fe5d1dceb3fd0ba3379756a70d73b17009f41d58bddbfcd
+             6a2503956d8da )
+
+3.6.3.  Example 3
+
+   A DHCP server allocates the IPv6 address 2000::1234:5678 to a client
+   which included the DHCPv6 client-identifier option data 00:01:00:06:
+   41:2d:f1:66:01:02:03:04:05:06 in its DHCPv6 request.  The server
+   updates the name "chi6.example.com" on the client's behalf, and uses
+   the DHCP client identifier option data as input in forming a DHCID
+   RR.  The DHCID RDATA is formed by setting the two type octets to the
+   value 0x0002, the 1-octet digest type to 1 for SHA-256, and
+   performing a SHA-256 hash computation across a buffer containing the
+   14 octets from the client-id option and the FQDN (represented as
+   specified in Section 3.5).
+
+     chi6.example.com.     AAAA    2000::1234:5678
+     chi6.example.com.     DHCID   ( AAIBY2/AuCccgoJbsaxcQc9TUapptP69l
+                                     OjxfNuVAA2kjEA= )
+
+   If the DHCID RR type is not supported, the RDATA would be encoded
+   [13] as:
+
+     \# 35 ( 000201636fc0b8271c82825bb1ac5c41cf5351aa69b4febd94e8f17cd
+             b95000da48c40 )
+
+
+4.  Use of the DHCID RR
+
+   This RR MUST NOT be used for any purpose other than that detailed in
+   "Resolution of DNS Name Conflicts" [1].  Although this RR contains
+   data that is opaque to DNS servers, the data must be consistent
+   across all entities that update and interpret this record.
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 7]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   Therefore, new data formats may only be defined through actions of
+   the DHC Working Group, as a result of revising [1].
+
+
+5.  Updater Behavior
+
+   The data in the DHCID RR allows updaters to determine whether more
+   than one DHCP client desires to use a particular FQDN.  This allows
+   site administrators to establish policy about DNS updates.  The DHCID
+   RR does not establish any policy itself.
+
+   Updaters use data from a DHCP client's request and the domain name
+   that the client desires to use to compute a client identity hash, and
+   then compare that hash to the data in any DHCID RRs on the name that
+   they wish to associate with the client's IP address.  If an updater
+   discovers DHCID RRs whose RDATA does not match the client identity
+   that they have computed, the updater SHOULD conclude that a different
+   client is currently associated with the name in question.  The
+   updater SHOULD then proceed according to the site's administrative
+   policy.  That policy might dictate that a different name be selected,
+   or it might permit the updater to continue.
+
+
+6.  Security Considerations
+
+   The DHCID record as such does not introduce any new security problems
+   into the DNS.  In order to obscure the client's identity information,
+   a one-way hash is used.  And, in order to make it difficult to
+   'track' a client by examining the names associated with a particular
+   hash value, the FQDN is included in the hash computation.  Thus, the
+   RDATA is dependent on both the DHCP client identification data and on
+   each FQDN associated with the client.
+
+   However, it should be noted that an attacker that has some knowledge,
+   such as of MAC addresses commonly used in DHCP client identification
+   data, may be able to discover the client's DHCP identify by using a
+   brute-force attack.  Even without any additional knowledge, the
+   number of unknown bits used in computing the hash is typically only
+   48 to 80.
+
+   Administrators should be wary of permitting unsecured DNS updates to
+   zones, whether or not they are exposed to the global Internet.  Both
+   DHCP clients and servers SHOULD use some form of update
+   authentication (e.g., TSIG [11]) when performing DNS updates.
+
+
+7.  IANA Considerations
+
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 8]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+   IANA is requested to allocate a DNS RR type number for the DHCID
+   record type.
+
+   This specification defines a new number-space for the 2-octet
+   identifier type codes associated with the DHCID RR.  IANA is
+   requested to establish a registry of the values for this number-
+   space.  Three initial values are assigned in Section 3.3, and the
+   value 0xFFFF is reserved for future use.  New DHCID RR identifier
+   type codes are assigned through Standards Action, as defined in RFC
+   2434 [5].
+
+   This specification defines a new number-space for the 1-octet digest
+   type codes associated with the DHCID RR.  IANA is requested to
+   establish a registry of the values for this number-space.  Two
+   initial values are assigned in Section 3.4.  New DHCID RR digest type
+   codes are assigned through Standards Action, as defined in RFC 2434
+   [5].
+
+
+8.  Acknowledgements
+
+   Many thanks to Harald Alvestrand, Ralph Droms, Olafur Gudmundsson,
+   Sam Hartman, Josh Littlefield, Pekka Savola, and especially Bernie
+   Volz for their review and suggestions.
+
+
+9.  References
+
+9.1.  Normative References
+
+   [1]  Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
+        DHCP Clients (draft-ietf-dhc-dns-resolution-*)", February 2006.
+
+   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", BCP 14, RFC 2119, March 1997.
+
+   [3]  Mockapetris, P., "Domain names - concepts and facilities",
+        STD 13, RFC 1034, November 1987.
+
+   [4]  Mockapetris, P., "Domain names - implementation and
+        specification", STD 13, RFC 1035, November 1987.
+
+   [5]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+
+
+
+
+
+
+Stapp, et al.           Expires September 1, 2006               [Page 9]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+9.2.  Informative References
+
+   [6]   Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
+         March 1997.
+
+   [7]   Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
+         RFC 3548, July 2003.
+
+   [8]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Resource Records for the DNS Security Extensions", RFC 4034,
+         March 2005.
+
+   [9]   Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
+         Extensions", RFC 2132, March 1997.
+
+   [10]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M.
+         Carney, "Dynamic Host Configuration Protocol for IPv6
+         (DHCPv6)", RFC 3315, July 2003.
+
+   [11]  Vixie, P., Gudmundsson, O., Eastlake, D., and B. Wellington,
+         "Secret Key Transaction Authentication for DNS (TSIG)",
+         RFC 2845, May 2000.
+
+   [12]  Lemon, T. and B. Sommerfeld, "Node-specific Client Identifiers
+         for Dynamic Host Configuration Protocol Version Four (DHCPv4)",
+         RFC 4361, February 2006.
+
+   [13]  Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+         Types", RFC 3597, September 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al.           Expires September 1, 2006              [Page 10]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+Authors' Addresses
+
+   Mark Stapp
+   Cisco Systems, Inc.
+   1414 Massachusetts Ave.
+   Boxborough, MA  01719
+   USA
+
+   Phone: 978.936.1535
+   Email: mjs@cisco.com
+
+
+   Ted Lemon
+   Nominum, Inc.
+   950 Charter St.
+   Redwood City, CA  94063
+   USA
+
+   Email: mellon@nominum.com
+
+
+   Andreas Gustafsson
+   Araneus Information Systems Oy
+   Ulappakatu 1
+   02320 Espoo
+   Finland
+
+   Email: gson@araneus.fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al.           Expires September 1, 2006              [Page 11]
+
+Internet-Draft                The DHCID RR                 February 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Stapp, et al.           Expires September 1, 2006              [Page 12]
+
+

From 7e1a8f402e3881388db37152f71c698cb1f1c426 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 5 Mar 2006 11:25:02 +0000
Subject: [PATCH 088/465] newcopyrights

---
 util/copyrights | 49 ++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 42 insertions(+), 7 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 497ac2dec1..e0a59d949a 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -146,7 +146,7 @@
 ./bin/named/win32/named.mak			X	2001,2005
 ./bin/named/win32/ntservice.c			C	1999,2000,2001,2002,2004
 ./bin/named/win32/os.c				C	1999,2000,2001,2002,2004,2005
-./bin/named/xfrout.c				C	1999,2000,2001,2002,2003,2004,2005
+./bin/named/xfrout.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/zoneconf.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/nsupdate/.cvsignore			X	2000,2001
 ./bin/nsupdate/Makefile.in			MAKE	2000,2001,2002,2004
@@ -439,7 +439,7 @@
 ./bin/tests/system/common/controls.conf		CONF-C	2000,2001,2004
 ./bin/tests/system/common/rndc.conf		CONF-C	2000,2001,2004
 ./bin/tests/system/common/root.hint		ZONE	2000,2001,2004
-./bin/tests/system/conf.sh.in			SH	2000,2001,2002,2003,2004,2005
+./bin/tests/system/conf.sh.in			SH	2000,2001,2002,2003,2004,2005,2006
 ./bin/tests/system/dialup/ns1/.cvsignore	X	2000,2001
 ./bin/tests/system/dialup/ns1/example.db	ZONE	2000,2001,2004
 ./bin/tests/system/dialup/ns1/named.conf	CONF-C	2000,2001,2004
@@ -642,6 +642,41 @@
 ./bin/tests/system/resolver/ns1/root.hint	ZONE	2000,2001,2004
 ./bin/tests/system/resolver/prereq.sh		SH	2000,2001,2004
 ./bin/tests/system/resolver/tests.sh		SH	2000,2001,2004
+./bin/tests/system/rrsetorder/clean.sh		SH	2006
+./bin/tests/system/rrsetorder/dig.out.cyclic.good1	X	2006
+./bin/tests/system/rrsetorder/dig.out.cyclic.good2	X	2006
+./bin/tests/system/rrsetorder/dig.out.cyclic.good3	X	2006
+./bin/tests/system/rrsetorder/dig.out.cyclic.good4	X	2006
+./bin/tests/system/rrsetorder/dig.out.fixed.good	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good1	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good10	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good11	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good12	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good13	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good14	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good15	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good16	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good17	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good18	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good19	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good2	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good20	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good21	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good22	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good23	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good24	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good3	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good4	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good5	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good6	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good7	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good8	X	2006
+./bin/tests/system/rrsetorder/dig.out.random.good9	X	2006
+./bin/tests/system/rrsetorder/ns1/named.conf	CONF-C	2006
+./bin/tests/system/rrsetorder/ns1/root.db	ZONE	2006
+./bin/tests/system/rrsetorder/ns2/named.conf	CONF-C	2006
+./bin/tests/system/rrsetorder/ns3/named.conf	CONF-C	2006
+./bin/tests/system/rrsetorder/tests.sh		SH	2006
 ./bin/tests/system/run.sh			SH	2000,2001,2004
 ./bin/tests/system/runall.sh			SH	2000,2001,2004
 ./bin/tests/system/send.pl			PERL	2001,2004
@@ -652,9 +687,9 @@
 ./bin/tests/system/sortlist/ns1/named.conf	CONF-C	2000,2001,2004
 ./bin/tests/system/sortlist/ns1/root.db		ZONE	2000,2001,2004
 ./bin/tests/system/sortlist/tests.sh		SH	2000,2001,2004
-./bin/tests/system/start.pl			SH	2001,2004,2005
+./bin/tests/system/start.pl			SH	2001,2004,2005,2006
 ./bin/tests/system/start.sh			SH	2001,2004
-./bin/tests/system/stop.pl			SH	2001,2004,2005
+./bin/tests/system/stop.pl			SH	2001,2004,2005,2006
 ./bin/tests/system/stop.sh			SH	2001,2004
 ./bin/tests/system/stress/clean.sh		SH	2000,2001,2004
 ./bin/tests/system/stress/ns1/.cvsignore	X	2000,2001
@@ -1259,7 +1294,7 @@
 ./lib/bind/bsd/writev.c				X	2001,2005
 ./lib/bind/config.h.in				X	2001,2005
 ./lib/bind/configure				X	2001,2005,2006
-./lib/bind/configure.in				SH	2001,2004,2005
+./lib/bind/configure.in				SH	2001,2004,2005,2006
 ./lib/bind/dst/.cvsignore			X	2001
 ./lib/bind/dst/Makefile.in			MAKE	2001,2004
 ./lib/bind/dst/dst_api.c			X	2001,2005
@@ -1793,7 +1828,7 @@
 ./lib/dns/log.c					C	1999,2000,2001,2003,2004,2005
 ./lib/dns/lookup.c				C	2000,2001,2003,2004,2005
 ./lib/dns/master.c				C	1999,2000,2001,2002,2003,2004,2005
-./lib/dns/masterdump.c				C	1999,2000,2001,2002,2003,2004,2005
+./lib/dns/masterdump.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/message.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/name.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/ncache.c				C	1999,2000,2001,2002,2003,2004,2005
@@ -1922,7 +1957,7 @@
 ./lib/dns/rdatalist_p.h				C	2000,2001,2004,2005
 ./lib/dns/rdataset.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/rdatasetiter.c			C	1999,2000,2001,2004,2005
-./lib/dns/rdataslab.c				C	1999,2000,2001,2002,2003,2004,2005
+./lib/dns/rdataslab.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/request.c				C	2000,2001,2002,2004,2005,2006
 ./lib/dns/resolver.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/result.c				C	1998,1999,2000,2001,2002,2003,2004,2005

From 0eabe488ed2cef6e111a8f1ee6f9770c564368da Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 5 Mar 2006 23:58:49 +0000
Subject: [PATCH 089/465] update copyright notice

---
 lib/bind/configure.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index e4b6cbe26e..d5c6df35be 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.83.2.28 $)
+AC_REVISION($Revision: 1.83.2.29 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)

From ea8874ec3578a02d5d71b08217ac74d7588db10a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 5 Mar 2006 23:58:52 +0000
Subject: [PATCH 090/465] update copyright notice

---
 bin/named/xfrout.c                   | 4 ++--
 bin/tests/system/conf.sh.in          | 4 ++--
 bin/tests/system/rrsetorder/clean.sh | 4 ++--
 bin/tests/system/rrsetorder/tests.sh | 4 ++--
 bin/tests/system/start.pl            | 4 ++--
 bin/tests/system/stop.pl             | 4 ++--
 lib/bind/configure.in                | 4 ++--
 lib/dns/masterdump.c                 | 4 ++--
 lib/dns/rdataslab.c                  | 4 ++--
 9 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 2e9017dac7..02f4f21d89 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.122 2006/03/03 00:43:34 marka Exp $ */
+/* $Id: xfrout.c,v 1.123 2006/03/05 23:58:52 marka Exp $ */
 
 #include 
 
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index e07a266aa6..04d0bf4bde 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: conf.sh.in,v 1.34 2006/03/03 00:43:34 marka Exp $
+# $Id: conf.sh.in,v 1.35 2006/03/05 23:58:52 marka Exp $
 
 #
 # Common configuration data for system tests, to be sourced into
diff --git a/bin/tests/system/rrsetorder/clean.sh b/bin/tests/system/rrsetorder/clean.sh
index 92f47f2ec2..75b98cb848 100644
--- a/bin/tests/system/rrsetorder/clean.sh
+++ b/bin/tests/system/rrsetorder/clean.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.2 2006/03/03 00:43:34 marka Exp $
+# $Id: clean.sh,v 1.3 2006/03/05 23:58:52 marka Exp $
 
 rm -f dig.out.cyclic dig.out.fixed dig.out.random
 rm -f ns2/root.bk
diff --git a/bin/tests/system/rrsetorder/tests.sh b/bin/tests/system/rrsetorder/tests.sh
index 99f2414ac5..92c73847f6 100644
--- a/bin/tests/system/rrsetorder/tests.sh
+++ b/bin/tests/system/rrsetorder/tests.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.2 2006/03/03 00:43:34 marka Exp $
+# $Id: tests.sh,v 1.3 2006/03/05 23:58:52 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index c51b5f4884..69e19e5c9f 100644
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -w
 #
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: start.pl,v 1.8 2006/03/03 00:43:34 marka Exp $
+# $Id: start.pl,v 1.9 2006/03/05 23:58:52 marka Exp $
 
 # Framework for starting test servers.
 # Based on the type of server specified, check for port availability, remove
diff --git a/bin/tests/system/stop.pl b/bin/tests/system/stop.pl
index 25d73b1e12..82954e46b7 100644
--- a/bin/tests/system/stop.pl
+++ b/bin/tests/system/stop.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -w
 #
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: stop.pl,v 1.9 2006/03/03 00:43:34 marka Exp $
+# $Id: stop.pl,v 1.10 2006/03/05 23:58:52 marka Exp $
 
 # Framework for stopping test servers
 # Based on the type of server specified, signal the server to stop, wait
diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index 04777bf322..0fae2f5772 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.115 $)
+AC_REVISION($Revision: 1.116 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index c8abeca9d4..a78c322bec 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.84 2006/03/03 00:43:35 marka Exp $ */
+/* $Id: masterdump.c,v 1.85 2006/03/05 23:58:52 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index db120db567..4b50602c03 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.c,v 1.39 2006/03/03 00:43:35 marka Exp $ */
+/* $Id: rdataslab.c,v 1.40 2006/03/05 23:58:52 marka Exp $ */
 
 /*! \file */
 

From ac124a78a097a0840992c5726cbbdaf1448b6ab3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 6 Mar 2006 01:06:48 +0000
Subject: [PATCH 091/465] 2000.   [bug]           memmove()/strtol() fix was
 incomplete. [#RT 15812]

---
 CHANGES      |  2 ++
 configure    | 10 +++++-----
 configure.in |  8 ++++----
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index bc6d0e6ef2..ef65e72a7f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2000.	[bug]		memmove()/strtol() fix was incomplete. [#RT 15812]
+
 1999.	[func]		Implement "rrset-order fixed". [RT #13662]
 
 1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
diff --git a/configure b/configure
index c6fc4e5e76..4137fefc1c 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.392 2006/03/03 03:29:39 marka Exp $
+# $Id: configure,v 1.393 2006/03/06 01:06:48 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.404 .
+# From configure.in Revision: 1.405 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -25916,12 +25916,12 @@ echo "$as_me:$LINENO: result: $ac_cv_func_strtoul" >&5
 echo "${ECHO_T}$ac_cv_func_strtoul" >&6
 if test $ac_cv_func_strtoul = yes; then
   ISC_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"
-	 LWRES_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"
+	 LWRES_PLATFORM_NEEDSTRTOUL="#undef LWRES_PLATFORM_NEEDSTRTOUL"
 	 GENRANDOMLIB=""
 else
   ISC_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"
-	 LWRES_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"
-	 "GENRANDOMLIB=${ISCLIBS}"
+	 LWRES_PLATFORM_NEEDSTRTOUL="#define LWRES_PLATFORM_NEEDSTRTOUL 1"
+	 GENRANDOMLIB="${ISCLIBS}"
 fi
 
 
diff --git a/configure.in b/configure.in
index 5cc629cd74..f13dba5ed4 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.404 $)
+AC_REVISION($Revision: 1.405 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -1589,11 +1589,11 @@ AC_SUBST(ISC_PLATFORM_NEEDMEMMOVE)
 
 AC_CHECK_FUNC(strtoul,
 	[ISC_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"
-	 LWRES_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"
+	 LWRES_PLATFORM_NEEDSTRTOUL="#undef LWRES_PLATFORM_NEEDSTRTOUL"
 	 GENRANDOMLIB=""],
 	[ISC_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"
-	 LWRES_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"
-	 "GENRANDOMLIB=${ISCLIBS}"])
+	 LWRES_PLATFORM_NEEDSTRTOUL="#define LWRES_PLATFORM_NEEDSTRTOUL 1"
+	 GENRANDOMLIB="${ISCLIBS}"])
 AC_SUBST(ISC_PLATFORM_NEEDSTRTOUL)
 AC_SUBST(LWRES_PLATFORM_NEEDSTRTOUL)
 AC_SUBST(GENRANDOMLIB)

From 59d84d1b077678cb77f6cbcc53d8cfa60ff69cb7 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 6 Mar 2006 01:27:52 +0000
Subject: [PATCH 092/465] 2001.   [func]          Check the KSK flag when
 updating a secure dynamic zone.                         New zone option
 "update-check-ksk yes;".  [RT #15817]

---
 CHANGES                             |  5 ++-
 bin/named/config.c                  |  3 +-
 bin/named/named.conf.docbook        |  5 ++-
 bin/named/update.c                  | 65 +++++++++++++++++++++++++++--
 bin/named/zoneconf.c                |  8 +++-
 bin/tests/system/dnssec/ns3/sign.sh |  7 ++--
 doc/arm/Bv9ARM-book.xml             | 29 ++++++++++++-
 lib/bind9/check.c                   |  3 +-
 lib/dns/dnssec.c                    | 10 ++---
 lib/dns/include/dns/zone.h          |  3 +-
 lib/isccfg/namedconf.c              |  3 +-
 11 files changed, 121 insertions(+), 20 deletions(-)

diff --git a/CHANGES b/CHANGES
index ef65e72a7f..c009a27026 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,7 @@
-2000.	[bug]		memmove()/strtol() fix was incomplete. [#RT 15812]
+2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
+			New zone option "update-check-ksk yes;".  [RT #15817]
+
+2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
 
 1999.	[func]		Implement "rrset-order fixed". [RT #13662]
 
diff --git a/bin/named/config.c b/bin/named/config.c
index cf9300b262..1e9b94ff0f 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.70 2006/03/03 00:43:34 marka Exp $ */
+/* $Id: config.c,v 1.71 2006/03/06 01:27:51 marka Exp $ */
 
 /*! \file */
 
@@ -175,6 +175,7 @@ options {\n\
 	check-mx-cname warn;\n\
 	check-srv-cname warn;\n\
 	zero-no-soa-ttl yes;\n\
+	update-check-ksk yes;\n\
 };\n\
 "
 
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 091a659887..3bc7561627 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Aug 13, 2004
@@ -280,6 +280,7 @@ options {
 	allow-transfer { address_match_element; ... };
 	allow-update { address_match_element; ... };
 	allow-update-forwarding { address_match_element; ... };
+	update-check-ksk boolean;
 
 	notify notifytype;
 	notify-source ( ipv4_address | * )  port ( integer | * ) ;
@@ -426,6 +427,7 @@ view string optional_class
 	allow-transfer { address_match_element; ... };
 	allow-update { address_match_element; ... };
 	allow-update-forwarding { address_match_element; ... };
+	update-check-ksk boolean;
 
 	notify notifytype;
 	notify-source ( ipv4_address | * )  port ( integer | * ) ;
@@ -511,6 +513,7 @@ zone string optional_class
 		( name | subdomain | wildcard | self ) string
 		rrtypelist; ...
 	};
+	update-check-ksk boolean;
 
 	notify notifytype;
 	notify-source ( ipv4_address | * )  port ( integer | * ) ;
diff --git a/bin/named/update.c b/bin/named/update.c
index 8e083dd0d0..515d753fed 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.128 2006/03/03 00:43:34 marka Exp $ */
+/* $Id: update.c,v 1.129 2006/03/06 01:27:51 marka Exp $ */
 
 #include 
 
@@ -31,6 +31,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -1604,6 +1605,44 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	return (result);
 }
 
+static isc_boolean_t
+ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
+	isc_boolean_t ret = ISC_FALSE;
+	isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_dnskey_t dnskey;
+
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
+	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
+				   &rdataset, NULL));
+	CHECK(dns_rdataset_first(&rdataset));
+	while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
+		if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+				 == DNS_KEYOWNER_ZONE) {
+			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
+				have_ksk = ISC_TRUE;
+			else
+				have_nonksk = ISC_TRUE;
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&rdataset);
+	}
+	if (have_ksk && have_nonksk)
+		ret = ISC_TRUE;
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (ret);
+}
+
 /*%
  * Add RRSIG records for an RRset, recording the change in "diff".
  */
@@ -1611,7 +1650,7 @@ static isc_result_t
 add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
 	 unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
-	 isc_stdtime_t expire)
+	 isc_stdtime_t expire, isc_boolean_t check_ksk)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -1632,6 +1671,11 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	dns_db_detachnode(db, &node);
 
 	for (i = 0; i < nkeys; i++) {
+		
+		if (check_ksk && type != dns_rdatatype_dnskey &&
+		    (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
+			continue;
+		
 		/* Calculate the signature, creating a RRSIG RDATA. */
 		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
 				      &inception, &expire,
@@ -1685,6 +1729,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t rdataset;
 	dns_dbnode_t *node = NULL;
+	isc_boolean_t check_ksk;
 
 	dns_diff_init(client->mctx, &diffnames);
 	dns_diff_init(client->mctx, &affected);
@@ -1705,6 +1750,17 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	inception = now - 3600; /* Allow for some clock skew. */
 	expire = now + sigvalidityinterval;
 
+	/*
+	 * Do we look at the KSK flag on the DNSKEY to determining which
+	 * keys sign which RRsets?  First check the zone option then
+	 * check the keys flags to make sure atleast one has a ksk set
+	 * and one doesn't.
+	 */
+	check_ksk = ISC_TF((dns_zone_getoptions(zone) &
+			    DNS_ZONEOPT_UPDATECHECKKSK) != 0);
+	if (check_ksk)
+		check_ksk = ksk_sanity(db, newver);
+
 	/*
 	 * Get the NSEC's TTL from the SOA MINIMUM field.
 	 */
@@ -1764,7 +1820,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 				CHECK(add_sigs(db, newver, name, type,
 					       &sig_diff, zone_keys, nkeys,
 					       client->mctx, inception,
-					       expire));
+					       expire, check_ksk));
 			}
 		skip:
 			/* Skip any other updates to the same RRset. */
@@ -1949,7 +2005,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		} else if (t->op == DNS_DIFFOP_ADD) {
 			CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec,
 				       &sig_diff, zone_keys, nkeys,
-				       client->mctx, inception, expire));
+				       client->mctx, inception, expire,
+				       check_ksk));
 		} else {
 			INSIST(0);
 		}
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index ad1f6c1823..d7cb752f74 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.131 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: zoneconf.c,v 1.132 2006/03/06 01:27:52 marka Exp $ */
 
 /*% */
 
@@ -720,6 +720,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			INSIST(0);
 		dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
 		dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
+
+		obj = NULL;
+		result = ns_config_get(maps, "update-check-ksk", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, 
+				   cfg_obj_asboolean(obj));
 	}
 
 	/*
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index e06cfa9658..68ea50997d 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.20 2006/01/04 00:37:24 marka Exp $
+# $Id: sign.sh,v 1.21 2006/03/06 01:27:52 marka Exp $
 
 RANDFILE=../random.data
 
@@ -43,9 +43,10 @@ zone=dynamic.example.
 infile=dynamic.example.db.in
 zonefile=dynamic.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname2=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
 
-cat $infile $keyname.key >$zonefile
+cat $infile $keyname1.key $keyname2.key >$zonefile
 
 $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 8f44de9b72..14958e5e70 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -4416,6 +4416,7 @@ category notify { null; };
      allow-recursion { address_match_list }; 
      allow-update { address_match_list }; 
      allow-update-forwarding { address_match_list }; 
+     update-check-ksk yes_or_no; 
      allow-v6-synthesis { address_match_list }; 
      blackhole { address_match_list }; 
      avoid-v4-udp-ports { port_list }; 
@@ -5638,6 +5639,21 @@ options {
 	        
 	      
 	    
+
+	    
+	      update-check-ksk
+	      
+	        
+		  When regenerating the RRSIGs following a UPDATE
+		  request to a secure zone, check the KSK flag on
+		  the DNSKEY RR to determine if this key should be
+		  used to generate the RRSIG.  This flag is ignored
+		  if there are not DNSKEY RRs both with and without
+		  a KSK.  Default yes.
+		
+	      
+	    
+
           
 
         
@@ -8004,6 +8020,7 @@ zone zone_name class allow-query { address_match_list }; 
      allow-transfer { address_match_list }; 
      allow-update-forwarding { address_match_list }; 
+     update-check-ksk yes_or_no; 
      also-notify { ip_addr port ip_port ;  ip_addr port ip_port ; ...  }; 
      check-names (warn|fail|ignore) ; 
      dialup dialup_option ; 
@@ -8489,6 +8506,16 @@ zone zone_name class
               
 
+	      
+	        update-check-ksk
+                
+                  
+                    See the description of
+                    update-check-ksk in .
+                  
+                
+              
+
               
                 database
                 
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 1d5c6bf8d8..cef648a6eb 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.71 2006/03/03 00:43:35 marka Exp $ */
+/* $Id: check.c,v 1.72 2006/03/06 01:27:52 marka Exp $ */
 
 /*! \file */
 
@@ -933,6 +933,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "check-mx-cname", MASTERZONE },
 	{ "check-srv-cname", MASTERZONE },
 	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
+	{ "update-check-ksk", MASTERZONE },
 	};
 
 	static optionstable dialups[] = {
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 958f9482d9..83a621831d 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.85 2005/11/30 03:33:49 marka Exp $
+ * $Id: dnssec.c,v 1.86 2006/03/06 01:27:52 marka Exp $
  */
 
 /*! \file */
@@ -520,10 +520,10 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 
 isc_result_t
 dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
-			dns_dbnode_t *node, dns_name_t *name,
-			const char *directory, isc_mem_t *mctx,
-			unsigned int maxkeys, dst_key_t **keys,
-			unsigned int *nkeys)
+			 dns_dbnode_t *node, dns_name_t *name,
+			 const char *directory, isc_mem_t *mctx,
+			 unsigned int maxkeys, dst_key_t **keys,
+			 unsigned int *nkeys)
 {
 	dns_rdataset_t rdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 7d8502e4e5..c2a1bf499a 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.143 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: zone.h,v 1.144 2006/03/06 01:27:52 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -65,6 +65,7 @@ typedef enum {
 #define DNS_ZONEOPT_IGNOREMXCNAME 0x00100000U	/*%< ignore MX CNAME check */
 #define DNS_ZONEOPT_WARNSRVCNAME  0x00200000U	/*%< warn on SRV CNAME check */
 #define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U	/*%< ignore SRV CNAME check */
+#define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U	/*%< check dnskey KSK flag */
 
 #ifndef NOMINUM_PUBLIC
 /*
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index b4cd481cf2..84fb1e0b14 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.66 2006/02/28 02:39:52 marka Exp $ */
+/* $Id: namedconf.c,v 1.67 2006/03/06 01:27:52 marka Exp $ */
 
 /*! \file */
 
@@ -844,6 +844,7 @@ zone_clauses[] = {
 	{ "check-srv-cname", &cfg_type_checkmode, 0 },
 	{ "check-sibling", &cfg_type_boolean, 0 },
 	{ "zero-no-soa-ttl", &cfg_type_boolean, 0 },
+	{ "update-check-ksk", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };
 

From daba3af103617ce4dd49bfdd0d9e07df7f22d08d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 6 Mar 2006 02:22:36 +0000
Subject: [PATCH 093/465] 2002    [bug]           libbind: tighten the
 constraints on when                         struct addrinfo._ai_pad exists. 
 [RT #15783]

---
 CHANGES                    | 3 +++
 lib/bind/include/netdb.h   | 4 ++--
 lib/bind/irs/getaddrinfo.c | 6 +++---
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index c009a27026..2a59d0613c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2002	[bug]		libbind: tighten the constraints on when
+			struct addrinfo._ai_pad exists.  [RT #15783]
+
 2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
 			New zone option "update-check-ksk yes;".  [RT #15817]
 
diff --git a/lib/bind/include/netdb.h b/lib/bind/include/netdb.h
index f2751b00c2..baef1002db 100644
--- a/lib/bind/include/netdb.h
+++ b/lib/bind/include/netdb.h
@@ -86,7 +86,7 @@
 
 /*
  *      @(#)netdb.h	8.1 (Berkeley) 6/2/93
- *	$Id: netdb.h,v 1.17 2005/04/27 04:56:15 sra Exp $
+ *	$Id: netdb.h,v 1.18 2006/03/06 02:22:36 marka Exp $
  */
 
 #ifndef _NETDB_H_
@@ -175,7 +175,7 @@ struct	addrinfo {
 	int		ai_socktype;	/*%< SOCK_xxx */
 	int		ai_protocol;	/*%< 0 or IPPROTO_xxx for IPv4 and IPv6 */
 #if defined(sun) && defined(_SOCKLEN_T)
-#ifdef __sparc9
+#ifdef __sparcv9
 	int		_ai_pad;
 #endif
 	socklen_t	ai_addrlen;
diff --git a/lib/bind/irs/getaddrinfo.c b/lib/bind/irs/getaddrinfo.c
index fe04f0903a..a1ea15d684 100644
--- a/lib/bind/irs/getaddrinfo.c
+++ b/lib/bind/irs/getaddrinfo.c
@@ -336,7 +336,7 @@ getaddrinfo(hostname, servname, hints, res)
 	pai->ai_family = PF_UNSPEC;
 	pai->ai_socktype = ANY;
 	pai->ai_protocol = ANY;
-#ifdef __sparcv9
+#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
 	/*
 	 * clear _ai_pad to preserve binary
 	 * compatibility with previously compiled 64-bit
@@ -344,7 +344,7 @@ getaddrinfo(hostname, servname, hints, res)
 	 * guaranteeing the upper 32-bits are empty.
 	 */
 	pai->_ai_pad = 0;
-#endif /* __sparcv9 */
+#endif
 	pai->ai_addrlen = 0;
 	pai->ai_canonname = NULL;
 	pai->ai_addr = NULL;
@@ -369,7 +369,7 @@ getaddrinfo(hostname, servname, hints, res)
 		}
 		memcpy(pai, hints, sizeof(*pai));
 
-#ifdef __sparcv9
+#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
 		/*
 		 * We need to clear _ai_pad to preserve binary
 		 * compatibility.  See prior comment.

From 083a5588a3488b6335ee7bafa505d00644c7c58d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 6 Mar 2006 02:23:19 +0000
Subject: [PATCH 094/465] regen

---
 bin/named/named.conf.5           |  5 +-
 bin/named/named.conf.html        | 13 +++--
 doc/arm/Bv9ARM.ch06.html         | 86 +++++++++++++++++++-------------
 doc/arm/Bv9ARM.ch07.html         | 14 +++---
 doc/arm/Bv9ARM.ch08.html         | 18 +++----
 doc/arm/Bv9ARM.ch09.html         | 18 +++----
 doc/arm/Bv9ARM.html              | 40 +++++++--------
 doc/arm/man.dig.html             | 20 ++++----
 doc/arm/man.dnssec-keygen.html   | 14 +++---
 doc/arm/man.dnssec-signzone.html | 12 ++---
 doc/arm/man.host.html            | 10 ++--
 doc/arm/man.named-checkconf.html | 12 ++---
 doc/arm/man.named-checkzone.html | 12 ++---
 doc/arm/man.named.html           | 16 +++---
 doc/arm/man.rndc-confgen.html    | 12 ++---
 doc/arm/man.rndc.conf.html       | 12 ++---
 doc/arm/man.rndc.html            | 12 ++---
 doc/misc/options                 |  4 ++
 18 files changed, 178 insertions(+), 152 deletions(-)

diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index b0f0ee737a..7b072eb1ad 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.16 2006/01/06 01:55:38 marka Exp $
+.\" $Id: named.conf.5,v 1.17 2006/03/06 02:23:19 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -231,6 +231,7 @@ options {
 	allow\-transfer { \fIaddress_match_element\fR; ... };
 	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
+	update\-check\-ksk \fIboolean\fR;
 	notify \fInotifytype\fR;
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@@ -360,6 +361,7 @@ view \fIstring\fR \fIoptional_class\fR {
 	allow\-transfer { \fIaddress_match_element\fR; ... };
 	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
+	update\-check\-ksk \fIboolean\fR;
 	notify \fInotifytype\fR;
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@@ -433,6 +435,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 		( name | subdomain | wildcard | self ) \fIstring\fR
 		\fIrrtypelist\fR; ...
 	};
+	update\-check\-ksk \fIboolean\fR;
 	notify \fInotifytype\fR;
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index bfef54eeb7..d972941712 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -252,6 +252,7 @@ options
 	allow-transfer { address_match_element; ... };

 	allow-update { address_match_element; ... };

 	allow-update-forwarding { address_match_element; ... };

+	update-check-ksk boolean;

 

 	notify notifytype;

 	notify-source ( ipv4_address | * ) [ port ( integer | * ) ];

@@ -310,7 +311,7 @@ options
 

 

 

-
VIEW

+
VIEW

 


 view string optional_class {

 	match-clients { address_match_element; ... };

@@ -397,6 +398,7 @@ view
 	allow-transfer { address_match_element; ... };

 	allow-update { address_match_element; ... };

 	allow-update-forwarding { address_match_element; ... };

+	update-check-ksk boolean;

 

 	notify notifytype;

 	notify-source ( ipv4_address | * ) [ port ( integer | * ) ];

@@ -447,7 +449,7 @@ view
 

 

 

-
ZONE

+
ZONE

 


 zone string optional_class {

 	type ( master | slave | stub | hint |

@@ -481,6 +483,7 @@ zone
 		( name | subdomain | wildcard | self ) string

 		rrtypelist; ...

 	};

+	update-check-ksk boolean;

 

 	notify notifytype;

 	notify-source ( ipv4_address | * ) [ port ( integer | * ) ];

@@ -530,12 +533,12 @@ zone
 

 

 

-
FILES

+
FILES

 
/etc/named.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       rndc(8),
       BIND 9 Administrator Reference Manual.
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 0e95897b36..4636d40bb6 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -77,23 +77,23 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
@@ -1773,6 +1773,7 @@ category notify { null; };
     [ allow-recursion { address_match_list }; ]
     [ allow-update { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
+    [ update-check-ksk yes_or_no; ]
     [ allow-v6-synthesis { address_match_list }; ]
     [ blackhole { address_match_list }; ]
     [ avoid-v4-udp-ports { port_list }; ]
@@ -2740,11 +2741,20 @@ options {
                   When caching a negative response to a SOA query
                   set the TTL to zero.  Default no.
                 

+
update-check-ksk

+

+                  When regenerating the RRSIGs following a UPDATE
+                  request to a secure zone, check the KSK flag on
+                  the DNSKEY RR to determine if this key should be
+                  used to generate the RRSIG.  This flag is ignored
+                  if there are not DNSKEY RRs both with and without
+                  a KSK.  Default yes.
+                

 

 
 

 

-Forwarding

+Forwarding

 

             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2788,7 +2798,7 @@ options {
 
 

 

-Dual-stack Servers

+Dual-stack Servers

 

             Dual-stack servers are used as servers of last resort to work
             around
@@ -2953,7 +2963,7 @@ options {
 
 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3033,7 +3043,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 

 

-Query Address

+Query Address

 

             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3313,7 +3323,7 @@ query-source-v6 address * port *;
 
 

 

-Bad UDP Port Lists

+Bad UDP Port Lists

 
avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3327,7 +3337,7 @@ query-source-v6 address * port *;
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3387,7 +3397,7 @@ query-source-v6 address * port *;
 
 

 

-Server  Resource Limits

+Server  Resource Limits

 

             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3465,7 +3475,7 @@ query-source-v6 address * port *;
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -4500,7 +4510,7 @@ query-source-v6 address * port *;
 

 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4509,7 +4519,7 @@ query-source-v6 address * port *;
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -4552,7 +4562,7 @@ query-source-v6 address * port *;
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -4716,6 +4726,7 @@ zone zone_name [ allow-query { address_match_list }; ]
     [ allow-transfer { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
+    [ update-check-ksk yes_or_no; ]
     [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
     [ check-names (warn|fail|ignore) ; ]
     [ dialup dialup_option ; ]
@@ -4802,10 +4813,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 

@@ -5014,7 +5025,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5036,7 +5047,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
journal

 

@@ -5128,6 +5139,11 @@ zone zone_name [zero-no-soa-ttl in the section called “Boolean Options”.
                   

+
update-check-ksk

+

+                    See the description of
+                    update-check-ksk in the section called “Boolean Options”.
+                  

 
database

 

 

@@ -5514,7 +5530,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -5527,7 +5543,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6178,7 +6194,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6381,7 +6397,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6639,7 +6655,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6700,7 +6716,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6715,7 +6731,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -6743,7 +6759,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -6779,7 +6795,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -6798,7 +6814,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 8532121d59..23a7081d0e 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -116,7 +116,7 @@ zone "example.com" {
 
 

 

-chroot and setuid

+chroot and setuid

 

           On UNIX servers, it is possible to run BIND in a chrooted environment
           (chroot()) by specifying the "-t"
@@ -139,7 +139,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot() environment
             to
@@ -167,7 +167,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index fa5dfbbbdf..4fbdc75243 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 10ab69b026..b4795fbb69 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND

@@ -145,7 +145,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -232,7 +232,7 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -417,11 +417,11 @@
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 44a795f67c..a2168ac984 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -155,54 +155,54 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index fed8ea416b..4dc7251d6a 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -137,7 +137,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 14f1aece73..882d8e2c70 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -166,7 +166,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 889f4f9b4c..8f4e80fc04 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-n nthreads] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -238,7 +238,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -264,14 +264,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index ea7608884d..2ae1dfd684 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 2737ab24c9..6c0df90b71 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-v] [-j] [-t directory] {filename} [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -88,20 +88,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index ec17b59925..2a3c994d99 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -251,21 +251,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index ff6a1f4b14..b6ff2153d5 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -198,7 +198,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -241,7 +241,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -251,7 +251,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 5cc468e90d..fcde9d6997 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -171,7 +171,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 82db8b60fe..9af82644a3 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 10c4626a01..5a2c5a5599 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/misc/options b/doc/misc/options
index 78ff106530..e934d9d198 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -145,6 +145,7 @@ options {
         check-srv-cname ( fail | warn | ignore );
         check-sibling ;
         zero-no-soa-ttl ;
+        update-check-ksk ;
 };
 
 controls {
@@ -247,6 +248,7 @@ view   {
                 check-srv-cname ( fail | warn | ignore );
                 check-sibling ;
                 zero-no-soa-ttl ;
+                update-check-ksk ;
         };
         dlz  {
                 database ;
@@ -370,6 +372,7 @@ view   {
         check-srv-cname ( fail | warn | ignore );
         check-sibling ;
         zero-no-soa-ttl ;
+        update-check-ksk ;
         database ;
 };
 
@@ -446,6 +449,7 @@ zone   {
         check-srv-cname ( fail | warn | ignore );
         check-sibling ;
         zero-no-soa-ttl ;
+        update-check-ksk ;
 };
 
 dlz  {

From 275c45d0148a8b97c193945b9b1f09cc79881022 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 6 Mar 2006 02:26:19 +0000
Subject: [PATCH 095/465] 2002    [bug]           libbind: tighten the
 constraints on when                         struct addrinfo._ai_pad exists. 
 [RT #15783]

---
 CHANGES                    | 3 +++
 lib/bind/include/netdb.h   | 4 ++--
 lib/bind/irs/getaddrinfo.c | 6 +++---
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 5a82d59e52..1353afa76b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2002	[bug]		libbind: tighten the constraints on when
+			struct addrinfo._ai_pad exists.  [RT #15783]
+
 1997.	[bug]		Named was failing to replace negative cache entries
 			when a positive one for the type was learnt.
 			[RT #15818]
diff --git a/lib/bind/include/netdb.h b/lib/bind/include/netdb.h
index a521d32b99..ad8156a70a 100644
--- a/lib/bind/include/netdb.h
+++ b/lib/bind/include/netdb.h
@@ -86,7 +86,7 @@
 
 /*
  *      @(#)netdb.h	8.1 (Berkeley) 6/2/93
- *	$Id: netdb.h,v 1.12.2.6 2004/11/30 01:15:58 marka Exp $
+ *	$Id: netdb.h,v 1.12.2.7 2006/03/06 02:26:19 marka Exp $
  */
 
 #ifndef _NETDB_H_
@@ -175,7 +175,7 @@ struct	addrinfo {
 	int		ai_socktype;	/* SOCK_xxx */
 	int		ai_protocol;	/* 0 or IPPROTO_xxx for IPv4 and IPv6 */
 #if defined(sun) && defined(_SOCKLEN_T)
-#ifdef __sparc9
+#ifdef __sparcv9
 	int		_ai_pad;
 #endif
 	socklen_t	ai_addrlen;
diff --git a/lib/bind/irs/getaddrinfo.c b/lib/bind/irs/getaddrinfo.c
index 4f741a8e7d..d80f298bf2 100644
--- a/lib/bind/irs/getaddrinfo.c
+++ b/lib/bind/irs/getaddrinfo.c
@@ -332,7 +332,7 @@ getaddrinfo(hostname, servname, hints, res)
 	pai->ai_family = PF_UNSPEC;
 	pai->ai_socktype = ANY;
 	pai->ai_protocol = ANY;
-#ifdef __sparcv9
+#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
 	/*
 	 * clear _ai_pad to preserve binary
 	 * compatibility with previously compiled 64-bit
@@ -340,7 +340,7 @@ getaddrinfo(hostname, servname, hints, res)
 	 * guaranteeing the upper 32-bits are empty.
 	 */
 	pai->_ai_pad = 0;
-#endif /* __sparcv9 */
+#endif
 	pai->ai_addrlen = 0;
 	pai->ai_canonname = NULL;
 	pai->ai_addr = NULL;
@@ -365,7 +365,7 @@ getaddrinfo(hostname, servname, hints, res)
 		}
 		memcpy(pai, hints, sizeof(*pai));
 
-#ifdef __sparcv9
+#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
 		/*
 		 * We need to clear _ai_pad to preserve binary
 		 * compatibility.  See prior comment.

From 13e074871034cd4eb60ff7ed846eaecc3bd7a91e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 6 Mar 2006 23:30:04 +0000
Subject: [PATCH 096/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 4a8627b7d1..6ab2b131c6 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1201,7 +1201,7 @@
 ./lib/bind/include/isc/memcluster.h		X	2001
 ./lib/bind/include/isc/misc.h			X	2001
 ./lib/bind/include/isc/tree.h			X	2001
-./lib/bind/include/netdb.h			X	2001
+./lib/bind/include/netdb.h			X	2001,2006
 ./lib/bind/include/netgroup.h			X	2001
 ./lib/bind/include/res_update.h			X	2001
 ./lib/bind/include/resolv.h			X	2001,2005
@@ -1243,7 +1243,7 @@
 ./lib/bind/irs/gen_pr.c				X	2001
 ./lib/bind/irs/gen_pw.c				X	2001
 ./lib/bind/irs/gen_sv.c				X	2001
-./lib/bind/irs/getaddrinfo.c			X	2001,2005
+./lib/bind/irs/getaddrinfo.c			X	2001,2005,2006
 ./lib/bind/irs/getgrent.c			X	2001
 ./lib/bind/irs/getgrent_r.c			X	2001
 ./lib/bind/irs/gethostent.c			X	2001,2006

From 7f2adb8556a4b86134b7af2d00955c56130d78ae Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 6 Mar 2006 23:30:28 +0000
Subject: [PATCH 097/465] newcopyrights

---
 util/copyrights | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index e0a59d949a..26e6a8f9d9 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1324,7 +1324,7 @@
 ./lib/bind/include/isc/memcluster.h		X	2001,2005
 ./lib/bind/include/isc/misc.h			X	2001,2005
 ./lib/bind/include/isc/tree.h			X	2001,2005
-./lib/bind/include/netdb.h			X	2001,2005
+./lib/bind/include/netdb.h			X	2001,2005,2006
 ./lib/bind/include/netgroup.h			X	2001,2005
 ./lib/bind/include/res_update.h			X	2001,2005
 ./lib/bind/include/resolv.h			X	2001,2005
@@ -1366,7 +1366,7 @@
 ./lib/bind/irs/gen_pr.c				X	2001,2005
 ./lib/bind/irs/gen_pw.c				X	2001,2005
 ./lib/bind/irs/gen_sv.c				X	2001,2005
-./lib/bind/irs/getaddrinfo.c			X	2001,2005
+./lib/bind/irs/getaddrinfo.c			X	2001,2005,2006
 ./lib/bind/irs/getgrent.c			X	2001,2005
 ./lib/bind/irs/getgrent_r.c			X	2001,2005
 ./lib/bind/irs/gethostent.c			X	2001,2005,2006
@@ -1724,7 +1724,7 @@
 ./lib/dns/diff.c				C	2000,2001,2002,2003,2004,2005
 ./lib/dns/dispatch.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/dlz.c					C.PORTION	1999,2000,2001,2005
-./lib/dns/dnssec.c				C	1999,2000,2001,2002,2003,2004,2005
+./lib/dns/dnssec.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/ds.c					C	2002,2003,2004,2005,2006
 ./lib/dns/dst_api.c				C.NAI	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/dst_internal.h			C.NAI	2000,2001,2002,2004,2005,2006

From 8dd468a6f3b3758426766d05b7be84d839b6c4d9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 7 Mar 2006 00:25:48 +0000
Subject: [PATCH 098/465] new draft

---
 doc/draft/draft-ietf-dnsop-serverid-04.txt | 616 --------------------
 doc/draft/draft-ietf-dnsop-serverid-06.txt | 618 +++++++++++++++++++++
 2 files changed, 618 insertions(+), 616 deletions(-)
 delete mode 100644 doc/draft/draft-ietf-dnsop-serverid-04.txt
 create mode 100644 doc/draft/draft-ietf-dnsop-serverid-06.txt

diff --git a/doc/draft/draft-ietf-dnsop-serverid-04.txt b/doc/draft/draft-ietf-dnsop-serverid-04.txt
deleted file mode 100644
index 242aa9ea62..0000000000
--- a/doc/draft/draft-ietf-dnsop-serverid-04.txt
+++ /dev/null
@@ -1,616 +0,0 @@
-
-
-Network Working Group                                           S. Woolf
-Internet-Draft                         Internet Systems Consortium, Inc.
-Expires: September 14, 2005                                    D. Conrad
-                                                           Nominum, Inc.
-                                                          March 13, 2005
-
-
-                Identifying an Authoritative Name Server
-                      draft-ietf-dnsop-serverid-04
-
-Status of this Memo
-
-   This document is an Internet-Draft and is subject to all provisions
-   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
-   author represents that any applicable patent or other IPR claims of
-   which he or she is aware have been or will be disclosed, and any of
-   which he or she become aware will be disclosed, in accordance with
-   RFC 3668.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as
-   Internet-Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on September 14, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   With the increased use of DNS anycast, load balancing, and other
-   mechanisms allowing more than one DNS name server to share a single
-   IP address, it is sometimes difficult to tell which of a pool of name
-   servers has answered a particular query.  A standardized mechanism to
-   determine the identity of a name server responding to a particular
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 1]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-   query would be useful, particularly as a diagnostic aid.  Existing ad
-   hoc mechanisms for addressing this concern are not adequate.  This
-   document attempts to describe the common ad hoc solution to this
-   problem, including its advantages and disadvantages, and to
-   characterize an improved mechanism.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 2]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-1.  Introduction
-
-   With the increased use of DNS anycast, load balancing, and other
-   mechanisms allowing more than one DNS name server to share a single
-   IP address, it is sometimes difficult to tell which of a pool of name
-   servers has answered a particular query.  A standardized mechanism to
-   determine the identity of a name server responding to a particular
-   query would be useful, particularly as a diagnostic aid.
-
-   Unfortunately, existing ad-hoc mechanisms for providing such
-   identification have some shortcomings, not the least of which is the
-   lack of prior analysis of exactly how such a mechanism should be
-   designed and deployed.  This document describes the existing
-   convention used in one widely deployed implementation of the DNS
-   protocol and discusses requirements for an improved solution to the
-   problem.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 3]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-2.  Rationale
-
-   Identifying which name server is responding to queries is often
-   useful, particularly in attempting to diagnose name server
-   difficulties.  However, relying on the IP address of the name server
-   has become more problematic due the deployment of various load
-   balancing solutions, including the use of shared unicast addresses as
-   documented in [RFC3258].
-
-   An unfortunate side effect of these load balancing solutions, and
-   some changes in management practices as the public Internet has
-   evolved, is that traditional methods of determining which server is
-   responding can be unreliable.  Specifically, non-DNS methods such as
-   ICMP ping, TCP connections, or non-DNS UDP packets (such as those
-   generated by tools such as "traceroute"), etc., can end up going to a
-   different server than that which receives the DNS queries.
-
-   There is a well-known and frequently-used technique for determining
-   an identity for a nameserver more specific than the
-   possibly-non-unique "server that answered my query".  The widespread
-   use of the existing convention suggests a need for a documented,
-   interoperable means of querying the identity of a nameserver that may
-   be part of an anycast or load-balancing cluster.  At the same time,
-   however, it also has some drawbacks that argue against standardizing
-   it as it's been practiced so far.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 4]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-3.  Existing Conventions
-
-   Recent versions of the commonly deployed Berkeley Internet Name
-   Domain implementation of the DNS protocol suite from the Internet
-   Software Consortium [BIND] support a way of identifying a particular
-   server via the use of a standard, if somewhat unusual, DNS query.
-   Specifically, a query to a late model BIND server for a TXT resource
-   record in class 3 (CHAOS) for the domain name "HOSTNAME.BIND." will
-   return a string that can be configured by the name server
-   administrator to provide a unique identifier for the responding
-   server (defaulting to the value of a gethostname() call).  This
-   mechanism, which is an extension of the BIND convention of using
-   CHAOS class TXT RR queries to sub-domains of the "BIND." domain for
-   version information, has been copied by several name server vendors.
-
-   For reference, the other well-known name used by recent versions of
-   BIND within the CHAOS class "BIND." domain is "VERSION.BIND."  A
-   query for a TXT RR for this name will return an administratively
-   defined string which defaults to the version of the server
-   responding.  This is, however, not generally implemented by other
-   vendors.
-
-3.1  Advantages
-
-   There are several valuable attributes to this mechanism, which
-   account for its usefulness.
-   1.  The "hostname.bind" query response mechanism is within the DNS
-       protocol itself.  An identification mechanism that relies on the
-       DNS protocol is more likely to be successful (although not
-       guaranteed) in going to the same machine as a "normal" DNS query.
-   2.  Since the identity information is requested and returned within
-       the DNS protocol, it doesn't require allowing any other query
-       mechanism to the server, such as holes in firewalls for
-       otherwise-unallowed ICMP Echo requests.  Thus it does not require
-       any special exceptions to site security policy.
-   3.  It is simple to configure.  An administrator can easily turn on
-       this feature and control the results of the relevant query.
-   4.  It allows the administrator complete control of what information
-       is given out in the response, minimizing passive leakage of
-       implementation or configuration details.  Such details are often
-       considered sensitive by infrastructure operators.
-
-3.2  Disadvantages
-
-   At the same time, there are some forbidding drawbacks to the
-   VERSION.BIND mechanism that argue against standardizing it as it
-   currently operates.
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 5]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-   1.  It requires an additional query to correlate between the answer
-       to a DNS query under normal conditions and the supposed identity
-       of the server receiving the query.  There are a number of
-       situations in which this simply isn't reliable.
-   2.  It reserves an entire class in the DNS (CHAOS) for what amounts
-       to one zone.  While CHAOS class is defined in [RFC1034] and
-       [RFC1035], it's not clear that supporting it solely for this
-       purpose is a good use of the namespace or of implementation
-       effort.
-   3.  It is implementation specific.  BIND is one DNS implementation.
-       At the time of this writing, it is probably the most prevalent
-       for authoritative servers.  This does not justify standardizing
-       on its ad hoc solution to a problem shared across many operators
-       and implementors.
-
-   The first of the listed disadvantages is technically the most
-   serious.  It argues for an attempt to design a good answer to the
-   problem that "I need to know what nameserver is answering my
-   queries", not simply a convenient one.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 6]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-4.  Characteristics of an Implementation Neutral Convention
-
-   The discussion above of advantages and disadvantages to the
-   HOSTNAME.BIND mechanism suggest some requirements for a better
-   solution to the server identification problem.  These are summarized
-   here as guidelines for any effort to provide appropriate protocol
-   extensions:
-   1.  The mechanism adopted MUST be in-band for the DNS protocol.  That
-       is, it needs to allow the query for the server's identifying
-       information to be part of a normal, operational query.  It SHOULD
-       also permit a separate, dedicated query for the server's
-       identifying information.
-   2.  The new mechanism SHOULD not require dedicated namespaces or
-       other reserved values outside of the existing protocol mechanisms
-       for these, i.e.  the OPT pseudo-RR.  In particular, it should not
-       propagate the existing drawback of requiring support for a CLASS
-       and top level domain in the authoritative server (or the querying
-       tool) to be useful.
-   3.  Support for the identification functionality SHOULD be easy to
-       implement and easy to enable.  It MUST be easy to disable and
-       SHOULD lend itself to access controls on who can query for it.
-   4.  It should be possible to return a unique identifier for a server
-       without requiring the exposure of information that may be
-       non-public and considered sensitive by the operator, such as a
-       hostname or unicast IP address maintained for administrative
-       purposes.
-   5.  The identification mechanism SHOULD NOT be
-       implementation-specific.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 7]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-5.  IANA Considerations
-
-   This document proposes no specific IANA action.  Protocol extensions,
-   if any, to meet the requirements described are out of scope for this
-   document.  Should such extensions be specified and adopted by normal
-   IETF process, the specification will include appropriate guidance to
-   IANA.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 8]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-6.  Security Considerations
-
-   Providing identifying information as to which server is responding to
-   a particular query from a particular location in the Internet can be
-   seen as information leakage and thus a security risk.  This motivates
-   the suggestion above that a new mechanism for server identification
-   allow the administrator to disable the functionality altogether or
-   partially restrict availability of the data.  It also suggests that
-   the serverid data should not be readily correlated with a hostname or
-   unicast IP address that may be considered private to the nameserver
-   operator's management infrastructure.
-
-   Propagation of protocol or service meta-data can sometimes expose the
-   application to denial of service or other attack.  As DNS is a
-   critically important infrastructure service for the production
-   Internet, extra care needs to be taken against this risk for
-   designers, implementors, and operators of a new mechanism for server
-   identification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 9]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-7.  Acknowledgements
-
-   The technique for host identification documented here was initially
-   implemented by Paul Vixie of the Internet Software Consortium in the
-   Berkeley Internet Name Daemon package.  Comments and questions on
-   earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
-   Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
-   ICANN Root Server System Advisory Committee.  The newest version
-   takes a significantly different direction from previous versions,
-   owing to discussion among contributors to the DNSOP working group and
-   others, particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam
-   Weiler, and Rob Austein.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005              [Page 10]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005              [Page 11]
-
-
diff --git a/doc/draft/draft-ietf-dnsop-serverid-06.txt b/doc/draft/draft-ietf-dnsop-serverid-06.txt
new file mode 100644
index 0000000000..c6ec7e42a5
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-serverid-06.txt
@@ -0,0 +1,618 @@
+
+
+
+
+Network Working Group                                           S. Woolf
+Internet-Draft                         Internet Systems Consortium, Inc.
+Expires: September 6, 2006                                     D. Conrad
+                                                           Nominum, Inc.
+                                                           March 5, 2006
+
+
+    Requirements for a Mechanism Identifying a Name Server Instance
+                      draft-ietf-dnsop-serverid-06
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on September 6, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   With the increased use of DNS anycast, load balancing, and other
+   mechanisms allowing more than one DNS name server to share a single
+   IP address, it is sometimes difficult to tell which of a pool of name
+   servers has answered a particular query.  A standardized mechanism to
+   determine the identity of a name server responding to a particular
+   query would be useful, particularly as a diagnostic aid for
+   administrators.  Existing ad hoc mechanisms for addressing this need
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 1]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+   have some shortcomings, not the least of which is the lack of prior
+   analysis of exactly how such a mechanism should be designed and
+   deployed.  This document describes the existing convention used in
+   some widely deployed implementations of the DNS protocol, including
+   advantages and disadvantages, and discusses some attributes of an
+   improved mechanism.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 2]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+1.  Introduction and Rationale
+
+   Identifying which name server is responding to queries is often
+   useful, particularly in attempting to diagnose name server
+   difficulties.  This is most obviously useful for authoritative
+   nameservers in the attempt to diagnose the source or prevalence of
+   inaccurate data, but can also conceivably be useful for caching
+   resolvers in similar and other situations.  Furthermore, the ability
+   to identify which server is responding to a query has become more
+   useful as DNS has become more critical to more Internet users, and as
+   network and server deployment topologies have become more complex.
+
+   The traditional means for determining which of several possible
+   servers is answering a query has traditionally been based on the use
+   of the server's IP address as a unique identifier.  However, the
+   modern Internet has seen the deployment of various load balancing,
+   fault-tolerance, or attack-resistance schemes such as shared use of
+   unicast IP addresses as documented in [RFC3258].  An unfortunate side
+   effect of these schemes has been to make the use of IP addresses as
+   identifiers somewhat problematic.  Specifically, a dedicated DNS
+   query may not go to the same server as answered a previous query,
+   even though sent to the same IP address.  Non-DNS methods such as
+   ICMP ping, TCP connections, or non-DNS UDP packets (such as those
+   generated by tools like "traceroute"), etc., may well be even less
+   certain to reach the same server as the one which receives the DNS
+   queries.
+
+   There is a well-known and frequently-used technique for determining
+   an identity for a nameserver more specific than the possibly-non-
+   unique "server that answered the query I sent to IP address XXX".
+   The widespread use of the existing convention suggests a need for a
+   documented, interoperable means of querying the identity of a
+   nameserver that may be part of an anycast or load-balancing cluster.
+   At the same time, however, it also has some drawbacks that argue
+   against standardizing it as it's been practiced so far.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 3]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+2.  Existing Conventions
+
+   For some time, the commonly deployed Berkeley Internet Name Domain
+   implementation of the DNS protocol suite from the Internet Systems
+   Consortium [BIND] has supported a way of identifying a particular
+   server via the use of a standards-compliant, if somewhat unusual, DNS
+   query.  Specifically, a query to a recent BIND server for a TXT
+   resource record in class 3 (CHAOS) for the domain name
+   "HOSTNAME.BIND." will return a string that can be configured by the
+   name server administrator to provide a unique identifier for the
+   responding server.  (The value defaults to the result of a
+   gethostname() call).  This mechanism, which is an extension of the
+   BIND convention of using CHAOS class TXT RR queries to sub-domains of
+   the "BIND." domain for version information, has been copied by
+   several name server vendors.
+
+   A refinement to the BIND-based mechanism, which dropped the
+   implementation-specific string, replaces ".BIND" with ".SERVER".
+   Thus the query string to learn the unique name of a server may be
+   queried as "ID.SERVER".
+
+   (For reference, the other well-known name used by recent versions of
+   BIND within the CHAOS class "BIND." domain is "VERSION.BIND."  A
+   query for a CHAOS TXT RR for this name will return an
+   administratively defined string which defaults to the version of the
+   server responding.  This is, however, not generally implemented by
+   other vendors.)
+
+2.1.  Advantages
+
+   There are several valuable attributes to this mechanism, which
+   account for its usefulness.
+
+   1.  The "HOSTNAME.BIND" or "ID.SERVER" query response mechanism is
+       within the DNS protocol itself.  An identification mechanism that
+       relies on the DNS protocol is more likely to be successful
+       (although not guaranteed) in going to the same system as a
+       "normal" DNS query.
+
+   2.  Since the identity information is requested and returned within
+       the DNS protocol, it doesn't require allowing any other query
+       mechanism to the server, such as holes in firewalls for
+       otherwise-unallowed ICMP Echo requests.  Thus it is likely to
+       reach the same server over a path subject to the same routing,
+       resource, and security policy as the query, without any special
+       exceptions to site security policy.
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 4]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+   3.  It is simple to configure.  An administrator can easily turn on
+       this feature and control the results of the relevant query.
+
+   4.  It allows the administrator complete control of what information
+       is given out in the response, minimizing passive leakage of
+       implementation or configuration details.  Such details are often
+       considered sensitive by infrastructure operators.
+
+   5.  Hypothetically, since it's an ordinary DNS record and the
+       relevant DNSSEC RRs are class independent, the id.server response
+       RR could be signed, which has the advantages described in
+       [RFC4033].
+
+2.2.  Disadvantages
+
+   At the same time, there are some serious drawbacks to the CHAOS/TXT
+   query mechanism that argue against standardizing it as it currently
+   operates.
+
+   1.  It requires an additional query to correlate between the answer
+       to a DNS query under normal conditions and the supposed identity
+       of the server receiving the query.  There are a number of
+       situations in which this simply isn't reliable.
+
+   2.  It reserves an entire class in the DNS (CHAOS) for what amounts
+       to one zone.  While CHAOS class is defined in [RFC1034] and
+       [RFC1035], it's not clear that supporting it solely for this
+       purpose is a good use of the namespace or of implementation
+       effort.
+
+   3.  The initial and still common form, using .BIND, is implementation
+       specific.  BIND is one DNS implementation.  At the time of this
+       writing, it is probably the most prevalent for authoritative
+       servers.  This does not justify standardizing on its ad hoc
+       solution to a problem shared across many operators and
+       implementors.  Meanwhile, the proposed refinement changes the
+       string but preserves the ad hoc CHAOS/TXT mechanism.
+
+   4.  There is no convention or shared understanding of what
+       information an answer to such a query for a server identity could
+       or should include, including a possible encoding or
+       authentication mechanism.
+
+   The first of the listed disadvantages may be technically the most
+   serious.  It argues for an attempt to design a good answer to the
+   problem that "I need to know what nameserver is answering my
+   queries", not simply a convenient one.
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 5]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+2.3.  Characteristics of an Implementation Neutral Convention
+
+   The discussion above of advantages and disadvantages to the
+   HOSTNAME.BIND mechanism suggest some requirements for a better
+   solution to the server identification problem.  These are summarized
+   here as guidelines for any effort to provide appropriate protocol
+   extensions:
+
+   1.  The mechanism adopted must be in-band for the DNS protocol.  That
+       is, it needs to allow the query for the server's identifying
+       information to be part of a normal, operational query.  It should
+       also permit a separate, dedicated query for the server's
+       identifying information.  But it should preserve the ability of
+       the CHAOS/TXT query-based mechanism to work through firewalls and
+       in other situations where only DNS can be relied upon to reach
+       the server of interest.
+
+   2.  The new mechanism should not require dedicated namespaces or
+       other reserved values outside of the existing protocol mechanisms
+       for these, i.e. the OPT pseudo-RR.  In particular, it should not
+       propagate the existing drawback of requiring support for a CLASS
+       and top level domain in the authoritative server (or the querying
+       tool) to be useful.
+
+   3.  Support for the identification functionality should be easy to
+       implement and easy to enable.  It must be easy to disable and
+       should lend itself to access controls on who can query for it.
+
+   4.  It should be possible to return a unique identifier for a server
+       without requiring the exposure of information that may be non-
+       public and considered sensitive by the operator, such as a
+       hostname or unicast IP address maintained for administrative
+       purposes.
+
+   5.  It should be possible to authenticate the received data by some
+       mechanism analogous to those provided by DNSSEC.  In this
+       context, the need could be met by including encryption options in
+       the specification of a new mechanism.
+
+   6.  The identification mechanism should not be implementation-
+       specific.
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 6]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+3.  IANA Considerations
+
+   This document proposes no specific IANA action.  Protocol extensions,
+   if any, to meet the requirements described are out of scope for this
+   document.  A proposed extension, specified and adopted by normal IETF
+   process, is described in [NSID], including relevant IANA action.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 7]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+4.  Security Considerations
+
+   Providing identifying information as to which server is responding to
+   a particular query from a particular location in the Internet can be
+   seen as information leakage and thus a security risk.  This motivates
+   the suggestion above that a new mechanism for server identification
+   allow the administrator to disable the functionality altogether or
+   partially restrict availability of the data.  It also suggests that
+   the serverid data should not be readily correlated with a hostname or
+   unicast IP address that may be considered private to the nameserver
+   operator's management infrastructure.
+
+   Propagation of protocol or service meta-data can sometimes expose the
+   application to denial of service or other attack.  As DNS is a
+   critically important infrastructure service for the production
+   Internet, extra care needs to be taken against this risk for
+   designers, implementors, and operators of a new mechanism for server
+   identification.
+
+   Both authentication and confidentiality of serverid data are
+   potentially of interest to administrators-- that is, operators may
+   wish to make serverid data available and reliable to themselves and
+   their chosen associates only.  This would imply both an ability to
+   authenticate it to themselves and keep it private from arbitrary
+   other parties.  This led to Characteristics 4 and 5 of an improved
+   solution.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 8]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+5.  Acknowledgements
+
+   The technique for host identification documented here was initially
+   implemented by Paul Vixie of the Internet Software Consortium in the
+   Berkeley Internet Name Daemon package.  Comments and questions on
+   earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
+   Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
+   ICANN Root Server System Advisory Committee.  The newest version
+   takes a significantly different direction from previous versions,
+   owing to discussion among contributors to the DNSOP working group and
+   others, particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam
+   Weiler, and Rob Austein.
+
+6.  References
+
+   [1]  Mockapetris, P., "Domain Names - Concepts and Facilities",
+        RFC 1034, STD 0013, November 1987.
+
+   [2]  Mockapetris, P., "Domain Names - Implementation and
+        Specification", RFC 1035, STD 0013, November 1987.
+
+   [3]  Hardie, T., "Distributing Authoritative Name Servers via Shared
+        Unicast Addresses", RFC 3258, April 2002.
+
+   [4]  ISC, "BIND 9 Configuration Reference".
+
+   [5]  Austein, S., "DNS Name Server Identifier Option (NSID)",
+        Internet Drafts http://www.ietf.org/internet-drafts/
+        draft-ietf-dnsext-nsid-01.txt, January 2006.
+
+   [6]  Arends, R., Austein, S., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+        March 2005.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006               [Page 9]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+Authors' Addresses
+
+   Suzanne Woolf
+   Internet Systems Consortium, Inc.
+   950 Charter Street
+   Redwood City, CA  94063
+   US
+
+   Phone: +1 650 423-1333
+   Email: woolf@isc.org
+   URI:   http://www.isc.org/
+
+
+   David Conrad
+   Nominum, Inc.
+   2385 Bay Road
+   Redwood City, CA  94063
+   US
+
+   Phone: +1 1 650 381 6003
+   Email: david.conrad@nominum.com
+   URI:   http://www.nominum.com/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006              [Page 10]
+
+Internet-Draft                  Serverid                      March 2006
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+   Copyright (C) The Internet Society (2006).  This document is subject
+   to the rights, licenses and restrictions contained in BCP 78, and
+   except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+Woolf & Conrad          Expires September 6, 2006              [Page 11]
+
+

From e1fd585739b1457c0fa176f5d80d3088b1bc27c3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 7 Mar 2006 00:34:55 +0000
Subject: [PATCH 099/465] update copyright notice

---
 lib/dns/dnssec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 83a621831d..729b196f22 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.86 2006/03/06 01:27:52 marka Exp $
+ * $Id: dnssec.c,v 1.87 2006/03/07 00:34:55 marka Exp $
  */
 
 /*! \file */

From 366c60aa36ab9aed1af0a9a68663059db7507b1f Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 7 Mar 2006 04:58:51 +0000
Subject: [PATCH 100/465] tidy up

---
 lib/dns/rbtdb.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index a6416fe656..cea5516a8f 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.230 2006/03/03 04:46:14 marka Exp $ */
+/* $Id: rbtdb.c,v 1.231 2006/03/07 04:58:51 marka Exp $ */
 
 /*! \file */
 
@@ -5661,13 +5661,15 @@ rdataset_next(dns_rdataset_t *rdataset) {
 	count--;
 	rdataset->privateuint4 = count;
 
+	/*
+	 * Skip forward one record (length + 4) or one offset (4).
+	 */
+	raw = rdataset->private5;
 	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0) {
-		raw = rdataset->private5;
 		length = raw[0] * 256 + raw[1];
-		raw += length + 4;
-		rdataset->private5 = raw;
-	} else
-		rdataset->private5 = (unsigned char *)rdataset->private5 + 4;
+		raw += length;
+	}
+	rdataset->private5 = raw + 4;
 
 	return (ISC_R_SUCCESS);
 }
@@ -5680,10 +5682,15 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 
 	REQUIRE(raw != NULL);
 
+	/*
+	 * Find the start of the record if not already in private5
+	 * then skip the length and order fields.
+	 */
 	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) {
 		offset = (raw[0] << 24) + (raw[1] << 16) +
 			 (raw[2] << 8) + raw[3];
-		raw = (unsigned char *)rdataset->private3 + offset;
+		raw = rdataset->private3;
+		raw += offset;
 	}
 	r.length = raw[0] * 256 + raw[1];
 	raw += 4;

From 6de9371826bd253eb29aa3965ef03670d9d0a06d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 8 Mar 2006 03:12:24 +0000
Subject: [PATCH 101/465] 2003.   [bug]           libbind: The DNS name/address
 lookup functions could                         occasionally follow a random
 pointer due to                         structures not being completely
 zeroed. [RT #15806]

---
 CHANGES               |  6 +++++-
 lib/bind/irs/dns_ho.c | 12 ++++++------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2a59d0613c..acf2a42829 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
-2002	[bug]		libbind: tighten the constraints on when
+2003.	[bug]		libbind: The DNS name/address lookup functions could
+			occasionally follow a random pointer due to
+			structures not being completely zeroed. [RT #15806]
+
+2002.	[bug]		libbind: tighten the constraints on when
 			struct addrinfo._ai_pad exists.  [RT #15783]
 
 2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
diff --git a/lib/bind/irs/dns_ho.c b/lib/bind/irs/dns_ho.c
index 96769d47a5..617b697040 100644
--- a/lib/bind/irs/dns_ho.c
+++ b/lib/bind/irs/dns_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.18 2005/10/11 00:10:14 marka Exp $";
+static const char rcsid[] = "$Id: dns_ho.c,v 1.19 2006/03/08 03:12:24 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -258,7 +258,7 @@ ho_byname2(struct irs_ho *this, const char *name, int af)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(q));
+	memset(q, 0, sizeof(*q));
 
 	switch (af) {
 	case AF_INET:
@@ -349,8 +349,8 @@ ho_byaddr(struct irs_ho *this, const void *addr, int len, int af)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(q));
-	memset(q2, 0, sizeof(q2));
+	memset(q, 0, sizeof(*q));
+	memset(q2, 0, sizeof(*q2));
 
 	if (af == AF_INET6 && len == IN6ADDRSZ &&
 	    (!memcmp(uaddr, mapped, sizeof mapped) ||
@@ -574,8 +574,8 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(q2));
-	memset(q2, 0, sizeof(q2));
+	memset(q, 0, sizeof(*q2));
+	memset(q2, 0, sizeof(*q2));
 
 	switch (pai->ai_family) {
 	case AF_UNSPEC:

From ba0a6299a6161234371d2d722fb63d9d9f233200 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 8 Mar 2006 03:43:29 +0000
Subject: [PATCH 102/465] 2003.   [bug]           libbind: The DNS name/address
 lookup functions could                         occasionally follow a random
 pointer due to                         structures not being completely
 zeroed. [RT #15806]

---
 CHANGES               |  6 +++++-
 lib/bind/irs/dns_ho.c | 12 ++++++------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1353afa76b..7de9e719f7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
-2002	[bug]		libbind: tighten the constraints on when
+2003.	[bug]		libbind: The DNS name/address lookup functions could
+			occasionally follow a random pointer due to
+			structures not being completely zeroed. [RT #15806]
+
+2002.	[bug]		libbind: tighten the constraints on when
 			struct addrinfo._ai_pad exists.  [RT #15783]
 
 1997.	[bug]		Named was failing to replace negative cache entries
diff --git a/lib/bind/irs/dns_ho.c b/lib/bind/irs/dns_ho.c
index f2f08dbce8..6ba003d40b 100644
--- a/lib/bind/irs/dns_ho.c
+++ b/lib/bind/irs/dns_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.13 2005/10/11 00:56:04 marka Exp $";
+static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.14 2006/03/08 03:43:29 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -260,7 +260,7 @@ ho_byname2(struct irs_ho *this, const char *name, int af)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(q));
+	memset(q, 0, sizeof(*q));
 
 	switch (af) {
 	case AF_INET:
@@ -352,8 +352,8 @@ ho_byaddr(struct irs_ho *this, const void *addr, int len, int af)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(q));
-	memset(q2, 0, sizeof(q2));
+	memset(q, 0, sizeof(*q));
+	memset(q2, 0, sizeof(*q2));
 
 	if (af == AF_INET6 && len == IN6ADDRSZ &&
 	    (!memcmp(uaddr, mapped, sizeof mapped) ||
@@ -578,8 +578,8 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(q2));
-	memset(q2, 0, sizeof(q2));
+	memset(q, 0, sizeof(*q2));
+	memset(q2, 0, sizeof(*q2));
 
 	switch (pai->ai_family) {
 	case AF_UNSPEC:

From 1412643ba5bcc735c3731d8cebf71fd76eedec91 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 8 Mar 2006 03:51:01 +0000
Subject: [PATCH 103/465] 2004.   [bug]           dns_tsig_sign() could pass a
 NULL pointer to                         dst_context_destroy() when cleaning
 up after a                         error. [RT #15835]

---
 CHANGES        |  4 ++++
 lib/dns/tsig.c | 17 ++++++++---------
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index acf2a42829..2de65a62e5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
+			dst_context_destroy() when cleaning up after a
+			error. [RT #15835]
+
 2003.	[bug]		libbind: The DNS name/address lookup functions could
 			occasionally follow a random pointer due to
 			structures not being completely zeroed. [RT #15806]
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index fe91525852..ff1c798bc5 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.124 2006/01/27 23:57:46 marka Exp $
+ * $Id: tsig.c,v 1.125 2006/03/08 03:51:01 marka Exp $
  */
 /*! \file */
 #include 
@@ -765,7 +765,7 @@ dns_tsig_sign(dns_message_t *msg) {
 		goto cleanup_signature;
 	ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_signature;
+		goto cleanup_rdata;
 	ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
 				   dns_rdatatype_tsig, &tsig, dynbuf);
 	if (ret != ISC_R_SUCCESS)
@@ -781,7 +781,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	owner = NULL;
 	ret = dns_message_gettempname(msg, &owner);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_context;
+		goto cleanup_rdata;
 	dns_name_init(owner, NULL);
 	ret = dns_name_dup(&key->name, msg->mctx, owner);
 	if (ret != ISC_R_SUCCESS)
@@ -813,18 +813,17 @@ dns_tsig_sign(dns_message_t *msg) {
 	dns_message_puttemprdatalist(msg, &datalist);
  cleanup_owner:
 	dns_message_puttempname(msg, &owner);
-	goto cleanup_context;
-
+	goto cleanup_rdata;
  cleanup_dynbuf:
 	isc_buffer_free(&dynbuf);
+ cleanup_rdata:
+	dns_message_puttemprdata(msg, &rdata);
  cleanup_signature:
 	if (tsig.signature != NULL)
 		isc_mem_put(mctx, tsig.signature, sigsize);
-
  cleanup_context:
-	if (rdata != NULL)
-		dns_message_puttemprdata(msg, &rdata);
-	dst_context_destroy(&ctx);
+	if (ctx != NULL)
+		dst_context_destroy(&ctx);
 	return (ret);
 }
 

From ae9e705032a1547c9fc847e2bc7cf4d818272b05 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 8 Mar 2006 03:56:21 +0000
Subject: [PATCH 104/465] 2004.   [bug]           dns_tsig_sign() could pass a
 NULL pointer to                         dst_context_destroy() when cleaning
 up after a                         error. [RT #15835]

---
 CHANGES        |  4 ++++
 lib/dns/tsig.c | 17 ++++++++---------
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 7de9e719f7..8da76f664c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
+			dst_context_destroy() when cleaning up after a
+			error. [RT #15835]
+
 2003.	[bug]		libbind: The DNS name/address lookup functions could
 			occasionally follow a random pointer due to
 			structures not being completely zeroed. [RT #15806]
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index e51442482b..3105c0eb53 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.112.2.8 2006/01/04 23:50:17 marka Exp $
+ * $Id: tsig.c,v 1.112.2.9 2006/03/08 03:56:21 marka Exp $
  */
 
 #include 
@@ -559,7 +559,7 @@ dns_tsig_sign(dns_message_t *msg) {
 		goto cleanup_signature;
 	ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_signature;
+		goto cleanup_rdata;
 	ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
 				   dns_rdatatype_tsig, &tsig, dynbuf);
 	if (ret != ISC_R_SUCCESS)
@@ -575,7 +575,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	owner = NULL;
 	ret = dns_message_gettempname(msg, &owner);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_context;
+		goto cleanup_rdata;
 	dns_name_init(owner, NULL);
 	ret = dns_name_dup(&key->name, msg->mctx, owner);
 	if (ret != ISC_R_SUCCESS)
@@ -606,18 +606,17 @@ dns_tsig_sign(dns_message_t *msg) {
 	dns_message_puttemprdatalist(msg, &datalist);
  cleanup_owner:
 	dns_message_puttempname(msg, &owner);
-	goto cleanup_context;
-
+	goto cleanup_rdata;
  cleanup_dynbuf:
 	isc_buffer_free(&dynbuf);
+ cleanup_rdata:
+	dns_message_puttemprdata(msg, &rdata);
  cleanup_signature:
 	if (tsig.signature != NULL)
 		isc_mem_put(mctx, tsig.signature, sigsize);
-
  cleanup_context:
-	if (rdata != NULL)
-		dns_message_puttemprdata(msg, &rdata);
-	dst_context_destroy(&ctx);
+	if (ctx != NULL)
+		dst_context_destroy(&ctx);
 	return (ret);
 }
 

From 5929cde251d6d971fda14ac9ea927035421f6480 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 8 Mar 2006 04:06:12 +0000
Subject: [PATCH 105/465] 2005.   [bug]           libbind: Retransmission
 timeouts should be                         based on which attempt it is to
 the nameserver                         and not the nameserver itself. [RT
 #13548]

---
 CHANGES                    |  4 ++++
 lib/bind/resolv/res_send.c | 14 +++++++-------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2de65a62e5..0705700295 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2005.	[bug]		libbind: Retransmission timeouts should be
+			based on which attempt it is to the nameserver
+			and not the nameserver itself. [RT #13548]
+
 2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
 			dst_context_destroy() when cleaning up after a
 			error. [RT #15835]
diff --git a/lib/bind/resolv/res_send.c b/lib/bind/resolv/res_send.c
index 493fba9b8c..b1219a3d8b 100644
--- a/lib/bind/resolv/res_send.c
+++ b/lib/bind/resolv/res_send.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_send.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_send.c,v 1.15 2005/08/15 02:00:01 marka Exp $";
+static const char rcsid[] = "$Id: res_send.c,v 1.16 2006/03/08 04:06:12 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*! \file
@@ -131,7 +131,7 @@ static struct sockaddr * get_nsaddr __P((res_state, size_t));
 static int		send_vc(res_state, const u_char *, int,
 				u_char *, int, int *, int);
 static int		send_dg(res_state, const u_char *, int,
-				u_char *, int, int *, int,
+				u_char *, int, int *, int, int,
 				int *, int *);
 static void		Aerror(const res_state, FILE *, const char *, int,
 			       const struct sockaddr *, int);
@@ -463,7 +463,7 @@ res_nsend(res_state statp,
 		} else {
 			/* Use datagrams. */
 			n = send_dg(statp, buf, buflen, ans, anssiz, &terrno,
-				    ns, &v_circuit, &gotsomewhere);
+				    ns, try, &v_circuit, &gotsomewhere);
 			if (n < 0)
 				goto fail;
 			if (n == 0)
@@ -771,9 +771,9 @@ send_vc(res_state statp,
 }
 
 static int
-send_dg(res_state statp,
-	const u_char *buf, int buflen, u_char *ans, int anssiz,
-	int *terrno, int ns, int *v_circuit, int *gotsomewhere)
+send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans,
+	int anssiz, int *terrno, int ns, int try, int *v_circuit,
+	int *gotsomewhere)
 {
 	const HEADER *hp = (const HEADER *) buf;
 	HEADER *anhp = (HEADER *) ans;
@@ -854,7 +854,7 @@ send_dg(res_state statp,
 	/*
 	 * Wait for reply.
 	 */
-	seconds = (statp->retrans << ns);
+	seconds = (statp->retrans << try);
 	if (ns > 0)
 		seconds /= statp->nscount;
 	if (seconds <= 0)

From f678d94a8a508a45ef7d2ae02a30fd464e084320 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 8 Mar 2006 04:14:10 +0000
Subject: [PATCH 106/465] 2005.   [bug]           libbind: Retransmission
 timeouts should be                         based on which attempt it is to
 the nameserver                         and not the nameserver itself. [RT
 #13548]

---
 CHANGES                    |  4 ++++
 lib/bind/resolv/res_send.c | 14 +++++++-------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8da76f664c..bfd8023539 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2005.	[bug]		libbind: Retransmission timeouts should be
+			based on which attempt it is to the nameserver
+			and not the nameserver itself. [RT #13548]
+
 2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
 			dst_context_destroy() when cleaning up after a
 			error. [RT #15835]
diff --git a/lib/bind/resolv/res_send.c b/lib/bind/resolv/res_send.c
index 413eff0d62..8e5420d722 100644
--- a/lib/bind/resolv/res_send.c
+++ b/lib/bind/resolv/res_send.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_send.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_send.c,v 1.5.2.9 2005/08/15 02:05:45 marka Exp $";
+static const char rcsid[] = "$Id: res_send.c,v 1.5.2.10 2006/03/08 04:14:10 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -130,7 +130,7 @@ static struct sockaddr * get_nsaddr __P((res_state, size_t));
 static int		send_vc(res_state, const u_char *, int,
 				u_char *, int, int *, int);
 static int		send_dg(res_state, const u_char *, int,
-				u_char *, int, int *, int,
+				u_char *, int, int *, int, int,
 				int *, int *);
 static void		Aerror(const res_state, FILE *, const char *, int,
 			       const struct sockaddr *, int);
@@ -458,7 +458,7 @@ res_nsend(res_state statp,
 		} else {
 			/* Use datagrams. */
 			n = send_dg(statp, buf, buflen, ans, anssiz, &terrno,
-				    ns, &v_circuit, &gotsomewhere);
+				    ns, try, &v_circuit, &gotsomewhere);
 			if (n < 0)
 				goto fail;
 			if (n == 0)
@@ -766,9 +766,9 @@ send_vc(res_state statp,
 }
 
 static int
-send_dg(res_state statp,
-	const u_char *buf, int buflen, u_char *ans, int anssiz,
-	int *terrno, int ns, int *v_circuit, int *gotsomewhere)
+send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans,
+	int anssiz, int *terrno, int ns, int try, int *v_circuit,
+	int *gotsomewhere)
 {
 	const HEADER *hp = (const HEADER *) buf;
 	HEADER *anhp = (HEADER *) ans;
@@ -849,7 +849,7 @@ send_dg(res_state statp,
 	/*
 	 * Wait for reply.
 	 */
-	seconds = (statp->retrans << ns);
+	seconds = (statp->retrans << try);
 	if (ns > 0)
 		seconds /= statp->nscount;
 	if (seconds <= 0)

From 130cdefb3bfc79118d6047324cfb1f55848047bd Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 8 Mar 2006 23:30:03 +0000
Subject: [PATCH 107/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 6ab2b131c6..30031e1442 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1227,7 +1227,7 @@
 ./lib/bind/irs/Makefile.in			MAKE	2001,2004
 ./lib/bind/irs/dns.c				X	2001
 ./lib/bind/irs/dns_gr.c				X	2001
-./lib/bind/irs/dns_ho.c				X	2001,2005
+./lib/bind/irs/dns_ho.c				X	2001,2005,2006
 ./lib/bind/irs/dns_nw.c				X	2001
 ./lib/bind/irs/dns_p.h				X	2001
 ./lib/bind/irs/dns_pr.c				X	2001
@@ -1562,7 +1562,7 @@
 ./lib/bind/resolv/res_mkupdate.h		X	2001
 ./lib/bind/resolv/res_private.h			X	2001
 ./lib/bind/resolv/res_query.c			X	2001
-./lib/bind/resolv/res_send.c			X	2001,2005
+./lib/bind/resolv/res_send.c			X	2001,2005,2006
 ./lib/bind/resolv/res_sendsigned.c		X	2001,2005
 ./lib/bind/resolv/res_update.c			X	2001
 ./lib/dns/.cvsignore				X	1999,2000,2001

From 9cd148558bfff691175a58245e10aede0f550442 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 8 Mar 2006 23:30:28 +0000
Subject: [PATCH 108/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 26e6a8f9d9..6823c8b410 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1350,7 +1350,7 @@
 ./lib/bind/irs/Makefile.in			MAKE	2001,2004
 ./lib/bind/irs/dns.c				X	2001,2005
 ./lib/bind/irs/dns_gr.c				X	2001,2005
-./lib/bind/irs/dns_ho.c				X	2001,2005
+./lib/bind/irs/dns_ho.c				X	2001,2005,2006
 ./lib/bind/irs/dns_nw.c				X	2001,2005
 ./lib/bind/irs/dns_p.h				X	2001,2005
 ./lib/bind/irs/dns_pr.c				X	2001,2005
@@ -1686,7 +1686,7 @@
 ./lib/bind/resolv/res_mkupdate.h		X	2001,2005
 ./lib/bind/resolv/res_private.h			X	2001,2005
 ./lib/bind/resolv/res_query.c			X	2001,2005
-./lib/bind/resolv/res_send.c			X	2001,2005
+./lib/bind/resolv/res_send.c			X	2001,2005,2006
 ./lib/bind/resolv/res_sendsigned.c		X	2001,2005
 ./lib/bind/resolv/res_update.c			X	2001,2005
 ./lib/bind9/.cvsignore				X	2001

From fe6f384b2efde528dabbf822634eedc020be67e0 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 9 Mar 2006 03:30:18 +0000
Subject: [PATCH 109/465] 2006.   [security]      Allow-query-cache and
 allow-recursion now default                         to the builtin acls
 "localnets" and "localhost".

                        This is being done to make caching servers less
                        attractive as reflective amplifying targets for
                        spoofed traffic.  This still leave authoritative
                        servers exposed.

                        The best fix is for full BCP 38 deployment to
                        remove spoofed traffic.
---
 CHANGES                 |  11 ++++
 bin/named/config.c      |   5 +-
 bin/named/server.c      |  14 ++++-
 doc/arm/Bv9ARM-book.xml | 128 +++++++++++++++++++---------------------
 4 files changed, 86 insertions(+), 72 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0705700295..6dfae786e8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,14 @@
+2006.	[security]	Allow-query-cache and allow-recursion now default
+			to the builtin acls "localnets" and "localhost".
+
+			This is being done to make caching servers less
+			attractive as reflective amplifying targets for
+			spoofed traffic.  This still leave authoritative
+			servers exposed.
+
+			The best fix is for full BCP 38 deployment to
+			remove spoofed traffic.
+
 2005.	[bug]		libbind: Retransmission timeouts should be
 			based on which attempt it is to the nameserver
 			and not the nameserver itself. [RT #13548]
diff --git a/bin/named/config.c b/bin/named/config.c
index 1e9b94ff0f..c20e6019a1 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.71 2006/03/06 01:27:51 marka Exp $ */
+/* $Id: config.c,v 1.72 2006/03/09 03:30:18 marka Exp $ */
 
 /*! \file */
 
@@ -103,7 +103,8 @@ options {\n\
 	/* view */\n\
 	allow-notify {none;};\n\
 	allow-update-forwarding {none;};\n\
-	allow-recursion {any;};\n\
+	allow-query-cache { localnets; localhost; };\n\
+	allow-recursion { localnets; localhost; };\n\
 #	allow-v6-synthesis ;\n\
 #	sortlist \n\
 #	topology \n\
diff --git a/bin/named/server.c b/bin/named/server.c
index fa62826319..7fdbdaf5ff 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.459 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: server.c,v 1.460 2006/03/09 03:30:18 marka Exp $ */
 
 /*! \file */
 
@@ -1430,8 +1430,9 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
 				 actx, ns_g_mctx, &view->queryacl));
 	if (view->queryacl == NULL)
-		CHECK(configure_view_acl(vconfig, config, "allow-query",
-					 actx, ns_g_mctx, &view->queryacl));
+		CHECK(configure_view_acl(NULL, ns_g_defaults,
+					 "allow-query-cache", actx,
+					 ns_g_mctx, &view->queryacl));
 
 	if (strcmp(view->name, "_bind") != 0)
 		CHECK(configure_view_acl(vconfig, config, "allow-recursion",
@@ -1450,6 +1451,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			      "both \"recursion no;\" and \"allow-recursion\" "
 			      "active%s%s", forview, viewname);
 
+	/*
+	 * Set default "allow-recursion" acl.
+	 */
+	if (view->recursionacl == NULL && view->recursion)
+		CHECK(configure_view_acl(NULL, ns_g_defaults, "allow-recursion",
+					 actx, ns_g_mctx, &view->recursionacl));
+
 	CHECK(configure_view_acl(vconfig, config, "sortlist",
 				 actx, ns_g_mctx, &view->sortlist));
 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 14958e5e70..c3d888ea46 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -3069,20 +3069,21 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
             and whether the element was negated.
           
 
-          
-            When used as an access control list, a non-negated match allows
-            access and a negated match denies access. If there is no match,
-            access is denied. The clauses allow-notify,
-            allow-query, allow-query-cache,
-            allow-transfer,
-            allow-update, allow-update-forwarding,
-            and blackhole all use address match
-            lists.
-            Similarly, the listen-on option will cause the server to not
-            accept
-            queries on any of the machine's addresses which do not match the
-            list.
-          
+	  
+	    When used as an access control list, a non-negated match
+	    allows access and a negated match denies access. If
+	    there is no match, access is denied. The clauses
+	    allow-notify,
+	    allow-query,
+	    allow-query-cache,
+	    allow-transfer,
+	    allow-update,
+	    allow-update-forwarding, and
+	    blackhole all use address match
+	    lists.  Similarly, the listen-on option will cause the
+	    server to not accept queries on any of the machine's
+	    addresses which do not match the list.
+	  
 
           
             Because of the first-match aspect of the algorithm, an element
@@ -5772,64 +5773,57 @@ options {
               
             
 
-            
-              allow-query
-              
-                
-                  Specifies which hosts are allowed to
-                  ask ordinary DNS questions. allow-query may also
-                  be specified in the zone
-                  statement, in which
-                  case it overrides the options allow-query statement.
-                  allow-query-cache may also be
-                  specified and will
-                  overrides access to the cache.
-                  If not specified, the default is to allow queries from all
-                  hosts.
-                
-              
-            
+	    
+	      allow-query
+	      
+		
+		  Specifies which hosts are allowed to ask ordinary
+		  DNS questions. allow-query may
+		  also be specified in the zone
+		  statement, in which case it overrides the
+		  options allow-query statement.
+		  If not specified, the default is to allow queries
+		  from all hosts.
+		
+		
+		  
+		    allow-query-cache is now
+		    used to specify access to the cache.
+		  
+		
+	      
+	    
 
-            
-              allow-query-cache
-              
-                
-                  Specifies which hosts are allowed to get answers
-                  from the cache.  If not set allow-query applies.
-                
-                
-                  The recommended way to set query access to the cache is now
-                  via
-                  allow-query-cache rather than
-                  allow-query.
-                  Inheritance from allow-query
-                  has been retained for
-                  backwards compatability.
-                
-                
-                  
-                    If allow-query-cache is set
-                    at the options
-                    level and not set in the view it will still override a
-                    allow-query set at the view
-                    level.
-                  
-                
-              
-            
+	    
+	      allow-query-cache
+	      
+		
+		  Specifies which hosts are allowed to get answers
+		  from the cache. The default is the builtin acls
+		  localnets and
+		  localhost.
+		
+		
+		  The way to set query access to the cache is now
+		  via allow-query-cache.
+		  This differs from earlier versions which used
+		  allow-query.
+		
+	      
+	    
 
             
               allow-recursion
               
                 
-                  Specifies which hosts are allowed to
-                  make recursive queries through this server. If not
-                  specified, the
-                  default is to allow recursive queries from all hosts.
-                  Note that disallowing recursive queries for a host does not
-                  prevent the
-                  host from retrieving data that is already in the server's
-                  cache.
+		  Specifies which hosts are allowed to make recursive
+		  queries through this server. If not specified,
+		  the default is to allow recursive queries from
+		  the builtin acls localnets and
+		  localhost.
+		  Note that disallowing recursive queries for a
+		  host does not prevent the host from retrieving
+		  data that is already in the server's cache.
                 
               
             

From 035992291cb70ec3be4046fcea921b4a6acb1c77 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 9 Mar 2006 05:04:38 +0000
Subject: [PATCH 110/465] regen

---
 doc/arm/Bv9ARM.ch06.html         | 158 +++++++++++++++----------------
 doc/arm/Bv9ARM.ch07.html         |  14 +--
 doc/arm/Bv9ARM.ch08.html         |  18 ++--
 doc/arm/Bv9ARM.ch09.html         |  18 ++--
 doc/arm/Bv9ARM.html              |  40 ++++----
 doc/arm/man.dig.html             |  20 ++--
 doc/arm/man.dnssec-keygen.html   |  14 +--
 doc/arm/man.dnssec-signzone.html |  12 +--
 doc/arm/man.host.html            |  10 +-
 doc/arm/man.named-checkconf.html |  12 +--
 doc/arm/man.named-checkzone.html |  12 +--
 doc/arm/man.named.html           |  16 ++--
 doc/arm/man.rndc-confgen.html    |  12 +--
 doc/arm/man.rndc.conf.html       |  12 +--
 doc/arm/man.rndc.html            |  12 +--
 15 files changed, 188 insertions(+), 192 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 4636d40bb6..45a21abc27 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -77,23 +77,23 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
@@ -483,18 +483,19 @@
             and whether the element was negated.
           

 

-            When used as an access control list, a non-negated match allows
-            access and a negated match denies access. If there is no match,
-            access is denied. The clauses allow-notify,
-            allow-query, allow-query-cache,
+            When used as an access control list, a non-negated match
+            allows access and a negated match denies access. If
+            there is no match, access is denied. The clauses
+            allow-notify,
+            allow-query,
+            allow-query-cache,
             allow-transfer,
-            allow-update, allow-update-forwarding,
-            and blackhole all use address match
-            lists.
-            Similarly, the listen-on option will cause the server to not
-            accept
-            queries on any of the machine's addresses which do not match the
-            list.
+            allow-update,
+            allow-update-forwarding, and
+            blackhole all use address match
+            lists.  Similarly, the listen-on option will cause the
+            server to not accept queries on any of the machine's
+            addresses which do not match the list.
           

 

             Because of the first-match aspect of the algorithm, an element
@@ -2845,54 +2846,49 @@ options {
                   only from a zone's master.
                 

 
allow-query

-

-                  Specifies which hosts are allowed to
-                  ask ordinary DNS questions. allow-query may also
-                  be specified in the zone
-                  statement, in which
-                  case it overrides the options allow-query statement.
-                  allow-query-cache may also be
-                  specified and will
-                  overrides access to the cache.
-                  If not specified, the default is to allow queries from all
-                  hosts.
-                

-
allow-query-cache

 

 

-                  Specifies which hosts are allowed to get answers
-                  from the cache.  If not set allow-query applies.
-                

-

-                  The recommended way to set query access to the cache is now
-                  via
-                  allow-query-cache rather than
-                  allow-query.
-                  Inheritance from allow-query
-                  has been retained for
-                  backwards compatability.
+                  Specifies which hosts are allowed to ask ordinary
+                  DNS questions. allow-query may
+                  also be specified in the zone
+                  statement, in which case it overrides the
+                  options allow-query statement.
+                  If not specified, the default is to allow queries
+                  from all hosts.
                 

 

 
Note

 

-                    If allow-query-cache is set
-                    at the options
-                    level and not set in the view it will still override a
-                    allow-query set at the view
-                    level.
+                    allow-query-cache is now
+                    used to specify access to the cache.
                   

 

 

+
allow-query-cache

+

+

+                  Specifies which hosts are allowed to get answers
+                  from the cache. The default is the builtin acls
+                  localnets and
+                  localhost.
+                

+

+                  The way to set query access to the cache is now
+                  via allow-query-cache.
+                  This differs from earlier versions which used
+                  allow-query.
+                

+

 
allow-recursion

 

-                  Specifies which hosts are allowed to
-                  make recursive queries through this server. If not
-                  specified, the
-                  default is to allow recursive queries from all hosts.
-                  Note that disallowing recursive queries for a host does not
-                  prevent the
-                  host from retrieving data that is already in the server's
-                  cache.
+                  Specifies which hosts are allowed to make recursive
+                  queries through this server. If not specified,
+                  the default is to allow recursive queries from
+                  the builtin acls localnets and
+                  localhost.
+                  Note that disallowing recursive queries for a
+                  host does not prevent the host from retrieving
+                  data that is already in the server's cache.
                 

 
allow-update

 

@@ -2963,7 +2959,7 @@ options {
 

 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3043,7 +3039,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 

 

-Query Address

+Query Address

 

             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3323,7 +3319,7 @@ query-source-v6 address * port *;
 
 

 

-Bad UDP Port Lists

+Bad UDP Port Lists

 
avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3337,7 +3333,7 @@ query-source-v6 address * port *;
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3397,7 +3393,7 @@ query-source-v6 address * port *;
 
 

 

-Server  Resource Limits

+Server  Resource Limits

 

             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3475,7 +3471,7 @@ query-source-v6 address * port *;
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -4510,7 +4506,7 @@ query-source-v6 address * port *;
 

 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4519,7 +4515,7 @@ query-source-v6 address * port *;
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -4562,7 +4558,7 @@ query-source-v6 address * port *;
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -4813,10 +4809,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 

@@ -5025,7 +5021,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5047,7 +5043,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
journal

 

@@ -5530,7 +5526,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -5543,7 +5539,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6194,7 +6190,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6397,7 +6393,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6655,7 +6651,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6716,7 +6712,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6731,7 +6727,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -6759,7 +6755,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -6795,7 +6791,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -6814,7 +6810,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 23a7081d0e..c70af245b8 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -116,7 +116,7 @@ zone "example.com" {
 
 

 

-chroot and setuid

+chroot and setuid

 

           On UNIX servers, it is possible to run BIND in a chrooted environment
           (chroot()) by specifying the "-t"
@@ -139,7 +139,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot() environment
             to
@@ -167,7 +167,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 4fbdc75243..47dc6ff828 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index b4795fbb69..a23e4b17b9 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND

@@ -145,7 +145,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -232,7 +232,7 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -417,11 +417,11 @@
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index a2168ac984..7a0cd55707 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -155,54 +155,54 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 4dc7251d6a..68ce6e153b 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -137,7 +137,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 882d8e2c70..8f317bb15a 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -166,7 +166,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 8f4e80fc04..b56bc0fa30 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-n nthreads] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -238,7 +238,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -264,14 +264,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 2ae1dfd684..c51c92ab4f 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 6c0df90b71..7a1f1fa84f 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-v] [-j] [-t directory] {filename} [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -88,20 +88,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 2a3c994d99..809de257db 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -251,21 +251,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index b6ff2153d5..606b0f598e 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -198,7 +198,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -241,7 +241,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -251,7 +251,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index fcde9d6997..e0a1a53189 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -171,7 +171,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 9af82644a3..79949c33ce 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 5a2c5a5599..76a9081838 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 


From 93875126dc022d4cbd94d8a83eff6c8e20607a36 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 9 Mar 2006 21:58:57 +0000
Subject: [PATCH 111/465] new draft

---
 ...-02.txt => draft-ietf-dnsext-nsec3-04.txt} | 1510 ++++++++++-------
 ...dnsop-dnssec-operational-practices-08.txt} |  864 ++++++----
 2 files changed, 1383 insertions(+), 991 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-nsec3-02.txt => draft-ietf-dnsext-nsec3-04.txt} (59%)
 rename doc/draft/{draft-ietf-dnsop-dnssec-operational-practices-07.txt => draft-ietf-dnsop-dnssec-operational-practices-08.txt} (84%)

diff --git a/doc/draft/draft-ietf-dnsext-nsec3-02.txt b/doc/draft/draft-ietf-dnsext-nsec3-04.txt
similarity index 59%
rename from doc/draft/draft-ietf-dnsext-nsec3-02.txt
rename to doc/draft/draft-ietf-dnsext-nsec3-04.txt
index cc3c276b99..8c6c5b1ba0 100644
--- a/doc/draft/draft-ietf-dnsext-nsec3-02.txt
+++ b/doc/draft/draft-ietf-dnsext-nsec3-04.txt
@@ -3,14 +3,13 @@
 
 Network Working Group                                          B. Laurie
 Internet-Draft                                                 G. Sisson
-Expires: December 3, 2005                                        Nominet
-                                                               R. Arends
-                                                    Telematica Instituut
-                                                               june 2005
+Expires: August 5, 2006                                        R. Arends
+                                                                 Nominet
+                                                           February 2006
 
 
              DNSSEC Hash Authenticated Denial of Existence
-                       draft-ietf-dnsext-nsec3-02
+                       draft-ietf-dnsext-nsec3-04
 
 Status of this Memo
 
@@ -35,96 +34,89 @@ Status of this Memo
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on December 3, 2005.
+   This Internet-Draft will expire on August 5, 2006.
 
 Copyright Notice
 
-   Copyright (C) The Internet Society (2005).
+   Copyright (C) The Internet Society (2006).
 
 Abstract
 
-   The DNS Security (DNSSEC) NSEC resource record (RR) is intended to be
-   used to provide authenticated denial of existence of DNS ownernames
-   and types; however, it permits any user to traverse a zone and obtain
-   a listing of all ownernames.
-
-   A complete zone file can be used either directly as a source of
+   The DNS Security Extensions introduces the NSEC resource record for
+   authenticated denial of existence.  This document introduces a new
+   resource record as an alternative to NSEC that provides measures
+   against zone enumeration and allows for gradual expansion of
+   delegation-centric zones.
 
 
 
-Laurie, et al.          Expires December 3, 2005                [Page 1]
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 1]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
-   probable e-mail addresses for spam, or indirectly as a key for
-   multiple WHOIS queries to reveal registrant data which many
-   registries (particularly in Europe) may be under strict legal
-   obligations to protect.  Many registries therefore prohibit copying
-   of their zone file; however the use of NSEC RRs renders policies
-   unenforceable.
-
-   This document proposes a scheme which obscures original ownernames
-   while permitting authenticated denial of existence of non-existent
-   names.  Non-authoritative delegation point NS RR types may be
-   excluded.
-
 Table of Contents
 
    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.1   Rationale  . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.2   Reserved Words . . . . . . . . . . . . . . . . . . . . . .  4
-     1.3   Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
-   2.  The NSEC3 Resource Record  . . . . . . . . . . . . . . . . . .  5
-     2.1   NSEC3 RDATA Wire Format  . . . . . . . . . . . . . . . . .  5
-       2.1.1   The Authoritative Only Flag Field  . . . . . . . . . .  6
-       2.1.2   The Hash Function Field  . . . . . . . . . . . . . . .  6
-       2.1.3   The Iterations Field . . . . . . . . . . . . . . . . .  7
-       2.1.4   The Salt Length Field  . . . . . . . . . . . . . . . .  7
-       2.1.5   The Salt Field . . . . . . . . . . . . . . . . . . . .  7
-       2.1.6   The Next Hashed Ownername Field  . . . . . . . . . . .  7
-       2.1.7   The list of Type Bit Map(s) Field  . . . . . . . . . .  8
-     2.2   The NSEC3 RR Presentation Format . . . . . . . . . . . . .  9
-   3.  Creating Additional NSEC3 RRs for Empty Non Terminals  . . . .  9
-   4.  Calculation of the Hash  . . . . . . . . . . . . . . . . . . . 10
-   5.  Including NSEC3 RRs in a Zone  . . . . . . . . . . . . . . . . 10
-   6.  Special Considerations . . . . . . . . . . . . . . . . . . . . 11
-     6.1   Delegation Points  . . . . . . . . . . . . . . . . . . . . 11
-       6.1.1   Unsigned Delegations . . . . . . . . . . . . . . . . . 11
-     6.2   Proving Nonexistence . . . . . . . . . . . . . . . . . . . 12
-     6.3   Salting  . . . . . . . . . . . . . . . . . . . . . . . . . 13
-     6.4   Hash Collision . . . . . . . . . . . . . . . . . . . . . . 13
-       6.4.1   Avoiding Hash Collisions during generation . . . . . . 14
-       6.4.2   Second Preimage Requirement Analysis . . . . . . . . . 14
-       6.4.3   Possible Hash Value Truncation Method  . . . . . . . . 14
-   7.  Performance Considerations . . . . . . . . . . . . . . . . . . 15
-   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 15
-   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 15
-   10.   References . . . . . . . . . . . . . . . . . . . . . . . . . 16
-     10.1  Normative References . . . . . . . . . . . . . . . . . . . 16
-     10.2  Informative References . . . . . . . . . . . . . . . . . . 17
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 17
-   A.  Example Zone . . . . . . . . . . . . . . . . . . . . . . . . . 18
+     1.1.  Rationale  . . . . . . . . . . . . . . . . . . . . . . . .  4
+     1.2.  Reserved Words . . . . . . . . . . . . . . . . . . . . . .  4
+     1.3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
+   2.  NSEC versus NSEC3  . . . . . . . . . . . . . . . . . . . . . .  5
+   3.  The NSEC3 Resource Record  . . . . . . . . . . . . . . . . . .  5
+     3.1.  NSEC3 RDATA Wire Format  . . . . . . . . . . . . . . . . .  6
+       3.1.1.  The Hash Function Field  . . . . . . . . . . . . . . .  6
+       3.1.2.  The Opt-In Flag Field  . . . . . . . . . . . . . . . .  7
+       3.1.3.  The Iterations Field . . . . . . . . . . . . . . . . .  8
+       3.1.4.  The Salt Length Field  . . . . . . . . . . . . . . . .  8
+       3.1.5.  The Salt Field . . . . . . . . . . . . . . . . . . . .  8
+       3.1.6.  The Next Hashed Ownername Field  . . . . . . . . . . .  9
+       3.1.7.  The Type Bit Maps Field  . . . . . . . . . . . . . . .  9
+     3.2.  The NSEC3 RR Presentation Format . . . . . . . . . . . . . 10
+   4.  Creating Additional NSEC3 RRs for Empty Non-Terminals  . . . . 11
+   5.  Calculation of the Hash  . . . . . . . . . . . . . . . . . . . 11
+   6.  Including NSEC3 RRs in a Zone  . . . . . . . . . . . . . . . . 11
+   7.  Responding to NSEC3 Queries  . . . . . . . . . . . . . . . . . 12
+   8.  Special Considerations . . . . . . . . . . . . . . . . . . . . 13
+     8.1.  Proving Nonexistence . . . . . . . . . . . . . . . . . . . 13
+     8.2.  Salting  . . . . . . . . . . . . . . . . . . . . . . . . . 14
+     8.3.  Iterations . . . . . . . . . . . . . . . . . . . . . . . . 15
+     8.4.  Hash Collision . . . . . . . . . . . . . . . . . . . . . . 16
+       8.4.1.  Avoiding Hash Collisions during generation . . . . . . 16
+       8.4.2.  Second Preimage Requirement Analysis . . . . . . . . . 16
+       8.4.3.  Possible Hash Value Truncation Method  . . . . . . . . 17
+       8.4.4.  Server Response to a Run-time Collision  . . . . . . . 17
+       8.4.5.  Parameters that Cover the Zone . . . . . . . . . . . . 18
+   9.  Performance Considerations . . . . . . . . . . . . . . . . . . 18
+   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18
+   11. Security Considerations  . . . . . . . . . . . . . . . . . . . 18
+   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+     12.1. Normative References . . . . . . . . . . . . . . . . . . . 21
+     12.2. Informative References . . . . . . . . . . . . . . . . . . 22
+   Editorial Comments . . . . . . . . . . . . . . . . . . . . . . . .
+   Appendix A.  Example Zone  . . . . . . . . . . . . . . . . . . . . 22
+   Appendix B.  Example Responses . . . . . . . . . . . . . . . . . . 27
+     B.1.  answer . . . . . . . . . . . . . . . . . . . . . . . . . . 27
+       B.1.1.  Authenticating the Example DNSKEY RRset  . . . . . . . 29
+     B.2.  Name Error . . . . . . . . . . . . . . . . . . . . . . . . 30
+     B.3.  No Data Error  . . . . . . . . . . . . . . . . . . . . . . 32
+       B.3.1.  No Data Error, Empty Non-Terminal  . . . . . . . . . . 33
+     B.4.  Referral to Signed Zone  . . . . . . . . . . . . . . . . . 34
+     B.5.  Referral to Unsigned Zone using the Opt-In Flag  . . . . . 35
+     B.6.  Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 36
 
 
 
-Laurie, et al.          Expires December 3, 2005                [Page 2]
+Laurie, et al.           Expires August 5, 2006                 [Page 2]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
-   B.  Example Responses  . . . . . . . . . . . . . . . . . . . . . . 23
-     B.1   answer . . . . . . . . . . . . . . . . . . . . . . . . . . 23
-       B.1.1   Authenticating the Example DNSKEY RRset  . . . . . . . 25
-     B.2   Name Error . . . . . . . . . . . . . . . . . . . . . . . . 26
-     B.3   No Data Error  . . . . . . . . . . . . . . . . . . . . . . 28
-       B.3.1   No Data Error, Empty Non-Terminal  . . . . . . . . . . 29
-     B.4   Referral to Signed Zone  . . . . . . . . . . . . . . . . . 30
-     B.5   Referral to Unsigned Zone using Opt-In . . . . . . . . . . 31
-     B.6   Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 32
-     B.7   Wildcard No Data Error . . . . . . . . . . . . . . . . . . 34
-     B.8   DS Child Zone No Data Error  . . . . . . . . . . . . . . . 35
-       Intellectual Property and Copyright Statements . . . . . . . . 37
+     B.7.  Wildcard No Data Error . . . . . . . . . . . . . . . . . . 38
+     B.8.  DS Child Zone No Data Error  . . . . . . . . . . . . . . . 39
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41
+   Intellectual Property and Copyright Statements . . . . . . . . . . 42
 
 
 
@@ -164,20 +156,22 @@ Internet-Draft                    nsec3                        june 2005
 
 
 
-Laurie, et al.          Expires December 3, 2005                [Page 3]
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 3]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
 1.  Introduction
 
-   The DNS Security Extensions (DNSSEC) introduced the NSEC Resource
-   Record (RR) for authenticated denial of existence.  This document
-   introduces a new RR as an alternative to NSEC that provides measures
-   against zone traversal and allows for gradual expansion of
-   delegation-centric zones.
-
-1.1  Rationale
+1.1.  Rationale
 
    The DNS Security Extensions included the NSEC RR to provide
    authenticated denial of existence.  Though the NSEC RR meets the
@@ -185,106 +179,136 @@ Internet-Draft                    nsec3                        june 2005
    side-effect in that the contents of a zone can be enumerated.  This
    property introduces undesired policy issues.
 
+   An enumerated zone can be used either directly as a source of
+   probable e-mail addresses for spam, or indirectly as a key for
+   multiple WHOIS queries to reveal registrant data which many
+   registries may be under strict legal obligations to protect.  Many
+   registries therefore prohibit copying of their zone file; however the
+   use of NSEC RRs renders these policies unenforceable.
+
    A second problem was the requirement that the existence of all record
-   types in a zone - including delegation point NS record types - must
-   be accounted for, despite the fact that delegation point NS RRsets
-   are not authoritative and not signed.  This requirement has a side-
-   effect that the overhead of delegation-centric signed zones is not
-   related to the increase in security of subzones.  This requirement
-   does not allow delegation-centric zones size to grow in relation to
-   the growth of signed subzones.
+   types in a zone - including unsigned delegation points - must be
+   accounted for, despite the fact that unsigned delegation point
+   records are not signed.  This requirement has a side-effect that the
+   overhead of signed zones is not related to the increase in security
+   of subzones.  This requirement does not allow the zones' size to grow
+   in relation to the growth of signed subzones.
 
-   In the past, solutions have been proposed as a measure against these
-   side effects but at the time were regarded as secondary over the need
-   to have a stable DNSSEC specification.  With (draft-vixie-dnssec-ter)
-   a graceful transition path to future enhancements is introduced,
-   while current DNSSEC deployment can continue.  This document presents
-   the NSEC3 Resource Record which mitigates these issues with the NSEC
-   RR.
+   In the past, solutions (draft-ietf-dnsext-dnssec-opt-in) have been
+   proposed as a measure against these side effects but at the time were
+   regarded as secondary over the need to have a stable DNSSEC
+   specification.  With (draft-vixie-dnssec-ter) [14] a graceful
+   transition path to future enhancements is introduced, while current
+   DNSSEC deployment can continue.  This document presents the NSEC3
+   Resource Record which mitigates these issues with the NSEC RR.
 
-   The reader is assumed to be familiar with the basic DNS concepts
-   described in RFC1034 [RFC1034], RFC1035 [RFC1035] and subsequent RFCs
-   that update them:  RFC2136 [RFC2136], RFC2181 [RFC2181] and RFC2308
-   [RFC2308].
+   The reader is assumed to be familiar with the basic DNS and DNSSEC
+   concepts described in RFC 1034 [1], RFC 1035 [2], RFC 4033 [3], RFC
+   4034 [4], RFC 4035 [5] and subsequent RFCs that update them: RFC 2136
+   [6], RFC2181 [7] and RFC2308 [8].
 
-1.2  Reserved Words
+1.2.  Reserved Words
 
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [RFC2119].
+   document are to be interpreted as described in RFC 2119 [9].
 
-1.3  Terminology
+1.3.  Terminology
+
+   The practice of discovering the contents of a zone, i.e. enumerating
+   the domains within a zone, is known as "zone enumeration".  Zone
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 4]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   enumeration was not practical prior to the introduction of DNSSEC.
 
    In this document the term "original ownername" refers to a standard
    ownername.  Because this proposal uses the result of a hash function
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 4]
-
-Internet-Draft                    nsec3                        june 2005
-
-
    over the original (unmodified) ownername, this result is referred to
    as "hashed ownername".
 
-   "Canonical ordering of the zone" means the order in which hashed
-   ownernames are arranged according to their numerical value, treating
-   the leftmost (lowest numbered) byte as the most significant byte.
+   "Hash order" means the order in which hashed ownernames are arranged
+   according to their numerical value, treating the leftmost (lowest
+   numbered) octet as the most significant octet.  Note that this is the
+   same as the canonical ordering specified in RFC 4034 [4].
 
-2.  The NSEC3 Resource Record
+   An "empty non-terminal" is a domain name that owns no resource
+   records but has subdomains that do.
+
+   The "closest encloser" of a (nonexistent) domain name is the longest
+   domain name, including empty non-terminals, that matches the
+   rightmost part of the nonexistent domain name.
+
+   "Base32 encoding" is "Base 32 Encoding with Extended Hex Alphabet" as
+   specified in RFC 3548bis [15].
+
+
+2.  NSEC versus NSEC3
+
+   This document does NOT obsolete the NSEC record, but gives an
+   alternative for authenticated denial of existence.  NSEC and NSEC3
+   RRs can not co-exist in a zone.  See draft-vixie-dnssec-ter [14] for
+   a signaling mechanism to allow for graceful transition towards NSEC3.
+
+
+3.  The NSEC3 Resource Record
 
    The NSEC3 RR provides Authenticated Denial of Existence for DNS
    Resource Record Sets.
 
-   The NSEC3 Resource Record lists RR types present at the NSEC3 RR's
-   original ownername.  It includes the next hashed ownername in the
-   canonical ordering of the zone.  The complete set of NSEC3 RRs in a
-   zone indicates which RRsets exist for the original ownername of the
-   RRset and form a chain of hashed ownernames in the zone.  This
-   information is used to provide authenticated denial of existence for
-   DNS data, as described in RFC 4035 [RFC4035].  Unsigned delegation
-   point NS RRsets can optionally be excluded.  To provide protection
-   against zone traversal, the ownernames used in the NSEC3 RR are
-   cryptographic hashes of the original ownername prepended to the name
-   of the zone.  The NSEC3 RR indicates which hash function is used to
-   construct the hash, which salt is used, and how many iterations of
-   the hash function are performed over the original ownername.
+   The NSEC3 Resource Record (RR) lists RR types present at the NSEC3
+   RR's original ownername.  It includes the next hashed ownername in
+   the hash order of the zone.  The complete set of NSEC3 RRs in a zone
+   indicates which RRsets exist for the original ownername of the RRset
+   and form a chain of hashed ownernames in the zone.  This information
+   is used to provide authenticated denial of existence for DNS data, as
+   described in RFC 4035 [5].  To provide protection against zone
+   enumeration, the ownernames used in the NSEC3 RR are cryptographic
+   hashes of the original ownername prepended to the name of the zone.
+   The NSEC3 RR indicates which hash function is used to construct the
+   hash, which salt is used, and how many iterations of the hash
+   function are performed over the original ownername.  The hashing
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 5]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   technique is described fully in Section 5.
+
+   Hashed ownernames of unsigned delegations may be excluded from the
+   chain.  An NSEC3 record which span covers the hash of an unsigned
+   delegation's ownername is referred to as an Opt-In NSEC3 record and
+   is indicated by the presence of a flag.
 
    The ownername for the NSEC3 RR is the base32 encoding of the hashed
-   ownername.
+   ownername prepended to the name of the zone..
 
    The type value for the NSEC3 RR is XX.
 
-   The NSEC3 RR RDATA format is class independent.
+   The NSEC3 RR RDATA format is class independent and is described
+   below.
+
+   The class MUST be the same as the original ownername's class.
 
    The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
-   field.  This is in the spirit of negative caching [RFC2308].
+   field.  This is in the spirit of negative caching [8].
 
-2.1  NSEC3 RDATA Wire Format
+3.1.  NSEC3 RDATA Wire Format
 
    The RDATA of the NSEC3 RR is as shown below:
 
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 5]
-
-Internet-Draft                    nsec3                        june 2005
-
-
                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |A|Hash Function|                  Iterations                   |
+   | Hash Function |O|                Iterations                   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Salt Length  |                     Salt                      /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -293,113 +317,168 @@ Internet-Draft                    nsec3                        june 2005
    /                         Type Bit Maps                         /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
+   "O" is the Opt-In Flag field.
 
-2.1.1  The Authoritative Only Flag Field
-
-   The Authoritative Only Flag field indicates whether the Type Bit Maps
-   include delegation point NS record types.
-
-   If the flag is set to 1, the NS RR type bit for a delegation point
-   ownername SHOULD be clear when the NSEC3 RR is generated.  The NS RR
-   type bit MUST be ignored during processing of the NSEC3 RR.  The NS
-   RR type bit has no meaning in this context (it is not authoritative),
-   hence the NSEC3 does not contest the existence of a NS RRset for this
-   ownername.  When a delegation is not secured, there exist no DS RR
-   type nor any other authoritative types for this delegation, hence the
-   unsecured delegation has no NSEC3 record associated.  Please see the
-   Special Consideration section for implications for unsigned
-   delegations.
-
-   If the flag is set to 0, the NS RR type bit for a delegation point
-   ownername MUST be set if the NSEC3 covers a delegation, even though
-   the NS RR itself is not authoritative.  This implies that all
-   delegations, signed or unsigned, have an NSEC3 record associated.
-   This behaviour is identical to NSEC behaviour.
-
-2.1.2  The Hash Function Field
+3.1.1.  The Hash Function Field
 
    The Hash Function field identifies the cryptographic hash function
    used to construct the hash-value.
 
-   This document defines Value 1 for SHA-1 and Value 127 for
-   experimental.  All other values are reserved.
+   The values are as defined for the DS record (see RFC 3658 [10]).
 
-   On reception, a resolver MUST discard an NSEC3 RR with an unknown
-   hash function value.
+   On reception, a resolver MUST ignore an NSEC3 RR with an unknown hash
+   function value.
 
 
 
 
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 6]
+Laurie, et al.           Expires August 5, 2006                 [Page 6]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
-2.1.3  The Iterations Field
+3.1.2.  The Opt-In Flag Field
+
+   The Opt-In Flag field indicates whether this NSEC3 RR covers unsigned
+   delegations.
+
+   In DNSSEC, NS RRsets at delegation points are not signed, and may be
+   accompanied by a DS record.  The security status of the subzone is
+   determined by the presence or absence of the DS RRset,
+   cryptographically proven by the NSEC record or the signed DS RRset.
+   The presence of the Opt-In flag expands this definition by allowing
+   insecure delegations to exist within an otherwise signed zone without
+   the corresponding NSEC3 record at the delegation's (hashed) owner
+   name.  These delegations are proven insecure by using a covering
+   NSEC3 record.
+
+   Resolvers must be able to distinguish between NSEC3 records and
+   Opt-In NSEC3 records.  This is accomplished by setting the Opt-In
+   flag of the NSEC3 records that cover (or potentially cover) insecure
+   delegation nodes.
+
+   An Opt-In NSEC3 record does not assert the existence or non-existence
+   of the insecure delegations that it covers.  This allows for the
+   addition or removal of these delegations without recalculating or
+   resigning records in the NSEC3 chain.  However, Opt-In NSEC3 records
+   do assert the (non)existence of other, authoritative RRsets.
+
+   An Opt-In NSEC3 record MAY have the same original owner name as an
+   insecure delegation.  In this case, the delegation is proven insecure
+   by the lack of a DS bit in type map and the signed NSEC3 record does
+   assert the existence of the delegation.
+
+   Zones using Opt-In MAY contain a mixture of Opt-In NSEC3 records and
+   non-Opt-In NSEC3 records.  If an NSEC3 record is not Opt-In, there
+   MUST NOT be any hashed ownernames of insecure delegations (nor any
+   other records) between it and the RRsets indicated by the 'Next
+   Hashed Ownername' in the NSEC3 RDATA.  If it is Opt-In, there MUST
+   only be hashed ownernames of insecure delegations between it and the
+   next node indicated by the 'Next Hashed Ownername' in the NSEC3
+   RDATA.
+
+   In summary,
+   o  An Opt-In NSEC3 type is identified by an Opt-In Flag field value
+      of 1.
+   o  A non Opt-In NSEC3 type is identified by an Opt-In Flag field
+      value of 0.
+   and,
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 7]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   o  An Opt-In NSEC3 record does not assert the non-existence of a hash
+      ownername between its ownername and next hashed ownername,
+      although it does assert that any hashed name in this span MUST be
+      of an insecure delegation.
+   o  An Opt-In NSEC3 record does assert the (non)existence of RRsets
+      with the same hashed owner name.
+
+3.1.3.  The Iterations Field
 
    The Iterations field defines the number of times the hash has been
    iterated.  More iterations results in greater resiliency of the hash
    value against dictionary attacks, but at a higher cost for both the
-   server and resolver.
+   server and resolver.  See Section 5 for details of this field's use.
 
-2.1.4  The Salt Length Field
+   Iterations make an attack more costly by making the hash computation
+   more computationally intensive, e.g. by iterating the hash function a
+   number of times.
+
+   When generating a few hashes this performance loss will not be a
+   problem, as a validator can handle a delay of a few milliseconds.
+   But when doing a dictionary attack it will also multiply the attack
+   workload by a factor, which is a problem for the attacker.
+
+3.1.4.  The Salt Length Field
 
    The salt length field defines the length of the salt in octets.
 
-2.1.5  The Salt Field
+3.1.5.  The Salt Field
 
    The Salt field is not present when the Salt Length Field has a value
    of 0.
 
-   The Salt field is prepended to the original ownername before hashing
-   in order to defend against precalculated dictionary attacks.
+   The Salt field is appended to the original ownername before hashing
+   in order to defend against precalculated dictionary attacks.  See
+   Section 5 for details on how the salt is used.
 
-   The salt is also prepended during iterations of the hash function.
+   Salt is used to make dictionary attacks using precomputation more
+   costly.  A dictionary can only be computed after the attacker has the
+   salt, hence a new salt means that the dictionary has to be
+   regenerated with the new salt.
+
+   There MUST be a complete set of NSEC3 records covering the entire
+   zone that use the same salt value.  The requirement exists so that,
+   given any qname within a zone, at least one covering NSEC3 RRset may
+   be found.  While it may be theoretically possible to produce a set of
+   NSEC3s that use different salts that cover the entire zone, it is
+   computationally infeasible to generate such a set.  See Section 8.2
+   for further discussion.
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 8]
+
+Internet-Draft                    nsec3                    February 2006
 
-   Note that although it is theoretically possible to cover the entire
-   possible ownername space with different salt values, it is
-   computationally infeasible to do so, and so there MUST be at least
-   one salt which is the same for all NSEC3 records.  This means that no
-   matter what name is asked for in a query, it is guaranteed to be
-   possible to find a covering NSEC3 record.  Note that this does not
-   preclude the use of two different salts at the same time - indeed
-   this may well occur naturally, due to rolling the salt value
-   periodically.
 
    The salt value SHOULD be changed from time to time - this is to
    prevent the use of a precomputed dictionary to reduce the cost of
    enumeration.
 
-2.1.6  The Next Hashed Ownername Field
+3.1.6.  The Next Hashed Ownername Field
 
-   The Next Hashed Ownername field contains the hash of the ownername of
-   the next RR in the canonical ordering of the hashed ownernames of the
-   zone.  The value of the Next Hashed Ownername Field in the last NSEC3
-   record in the zone is the same as the ownername of the first NSEC3 RR
-   in the zone in canonical order.
-
-   Hashed ownernames of RRsets not authoritative for the given zone
-   (such as glue records) MUST NOT be listed in the Next Hashed
-   Ownername unless at least one authoritative RRset exists at the same
-   ownername.
-
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 7]
-
-Internet-Draft                    nsec3                        june 2005
+   The Next Hashed Ownername field contains the next hashed ownername in
+   hash order.  That is, given the set of all hashed owernames, the Next
+   Hashed Ownername contains the hash value that immediately follows the
+   owner hash value for the given NSEC3 record.  The value of the Next
+   Hashed Ownername Field in the last NSEC3 record in the zone is the
+   same as the ownername of the first NSEC3 RR in the zone in hash
+   order.
 
+   Hashed ownernames of glue RRsets MUST NOT be listed in the Next
+   Hashed Ownername unless at least one authoritative RRset exists at
+   the same ownername.  Hashed ownernames of delegation NS RRsets MUST
+   be listed if the Opt-In bit is clear.
 
    Note that the Next Hashed Ownername field is not encoded, unlike the
-   NSEC3 RR's ownername.  It is the unmodified binary hash value.
+   NSEC3 RR's ownername.  It is the unmodified binary hash value.  It
+   does not include the name of the containing zone.
 
-2.1.7  The list of Type Bit Map(s) Field
+   The length of this field is the length of the hash value produced by
+   the hash function selected by the Hash Function field.
+
+3.1.7.  The Type Bit Maps Field
 
    The Type Bit Maps field identifies the RRset types which exist at the
-   NSEC3 RR's ownername.
+   NSEC3 RR's original ownername.
 
    The Type bits for the NSEC3 RR and RRSIG RR MUST be set during
    generation, and MUST be ignored during processing.
@@ -418,6 +497,14 @@ Internet-Draft                    nsec3                        june 2005
 
    Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
 
+
+
+
+Laurie, et al.           Expires August 5, 2006                 [Page 9]
+
+Internet-Draft                    nsec3                    February 2006
+
+
    Each bitmap encodes the low-order 8 bits of RR types within the
    window block, in network bit order.  The first bit is bit 0.  For
    window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
@@ -427,30 +514,14 @@ Internet-Draft                    nsec3                        june 2005
    RR's ownername.  If a bit is set to 0, it indicates that no RRset of
    that type is present for the NSEC3 RR's ownername.
 
-   The RR type 2 (NS) is authoritative at the apex of a zone and is not
-   authoritative at delegation points.  If the Authoritative Only Flag
-   is set to 1, the delegation point NS RR type MUST NOT be included in
-   the type bit maps.  If the Authoritative Only Flag is set to 0, the
-   NS RR type at a delegation point MUST be included in the type bit
-   maps.
-
    Since bit 0 in window block 0 refers to the non-existing RR type 0,
    it MUST be set to 0.  After verification, the validator MUST ignore
    the value of bit 0 in window block 0.
 
-   Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929
-   [RFC2929] (section 3.1) or within the range reserved for assignment
-   only to QTYPEs and Meta-TYPEs MUST be set to 0, since they do not
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 8]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   appear in zone data.  If encountered, they must be ignored upon
-   reading.
+   Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929 [11]
+   (section 3.1) or within the range reserved for assignment only to
+   QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
+   zone data.  If encountered, they must be ignored upon reading.
 
    Blocks with no types present MUST NOT be included.  Trailing zero
    octets in the bitmap MUST be omitted.  The length of each block's
@@ -459,15 +530,15 @@ Internet-Draft                    nsec3                        june 2005
    NSEC3 RR's actual ownername.  Trailing zero octets not specified MUST
    be interpreted as zero octets.
 
-2.2  The NSEC3 RR Presentation Format
+3.2.  The NSEC3 RR Presentation Format
 
    The presentation format of the RDATA portion is as follows:
 
-   The Authoritative Only Field is represented as an unsigned decimal
-   integer.  The value are either 0 or 1.
+   The Opt-In Flag Field is represented as an unsigned decimal integer.
+   The value is either 0 or 1.
 
-   The Hash field is presented as the name of the hash or as an unsigned
-   decimal integer.  The value has a maximum of 127.
+   The Hash field is presented as a mnemonic of the hash or as an
+   unsigned decimal integer.  The value has a maximum of 127.
 
    The Iterations field is presented as an unsigned decimal integer.
 
@@ -475,39 +546,42 @@ Internet-Draft                    nsec3                        june 2005
 
    The Salt field is represented as a sequence of case-insensitive
    hexadecimal digits.  Whitespace is not allowed within the sequence.
-   The Salt Field is represented as 00 when the Salt Length field has
-   value 0.
+   The Salt Field is represented as "-" (without the quotes) when the
+   Salt Length field has value 0.
 
    The Next Hashed Ownername field is represented as a sequence of case-
-   insensitive base32 digits.  Whitespace is allowed within the
-   sequence.
+   insensitive base32 digits, without whitespace.
 
-   The List of Type Bit Map(s) Field is represented as a sequence of RR
-   type mnemonics.  When the mnemonic is not known, the TYPE
-   representation as described in RFC 3597 [RFC3597] (section 5) MUST be
-   used.
+   The Type Bit Maps Field is represented as a sequence of RR type
 
-3.  Creating Additional NSEC3 RRs for Empty Non Terminals
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 10]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   mnemonics.  When the mnemonic is not known, the TYPE representation
+   as described in RFC 3597 [12] (section 5) MUST be used.
+
+
+4.  Creating Additional NSEC3 RRs for Empty Non-Terminals
 
    In order to prove the non-existence of a record that might be covered
    by a wildcard, it is necessary to prove the existence of its closest
-   encloser.  A closest encloser might be an Empty Non Terminal.
+   encloser.  A closest encloser might be an empty non-terminal.
 
-   Additional NSEC3 RRs are synthesized which cover every existing
-   intermediate label level.  Additional NSEC3 RRs are identical in
-   format to NSEC3 RRs that cover existing RRs in the zone.  The
-   difference is that the type-bit-maps only indicate the existence of
+   Additional NSEC3 RRs are generated for empty non-terminals.  These
+   additional NSEC3 RRs are identical in format to NSEC3 RRs that cover
+   existing RRs in the zone except that their type-maps only indicated
+   the existence of an NSEC3 RRset and an RRSIG RRset.
+
+   This relaxes the requirement in Section 2.3 of RFC4035 that NSEC RRs
+   not appear at names that did not exist before the zone was signed.
+   [Comment.1]
 
 
-
-Laurie, et al.          Expires December 3, 2005                [Page 9]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   an NSEC3 RR type and an RRSIG RR type.
-
-4.  Calculation of the Hash
+5.  Calculation of the Hash
 
    Define H(x) to be the hash of x using the hash function selected by
    the NSEC3 record and || to indicate concatenation.  Then define:
@@ -529,15 +603,27 @@ Internet-Draft                    nsec3                        june 2005
    3.  If the ownername is a wildcard name, the ownername is in its
        original unexpanded form, including the "*" label (no wildcard
        substitution);
+   This form is as defined in section 6.2 of RFC 4034 ([4]).
 
-5.  Including NSEC3 RRs in a Zone
 
-   Each owner name in the zone which has authoritative data or a secured
-   delegation point NS RRset MUST have an NSEC3 resource record.
+6.  Including NSEC3 RRs in a Zone
 
-   An unsecured delegation point NS RRset MAY have an NSEC3 resource
-   record.  This is different from NSEC records where an unsecured
-   delegation point NS RRset MUST have an NSEC record.
+   Each ownername within the zone that owns authoritative RRsets MUST
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 11]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   have a corresponding NSEC3 RR.  Ownernames that correspond to
+   unsigned delegations MAY have a corresponding NSEC3 RR, however, if
+   there is not, there MUST be a covering NSEC3 RR with the Opt-In flag
+   set to 1.  Other non-authoritative RRs are not included in the set of
+   NSEC3 RRs.
+
+   Each empty non-terminal MUST have an NSEC3 record.
 
    The TTL value for any NSEC3 RR SHOULD be the same as the minimum TTL
    value field in the zone SOA RR.
@@ -546,109 +632,85 @@ Internet-Draft                    nsec3                        june 2005
    indicate the presence of both the NSEC3 RR type itself and its
    corresponding RRSIG RR type.
 
-   The bitmap for the NSEC3 RR at a delegation point requires special
-   attention.  Bits corresponding to the delegation NS RRset and any
-   RRsets for which the parent zone has authoritative data MUST be set;
-   bits corresponding to any non-NS RRset for which the parent is not
-   authoritative MUST be clear.
-
    The following steps describe the proper construction of NSEC3
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 10]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   records.
-   1.  For each unique original owner name in the zone, add an NSEC3
-       RRset.  This includes NSEC3 RRsets for unsigned delegation point
-       NS RRsets, unless the policy is to have Authoritative Only NSEC3
-       RRsets.  The ownername of the NSEC3 RR is the hashed equivalent
-       of the original owner name, prepended to the zone name.
-   2.  For each RRset at the original owner, set the corresponding bit
-       in the type bit map.
+   records.  [Comment.2]
+   1.  For each unique original ownername in the zone, add an NSEC3
+       RRset.  If Opt-In is being used, ownernames of unsigned
+       delegations may be excluded, but must be considered for empty-
+       non-terminals.  The ownername of the NSEC3 RR is the hashed
+       equivalent of the original owner name, prepended to the zone
+       name.  The Next Hashed Ownername field is left blank for the
+       moment.  If Opt-In is being used, set the Opt-In bit to one.
+   2.  For each RRset at the original owner name, set the corresponding
+       bit in the type bit map.
    3.  If the difference in number of labels between the apex and the
        original ownername is greater then 1, additional NSEC3s need to
        be added for every empty non-terminal between the apex and the
-       original ownername.
-   4.  Sort the set of NSEC3 RRs.
-   5.  In each NSEC3 RR, insert the Next Hashed Ownername.  The Next
-       Hashed Ownername of the last NSEC3 in the zone contains the value
-       of the hashed ownername of the first NSEC3 in the zone.
-   6.  If the policy is to have authoritative only, set the
-       Authoritative Only bit in those NSEC3 RRs that cover unsecured
-       delegation points.
+       original ownername.  This process may generate NSEC3 RRs with
+       duplicate hashed ownernames.
+   4.  Sort the set of NSEC3 RRs into hash order.  Hash order is the
+       ascending numerical order of the non-encoded hash values.
+   5.  Combine NSEC3 RRs with identical hashed ownernames by replacing
+       with a single NSEC3 RR with the type map consisting of the union
+       of the types represented by the set of NSEC3 RRs.
+   6.  In each NSEC3 RR, insert the Next Hashed Ownername by using the
+       value of the next NSEC3 RR in hash order.  The Next Hashed
+       Ownername of the last NSEC3 in the zone contains the value of the
+       hashed ownername of the first NSEC3 in the hash order.
 
-6.  Special Considerations
+
+7.  Responding to NSEC3 Queries
+
+   Since NSEC3 ownernames are not represented in the NSEC3 chain like
+   other zone ownernames, direct queries for NSEC3 ownernames present a
+   special case.
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 12]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   The special case arises when the following are all true:
+   o  The QNAME equals an existing NSEC3 ownername, and
+   o  There are no other record types that exist at QNAME, and
+   o  The QTYPE does not equal NSEC3.
+   These conditions describe a particular case: the answer should be a
+   NOERROR/NODATA response, but there is no NSEC3 RRset for H(QNAME) to
+   include in the authority section.
+
+   However, the NSEC3 RRset with ownername equal to QNAME is able to
+   prove its own existence.  Thus, when answering this query, the
+   authoritative server MUST include the NSEC3 RRset whose ownername
+   equals QNAME.  This RRset proves that QNAME is an existing name with
+   types NSEC3 and RRSIG.  The authoritative server MUST also include
+   the NSEC3 RRset that covers the hash of QNAME.  This RRset proves
+   that no other types exist.
+
+   When validating a NOERROR/NODATA response, validators MUST check for
+   a NSEC3 RRset with ownername equals to QNAME, and MUST accept that
+   (validated) NSEC3 RRset as proof that QNAME exists.  The validator
+   MUST also check for an NSEC3 RRset that covers the hash of QNAME as
+   proof that QTYPE doesn't exist.
+
+   Other cases where the QNAME equals an existing NSEC3 ownername may be
+   answered normally.
+
+
+8.  Special Considerations
 
    The following paragraphs clarify specific behaviour explain special
    considerations for implementations.
 
-6.1  Delegation Points
-
-   This proposal introduces the Authoritative Only Flag which indicates
-   whether non authoritative delegation point NS records are included in
-   the type bit Maps.  As discussed in paragraph 2.1.1, a flag value of
-   0 indicates that the interpretation of the type bit maps is identical
-   to NSEC records.
-
-   The following subsections describe behaviour when the flag value is
-   1.
-
-6.1.1  Unsigned Delegations
-
-   Delegation point NS records are not authoritative.  They are
-   authoritative in the delegated zone.  No other data exists at the
-   ownername of an unsigned delegation point.
-
-   Since no authoritative data exist at this ownername, it is excluded
-   from the NSEC3 chain.  This is an optimization, since it relieves the
-   zone of including an NSEC3 record and its associated signature for
-   this name.
-
-   An NSEC3 that denies existence of ownernames between X and X' with
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 11]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   the Authoritative Only Flag set to 1 can not be used to prove the
-   presence or the absence of delegation point NS records for unsigned
-   delegations in the interval (X, X').  The Authoritative Only Flag
-   effectively states No Contest on the presence of delegation point NS
-   resource records.
-
-   Since proof is absent, there exists a new attack vector.  Unsigned
-   delegation point NS records can be deleted during a man in the middle
-   attack, effectively denying existence of the delegation.  This is a
-   form of Denial of Service, where the victim has no information it is
-   under attack, since all signatures are valid and the fabricated
-   response form is a known type of response.
-
-   The only possible mitigation is to either not use this method, hence
-   proving existence or absence of unsigned delegations, or to sign all
-   delegations, regardless of whether the delegated zone is signed or
-   not.
-
-   A second attack vector exists in that an adversary is able to
-   successfully fabricate an (unsigned) response claiming a nonexistent
-   delegation exists.
-
-   The only possible mitigation is to mandate the signing of all
-   delegations.
-
-6.2  Proving Nonexistence
+8.1.  Proving Nonexistence
 
    If a wildcard resource record appears in a zone, its asterisk label
    is treated as a literal symbol and is treated in the same way as any
-   other ownername for purposes of generating NSEC3 RRs.  RFC 4035
-   [RFC4035] describes the impact of wildcards on authenticated denial
-   of existence.
+   other ownername for purposes of generating NSEC3 RRs.  RFC 4035 [5]
+   describes the impact of wildcards on authenticated denial of
+   existence.
 
    In order to prove there exist no RRs for a domain, as well as no
    source of synthesis, an RR must be shown for the closest encloser,
@@ -659,20 +721,20 @@ Internet-Draft                    nsec3                        june 2005
    omega.alfa.beta.example, and the closest encloser is beta.example
    (the nearest ancestor to omega.alfa.beta.example), then the server
    should return an NSEC3 that demonstrates the nonexistence of
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 13]
+
+Internet-Draft                    nsec3                    February 2006
+
+
    alfa.beta.example, an NSEC3 that demonstrates the nonexistence of
    *.beta.example, and an NSEC3 that demonstrates the existence of
    beta.example.  This takes between one and three NSEC3 records, since
    a single record can, by chance, prove more than one of these facts.
 
    When a verifier checks this response, then the existence of
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 12]
-
-Internet-Draft                    nsec3                        june 2005
-
-
    beta.example together with the non-existence of alfa.beta.example
    proves that the closest encloser is indeed beta.example.  The non-
    existence of *.beta.example shows that there is no wildcard at the
@@ -697,21 +759,106 @@ Internet-Draft                    nsec3                        june 2005
    the resolver tries MUST be the apex of the zone, since names above
    the apex could be denied by one of the returned NSEC3s.
 
-6.3  Salting
+8.2.  Salting
 
    Augmenting original ownernames with salt before hashing increases the
    cost of a dictionary of pre-generated hash-values.  For every bit of
-   salt, the cost of the dictionary doubles.  The NSEC3 RR can use a
-   maximum of 2040 bits of salt, multiplying the cost by 2^2040.
+   salt, the cost of a precomputed dictionary doubles (because there
+   must be an entry for each word combined with each possible salt
+   value).  The NSEC3 RR can use a maximum of 2040 bits (255 octets) of
+   salt, multiplying the cost by 2^2040.  This means that an attacker
+   must, in practice, recompute the dictionary each time the salt is
+   changed.
 
-   There MUST be a complete set of NSEC3s for the zone using the same
-   salt value.  The salt value for each NSEC3 RR MUST be equal for a
-   single version of the zone.
+   There MUST be at least one complete set of NSEC3s for the zone using
+   the same salt value.
 
-   The salt SHOULD be changed every time the zone is resigned to prevent
-   precomputation using a single salt.
+   The salt SHOULD be changed periodically to prevent precomputation
+   using a single salt.  It is RECOMMENDED that the salt be changed for
+   every resigning.
 
-6.4  Hash Collision
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 14]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+   Note that this could cause a resolver to see records with different
+   salt values for the same zone.  This is harmless, since each record
+   stands alone (that is, it denies the set of ownernames whose hashes,
+   using the salt in the NSEC3 record, fall between the two hashes in
+   the NSEC3 record) - it is only the server that needs a complete set
+   of NSEC3 records with the same salt in order to be able to answer
+   every possible query.
+
+   There is no prohibition with having NSEC3 with different salts within
+   the same zone.  However, in order for authoritative servers to be
+   able to consistently find covering NSEC3 RRs, the authoritative
+   server MUST choose a single set of parameters (algorithm, salt, and
+   iterations) to use when selecting NSEC3s.  In the absence of any
+   other metadata, the server does this by using the parameters from the
+   zone apex NSEC3, recognizable by the presence of the SOA bit in the
+   type map.  If there is more than one NSEC3 record that meets this
+   description, then the server may arbitrarily choose one.  Because of
+   this, if there is a zone apex NSEC3 RR within a zone, it MUST be part
+   of a complete NSEC3 set.  Conversely, if there exists an incomplete
+   set of NSEC3 RRs using the same parameters within a zone, there MUST
+   NOT be an NSEC3 RR using those parameters with the SOA bit set.
+
+8.3.  Iterations
+
+   Setting the number of iterations used allows the zone owner to choose
+   the cost of computing a hash, and so the cost of generating a
+   dictionary.  Note that this is distinct from the effect of salt,
+   which prevents the use of a single precomputed dictionary for all
+   time.
+
+   Obviously the number of iterations also affects the zone owner's cost
+   of signing the zone as well as the verifiers cost of verifying the
+   zone.  We therefore impose an upper limit on the number of
+   iterations.  We base this on the number of iterations that
+   approximately doubles the cost of signing the zone.
+
+   A zone owner MUST NOT use a value higher than shown in the table
+   below for iterations.  A resolver MAY treat a response with a higher
+   value as bogus.
+
+                       +--------------+------------+
+                       | RSA Key Size | Iterations |
+                       +--------------+------------+
+                       | 1024         | 3,000      |
+                       | 2048         | 20,000     |
+                       | 4096         | 150,000    |
+                       +--------------+------------+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 15]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+                       +--------------+------------+
+                       | DSA Key Size | Iterations |
+                       +--------------+------------+
+                       | 1024         | 1,500      |
+                       | 2048         | 5,000      |
+                       +--------------+------------+
+
+   This table is based on 150,000 SHA-1's per second, 50 RSA signs per
+   second for 1024 bit keys, 7 signs per second for 2048 bit keys, 1
+   sign per second for 4096 bit keys, 100 DSA signs per second for 1024
+   bit keys and 30 signs per second for 2048 bit keys.
+
+   Note that since RSA verifications are 10-100 times faster than
+   signatures (depending on key size), in the case of RSA the legal
+   values of iterations can substantially increase the cost of
+   verification.
+
+8.4.  Hash Collision
 
    Hash collisions occur when different messages have the same hash
    value.  The expected number of domain names needed to give a 1 in 2
@@ -721,31 +868,19 @@ Internet-Draft                    nsec3                        june 2005
    assessing possible damage in the event of an attack using hash
    collisions.
 
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 13]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-6.4.1  Avoiding Hash Collisions during generation
+8.4.1.  Avoiding Hash Collisions during generation
 
    During generation of NSEC3 RRs, hash values are supposedly unique.
    In the (academic) case of a collision occurring, an alternative salt
-   SHOULD be chosen and all hash values SHOULD be regenerated.
+   MUST be chosen and all hash values MUST be regenerated.
 
-   If hash values are not regenerated on collision, the NSEC3 RR MUST
-   list all authoritative RR types that exist for both owners, to avoid
-   a replay attack, spoofing an existing type as non-existent.
-
-6.4.2  Second Preimage Requirement Analysis
+8.4.2.  Second Preimage Requirement Analysis
 
    A cryptographic hash function has a second-preimage resistance
    property.  The second-preimage resistance property means that it is
    computationally infeasible to find another message with the same hash
    value as a given message, i.e. given preimage X, to find a second
-   preimage X' <> X such that hash(X) = hash(X').  The work factor for
+   preimage X' != X such that hash(X) = hash(X').  The work factor for
    finding a second preimage is of the order of 2^160 for SHA-1.  To
    mount an attack using an existing NSEC3 RR, an adversary needs to
    find a second preimage.
@@ -754,12 +889,20 @@ Internet-Draft                    nsec3                        june 2005
    the actual damage is that a response message can be generated which
    claims that a certain QNAME (i.e. the second pre-image) does exist,
    while in reality QNAME does not exist (a false positive), which will
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 16]
+
+Internet-Draft                    nsec3                    February 2006
+
+
    either cause a security aware resolver to re-query for the non-
    existent name, or to fail the initial query.  Note that the adversary
    can't mount this attack on an existing name but only on a name that
    the adversary can't choose and does not yet exist.
 
-6.4.3  Possible Hash Value Truncation Method
+8.4.3.  Possible Hash Value Truncation Method
 
    The previous sections outlined the low probability and low impact of
    a second-preimage attack.  When impact and probability are low, while
@@ -768,22 +911,16 @@ Internet-Draft                    nsec3                        june 2005
    hashed labels.  In general, if a cryptographic hash is truncated to n
    bits, then the expected number of domains required to give a 1 in 2
    probability of a single collision is approximately 2^(n/2) and the
-   work factor to produce a second preimage resistance is 2^n.
+   work factor to produce a second preimage is 2^n.
 
    An extreme hash value truncation would be truncating to the shortest
-   possible unique label value.  Considering that hash values are
-   presented in base32, which represents 5 bits per label character,
-   truncation must be done on a 5 bit boundary.  This would be unwise,
-   since the work factor to produce collisions would then approximate
-   the size of the zone.
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 14]
-
-Internet-Draft                    nsec3                        june 2005
-
+   possible unique label value.  This would be unwise, since the work
+   factor to produce second preimages would then approximate the size of
+   the zone (sketch of proof: if the zone has k entries, then the length
+   of the names when truncated down to uniqueness should be proportional
+   to log_2(k).  Since the work factor to produce a second pre-image is
+   2^n for an n-bit hash, then in this case it is 2^(C log_2(k)) (where
+   C is some constant), i.e.  C'k - a work factor of k).
 
    Though the mentioned truncation can be maximized to a certain
    extreme, the probability of collision increases exponentially for
@@ -793,20 +930,52 @@ Internet-Draft                    nsec3                        june 2005
    course, the size of the corresponding RRSIG RR is not reduced, so
    truncation is of limited benefit.
 
-   Truncation could be signalled simply by reducing the length of the
+   Truncation could be signaled simply by reducing the length of the
    first label in the ownername.  Note that there would have to be a
    corresponding reduction in the length of the Next Hashed Ownername
    field.
 
-7.  Performance Considerations
+8.4.4.  Server Response to a Run-time Collision
 
-   Iterated hashes will obviously impose a performance penalty on both
-   authoritative servers and resolvers.  Therefore, the number of
-   iterations should be carefully chosen.  In particular it should be
-   noted that a high value for iterations gives an attacker a very good
-   denial of service attack, since the attacker need not bother to
-   verify the results of their queries, and hence has no performance
-   penalty of his own.
+   In the astronomically unlikely event that a server is unable to prove
+   nonexistence because the hash of the name that does not exist
+   collides with a name that does exist, the server is obviously broken,
+   and should, therefore, return a response with an RCODE of 2 (server
+   failure).
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 17]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+8.4.5.  Parameters that Cover the Zone
+
+   Secondary servers (and perhaps other entities) need to reliably
+   determine which NSEC3 parameters (that is, hash, salt and iterations)
+   are present at every hashed ownername, in order to be able to choose
+   an appropriate set of NSEC3 records for negative responses.  This is
+   indicated by the parameters at the apex: any set of parameters that
+   is used in an NSEC3 record whose original ownername is the apex of
+   the zone MUST be present throughout the zone.
+
+   A method to determine which NSEC3 in a complete chain corresponds to
+   the apex is to look for a NSEC3 RRset which has the SOA bit set in
+   the RDATA bit type maps field.
+
+
+9.  Performance Considerations
+
+   Iterated hashes impose a performance penalty on both authoritative
+   servers and resolvers.  Therefore, the number of iterations should be
+   carefully chosen.  In particular it should be noted that a high value
+   for iterations gives an attacker a very good denial of service
+   attack, since the attacker need not bother to verify the results of
+   their queries, and hence has no performance penalty of his own.
 
    On the other hand, nameservers with low query rates and limited
    bandwidth are already subject to a bandwidth based denial of service
@@ -816,39 +985,45 @@ Internet-Draft                    nsec3                        june 2005
    enumerate their namespace without significantly increasing their
    vulnerability to denial of service attacks.
 
-8.  IANA Considerations
 
-   IANA has to create a new registry for NSEC3 Hash Functions.  The
-   range for this registry is 0-127.  Value 0 is the identity function.
-   Value 1 is SHA-1.  Values 2-126 are Reserved For Future Use. Value
-   127 is marked as Experimental.
+10.  IANA Considerations
 
-9.  Security Considerations
+   IANA needs to allocate a RR type code for NSEC3 from the standard RR
+   type space (type XXX requested).  IANA needs to open a new registry
+   for the NSEC3 Hash Functions.  The range for this registry is 0-127.
+   Defined types are:
+
+      0 is reserved.
+      1 is SHA-1 ([13]).
+      127 is experimental.
+
+
+11.  Security Considerations
 
    The NSEC3 records are still susceptible to dictionary attacks (i.e.
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 18]
+
+Internet-Draft                    nsec3                    February 2006
+
+
    the attacker retrieves all the NSEC3 records, then calculates the
    hashes of all likely domain names, comparing against the hashes found
    in the NSEC3 records, and thus enumerating the zone).  These are
-   substantially more expensive than traversing the original NSEC
+   substantially more expensive than enumerating the original NSEC
    records would have been, and in any case, such an attack could also
    be used directly against the name server itself by performing queries
    for all likely names, though this would obviously be more detectable.
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 15]
-
-Internet-Draft                    nsec3                        june 2005
-
-
    The expense of this off-line attack can be chosen by setting the
    number of iterations in the NSEC3 RR.
 
-   High-value domains are also susceptible to a precalculated dictionary
-   attack - that is, a list of hashes for all likely names is computed
-   once, then NSEC3 is scanned periodically and compared against the
-   precomputed hashes.  This attack is prevented by changing the salt on
-   a regular basis.
+   Domains are also susceptible to a precalculated dictionary attack -
+   that is, a list of hashes for all likely names is computed once, then
+   NSEC3 is scanned periodically and compared against the precomputed
+   hashes.  This attack is prevented by changing the salt on a regular
+   basis.
 
    Walking the NSEC3 RRs will reveal the total number of records in the
    zone, and also what types they are.  This could be mitigated by
@@ -860,84 +1035,80 @@ Internet-Draft                    nsec3                        june 2005
    fantastically unlikely, and, in any case, DNSSEC already relies on
    SHA-1 to not collide.
 
-10.  References
+   Responses to queries where QNAME equals an NSEC3 ownername that has
+   no other types may be undetectably changed from a NOERROR/NODATA
+   response to a NAME ERROR response.
 
-10.1  Normative References
+   The Opt-In Flag (O) allows for unsigned names, in the form of
+   delegations to unsigned subzones, to exist within an otherwise signed
+   zone.  All unsigned names are, by definition, insecure, and their
+   validity or existence cannot by cryptographically proven.
 
-   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
-              STD 13, RFC 1034, November 1987.
+   In general:
+      Records with unsigned names (whether existing or not) suffer from
+      the same vulnerabilities as records in an unsigned zone.  These
+      vulnerabilities are described in more detail in [16] (note in
+      particular sections 2.3, "Name Games" and 2.6, "Authenticated
+      Denial").
+      Records with signed names have the same security whether or not
+      Opt-In is used.
 
-   [RFC1035]  Mockapetris, P., "Domain names - implementation and
-              specification", STD 13, RFC 1035, November 1987.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
-              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
-              RFC 2136, April 1997.
-
-   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
-              Specification", RFC 2181, July 1997.
-
-   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
-              NCACHE)", RFC 2308, March 1998.
-
-   [RFC2929]  Eastlake, D., Brunner-Williams, E., and B. Manning,
-              "Domain Name System (DNS) IANA Considerations", BCP 42,
-              RFC 2929, September 2000.
-
-   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
-              (RR) Types", RFC 3597, September 2003.
+   Note that with or without Opt-In, an insecure delegation may be
+   undetectably altered by an attacker.  Because of this, the primary
+   difference in security when using Opt-In is the loss of the ability
+   to prove the existence or nonexistence of an insecure delegation
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 16]
+Laurie, et al.           Expires August 5, 2006                [Page 19]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
-   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "DNS Security Introduction and Requirements",
-              RFC 4033, March 2005.
+   within the span of an Opt-In NSEC3 record.
 
-   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Resource Records for the DNS Security Extensions",
-              RFC 4034, March 2005.
+   In particular, this means that a malicious entity may be able to
+   insert or delete records with unsigned names.  These records are
+   normally NS records, but this also includes signed wildcard
+   expansions (while the wildcard record itself is signed, its expanded
+   name is an unsigned name).
 
-   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Protocol Modifications for the DNS Security
-              Extensions", RFC 4035, March 2005.
+   For example, if a resolver received the following response from the
+   example zone above:
 
-10.2  Informative References
+   Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE.  A
 
-   [I-D.ietf-dnsext-trustupdate-threshold]
-              Ihren, J., "An In-Band Rollover Mechanism and an Out-Of-
-              Band Priming Method for DNSSEC  Trust Anchors.",
-              draft-ietf-dnsext-trustupdate-threshold-00 (work in
-              progress), October 2004.
+           RCODE=NOERROR
 
-   [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
-              3", BCP 9, RFC 2026, October 1996.
+           Answer Section:
 
-   [RFC2418]  Bradner, S., "IETF Working Group Guidelines and
-              Procedures", BCP 25, RFC 2418, September 1998.
+           Authority Section:
+           DOES-NOT-EXIST.EXAMPLE. NS     NS.FORGED.
+           EXAMPLE.                NSEC   FIRST-SECURE.EXAMPLE. SOA NS \
+                                          RRSIG DNSKEY
+           abcd...                 RRSIG  NSEC3 ...
+
+           Additional Section:
+
+   The resolver would have no choice but to accept that the referral to
+   NS.FORGED. is valid.  If a wildcard existed that would have been
+   expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
+   have undetectably removed it and replaced it with the forged
+   delegation.
+
+   Note that being able to add a delegation is functionally equivalent
+   to being able to add any record type: an attacker merely has to forge
+   a delegation to nameserver under his/her control and place whatever
+   records needed at the subzone apex.
+
+   While in particular cases, this issue may not present a significant
+   security problem, in general it should not be lightly dismissed.
+   Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
+   In particular, zone signing tools SHOULD NOT default to using Opt-In,
+   and MAY choose to not support Opt-In at all.
 
 
-Authors' Addresses
-
-   Ben Laurie
-   Nominet
-   17 Perryn Road
-   London  W3 7LR
-   England
-
-   Phone: +44 (20) 8735 0686
-   Email: ben@algroup.co.uk
-
-
-   Geoffrey Sisson
-   Nominet
+12.  References
 
 
 
@@ -945,28 +1116,95 @@ Authors' Addresses
 
 
 
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 17]
+Laurie, et al.           Expires August 5, 2006                [Page 20]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
-   Roy Arends
-   Telematica Instituut
-   Brouwerijstraat 1
-   7523 XC  Enschede
-   The Netherlands
+12.1.  Normative References
+
+   [1]   Mockapetris, P., "Domain names - concepts and facilities",
+         STD 13, RFC 1034, November 1987.
+
+   [2]   Mockapetris, P., "Domain names - implementation and
+         specification", STD 13, RFC 1035, November 1987.
+
+   [3]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "DNS Security Introduction and Requirements", RFC 4033,
+         March 2005.
+
+   [4]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Resource Records for the DNS Security Extensions", RFC 4034,
+         March 2005.
+
+   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Protocol Modifications for the DNS Security Extensions",
+         RFC 4035, March 2005.
+
+   [6]   Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
+         Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+         April 1997.
+
+   [7]   Elz, R. and R. Bush, "Clarifications to the DNS Specification",
+         RFC 2181, July 1997.
+
+   [8]   Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+         RFC 2308, March 1998.
+
+   [9]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+         Levels", BCP 14, RFC 2119, March 1997.
+
+   [10]  Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
+         RFC 3658, December 2003.
+
+   [11]  Eastlake, D., Brunner-Williams, E., and B. Manning, "Domain
+         Name System (DNS) IANA Considerations", BCP 42, RFC 2929,
+         September 2000.
+
+   [12]  Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+         Types", RFC 3597, September 2003.
+
+   [13]  Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)",
+         RFC 3174, September 2001.
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 21]
+
+Internet-Draft                    nsec3                    February 2006
+
+
+12.2.  Informative References
+
+   [14]  Vixie, P., "Extending DNSSEC-BIS (DNSSEC-TER)",
+         draft-vixie-dnssec-ter-01 (work in progress), June 2004.
+
+   [15]  Josefsson, Ed., S,., "The Base16, Base32, and Base64 Data
+         Encodings.", draft-josefsson-rfc3548bis-00 (work in progress),
+         October 2005.
+
+   [16]  Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
+         System (DNS)", RFC 3833, August 2004.
+
+Editorial Comments
+
+   [Comment.1]  Although, strictly speaking, the names *did* exist.
+
+   [Comment.2]  Note that this method makes it impossible to detect
+                (extremely unlikely) hash collisions.
 
-   Phone: +31 (53) 485 0485
-   Email: roy.arends@telin.nl
 
 Appendix A.  Example Zone
 
    This is a zone showing its NSEC3 records.  They can also be used as
    test vectors for the hash algorithm.
 
+   The data in the example zone is currently broken, as it uses a
+   different base32 alphabet.  This shall be fixed in the next release.
+
 
    example.       3600 IN SOA ns1.example. bugs.x.w.example. (
                               1
@@ -987,6 +1225,14 @@ Appendix A.  Example Zone
                               m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
                               1SH5r/wfjuCg+g== )
                   3600 MX     1 xx.example.
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 22]
+
+Internet-Draft                    nsec3                    February 2006
+
+
                   3600 RRSIG  MX 5 1 3600 20050712112304 (
                               20050612112304 62699 example.
                               L/ZDLMSZJKITmSxmM9Kni37/wKQsdSg6FT0l
@@ -1001,14 +1247,6 @@ Appendix A.  Example Zone
                               AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU
                               5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL
                               ExXT48OGGdbfIme5
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 18]
-
-Internet-Draft                    nsec3                        june 2005
-
-
                               ) ; Key ID = 62699
                   3600 RRSIG  DNSKEY 5 1 3600 20050712112304 (
                               20050612112304 62699 example.
@@ -1043,6 +1281,14 @@ Internet-Draft                    nsec3                        june 2005
                   3600 DS     58470 5 1 3079F1593EBAD6DC121E202A8B
                               766A6A4837206C )
                   3600 RRSIG  DS 5 2 3600 20050712112304 (
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 23]
+
+Internet-Draft                    nsec3                    February 2006
+
+
                               20050612112304 62699 example.
                               QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
                               cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
@@ -1057,14 +1303,6 @@ Internet-Draft                    nsec3                        june 2005
                               ZXW5S+1VjMZYzQ== )
                   3600 HINFO  "KLH-10" "ITS"
                   3600 RRSIG  HINFO 5 2 3600 20050712112304 (
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 19]
-
-Internet-Draft                    nsec3                        june 2005
-
-
                               20050612112304 62699 example.
                               AR0hG/Z/e+vlRhxRQSVIFORzrJTBpdNHhwUk
                               tiuqg+zGqKK84eIqtrqXelcE2szKnF3YPneg
@@ -1099,6 +1337,14 @@ Internet-Draft                    nsec3                        june 2005
                               OwQBGbOegrW/Zw== )
    jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 NSEC3  0 1 1 (
                               deadbeaf
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 24]
+
+Internet-Draft                    nsec3                    February 2006
+
+
                               kcll7fqfnisuhfekckeeqnmbbd4maanu
                               NSEC3 RRSIG )
                   3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
@@ -1113,14 +1359,6 @@ Internet-Draft                    nsec3                        june 2005
                   3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
                               20050612112304 62699 example.
                               d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 20]
-
-Internet-Draft                    nsec3                        june 2005
-
-
                               IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
                               TOLtc5jPrkL4zQ== )
    n42hbhnjj333xdxeybycax5ufvntux5d.example. 3600 NSEC3  0 1 1 (
@@ -1155,6 +1393,14 @@ Internet-Draft                    nsec3                        june 2005
                               AkeTJu3J3auUiA== )
    vhgwr2qgykdkf4m6iv6vkagbxozphazr.example. 3600 NSEC3  0 1 1 (
                               deadbeaf
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 25]
+
+Internet-Draft                    nsec3                    February 2006
+
+
                               wbyijvpnyj33pcpi3i44ecnibnaj7eiw
                               HINFO A AAAA NSEC3 RRSIG )
                   3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
@@ -1169,14 +1415,6 @@ Internet-Draft                    nsec3                        june 2005
                               xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
                               gQlgxEwhvQDEaQ== )
    x.w.example.   3600 MX     1 xx.example.
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 21]
-
-Internet-Draft                    nsec3                        june 2005
-
-
                   3600 RRSIG  MX 5 3 3600 20050712112304 (
                               20050612112304 62699 example.
                               s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
@@ -1211,6 +1449,14 @@ Internet-Draft                    nsec3                        june 2005
                               KMf4DgNBDj+dIQ== )
                   3600 AAAA   2001:db8:0:0:0:0:f00:baaa
                   3600 RRSIG  AAAA 5 2 3600 20050712112304 (
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 26]
+
+Internet-Draft                    nsec3                    February 2006
+
+
                               20050612112304 62699 example.
                               rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
                               w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
@@ -1226,19 +1472,12 @@ Internet-Draft                    nsec3                        june 2005
                               OcFlrPGPMm48/A== )
 
 
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 22]
-
-Internet-Draft                    nsec3                        june 2005
-
-
 Appendix B.  Example Responses
 
    The examples in this section show response messages using the signed
    zone example in Appendix A.
 
-B.1  answer
+B.1.  answer
 
    A successful query to an authoritative server.
 
@@ -1269,24 +1508,9 @@ B.1  answer
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 23]
+Laurie, et al.           Expires August 5, 2006                [Page 27]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    ;; Header: QR AA DO RCODE=0
@@ -1340,9 +1564,9 @@ Internet-Draft                    nsec3                        june 2005
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 24]
+Laurie, et al.           Expires August 5, 2006                [Page 28]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    The query returned an MX RRset for "x.w.example".  The corresponding
@@ -1360,7 +1584,7 @@ Internet-Draft                    nsec3                        june 2005
    falls between the signature inception and expiration dates, the
    signature is authenticated.
 
-B.1.1  Authenticating the Example DNSKEY RRset
+B.1.1.  Authenticating the Example DNSKEY RRset
 
    This example shows the logical authentication process that starts
    from a configured root DNSKEY RRset (or DS RRset) and moves down the
@@ -1396,9 +1620,9 @@ B.1.1  Authenticating the Example DNSKEY RRset
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 25]
+Laurie, et al.           Expires August 5, 2006                [Page 29]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    DNSKEY RRset uses algorithm 5 and has a key tag of 62699.  This
@@ -1407,7 +1631,7 @@ Internet-Draft                    nsec3                        june 2005
    then each DNSKEY RR is tried, and the answer is authenticated if any
    of the matching DNSKEY RRs validate the signature as described above.
 
-B.2  Name Error
+B.2.  Name Error
 
    An authoritative name error.  The NSEC3 RRs prove that the name does
    not exist and that no covering wildcard exists.
@@ -1452,9 +1676,9 @@ B.2  Name Error
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 26]
+Laurie, et al.           Expires August 5, 2006                [Page 30]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    ;; Header: QR AA DO RCODE=3
@@ -1508,19 +1732,22 @@ Internet-Draft                    nsec3                        june 2005
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 27]
+Laurie, et al.           Expires August 5, 2006                [Page 31]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    above.  At least one of the owner names of the NSEC3 RRs will match
    the closest encloser.  At least one of the NSEC3 RRs prove that there
    exists no longer name.  At least one of the NSEC3 RRs prove that
    there exists no wildcard RRsets that should have been expanded.  The
-   closest encloser can be found by hasing the apex ownername (The SOA
+   closest encloser can be found by hashing the apex ownername (The SOA
    RR's ownername, or the ownername of the DNSKEY RRset referred by an
    RRSIG RR), matching it to the ownername of one of the NSEC3 RRs, and
-   if that fails, continue by adding labels.
+   if that fails, continue by adding labels.  In other words, the
+   resolver first hashes example, checks for a matching NSEC3 ownername,
+   then hashes w.example, checks, and finally hashes w.x.example and
+   checks.
 
    In the above example, the name 'x.w.example' hashes to
    '7nomf47k3vlidh4vxahhpp47l3tgv7a2'.  This indicates that this might
@@ -1531,7 +1758,7 @@ Internet-Draft                    nsec3                        june 2005
    these hashed ownernames do not exists, since the names are within the
    given intervals.
 
-B.3  No Data Error
+B.3.  No Data Error
 
    A "no data" response.  The NSEC3 RR proves that the name exists and
    that the requested RR type does not.
@@ -1561,12 +1788,9 @@ B.3  No Data Error
 
 
 
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 28]
+Laurie, et al.           Expires August 5, 2006                [Page 32]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    ;; Header: QR AA DO RCODE=0
@@ -1610,7 +1834,7 @@ Internet-Draft                    nsec3                        june 2005
    by verifying the NSEC3 RR.  The NSEC3 RR is authenticated in a manner
    identical to that of the MX RRset discussed above.
 
-B.3.1  No Data Error, Empty Non-Terminal
+B.3.1.  No Data Error, Empty Non-Terminal
 
    A "no data" response because of an empty non-terminal.  The NSEC3 RR
    proves that the name exists and that the requested RR type does not.
@@ -1620,9 +1844,9 @@ B.3.1  No Data Error, Empty Non-Terminal
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 29]
+Laurie, et al.           Expires August 5, 2006                [Page 33]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    ;; Header: QR AA DO RCODE=0
@@ -1667,7 +1891,7 @@ Internet-Draft                    nsec3                        june 2005
    proving a No Data Error.  This example is solely mentioned to be
    complete.
 
-B.4  Referral to Signed Zone
+B.4.  Referral to Signed Zone
 
    Referral to a signed zone.  The DS RR contains the data which the
    resolver will need to validate the corresponding DNSKEY RR in the
@@ -1676,9 +1900,9 @@ B.4  Referral to Signed Zone
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 30]
+Laurie, et al.           Expires August 5, 2006                [Page 34]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    ;; Header: QR DO RCODE=0
@@ -1720,11 +1944,10 @@ Internet-Draft                    nsec3                        june 2005
    all keys in the "a.example" DNSKEY RRset are considered
    authenticated.
 
-B.5  Referral to Unsigned Zone using Opt-In
+B.5.  Referral to Unsigned Zone using the Opt-In Flag
 
-   Referral to an unsigned zone using Opt-In.  The NSEC3 RR proves that
-   nothing for this delegation was signed in the parent zone.  There is
-   no proof that the delegation exists
+   The NSEC3 RR proves that nothing for this delegation was signed in
+   the parent zone.  There is no proof that the delegation exists
 
 
 
@@ -1732,9 +1955,10 @@ B.5  Referral to Unsigned Zone using Opt-In
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 31]
+
+Laurie, et al.           Expires August 5, 2006                [Page 35]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    ;; Header: QR DO RCODE=0
@@ -1770,7 +1994,7 @@ Internet-Draft                    nsec3                        june 2005
    the NSEC3 opt-in bit is set.  The NSEC3 RR is authenticated in a
    manner identical to that of the MX RRset discussed above.
 
-B.6  Wildcard Expansion
+B.6.  Wildcard Expansion
 
    A successful query that was answered via wildcard expansion.  The
    label count in the answer's RRSIG RR indicates that a wildcard RRset
@@ -1788,9 +2012,9 @@ B.6  Wildcard Expansion
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 32]
+Laurie, et al.           Expires August 5, 2006                [Page 36]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    ;; Header: QR AA DO RCODE=0
@@ -1844,9 +2068,9 @@ Internet-Draft                    nsec3                        june 2005
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 33]
+Laurie, et al.           Expires August 5, 2006                [Page 37]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    signed by an "example" DNSKEY with algorithm 5 and key tag 62699.
@@ -1863,7 +2087,7 @@ Internet-Draft                    nsec3                        june 2005
    could have been used to answer this query, and the NSEC3 RR must also
    be authenticated before the answer is considered valid.
 
-B.7  Wildcard No Data Error
+B.7.  Wildcard No Data Error
 
    A "no data" response for a name covered by a wildcard.  The NSEC3 RRs
    prove that the matching wildcard name does not have any RRs of the
@@ -1900,9 +2124,9 @@ B.7  Wildcard No Data Error
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 34]
+Laurie, et al.           Expires August 5, 2006                [Page 38]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    ;; Header: QR AA DO RCODE=0
@@ -1943,7 +2167,7 @@ Internet-Draft                    nsec3                        june 2005
    not exist and no wildcard applies.  The negative reply is
    authenticated by verifying both NSEC3 RRs.
 
-B.8  DS Child Zone No Data Error
+B.8.  DS Child Zone No Data Error
 
    A "no data" response for a QTYPE=DS query that was mistakenly sent to
    a name server for the child zone.
@@ -1956,9 +2180,9 @@ B.8  DS Child Zone No Data Error
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 35]
+Laurie, et al.           Expires August 5, 2006                [Page 39]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
 
 
    ;; Header: QR AA DO RCODE=0
@@ -2012,9 +2236,65 @@ Internet-Draft                    nsec3                        june 2005
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 36]
+Laurie, et al.           Expires August 5, 2006                [Page 40]
 
-Internet-Draft                    nsec3                        june 2005
+Internet-Draft                    nsec3                    February 2006
+
+
+Authors' Addresses
+
+   Ben Laurie
+   Nominet
+   17 Perryn Road
+   London  W3 7LR
+   England
+
+   Phone: +44 (20) 8735 0686
+   Email: ben@algroup.co.uk
+
+
+   Geoffrey Sisson
+   Nominet
+
+
+   Roy Arends
+   Nominet
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al.           Expires August 5, 2006                [Page 41]
+
+Internet-Draft                    nsec3                    February 2006
 
 
 Intellectual Property Statement
@@ -2055,7 +2335,7 @@ Disclaimer of Validity
 
 Copyright Statement
 
-   Copyright (C) The Internet Society (2005).  This document is subject
+   Copyright (C) The Internet Society (2006).  This document is subject
    to the rights, licenses and restrictions contained in BCP 78, and
    except as set forth therein, the authors retain all their rights.
 
@@ -2068,5 +2348,5 @@ Acknowledgment
 
 
 
-Laurie, et al.          Expires December 3, 2005               [Page 37]
+Laurie, et al.           Expires August 5, 2006                [Page 42]
 
diff --git a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-07.txt b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
similarity index 84%
rename from doc/draft/draft-ietf-dnsop-dnssec-operational-practices-07.txt
rename to doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
index 56e5791ae9..8ca68a8b2b 100644
--- a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-07.txt
+++ b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
@@ -4,11 +4,11 @@
 DNSOP                                                         O. Kolkman
 Internet-Draft                                                 R. Gieben
 Obsoletes: 2541 (if approved)                                 NLnet Labs
-Expires: August 25, 2006                               February 21, 2006
+Expires: September 7, 2006                                 March 6, 2006
 
 
                       DNSSEC Operational Practices
-          draft-ietf-dnsop-dnssec-operational-practices-07.txt
+          draft-ietf-dnsop-dnssec-operational-practices-08.txt
 
 Status of this Memo
 
@@ -33,7 +33,7 @@ Status of this Memo
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on August 25, 2006.
+   This Internet-Draft will expire on September 7, 2006.
 
 Copyright Notice
 
@@ -52,9 +52,14 @@ Abstract
 
 
 
-Kolkman & Gieben         Expires August 25, 2006                [Page 1]
+Kolkman & Gieben        Expires September 7, 2006               [Page 1]
 
-Internet-Draft        DNSSEC Operational Practices         February 2006
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   This document obsoletes RFC 2541, as it covers more operational
+   ground and gives more up to date requirements with respect to key
+   sizes and the new DNSSEC specification.
 
 
 Table of Contents
@@ -66,58 +71,59 @@ Table of Contents
    3.  Keys Generation and Storage  . . . . . . . . . . . . . . . . .  6
      3.1.  Zone and Key Signing Keys  . . . . . . . . . . . . . . . .  6
        3.1.1.  Motivations for the KSK and ZSK Separation . . . . . .  7
-       3.1.2.  KSKs for High Level Zones  . . . . . . . . . . . . . .  7
+       3.1.2.  KSKs for High Level Zones  . . . . . . . . . . . . . .  8
      3.2.  Key Generation . . . . . . . . . . . . . . . . . . . . . .  8
-     3.3.  Key Effectivity Period . . . . . . . . . . . . . . . . . .  8
+     3.3.  Key Effectivity Period . . . . . . . . . . . . . . . . . .  9
      3.4.  Key Algorithm  . . . . . . . . . . . . . . . . . . . . . .  9
      3.5.  Key Sizes  . . . . . . . . . . . . . . . . . . . . . . . . 10
-     3.6.  Private Key Storage  . . . . . . . . . . . . . . . . . . . 11
+     3.6.  Private Key Storage  . . . . . . . . . . . . . . . . . . . 12
    4.  Signature generation, Key Rollover and Related Policies  . . . 12
      4.1.  Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
-       4.1.1.  Time Considerations  . . . . . . . . . . . . . . . . . 12
+       4.1.1.  Time Considerations  . . . . . . . . . . . . . . . . . 13
      4.2.  Key Rollovers  . . . . . . . . . . . . . . . . . . . . . . 14
-       4.2.1.  Zone signing Key Rollovers . . . . . . . . . . . . . . 14
-       4.2.2.  Key signing Key Rollovers  . . . . . . . . . . . . . . 18
-       4.2.3.  Difference Between ZSK and KSK Rollovers . . . . . . . 19
-       4.2.4.  Automated Key Rollovers  . . . . . . . . . . . . . . . 20
-     4.3.  Planning for Emergency Key Rollover  . . . . . . . . . . . 21
-       4.3.1.  KSK Compromise . . . . . . . . . . . . . . . . . . . . 21
-       4.3.2.  ZSK Compromise . . . . . . . . . . . . . . . . . . . . 23
-       4.3.3.  Compromises of Keys Anchored in Resolvers  . . . . . . 23
-     4.4.  Parental Policies  . . . . . . . . . . . . . . . . . . . . 23
+       4.2.1.  Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
+       4.2.2.  Key Signing Key Rollovers  . . . . . . . . . . . . . . 19
+       4.2.3.  Difference Between ZSK and KSK Rollovers . . . . . . . 20
+       4.2.4.  Automated Key Rollovers  . . . . . . . . . . . . . . . 21
+     4.3.  Planning for Emergency Key Rollover  . . . . . . . . . . . 22
+       4.3.1.  KSK Compromise . . . . . . . . . . . . . . . . . . . . 22
+       4.3.2.  ZSK Compromise . . . . . . . . . . . . . . . . . . . . 24
+       4.3.3.  Compromises of Keys Anchored in Resolvers  . . . . . . 24
+     4.4.  Parental Policies  . . . . . . . . . . . . . . . . . . . . 24
        4.4.1.  Initial Key Exchanges and Parental Policies
-               Considerations . . . . . . . . . . . . . . . . . . . . 23
-       4.4.2.  Storing Keys or Hashes?  . . . . . . . . . . . . . . . 24
-       4.4.3.  Security Lameness  . . . . . . . . . . . . . . . . . . 24
-       4.4.4.  DS Signature Validity Period . . . . . . . . . . . . . 25
-   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 25
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 26
-   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 26
-   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
-     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 26
-     8.2.  Informative References . . . . . . . . . . . . . . . . . . 27
-   Appendix A.  Terminology . . . . . . . . . . . . . . . . . . . . . 28
-   Appendix B.  Zone signing Key Rollover Howto . . . . . . . . . . . 29
-   Appendix C.  Typographic Conventions . . . . . . . . . . . . . . . 29
-   Appendix D.  Document Details and Changes  . . . . . . . . . . . . 31
-     D.1.  draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 31
-     D.2.  draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 31
-     D.3.  draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 31
-     D.4.  draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 32
-     D.5.  draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 32
+               Considerations . . . . . . . . . . . . . . . . . . . . 24
+       4.4.2.  Storing Keys or Hashes?  . . . . . . . . . . . . . . . 25
+       4.4.3.  Security Lameness  . . . . . . . . . . . . . . . . . . 25
+       4.4.4.  DS Signature Validity Period . . . . . . . . . . . . . 26
+   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 26
+   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 27
+   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 27
+   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
+     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 27
+     8.2.  Informative References . . . . . . . . . . . . . . . . . . 28
+   Appendix A.  Terminology . . . . . . . . . . . . . . . . . . . . . 29
+   Appendix B.  Zone Signing Key Rollover Howto . . . . . . . . . . . 30
+   Appendix C.  Typographic Conventions . . . . . . . . . . . . . . . 31
+   Appendix D.  Document Details and Changes  . . . . . . . . . . . . 33
 
 
 
-Kolkman & Gieben         Expires August 25, 2006                [Page 2]
+Kolkman & Gieben        Expires September 7, 2006               [Page 2]
 
-Internet-Draft        DNSSEC Operational Practices         February 2006
+Internet-Draft        DNSSEC Operational Practices            March 2006
 
 
-     D.6.  draft-ietf-dnsop-dnssec-operational-practices-05 . . . . . 32
-     D.7.  draft-ietf-dnsop-dnssec-operational-practices-06 . . . . . 32
-     D.8.  draft-ietf-dnsop-dnssec-operational-practices-07 . . . . . 32
-   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33
-   Intellectual Property and Copyright Statements . . . . . . . . . . 34
+     D.1.  draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 33
+     D.2.  draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 33
+     D.3.  draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 33
+     D.4.  draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 33
+     D.5.  draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 34
+     D.6.  draft-ietf-dnsop-dnssec-operational-practices-05 . . . . . 34
+     D.7.  draft-ietf-dnsop-dnssec-operational-practices-06 . . . . . 34
+     D.8.  draft-ietf-dnsop-dnssec-operational-practices-07 . . . . . 34
+     D.9.  draft-ietf-dnsop-dnssec-operational-practices-08 . . . . . 34
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
+   Intellectual Property and Copyright Statements . . . . . . . . . . 36
 
 
 
@@ -158,19 +164,20 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
 
 
 
-
-
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006                [Page 3]
+Kolkman & Gieben        Expires September 7, 2006               [Page 3]
 
-Internet-Draft        DNSSEC Operational Practices         February 2006
+Internet-Draft        DNSSEC Operational Practices            March 2006
 
 
 1.  Introduction
 
+   This document describes how to run a DNSSEC (DNS SECure) enabled
+   environment.  It is intended for operators who have knowledge of the
+   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want deploy DNSSEC.  See
+   RFC 4033 [4] for an introduction into DNSSEC and RFC 4034 [5] for the
+   newly introduced Resource Records and finally RFC 4035 [6] for the
+   protocol changes.
+
    During workshops and early operational deployment tests, operators
    and system administrators have gained experience about operating the
    DNS with security extensions (DNSSEC).  This document translates
@@ -200,31 +207,30 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    Appendix C.
 
    Since this is a document with operational suggestions and there are
-   no protocol specifications, the RFC2119 [3] language does not apply.
+   no protocol specifications, the RFC 2119 [9] language does not apply.
 
-   This document obsoletes RFC2541 [6].
+   This document obsoletes RFC 2541 [12].
 
 1.1.  The Use of the Term 'key'
 
    It is assumed that the reader is familiar with the concept of
    asymmetric keys on which DNSSEC is based (Public Key Cryptography
-   [12]).  Therefore, this document will use the term 'key' rather
+   [18]).  Therefore, this document will use the term 'key' rather
    loosely.  Where it is written that 'a key is used to sign data' it is
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 4]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    assumed that the reader understands that it is the private part of
    the key pair that is used for signing.  It is also assumed that the
    reader understands that the public part of the key pair is published
    in the DNSKEY resource record and that it is the public part that is
    used in key exchanges.
 
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006                [Page 4]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
 1.2.  Time Definitions
 
    In this document we will be using a number of time related terms.
@@ -239,7 +245,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
          replaced with a new signature (made with the same key).  This
          replacement takes place by publishing the relevant RRSIG in the
          master zone file.
-         After one stopped publishing an RRSIG in a zone it may take a
+         After one stops publishing an RRSIG in a zone it may take a
          while before the RRSIG has expired from caches and has actually
          been removed from the DNS.
    o  "Key effectivity period"
@@ -250,22 +256,31 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
          the key.
          The key effectivity period can span multiple signature validity
          periods.
-   o  "Maximum/Minimum Zone TTL"
+   o  "Maximum/Minimum Zone Time to Live (TTL)"
          The maximum or minimum value of the TTLs from the complete set
          of RRs in a zone.  Note that the minimum TTL is not the same as
-         the MINIMUM field in the SOA RR.  See [5] for more information.
+         the MINIMUM field in the SOA RR.  See [11] for more
+         information.
 
 
 2.  Keeping the Chain of Trust Intact
 
    Maintaining a valid chain of trust is important because broken chains
-   of trust will result in data being marked as Bogus (as defined in [2]
+   of trust will result in data being marked as Bogus (as defined in [4]
    section 5), which may cause entire (sub)domains to become invisible
    to verifying clients.  The administrators of secured zones have to
    realize that their zone is, to verifying clients, part of a chain of
    trust.
 
    As mentioned in the introduction, the procedures herein are intended
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 5]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    to ensure that maintenance of zones, such as re-signing or key
    rollovers, will be transparent to the verifying clients on the
    Internet.
@@ -273,20 +288,12 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    Administrators of secured zones will have to keep in mind that data
    published on an authoritative primary server will not be immediately
    seen by verifying clients; it may take some time for the data to be
-
-
-
-Kolkman & Gieben         Expires August 25, 2006                [Page 5]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    transferred to other secondary authoritative nameservers and clients
    may be fetching data from caching non-authoritative servers.  In this
    light it is good to note that the time for a zone transfer from
-   master to slave is negligible when using NOTIFY and IXFR, increasing
-   by reliance on AXFR, and more if you rely on the SOA timing
-   parameters for zone refresh.
+   master to slave is negligible when using NOTIFY [8] and IXFR [7],
+   increasing by reliance on AXFR, and more if you rely on the SOA
+   timing parameters for zone refresh.
 
    For the verifying clients it is important that data from secured
    zones can be used to build chains of trust regardless of whether the
@@ -317,11 +324,19 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    The DNSSEC validation protocol does not distinguish between different
    types of DNSKEYs.  All DNSKEYs can be used during the validation.  In
    practice operators use Key Signing and Zone Signing Keys and use the
-   so-called (Secure Entry Point) SEP [1] flag to distinguish between
+   so-called (Secure Entry Point) SEP [3] flag to distinguish between
    them during operations.  The dynamics and considerations are
    discussed below.
 
    To make zone re-signing and key rollover procedures easier to
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 6]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    implement, it is possible to use one or more keys as Key Signing Keys
    (KSK).  These keys will only sign the apex DNSKEY RRSet in a zone.
    Other keys can be used to sign all the RRSets in a zone and are
@@ -329,14 +344,6 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    that KSKs are the subset of keys that are used for key exchanges with
    the parent and potentially for configuration as trusted anchors - the
    SEP keys.  In this document we assume a one-to-one mapping between
-
-
-
-Kolkman & Gieben         Expires August 25, 2006                [Page 6]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    KSK and SEP keys and we assume the SEP flag to be set on all KSKs.
 
 3.1.1.  Motivations for the KSK and ZSK Separation
@@ -378,6 +385,14 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    verifying resolvers that have the particular key configured as secure
    entry points.  Hence, the key effectivity period of these keys can
    and should be made much longer.  Although, given a long enough key,
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 7]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    the Key Effectivity Period can be on the order of years we suggest
    planning for a key effectivity of the order of a few months so that a
    key rollover remains an operational routine.
@@ -385,14 +400,6 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
 3.1.2.  KSKs for High Level Zones
 
    Higher level zones are generally more sensitive than lower level
-
-
-
-Kolkman & Gieben         Expires August 25, 2006                [Page 7]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    zones.  Anyone controlling or breaking the security of a zone thereby
    obtains authority over all of its sub domains (except in the case of
    resolvers that have locally configured the public key of a sub
@@ -422,8 +429,8 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    The strongest algorithms used with the longest keys are still of no
    use if an adversary can guess enough to lower the size of the likely
    key space so that it can be exhaustively searched.  Technical
-   suggestions for the generation of random keys will be found in
-   RFC4086 [9].  One should carefully assess if the random number
+   suggestions for the generation of random keys will be found in RFC
+   4086 [15].  One should carefully assess if the random number
    generator used during key generation adheres to these suggestions.
 
    Keys with a long effectivity period are particularly sensitive as
@@ -433,6 +440,15 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    from the network via an air gap or, at a minimum, high level secure
    hardware.
 
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 8]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
 3.3.  Key Effectivity Period
 
    For various reasons keys in DNSSEC need to be changed once in a
@@ -441,14 +457,6 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    espionage, or cryptanalysis.  Furthermore when key rollovers are too
    rare an event, they will not become part of the operational habit and
    there is risk that nobody on-site will remember the procedure for
-
-
-
-Kolkman & Gieben         Expires August 25, 2006                [Page 8]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    rollover when the need is there.
 
    From a purely operational perspective a reasonable key effectivity
@@ -456,8 +464,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    them after 12 months.  An intended key effectivity period of a month
    is reasonable for Zone Signing Keys.
 
-   For a key sizes that matches these effectivity periods see
-   Section 3.5.
+   For key sizes that matches these effectivity periods see Section 3.5.
 
    As argued in Section 3.1.2 securely updating trust anchors will be
    extremely difficult.  On the other hand the "operational habit"
@@ -481,44 +488,45 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    RSA has been developed in an open and transparent manner.  As the
    patent on RSA expired in 2000, its use is now also free.
 
-   DSA has been developed by NIST.  The creation of signatures is
-   roughly done at the same speed as with RSA, but is 10 to 40 times as
-   slow for verification [12].
+   DSA has been developed by NIST.  The creation of signatures takes
+   roughly the same time as with RSA, but is 10 to 40 times as slow for
+   verification [18].
 
    We suggest the use of RSA/SHA-1 as the preferred algorithm for the
    key.  The current known attacks on RSA can be defeated by making your
    key longer.  As the MD5 hashing algorithm is showing (theoretical)
    cracks, we recommend the usage of SHA-1.
 
+
+
+
+Kolkman & Gieben        Expires September 7, 2006               [Page 9]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    At the time of publication it is known that the SHA-1 hash has
    cryptanalysis issues.  There is work in progress on addressing these
-   issues.  We recommend to use public key algorithms based on hashes
-   stronger than SHA-1, e.g.  SHA-256, as soon as these algorithms are
-   available in protocol specifications (See [14] and [15] ) and
-   implementations.
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006                [Page 9]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
+   issues.  We recommend the use of public key algorithms based on
+   hashes stronger than SHA-1, e.g.  SHA-256, as soon as these
+   algorithms are available in protocol specifications (See [20] and
+   [21] ) and implementations.
 
 3.5.  Key Sizes
 
    When choosing key sizes, zone administrators will need to take into
    account how long a key will be used, how much data will be signed
-   during the key publication period (See Section 8.10 of [12]) and,
+   during the key publication period (See Section 8.10 of [18]) and,
    optionally, how large the key size of the parent is.  As the chain of
-   trust really is "a chain", it does not make much sense in making one
-   of the keys in the chain several times larger then the others.  As
+   trust really is "a chain", there is not much sense in making one of
+   the keys in the chain several times larger then the others.  As
    always, it's the weakest link that defines the strength of the entire
    chain.  Also see Section 3.1.1 for a discussion of how keys serving
    different roles (ZSK v.  KSK) may need different key sizes.
 
-   Generating a key of the correct size is a difficult problem, RFC3766
-   [8] tries to deal with that problem.  Paragraph 1 of that RFC states:
+   Generating a key of the correct size is a difficult problem, RFC 3766
+   [14] tries to deal with that problem.  The first part of the
+   selection procedure in Section 1 of the RFC states:
 
       1. Determine the attack resistance necessary to satisfy the
          security requirements of the application.  Do this by
@@ -531,11 +539,28 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
          for system security.  The 90 bit number should be increased
          by about 2/3 bit/year, or about 96 bits in 2005.
 
-   [8] goes on to explain how this number "n" can be used to calculate
+   [14] goes on to explain how this number "n" can be used to calculate
    the key sizes in public key cryptography.  This culminated in the
    table given below (slightly modified for our purpose):
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 10]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
       +-------------+-----------+--------------+
       | System      |           |              |
       | requirement | Symmetric | RSA or DSA   |
@@ -553,14 +578,6 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
       +-------------+-----------+--------------+
 
    The key sizes given are rather large.  This is because these keys are
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 10]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    resilient against a trillionaire attacker.  Assuming this rich
    attacker will not attack your key and that the key is rolled over
    once a year, we come to the following recommendations about KSK
@@ -580,7 +597,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
 
    Note that nobody can see into the future, and that these key sizes
    are only provided here as a guide.  Further information can be found
-   in [11] and Section 7.5 of [12].  It should be noted though that [11]
+   in [17] and Section 7.5 of [18].  It should be noted though that [17]
    is already considered overly optimistic about what key sizes are
    considered safe.
 
@@ -590,6 +607,16 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    validate and create RRSIGs increases with larger keys, so don't
    needlessly double your key sizes.
 
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 11]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
 3.6.  Private Key Storage
 
    It is recommended that, where possible, zone private keys and the
@@ -599,7 +626,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
    transferred.
 
-   When relying on dynamic update to manage a signed zone [4], be aware
+   When relying on dynamic update to manage a signed zone [10], be aware
    that at least one private key of the zone will have to reside on the
    master server.  This key is only as secure as the amount of exposure
    the server receives to unknown clients and the security of the host.
@@ -609,14 +636,6 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    set, although its name appears in the SOA RRs MNAME field.  The
    nameservers in the NS RR set are able to receive zone updates through
    NOTIFY, IXFR, AXFR or an out-of-band distribution mechanism.  This
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 11]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    approach is known as the "hidden master" setup.
 
    The ideal situation is to have a one way information flow to the
@@ -633,7 +652,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    network.  Operators are advised to take security measures to shield
    unauthorized access to the master copy.
 
-   For dynamically updated secured zones [4] both the master copy and
+   For dynamically updated secured zones [10] both the master copy and
    the private key that is used to update signatures on updated RRs will
    need to be on-line.
 
@@ -645,9 +664,17 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    Without DNSSEC all times in DNS are relative.  The SOA fields
    REFRESH, RETRY and EXPIRATION are timers used to determine the time
    elapsed after a slave server synchronized with a master server.  The
-   Time to Live (TTL) value and the SOA RR minimum TTL parameter [5] are
-   used to determine how long a forwarder should cache data after it has
-   been fetched from an authoritative server.  By using a signature
+   Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 12]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   are used to determine how long a forwarder should cache data after it
+   has been fetched from an authoritative server.  By using a signature
    validity period, DNSSEC introduces the notion of an absolute time in
    the DNS.  Signatures in DNSSEC have an expiration date after which
    the signature is marked as invalid and the signed data is to be
@@ -662,17 +689,9 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
          If the TTL would be of similar order as the signature validity
          period, then all RRSets fetched during the validity period
          would be cached until the signature expiration time.  Section
-         7.1 of [2] suggests that "the resolver may use the time
+         7.1 of [4] suggests that "the resolver may use the time
          remaining before expiration of the signature validity period of
          a signed RRSet as an upper bound for the TTL".  As a result
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 12]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
          query load on authoritative servers would peak at signature
          expiration time, as this is also the time at which records
          simultaneously expire from caches.
@@ -687,8 +706,8 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
          caches.  This in turn may lead to peaks in the load on
          authoritative servers.
    o  We suggest the minimum zone TTL to be long enough to both fetch
-      and verifying all the RRs in the trust chain.  In workshop
-      environments it has been demonstrated [13] that a low TTL (under 5
+      and verify all the RRs in the trust chain.  In workshop
+      environments it has been demonstrated [19] that a low TTL (under 5
       to 10 minutes) caused disruptions because of the following two
       problems:
          1.  During validation, some data may expire before the
@@ -700,6 +719,16 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
          2.  Frequent verification causes load on recursive nameservers.
          Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
          caching.  The TTL on those should be relatively long.
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 13]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    o  Slave servers will need to be able to fetch newly signed zones
       well before the RRSIGs in the zone served by the slave server pass
       their signature expiration time.
@@ -719,16 +748,6 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
          the signatures expire well before the SOA expiration timer
          counts down to zero.  It is not possible to completely prevent
          this from happening by tweaking the SOA parameters.
-
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 13]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
          However, the effects can be minimized where the SOA expiration
          time is equal or shorter than the signature validity period.
          The consequence of an authoritative server not being able to
@@ -758,6 +777,14 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    rollovers -- or supercessions, as they are sometimes called -- are a
    fact of life when using DNSSEC.  Zone administrators who are in the
    process of rolling their keys have to take into account that data
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 14]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    published in previous versions of their zone still lives in caches.
    When deploying DNSSEC, this becomes an important consideration;
    ignoring data that may be in caches may lead to loss of service for
@@ -771,20 +798,12 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    signed with a new key against an old key that lives in a local cache,
    also resulting in data being marked Bogus.
 
-4.2.1.  Zone signing Key Rollovers
+4.2.1.  Zone Signing Key Rollovers
 
    For zone signing key rollovers there are two ways to make sure that
    during the rollover data still cached can be verified with the new
    key sets or newly generated signatures can be verified with the keys
    still in caches.  One schema, described in Section 4.2.1.2, uses
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 14]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    double signatures; the other uses key pre-publication
    (Section 4.2.1.1).  The pros, cons and recommendations are described
    in Section 4.2.1.3.
@@ -801,6 +820,8 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    as is the case with the double signature ZSK rollover.  A small
    "HOWTO" for this kind of rollover can be found in Appendix B.
 
+   Pre-publish Key Rollover involves four stages as follows:
+
     initial         new DNSKEY       new RRSIGs      DNSKEY removal
 
     SOA0            SOA1             SOA2            SOA3
@@ -813,6 +834,13 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
     RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
 
 
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 15]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    initial: Initial version of the zone: DNSKEY 1 is the key signing
       key.  DNSKEY 10 is used to sign all the data of the zone, the zone
       signing key.
@@ -833,14 +861,6 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
       previous version of the zone to expire from old caches i.e. the
       time it takes for this zone to propagate to all authoritative
       servers plus the Maximum Zone TTL value of any of the data in the
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 15]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
       previous version of the zone.
    DNSKEY removal: DNSKEY 10 is removed from the zone.  The key set, now
       only containing DNSKEY 1 and DNSKEY 11 is re-signed with the
@@ -853,6 +873,30 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    (II)":
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 16]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
        initial             new RRSIGs          new DNSKEY
 
        SOA0                SOA1                SOA2
@@ -865,7 +909,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
        RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
 
 
-       new RRSIGs (II)       new DNSKEY (II)
+       new RRSIGs (II)     new DNSKEY (II)
 
        SOA3                SOA4
        RRSIG12(SOA3)       RRSIG12(SOA4)
@@ -877,29 +921,41 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
        RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
 
 
+   Pre-Publish Key Rollover, showing two rollovers.
+
    Note that the key introduced in the "new DNSKEY" phase is not used
    for production yet; the private key can thus be stored in a
    physically secure manner and does not need to be 'fetched' every time
    a zone needs to be signed.
 
-4.2.1.2.  Double Signature Zone signing Key Rollover
+4.2.1.2.  Double Signature Zone Signing Key Rollover
 
    This section shows how to perform a ZSK key rollover using the double
    zone data signature scheme, aptly named "double sig rollover".
 
    During the "new DNSKEY" stage the new version of the zone file will
    need to propagate to all authoritative servers and the data that
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 16]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    exists in (distant) caches will need to expire, requiring at least
    the maximum Zone TTL.
 
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 17]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   Double Signature Zone Signing Key Rollover involves three stages as
+   follows:
+
        initial             new DNSKEY         DNSKEY removal
 
        SOA0                SOA1               SOA2
@@ -919,9 +975,9 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
       introduced into the key set and all the data in the zone is signed
       with DNSKEY 10 and DNSKEY 11.  The rollover period will need to
-      exist until all data from version 0 of the zone has expired from
-      remote caches.  This will take at least the maximum Zone TTL of
-      version 0 of the zone.
+      continue until all data from version 0 of the zone has expired
+      from remote caches.  This will take at least the maximum Zone TTL
+      of version 0 of the zone.
    DNSKEY removal: DNSKEY 10 is removed from the zone.  All the
       signatures from DNSKEY 10 are removed from the zone.  The key set,
       now only containing DNSKEY 11, is re-signed with DNSKEY 1.
@@ -948,9 +1004,9 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
 
 
 
-Kolkman & Gieben         Expires August 25, 2006               [Page 17]
+Kolkman & Gieben        Expires September 7, 2006              [Page 18]
 
-Internet-Draft        DNSSEC Operational Practices         February 2006
+Internet-Draft        DNSSEC Operational Practices            March 2006
 
 
 4.2.1.3.  Pros and Cons of the Schemes
@@ -967,7 +1023,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
       have very big zones.  An advantage is that it only requires three
       steps.
 
-4.2.2.  Key signing Key Rollovers
+4.2.2.  Key Signing Key Rollovers
 
    For the rollover of a key signing key the same considerations as for
    the rollover of a zone signing key apply.  However we can use a
@@ -996,19 +1052,23 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
                        RRSIG2 (DNSKEY)  -------->
        RRSIG10(DNSKEY) RRSIG10(DNSKEY)  -------->       RRSIG10(DNSKEY)
 
+   Stages of Deployment for Key Signing Key Rollover.
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 19]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    initial: Initial version of the zone.  The parental DS points to
       DNSKEY1.  Before the rollover starts the child will have to verify
       what the TTL is of the DS RR that points to DNSKEY1 - it is needed
       during the rollover and we refer to the value as TTL_DS.
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 18]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    new DNSKEY: During the "new DNSKEY" phase the zone administrator
       generates a second KSK, DNSKEY2.  The key is provided to the
       parent and the child will have to wait until a new DS RR has been
@@ -1043,10 +1103,11 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
 
    As the KSK is used to validate the key set and because the KSK is not
    changed during a ZSK rollover, a cache is able to validate the new
-   key set of the zone.  The pre-publish method would work for a KSK
-   rollover.  The records that are to be pre-published are the parental
-   DS RRs.  The pre-publish method has some drawbacks for KSKs.  We
-   first describe the rollover scheme and then indicate these drawbacks.
+   key set of the zone.  The pre-publish method would also work for a
+   KSK rollover.  The records that are to be pre-published are the
+   parental DS RRs.  The pre-publish method has some drawbacks for KSKs.
+   We first describe the rollover scheme and then indicate these
+   drawbacks.
 
 
 
@@ -1055,14 +1116,9 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
 
 
 
-
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 19]
+Kolkman & Gieben        Expires September 7, 2006              [Page 20]
 
-Internet-Draft        DNSSEC Operational Practices         February 2006
+Internet-Draft        DNSSEC Operational Practices            March 2006
 
 
      initial         new DS           new DNSKEY      DS/DNSKEY removal
@@ -1085,6 +1141,8 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
      RRSIG1 (DNSKEY) -------->        RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
      RRSIG10(DNSKEY) -------->        RRSIG10(DNSKEY) RRSIG10(DNSKEY)
 
+   Stages of Deployment for a Pre-publish Key Signing Key rollover.
+
    When the child zone wants to roll it notifies the parent during the
    "new DS" phase and submits the new key (or the corresponding DS) to
    the parent.  The parent publishes DS1 and DS2, pointing to DNSKEY1
@@ -1111,16 +1169,16 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    o  A KSK rollover needs interaction between parent and child.  Data
       exchange is needed to provide the new keys to the parent,
       consequently, this data must be authenticated and integrity must
-      be guaranteed in order to avoid attacks on the rollover.
 
 
 
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 20]
+Kolkman & Gieben        Expires September 7, 2006              [Page 21]
 
-Internet-Draft        DNSSEC Operational Practices         February 2006
+Internet-Draft        DNSSEC Operational Practices            March 2006
 
 
+      be guaranteed in order to avoid attacks on the rollover.
+
 4.3.  Planning for Emergency Key Rollover
 
    This section deals with preparation for a possible key compromise.
@@ -1167,16 +1225,16 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    -- however the chain of trust of this particular key is broken).
 
    Note that an attacker's zone still uses the compromised KSK and the
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 22]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    presence of a parental DS would cause the data in this zone to appear
    as valid.  Removing the compromised key would cause the attacker's
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 21]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    zone to appear as valid and the child's zone as Bogus.  Therefore we
    advise not to remove the KSK before the parent has a DS to a new KSK
    in place.
@@ -1207,7 +1265,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    An additional danger of a key compromise is that the compromised key
    could be used to facilitate a legitimate DNSKEY/DS rollover and/or
    nameserver changes at the parent.  When that happens the domain may
-   be in dispute.  An authenticated out of band and secure notify
+   be in dispute.  An authenticated out-of-band and secure notify
    mechanism to contact a parent is needed in this case.
 
    Note that this is only a problem when the DNSKEY and or DS records
@@ -1223,16 +1281,17 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    In the method that causes the child zone to appear as 'Bogus' to
    validating resolvers, the child zone replaces the current KSK with a
    new one and resigns the key set.  Next it sends the DS of the new key
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 23]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    to the parent.  Only after the parent has placed the new DS in the
    zone, the child's chain of trust is repaired.
 
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 22]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    An alternative method of breaking the chain of trust is by removing
    the DS RRs from the parent zone altogether.  As a result the child
    zone would become insecure.
@@ -1263,8 +1322,8 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    be authenticated e.g. by using digital signatures.
 
    End-users faced with the task of updating an anchored key should
-   always validate the new key.  New keys should be authenticated out of
-   band, for example, looking them up on an SSL secured announcement
+   always validate the new key.  New keys should be authenticated out-
+   of-band, for example, looking them up on an SSL secured announcement
    website.
 
 4.4.  Parental Policies
@@ -1278,29 +1337,29 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    authorization mechanisms used for the exchange of delegation
    information between parent and child.  I.e. there is no implicit need
    in DNSSEC to make the authentication process stronger than it was in
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 24]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    DNS.
 
    Using the DNS itself as the source for the actual DNSKEY material,
+   with an out-of-band check on the validity of the DNSKEY, has the
+   benefit that it reduces the chances of user error.  A DNSKEY query
+   tool can make use of the SEP bit [3] to select the proper key from a
+   DNSSEC key set; thereby reducing the chance that the wrong DNSKEY is
+   sent.  It can validate the self-signature over a key; thereby
+   verifying the ownership of the private key material.  Fetching the
+   DNSKEY from the DNS ensures that the chain of trust remains intact
+   once the parent publishes the DS RR indicating the child is secure.
 
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 23]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
-   with an off-band check on the validity of the DNSKEY, has the benefit
-   that it reduces the chances of user error.  A DNSKEY query tool can
-   make use of the SEP bit [1] to select the proper key from a DNSSEC
-   key set; thereby reducing the chance that the wrong DNSKEY is sent.
-   It can validate the self-signature over a key; thereby verifying the
-   ownership of the private key material.  Fetching the DNSKEY from the
-   DNS ensures that the chain of trust remains intact once the parent
-   publishes the DS RR indicating the child is secure.
-
-   Note: the off-band verification is still needed when the key-material
-   is fetched via the DNS.  The parent can never be sure whether the
-   DNSKEY RRs have been spoofed or not.
+   Note: the out-of-band verification is still needed when the key-
+   material is fetched via the DNS.  The parent can never be sure
+   whether the DNSKEY RRs have been spoofed or not.
 
 4.4.2.  Storing Keys or Hashes?
 
@@ -1324,7 +1383,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    registrant and registry; Will the child zone administrator be able to
    upload DS RRs with unknown hash algorithms or does the interface only
    allow DNSKEYs?  In the registry-registrar model one can use the
-   DNSSEC EPP protocol extension [10] which allows transfer of DS RRs
+   DNSSEC EPP protocol extension [16] which allows transfer of DS RRs
    and optionally DNSKEY RRs.
 
 4.4.3.  Security Lameness
@@ -1334,17 +1393,17 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    child's zone may be marked as "Bogus" by verifying DNS clients.
 
    As part of a comprehensive delegation check the parent could, at key
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 25]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    exchange time, verify that the child's key is actually configured in
    the DNS.  However if a parent does not understand the hashing
    algorithm used by child the parental checks are limited to only
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 24]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    comparing the key id.
 
    Child zones should be very careful removing DNSKEY material,
@@ -1393,12 +1452,9 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
 
 
 
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 25]
+Kolkman & Gieben        Expires September 7, 2006              [Page 26]
 
-Internet-Draft        DNSSEC Operational Practices         February 2006
+Internet-Draft        DNSSEC Operational Practices            March 2006
 
 
 6.  Security Considerations
@@ -1423,8 +1479,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
    Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz and Peter Koch.
 
-   Some material in this document has been shamelessly copied from
-   RFC2541 [6] by Donald Eastlake.
+   Some material in this document has been copied from RFC 2541 [12].
 
    Mike StJohns designed the key exchange between parent and child
    mentioned in the last paragraph of Section 4.2.2
@@ -1443,76 +1498,96 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
 
 8.1.  Normative References
 
-   [1]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
+   [1]  Mockapetris, P., "Domain names - concepts and facilities",
+        STD 13, RFC 1034, November 1987.
+
+   [2]  Mockapetris, P., "Domain names - implementation and
+        specification", STD 13, RFC 1035, November 1987.
+
+   [3]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 27]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
         (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
         RFC 3757, May 2004.
 
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+   [4]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
         "DNS Security Introduction and Requirements", RFC 4033,
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 26]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
         March 2005.
 
+   [5]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Resource Records for the DNS Security Extensions", RFC 4034,
+        March 2005.
+
+   [6]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Protocol Modifications for the DNS Security Extensions",
+        RFC 4035, March 2005.
+
 8.2.  Informative References
 
-   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+   [7]   Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+         August 1996.
+
+   [8]   Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+         (DNS NOTIFY)", RFC 1996, August 1996.
+
+   [9]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
          Levels", BCP 14, RFC 2119, March 1997.
 
-   [4]   Eastlake, D., "Secure Domain Name System Dynamic Update",
+   [10]  Eastlake, D., "Secure Domain Name System Dynamic Update",
          RFC 2137, April 1997.
 
-   [5]   Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+   [11]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
          RFC 2308, March 1998.
 
-   [6]   Eastlake, D., "DNS Security Operational Considerations",
+   [12]  Eastlake, D., "DNS Security Operational Considerations",
          RFC 2541, March 1999.
 
-   [7]   Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
+   [13]  Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
          RFC 3658, December 2003.
 
-   [8]   Orman, H. and P. Hoffman, "Determining Strengths For Public
+   [14]  Orman, H. and P. Hoffman, "Determining Strengths For Public
          Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
          April 2004.
 
-   [9]   Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+   [15]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
          Requirements for Security", BCP 106, RFC 4086, June 2005.
 
-   [10]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
-         Mapping for the Extensible  Provisioning Protocol (EPP)",
-         draft-hollenbeck-epp-secdns-07 (work in progress), March 2005.
+   [16]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+         Mapping for the Extensible Provisioning Protocol (EPP)",
+         RFC 4310, December 2005.
 
-   [11]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 28]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
+   [17]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
          Sizes", The Journal of Cryptology 14 (255-293), 2001.
 
-   [12]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
-         Source Code in C", 1996.
+   [18]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
+         Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
+         (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
+         1996.
 
-   [13]  Rose, S., "NIST DNSSEC workshop notes", June 2001.
+   [19]  Rose, S., "NIST DNSSEC workshop notes", June 2001.
 
-   [14]  Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
+   [20]  Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
          Records in DNSSEC", draft-ietf-dnsext-dnssec-rsasha256-00.txt
          (work in progress), January 2006.
 
-   [15]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+   [21]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
          Resource Records (RRs)", draft-ietf-dnsext-ds-sha256-04.txt
          (work in progress), January 2006.
 
 
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 27]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
 Appendix A.  Terminology
 
    In this document there is some jargon used that is defined in other
@@ -1523,33 +1598,44 @@ Appendix A.  Terminology
 
    Anchored Key: A DNSKEY configured in resolvers around the globe.
       This key is hard to update, hence the term anchored.
-   Bogus: Also see Section 5 of [2].  An RRSet in DNSSEC is marked
+   Bogus: Also see Section 5 of [4].  An RRSet in DNSSEC is marked
       "Bogus" when a signature of a RRSet does not validate against a
       DNSKEY.
    Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
       exclusively for signing the apex key set.  The fact that a key is
       a KSK is only relevant to the signing tool.
    Key size: The term 'key size' can be substituted by 'modulus size'
-      throughout the document.  It is mathematical more correct to use
+      throughout the document.  It is mathematically more correct to use
       modulus size, but as this is a document directed at operators we
       feel more at ease with the term key size.
    Private and Public Keys: DNSSEC secures the DNS through the use of
       public key cryptography.  Public key cryptography is based on the
-      existence of two (mathematical related) keys, a public key and a
+      existence of two (mathematically related) keys, a public key and a
       private key.  The public keys are published in the DNS by use of
       the DNSKEY Resource Record (DNSKEY RR).  Private keys should
       remain private.
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 29]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    Key Rollover: A key rollover (also called key supercession in some
       environments) is the act of replacing one key pair by another at
       the end of a key effectivity period.
    Secure Entry Point key or SEP Key: A KSK that has a parental DS
       record pointing to it or is configured as a trust anchor.
       Although not required by the protocol we recommend that the SEP
-      flag [1] is set on these keys.
+      flag [3] is set on these keys.
    Self-signature: This is only applies to signatures over DNSKEYs; a
       signature made with DNSKEY x, over DNSKEY x is called a self-
       signature.  Note: without further information self-signatures
-      convey no trust, they are usefull to check the authenticity of the
+      convey no trust, they are useful to check the authenticity of the
       DNSKEY, i.e. they can be used as a hash.
    Singing the Zone File: The term used for the event where an
       administrator joyfully signs its zone file while producing melodic
@@ -1558,17 +1644,6 @@ Appendix A.  Terminology
       signs the Resource Record sets in a zone.  A signer may be
       configured to sign only parts of the zone e.g. only those RRSets
       for which existing signatures are about to expire.
-
-
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 28]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    Zone Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
       used for signing all data in a zone.  The fact that a key is a ZSK
       is only relevant to the signing tool.
@@ -1576,7 +1651,7 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
       and publishing it on the primary authoritative server.
 
 
-Appendix B.  Zone signing Key Rollover Howto
+Appendix B.  Zone Signing Key Rollover Howto
 
    Using the pre-published signature scheme and the most conservative
    method to assure oneself that data does not live in caches, here
@@ -1596,6 +1671,16 @@ Appendix B.  Zone signing Key Rollover Howto
    Step 2: Then start using the key that was marked as "published" to
       sign your data i.e. mark it as "active".  Stop using the key that
       was marked as "active", mark it as "rolled".
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 30]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    Step 3: It is safe to engage in a new rollover (Step 1) after at
       least one "signature validity period".
 
@@ -1613,18 +1698,6 @@ Appendix C.  Typographic Conventions
       to just "A".
    Signature notation: Signatures are denoted as RRSIGx(RRSet), which
       means that RRSet is signed with DNSKEYx.
-
-
-
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 29]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
    Zone representation: Using the above notation we have simplified the
       representation of a signed zone by leaving out all unnecessary
       details such as the names and by representing all data by "SOAx"
@@ -1633,6 +1706,37 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
    Using this notation the following signed zone:
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 31]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    example.net.      86400  IN SOA  ns.example.net. bert.example.net. (
                             2006022100   ; serial
                             86400        ; refresh (  24 hours)
@@ -1648,11 +1752,9 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
                                   20130407213204 14 example.net.
                                   SO5epiJei19AjXoUpFnQ ... )
                      86400  DNSKEY  256 3 5 (
-                                  EtRB9MP5/AvOuVO0I8XDxy0... )
-                                    ; key id = 14
+                                  EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
                      86400  DNSKEY  257 3 5 (
-                                  gsPW/Yy19GzYIY+Gnr8HABU... )
-                                    ; key id = 15
+                                  gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
                      86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
                                   20130422213204 14 example.net.
                                   J4zCe8QX4tXVGjV4e1r9... )
@@ -1674,16 +1776,8 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
 
    is reduced to the following representation:
 
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 30]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
        SOA2006022100
        RRSIG14(SOA2006022100)
-
        DNSKEY14
        DNSKEY15
 
@@ -1691,6 +1785,14 @@ Internet-Draft        DNSSEC Operational Practices         February 2006
        RRSIG15(KEY)
 
    The rest of the zone data has the same signature as the SOA record,
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 32]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    i.e a RRSIG created with DNSKEY 14.
 
 
@@ -1727,16 +1829,6 @@ D.3.  draft-ietf-dnsop-dnssec-operational-practices-02
    Added Automatic rollover requirements from I-D.ietf-dnsop-key-
    rollover-requirements.
 
-
-
-
-
-
-Kolkman & Gieben         Expires August 25, 2006               [Page 31]
-
-Internet-Draft        DNSSEC Operational Practices         February 2006
-
-
 D.4.  draft-ietf-dnsop-dnssec-operational-practices-03
 
    Added the definition of Key effectivity period and used that term
@@ -1745,11 +1837,18 @@ D.4.  draft-ietf-dnsop-dnssec-operational-practices-03
    Modified the order of the sections, based on a suggestion by Rip
    Loomis.
 
-   Included parts from RFC2541 [6].  Most of its ground was already
-   covered.  This document obsoletes RFC2541 [6].  Section 3.1.2
-   deserves some review as it in contrast to RFC2541 does _not_ give
+   Included parts from RFC 2541 [12].  Most of its ground was already
+   covered.  This document obsoletes RFC 2541 [12].  Section 3.1.2
+   deserves some review as it in contrast to RFC 2541 does _not_ give
    recomendations about root-zone keys.
 
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 33]
+
+Internet-Draft        DNSSEC Operational Practices            March 2006
+
+
    added a paragraph to Section 4.4.4
 
 D.5.  draft-ietf-dnsop-dnssec-operational-practices-04
@@ -1784,13 +1883,26 @@ D.8.  draft-ietf-dnsop-dnssec-operational-practices-07
 
    SHA-1/SHA-256 remarks added
 
+D.9.  draft-ietf-dnsop-dnssec-operational-practices-08
+
+   IESG comments applied.  Added headers and some captions to the tables
+   and applied all the nits.
+
+   IESG DISCUSS comments applied
 
 
 
 
-Kolkman & Gieben         Expires August 25, 2006               [Page 32]
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 7, 2006              [Page 34]
 
-Internet-Draft        DNSSEC Operational Practices         February 2006
+Internet-Draft        DNSSEC Operational Practices            March 2006
 
 
 Authors' Addresses
@@ -1844,9 +1956,9 @@ Authors' Addresses
 
 
 
-Kolkman & Gieben         Expires August 25, 2006               [Page 33]
+Kolkman & Gieben        Expires September 7, 2006              [Page 35]
 
-Internet-Draft        DNSSEC Operational Practices         February 2006
+Internet-Draft        DNSSEC Operational Practices            March 2006
 
 
 Intellectual Property Statement
@@ -1900,5 +2012,5 @@ Acknowledgment
 
 
 
-Kolkman & Gieben         Expires August 25, 2006               [Page 34]
+Kolkman & Gieben        Expires September 7, 2006              [Page 36]
 

From cfe92110ce4eaf19f7f3255d2961710879bdc9dd Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 9 Mar 2006 23:21:54 +0000
Subject: [PATCH 112/465] 2007.   [func]          It is now possible to
 explicitly enable DNSSEC                         validation.  default
 dnssec-validation no; to                         be changed to yes in 9.5.0. 
 [RT #15674]

---
 CHANGES                                |  4 +++
 bin/named/config.c                     |  5 ++--
 bin/named/named.conf.docbook           |  4 ++-
 bin/named/query.c                      |  8 ++++--
 bin/named/server.c                     |  7 +++++-
 bin/tests/system/dlv/ns5/named.conf    |  3 ++-
 bin/tests/system/dnssec/ns1/named.conf |  3 ++-
 bin/tests/system/dnssec/ns2/named.conf |  3 ++-
 bin/tests/system/dnssec/ns3/named.conf |  3 ++-
 bin/tests/system/dnssec/ns4/named.conf |  3 ++-
 bin/tests/system/dnssec/ns5/named.conf |  3 ++-
 bin/tests/system/dnssec/ns6/named.conf |  3 ++-
 bin/tests/system/lwresd/ns1/named.conf |  3 ++-
 doc/arm/Bv9ARM-book.xml                | 15 +++++++++++-
 lib/bind9/check.c                      | 31 ++++++++++++++++++++++-
 lib/dns/include/dns/view.h             |  3 ++-
 lib/dns/resolver.c                     | 34 ++++++++++++++------------
 lib/dns/view.c                         |  3 ++-
 lib/isccfg/namedconf.c                 |  3 ++-
 19 files changed, 107 insertions(+), 34 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6dfae786e8..294b8cf2b1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2007.	[func]		It is now possible to explicitly enable DNSSEC
+			validation.  default dnssec-validation no; to
+			be changed to yes in 9.5.0.  [RT #15674]
+
 2006.	[security]	Allow-query-cache and allow-recursion now default
 			to the builtin acls "localnets" and "localhost".
 
diff --git a/bin/named/config.c b/bin/named/config.c
index c20e6019a1..198322b794 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.72 2006/03/09 03:30:18 marka Exp $ */
+/* $Id: config.c,v 1.73 2006/03/09 23:21:53 marka Exp $ */
 
 /*! \file */
 
@@ -135,7 +135,8 @@ options {\n\
 	use-additional-cache true;\n\
 	acache-cleaning-interval 60;\n\
 	max-acache-size 0;\n\
-	dnssec-enable no; /* Make yes for 9.4. */ \n\
+	dnssec-enable yes;\n\
+	dnssec-validation no; /* Make yes for 9.5. */ \n\
 	dnssec-accept-expired no;\n\
 	clients-per-query 10;\n\
 	max-clients-per-query 100;\n\
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 3bc7561627..1ba25acf88 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Aug 13, 2004
@@ -263,6 +263,7 @@ options {
 	root-delegation-only  exclude { quoted_string; ... } ;
 	disable-algorithms string { string; ... };
 	dnssec-enable boolean;
+	dnssec-validation boolean;
 	dnssec-lookaside string trust-anchor string;
 	dnssec-must-be-secure string boolean;
 	dnssec-accept-expired boolean;
@@ -410,6 +411,7 @@ view string optional_class
 	root-delegation-only  exclude { quoted_string; ... } ;
 	disable-algorithms string { string; ... };
 	dnssec-enable boolean;
+	dnssec-validation boolean;
 	dnssec-lookaside string trust-anchor string;
 	dnssec-must-be-secure string boolean;
 	dnssec-accept-expired boolean;
diff --git a/bin/named/query.c b/bin/named/query.c
index 6981cd4e52..e8d3ca7f74 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.282 2006/03/03 00:43:34 marka Exp $ */
+/* $Id: query.c,v 1.283 2006/03/09 23:21:53 marka Exp $ */
 
 /*! \file */
 
@@ -4527,13 +4527,17 @@ ns_query_start(ns_client_t *client) {
 	 * If the client has requested that DNSSEC checking be disabled,
 	 * allow lookups to return pending data and instruct the resolver
 	 * to return data before validation has completed.
+	 *
+	 * We don't need to set DNS_DBFIND_PENDINGOK when validation is
+	 * disabled as there will be no pending data.
 	 */
 	if (message->flags & DNS_MESSAGEFLAG_CD ||
 	    qtype == dns_rdatatype_rrsig)
 	{
 		client->query.dboptions |= DNS_DBFIND_PENDINGOK;
 		client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
-	}
+	} else if (!client->view->enablevalidation)
+		client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
 
 	/*
 	 * Allow glue NS records to be added to the authority section
diff --git a/bin/named/server.c b/bin/named/server.c
index 7fdbdaf5ff..8b5dbe2a2b 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.460 2006/03/09 03:30:18 marka Exp $ */
+/* $Id: server.c,v 1.461 2006/03/09 23:21:53 marka Exp $ */
 
 /*! \file */
 
@@ -1493,6 +1493,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	INSIST(result == ISC_R_SUCCESS);
 	view->acceptexpired = cfg_obj_asboolean(obj);
 
+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-validation", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->enablevalidation = cfg_obj_asboolean(obj);
+
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-lookaside", &obj);
 	if (result == ISC_R_SUCCESS) {
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
index ebe0cb426a..3cdf71493a 100644
--- a/bin/tests/system/dlv/ns5/named.conf
+++ b/bin/tests/system/dlv/ns5/named.conf
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.3 2004/06/04 02:31:41 marka Exp $ */
+/* $Id: named.conf,v 1.4 2006/03/09 23:21:53 marka Exp $ */
 
 /*
  * Choose a keyname that is unlikely to clash with any real key names.
@@ -58,6 +58,7 @@ options {
 	recursion yes;
 	notify yes;
 	dnssec-enable yes;
+	dnssec-validation yes;
 	dnssec-lookaside "." trust-anchor "dlv.utld";
 };
 
diff --git a/bin/tests/system/dnssec/ns1/named.conf b/bin/tests/system/dnssec/ns1/named.conf
index 833e9375d7..f27ebaf39f 100644
--- a/bin/tests/system/dnssec/ns1/named.conf
+++ b/bin/tests/system/dnssec/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.20 2004/03/10 02:19:53 marka Exp $ */
+/* $Id: named.conf,v 1.21 2006/03/09 23:21:53 marka Exp $ */
 
 // NS1
 
@@ -32,6 +32,7 @@ options {
 	recursion no;
 	notify yes;
 	dnssec-enable yes;
+	dnssec-validation yes;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf
index 66f33bf692..abb3b20d63 100644
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.24 2004/05/05 01:32:57 marka Exp $ */
+/* $Id: named.conf,v 1.25 2006/03/09 23:21:53 marka Exp $ */
 
 // NS2
 
@@ -32,6 +32,7 @@ options {
 	recursion no;
 	notify yes;
 	dnssec-enable yes;
+	dnssec-validation yes;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 71e88928e8..6455101b32 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.27 2004/05/05 01:32:57 marka Exp $ */
+/* $Id: named.conf,v 1.28 2006/03/09 23:21:53 marka Exp $ */
 
 // NS3
 
@@ -32,6 +32,7 @@ options {
 	recursion no;
 	notify yes;
 	dnssec-enable yes;
+	dnssec-validation yes;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf
index 040e481e4c..25b4138d8e 100644
--- a/bin/tests/system/dnssec/ns4/named.conf
+++ b/bin/tests/system/dnssec/ns4/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.23 2004/04/15 23:40:23 marka Exp $ */
+/* $Id: named.conf,v 1.24 2006/03/09 23:21:53 marka Exp $ */
 
 // NS4
 
@@ -31,6 +31,7 @@ options {
 	listen-on-v6 { none; };
 	recursion yes;
 	dnssec-enable yes;
+	dnssec-validation yes;
 	dnssec-must-be-secure mustbesecure.example yes;
 };
 
diff --git a/bin/tests/system/dnssec/ns5/named.conf b/bin/tests/system/dnssec/ns5/named.conf
index 29191295a3..09237206be 100644
--- a/bin/tests/system/dnssec/ns5/named.conf
+++ b/bin/tests/system/dnssec/ns5/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.20 2004/03/10 02:19:54 marka Exp $ */
+/* $Id: named.conf,v 1.21 2006/03/09 23:21:53 marka Exp $ */
 
 // NS5
 
@@ -31,6 +31,7 @@ options {
 	listen-on-v6 { none; };
 	recursion yes;
 	dnssec-enable yes;
+	dnssec-validation yes;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/ns6/named.conf b/bin/tests/system/dnssec/ns6/named.conf
index 4fcd5894b4..ed6413196c 100644
--- a/bin/tests/system/dnssec/ns6/named.conf
+++ b/bin/tests/system/dnssec/ns6/named.conf
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.7 2004/06/04 02:31:41 marka Exp $ */
+/* $Id: named.conf,v 1.8 2006/03/09 23:21:53 marka Exp $ */
 
 // NS6
 
@@ -32,6 +32,7 @@ options {
 	notify yes;
 	disable-algorithms . { DSA; };
 	dnssec-enable yes;
+	dnssec-validation yes;
 	dnssec-lookaside . trust-anchor dlv;
 };
 
diff --git a/bin/tests/system/lwresd/ns1/named.conf b/bin/tests/system/lwresd/ns1/named.conf
index f04aa97c4f..6dbfef307a 100644
--- a/bin/tests/system/lwresd/ns1/named.conf
+++ b/bin/tests/system/lwresd/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.15 2004/03/10 02:19:54 marka Exp $ */
+/* $Id: named.conf,v 1.16 2006/03/09 23:21:54 marka Exp $ */
 
 controls { /* empty */ };
 
@@ -30,6 +30,7 @@ options {
 	recursion no;
 	notify no;
 	dnssec-enable yes;
+	dnssec-validation yes;
 };
 
 zone "." {
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index c3d888ea46..55285f1db0 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -4393,6 +4393,7 @@ category notify { null; };
      use-id-pool yes_or_no; 
      maintain-ixfr-base yes_or_no; 
      dnssec-enable yes_or_no; 
+     dnssec-validation yes_or_no; 
      dnssec-lookaside domain trust-anchor domain; 
      dnssec-must-be-secure domain yes_or_no; 
      dnssec-accept-expired yes_or_no; 
@@ -5484,6 +5485,18 @@ options {
                 
                   Enable DNSSEC support in named.  Unless set to yes
                   named behaves as if it does not support DNSSEC.
+                  The default is yes.
+                
+              
+            
+
+            
+              dnssec-validation
+              
+                
+                  Enable DNSSEC validation in named.
+		  Note dnssec-enable also needs to be
+		  set to yes to be effective.
                   The default is no.
                 
               
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index cef648a6eb..5e2e3ef760 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.72 2006/03/06 01:27:52 marka Exp $ */
+/* $Id: check.c,v 1.73 2006/03/09 23:21:54 marka Exp $ */
 
 /*! \file */
 
@@ -1394,6 +1394,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult = ISC_R_SUCCESS;
 	cfg_aclconfctx_t actx;
+	cfg_obj_t *obj;
+	isc_boolean_t enablednssec, enablevalidation;
 
 	/*
 	 * Check that all zone statements are syntactically correct and
@@ -1499,6 +1501,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 			result = ISC_R_FAILURE;
 	}
 
+	/*
+	 * Check that dnssec-enable/dnssec-validation are sensible.
+	 */
+	obj = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "dnssec-enable", &obj);
+	if (obj == NULL)
+		(void)cfg_map_get(config, "dnssec-enable", &obj);
+	if (obj == NULL)
+		enablednssec = ISC_TRUE;
+	else
+		enablednssec = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "dnssec-validation", &obj);
+	if (obj == NULL)
+		(void)cfg_map_get(config, "dnssec-validation", &obj);
+	if (obj == NULL)
+		enablevalidation = ISC_FALSE;	/* XXXMPA Change for 9.5. */
+	else
+		enablevalidation = cfg_obj_asboolean(obj);
+
+	if (enablevalidation && !enablednssec)
+		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+			    "'dnssec-validation yes;' and 'dnssec-enable no;'");
+
 	if (voptions != NULL)
 		tresult = check_options(voptions, logctx, mctx);
 	else
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index fa00fa96bd..debe893a1c 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.100 2006/01/05 00:01:46 marka Exp $ */
+/* $Id: view.h,v 1.101 2006/03/09 23:21:54 marka Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -112,6 +112,7 @@ struct dns_view {
 	isc_boolean_t			additionalfromauth;
 	isc_boolean_t			minimalresponses;
 	isc_boolean_t			enablednssec;
+	isc_boolean_t			enablevalidation;
 	isc_boolean_t			acceptexpired;
 	dns_transfer_format_t		transfer_format;
 	dns_acl_t *			queryacl;
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 14c895befa..191552b4f2 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.329 2006/02/17 00:24:21 marka Exp $ */
+/* $Id: resolver.c,v 1.330 2006/03/09 23:21:54 marka Exp $ */
 
 /*! \file */
 
@@ -3536,14 +3536,16 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	/*
 	 * Is DNSSEC validation required for this name?
 	 */
-	result = dns_keytable_issecuredomain(res->view->secroots, name,
-					     &secure_domain);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	if (res->view->enablevalidation) {
+		result = dns_keytable_issecuredomain(res->view->secroots, name,
+						     &secure_domain);
+		if (result != ISC_R_SUCCESS)
+			return (result);
 
-	if (!secure_domain && res->view->dlv != NULL) {
-		valoptions = DNS_VALIDATOR_DLV;
-		secure_domain = ISC_TRUE;
+		if (!secure_domain && res->view->dlv != NULL) {
+			valoptions = DNS_VALIDATOR_DLV;
+			secure_domain = ISC_TRUE;
+		}
 	}
 
 	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
@@ -3955,14 +3957,16 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	/*
 	 * Is DNSSEC validation required for this name?
 	 */
-	result = dns_keytable_issecuredomain(res->view->secroots, name,
-					     &secure_domain);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	if (fctx->res->view->enablevalidation) {
+		result = dns_keytable_issecuredomain(res->view->secroots, name,
+						     &secure_domain);
+		if (result != ISC_R_SUCCESS)
+			return (result);
 
-	if (!secure_domain && res->view->dlv != NULL) {
-		valoptions = DNS_VALIDATOR_DLV;
-		secure_domain = ISC_TRUE;
+		if (!secure_domain && res->view->dlv != NULL) {
+			valoptions = DNS_VALIDATOR_DLV;
+			secure_domain = ISC_TRUE;
+		}
 	}
 
 	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 9dc53a702a..cddcb7a114 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.136 2006/01/05 00:01:46 marka Exp $ */
+/* $Id: view.c,v 1.137 2006/03/09 23:21:54 marka Exp $ */
 
 /*! \file */
 
@@ -160,6 +160,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->additionalfromcache = ISC_TRUE;
 	view->additionalfromauth = ISC_TRUE;
 	view->enablednssec = ISC_TRUE;
+	view->enablevalidation = ISC_TRUE;
 	view->acceptexpired = ISC_FALSE;
 	view->minimalresponses = ISC_FALSE;
 	view->transfer_format = dns_one_answer;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 84fb1e0b14..a37285d703 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.67 2006/03/06 01:27:52 marka Exp $ */
+/* $Id: namedconf.c,v 1.68 2006/03/09 23:21:54 marka Exp $ */
 
 /*! \file */
 
@@ -768,6 +768,7 @@ view_clauses[] = {
 	{ "disable-algorithms", &cfg_type_disablealgorithm,
 	  CFG_CLAUSEFLAG_MULTI },
 	{ "dnssec-enable", &cfg_type_boolean, 0 },
+	{ "dnssec-validation", &cfg_type_boolean, 0 },
 	{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
 	{ "dnssec-must-be-secure",  &cfg_type_mustbesecure,
 	   CFG_CLAUSEFLAG_MULTI },

From 3a9a66b32adf379e680d18e92428058910880119 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 9 Mar 2006 23:30:22 +0000
Subject: [PATCH 113/465] newcopyrights

---
 util/copyrights | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 6823c8b410..6e07828870 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -469,7 +469,7 @@
 ./bin/tests/system/dlv/ns4/hints		ZONE	2004
 ./bin/tests/system/dlv/ns4/named.conf		CONF-C	2004
 ./bin/tests/system/dlv/ns5/hints		ZONE	2004
-./bin/tests/system/dlv/ns5/named.conf		CONF-C	2004
+./bin/tests/system/dlv/ns5/named.conf		CONF-C	2004,2006
 ./bin/tests/system/dlv/ns5/rndc.conf		CONF-C	2004
 ./bin/tests/system/dlv/setup.sh			SH	2004
 ./bin/tests/system/dlv/tests.sh			SH	2004
@@ -477,7 +477,7 @@
 ./bin/tests/system/dnssec/clean.sh		SH	2000,2001,2002,2004
 ./bin/tests/system/dnssec/dnssec_update_test.pl	PERL	2002,2004
 ./bin/tests/system/dnssec/ns1/.cvsignore	X	2000,2001
-./bin/tests/system/dnssec/ns1/named.conf	CONF-C	2000,2001,2004
+./bin/tests/system/dnssec/ns1/named.conf	CONF-C	2000,2001,2004,2006
 ./bin/tests/system/dnssec/ns1/root.db.in	ZONE	2000,2001,2004
 ./bin/tests/system/dnssec/ns1/sign.sh		SH	2000,2001,2002,2003,2004,2006
 ./bin/tests/system/dnssec/ns2/.cvsignore	X	2000,2001
@@ -485,7 +485,7 @@
 ./bin/tests/system/dnssec/ns2/dst.example.db.in	ZONE	2004
 ./bin/tests/system/dnssec/ns2/example.db.in	ZONE	2000,2001,2002,2004
 ./bin/tests/system/dnssec/ns2/insecure.secure.example.db	ZONE	2000,2001,2004
-./bin/tests/system/dnssec/ns2/named.conf	CONF-C	2000,2001,2002,2004
+./bin/tests/system/dnssec/ns2/named.conf	CONF-C	2000,2001,2002,2004,2006
 ./bin/tests/system/dnssec/ns2/private.secure.example.db.in	ZONE	2000,2001,2004
 ./bin/tests/system/dnssec/ns2/rfc2335.example.db	ZONE	2004
 ./bin/tests/system/dnssec/ns2/sign.sh		SH	2000,2001,2002,2003,2004,2006
@@ -494,15 +494,15 @@
 ./bin/tests/system/dnssec/ns3/dynamic.example.db.in	ZONE	2002,2004
 ./bin/tests/system/dnssec/ns3/insecure.example.db	ZONE	2000,2001,2004
 ./bin/tests/system/dnssec/ns3/keyless.example.db.in	ZONE	2001,2002,2004
-./bin/tests/system/dnssec/ns3/named.conf	CONF-C	2000,2001,2002,2004
+./bin/tests/system/dnssec/ns3/named.conf	CONF-C	2000,2001,2002,2004,2006
 ./bin/tests/system/dnssec/ns3/secure.example.db.in	ZONE	2000,2001,2004
 ./bin/tests/system/dnssec/ns3/sign.sh		SH	2000,2001,2002,2004,2006
 ./bin/tests/system/dnssec/ns4/.cvsignore	X	2000,2001
-./bin/tests/system/dnssec/ns4/named.conf	CONF-C	2000,2001,2004
+./bin/tests/system/dnssec/ns4/named.conf	CONF-C	2000,2001,2004,2006
 ./bin/tests/system/dnssec/ns5/.cvsignore	X	2000,2001
-./bin/tests/system/dnssec/ns5/named.conf	CONF-C	2000,2001,2004
+./bin/tests/system/dnssec/ns5/named.conf	CONF-C	2000,2001,2004,2006
 ./bin/tests/system/dnssec/ns5/trusted.conf.bad	CONF-C	2000,2001,2004
-./bin/tests/system/dnssec/ns6/named.conf	CONF-C	2004
+./bin/tests/system/dnssec/ns6/named.conf	CONF-C	2004,2006
 ./bin/tests/system/dnssec/prereq.sh		SH	2000,2001,2002,2004,2006
 ./bin/tests/system/dnssec/setup.sh		SH	2000,2001,2004
 ./bin/tests/system/dnssec/tests.sh		SH	2000,2001,2002,2004,2005,2006
@@ -568,7 +568,7 @@
 ./bin/tests/system/lwresd/ns1/example2.db	ZONE	2000,2001,2002,2004
 ./bin/tests/system/lwresd/ns1/ip6.arpa.db	ZONE	2000,2001,2002,2004
 ./bin/tests/system/lwresd/ns1/ip6.int.db	ZONE	2000,2001,2002,2004
-./bin/tests/system/lwresd/ns1/named.conf	CONF-C	2000,2001,2004
+./bin/tests/system/lwresd/ns1/named.conf	CONF-C	2000,2001,2004,2006
 ./bin/tests/system/lwresd/ns1/root.db		ZONE	2000,2001,2004
 ./bin/tests/system/lwresd/resolv.conf		CONF-SH	2000,2001,2004
 ./bin/tests/system/lwresd/tests.sh		SH	2000,2001,2004

From d2ef84e07b67e72a4bd9c729c6b8228067d17584 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 9 Mar 2006 23:39:00 +0000
Subject: [PATCH 114/465] 2008.   [func]          It is now posssible to
 enable/disable DNSSEC                         validation from rndc.  This is
 useful for the                         mobile hosts where the current
 connection point                         breaks DNSSEC (firewall/proxy).  [RT
 #15592]

                                rndc validation newstate [view]
---
 CHANGES                           |  7 ++++
 bin/named/control.c               |  4 ++-
 bin/named/include/named/control.h |  3 +-
 bin/named/include/named/server.h  |  8 ++++-
 bin/named/query.c                 |  4 ++-
 bin/named/server.c                | 59 ++++++++++++++++++++++++++++++-
 bin/rndc/rndc.c                   |  4 ++-
 lib/dns/validator.c               | 50 ++++----------------------
 8 files changed, 89 insertions(+), 50 deletions(-)

diff --git a/CHANGES b/CHANGES
index 294b8cf2b1..9301170dd8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+2008.	[func]		It is now posssible to enable/disable DNSSEC
+			validation from rndc.  This is useful for the
+			mobile hosts where the current connection point
+			breaks DNSSEC (firewall/proxy).  [RT #15592]
+
+				rndc validation newstate [view]
+
 2007.	[func]		It is now possible to explicitly enable DNSSEC
 			validation.  default dnssec-validation no; to
 			be changed to yes in 9.5.0.  [RT #15674]
diff --git a/bin/named/control.c b/bin/named/control.c
index e8b055daa7..e92b25a4cf 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.26 2005/04/29 00:36:15 marka Exp $ */
+/* $Id: control.c,v 1.27 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -172,6 +172,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
 		result = ns_server_notifycommand(ns_g_server, command, text);
+	} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
+		result = ns_server_validation(ns_g_server, command);
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 18f671215a..08c6b30632 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.21 2006/03/02 00:37:23 marka Exp $ */
+/* $Id: control.h,v 1.22 2006/03/09 23:39:00 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -54,6 +54,7 @@
 #define NS_COMMAND_RECURSING	"recursing"
 #define NS_COMMAND_NULL		"null"
 #define NS_COMMAND_NOTIFY	"notify"
+#define NS_COMMAND_VALIDATION	"validation"
 
 isc_result_t
 ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 3463247b43..bb14786a37 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.82 2006/03/02 00:37:23 marka Exp $ */
+/* $Id: server.h,v 1.83 2006/03/09 23:39:00 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -221,4 +221,10 @@ ns_server_dumprecursing(ns_server_t *server);
 void
 ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
 
+/*%
+ * Enable or disable dnssec validation.
+ */
+isc_result_t
+ns_server_validation(ns_server_t *server, char *args);
+
 #endif /* NAMED_SERVER_H */
diff --git a/bin/named/query.c b/bin/named/query.c
index e8d3ca7f74..4744655834 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.283 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: query.c,v 1.284 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -4424,6 +4424,8 @@ ns_query_start(ns_client_t *client) {
 	if (!client->view->enablednssec) {
 		message->flags &= ~DNS_MESSAGEFLAG_CD;
 		client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
+		if (client->opt != NULL)
+			client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
 	}
 
 	if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
diff --git a/bin/named/server.c b/bin/named/server.c
index 8b5dbe2a2b..94e0c0cb9f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.461 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: server.c,v 1.462 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -1552,6 +1552,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
 		if (result == ISC_R_SUCCESS)
 			CHECK(mustbesecure(obj, view->resolver));
+	} else {
+		if (view->secroots != NULL)
+			dns_keytable_detach(&view->secroots);
+		dns_resolver_resetmustbesecure(view->resolver);
 	}
 
 	obj = NULL;
@@ -4503,6 +4507,59 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+ns_server_validation(ns_server_t *server, char *args) {
+	char *ptr, *viewname;
+	dns_view_t *view;
+	isc_boolean_t changed = ISC_FALSE;
+	isc_result_t result;
+	isc_boolean_t enable;
+
+	/* Skip the command name. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+
+	/* Find out what we are to do. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+
+	if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
+	    !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
+		enable = ISC_TRUE;
+	else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
+		 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
+		enable = ISC_FALSE;
+	else
+		return (DNS_R_SYNTAX);
+
+	/* Look for the view name. */
+	viewname = next_token(&args, " \t");
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
+			continue;
+		result = dns_view_flushcache(view);
+		if (result != ISC_R_SUCCESS)
+			goto out;
+		view->enablevalidation = enable;
+		changed = ISC_TRUE;
+	}
+	if (changed)
+		result = ISC_R_SUCCESS;
+	else
+		result = ISC_R_FAILURE;
+ out:
+	isc_task_endexclusive(server->task);	
+	return (result);
+}
+
 isc_result_t
 ns_server_flushcache(ns_server_t *server, char *args) {
 	char *ptr, *viewname;
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 838082fe16..d4d37e416c 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.110 2006/03/02 00:37:23 marka Exp $ */
+/* $Id: rndc.c,v 1.111 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -132,6 +132,8 @@ command is one of the following:\n\
 		Flush the given name from the server's cache(s)\n\
   status	Display status of the server.\n\
   recursing	Dump the queries that are currently recursing (named.recursing)\n\
+  validation newstate [view]\n\
+		Enable / disable DNSSEC validation.\n\
   *restart	Restart the server.\n\
 \n\
 * == not yet implemented\n\
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index d21abb5376..605f4282a9 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.143 2006/02/26 22:54:47 marka Exp $ */
+/* $Id: validator.c,v 1.144 2006/03/09 23:39:00 marka Exp $ */
 
 /*! \file */
 
@@ -71,9 +71,9 @@
  * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
  *	dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
  *
- * \li When called without a rdataset and with DNS_VALIDATOR_DLV:
- * validator_start -> startfinddlvsep -> dlv_validator_start ->
- *	validator_start -> nsecvalidate -> proveunsecure
+ * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
+ * to always validate the authority section even when it does not contain
+ * signatures.
  *
  * validator_start: determines what type of validation to do.
  * validate: attempts to perform a positive validation.
@@ -92,7 +92,6 @@
 						 * have attempted a verify. */
 #define VALATTR_INSECURITY		0x0010	/*%< Attempting proveunsecure. */
 #define VALATTR_DLVTRIED		0x0020	/*%< Looked for a DLV record. */
-#define VALATTR_AUTHNONPENDING		0x0040	/*%< Tidy up pending auth. */
 
 /*!
  * NSEC proofs to be looked for.
@@ -157,18 +156,11 @@ dlv_validator_start(dns_validator_t *val);
 static isc_result_t
 finddlvsep(dns_validator_t *val, isc_boolean_t resume);
 
-static void
-auth_nonpending(dns_message_t *message);
-
 static isc_result_t
 startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
 
 /*%
  * Mark the RRsets as a answer.
- *
- * If VALATTR_AUTHNONPENDING is set then this is a negative answer
- * in a insecure zone.  We need to mark any pending RRsets as
- * dns_trust_authauthority answers (this is deferred from resolver.c).
  */
 static inline void
 markanswer(dns_validator_t *val) {
@@ -177,9 +169,6 @@ markanswer(dns_validator_t *val) {
 		val->event->rdataset->trust = dns_trust_answer;
 	if (val->event->sigrdataset != NULL)
 		val->event->sigrdataset->trust = dns_trust_answer;
-	if (val->event->message != NULL &&
-	    (val->attributes & VALATTR_AUTHNONPENDING) != 0)
-		auth_nonpending(val->event->message);
 }
 
 static void
@@ -218,31 +207,6 @@ exit_check(dns_validator_t *val) {
 	return (ISC_TRUE);
 }
 
-/*%
- * Mark pending answers in the authority section as dns_trust_authauthority.
- */
-static void
-auth_nonpending(dns_message_t *message) {
-	isc_result_t result;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-
-	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
-	{
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link))
-		{
-			if (rdataset->trust == dns_trust_pending)
-				rdataset->trust = dns_trust_authauthority;
-		}
-	}
-}
-
 /*%
  * Look in the NSEC record returned from a DS query to see if there is
  * a NS RRset at this name.  If it is found we are at a delegation point.
@@ -2136,8 +2100,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 				    sigrdataset->covers == rdataset->type)
 					break;
 			}
-			if (sigrdataset == NULL)
-				continue;
 			/*
 			 * If a signed zone is missing the zone key, bad
 			 * things could happen.  A query for data in the zone
@@ -2226,7 +2188,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 
 	validator_log(val, ISC_LOG_DEBUG(3),
 		      "nonexistence proof(s) not found");
-	val->attributes |= VALATTR_AUTHNONPENDING;
 	val->attributes |= VALATTR_INSECURITY;
 	return (proveunsecure(val, ISC_FALSE));
 }
@@ -2753,7 +2714,8 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 
 	LOCK(&val->lock);
 
-	if ((val->options & DNS_VALIDATOR_DLV) != 0) {
+	if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
+	     val->event->rdataset != NULL) {
 		validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
 		result = startfinddlvsep(val, dns_rootname);
 	} else if (val->event->rdataset != NULL &&

From 84910d09ee8244027c7031e03999bc60a3d63adb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 9 Mar 2006 23:57:56 +0000
Subject: [PATCH 115/465] 2009.   [bug]           libbind: coverity fixes. [RT
 #15808]

---
 CHANGES                          |  2 ++
 bin/named/named.docbook          | 12 +++++++++---
 lib/bind/dst/dst_api.c           | 23 +++++++++++++----------
 lib/bind/dst/hmac_link.c         | 25 ++++++++++++++-----------
 lib/bind/irs/dns.c               |  4 ++--
 lib/bind/irs/dns_ho.c            | 12 +++++-------
 lib/bind/irs/gai_strerror.c      | 25 +++++++++++++++++++------
 lib/bind/irs/gen_ho.c            |  4 +---
 lib/bind/irs/getaddrinfo.c       |  9 +++------
 lib/bind/irs/irp.c               |  5 ++++-
 lib/bind/irs/irp_nw.c            |  4 +++-
 lib/bind/irs/irpmarshall.c       |  6 +++---
 lib/bind/irs/irs_data.c          | 20 ++++++++++++++------
 lib/bind/irs/lcl_ho.c            |  4 ++--
 lib/bind/irs/lcl_pr.c            | 10 +++++++++-
 lib/bind/isc/ev_connects.c       | 10 +++++-----
 lib/bind/isc/eventlib.c          |  9 +++------
 lib/bind/isc/eventlib_p.h        |  4 +++-
 lib/bind/isc/heap.c              | 10 +++++++---
 lib/bind/nameser/ns_sign.c       |  7 +++++--
 lib/bind/nameser/ns_verify.c     |  6 ++++--
 lib/bind/resolv/mtctxres.c       |  7 ++++---
 lib/bind/resolv/res_sendsigned.c |  5 +++--
 lib/dns/masterdump.c             |  5 +++--
 24 files changed, 140 insertions(+), 88 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9301170dd8..58dece775c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2009.	[bug]		libbind: coverity fixes. [RT #15808]
+
 2008.	[func]		It is now posssible to enable/disable DNSSEC
 			validation from rndc.  This is useful for the
 			mobile hosts where the current connection point
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index bb7dcb4293..c43e3571ff 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -351,10 +351,16 @@
       RFC 1034,
       RFC 1035,
       
-        rndc8
+        rndc
+	8
       ,
       
-        lwresd8
+        lwresd
+	8
+      ,
+      
+	named.conf
+	5
       ,
       BIND 9 Administrator Reference Manual.
     
diff --git a/lib/bind/dst/dst_api.c b/lib/bind/dst/dst_api.c
index 3234b29691..d08570cd69 100644
--- a/lib/bind/dst/dst_api.c
+++ b/lib/bind/dst/dst_api.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/dst_api.c,v 1.14 2005/10/11 00:10:13 marka Exp $";
+static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/dst_api.c,v 1.15 2006/03/09 23:57:56 marka Exp $";
 #endif
 
 /*
@@ -170,6 +170,10 @@ dst_s_get_key_struct(const char *name, const int alg, const int flags,
 
 	memset(new_key, 0, sizeof(*new_key));
 	new_key->dk_key_name = strdup(name);
+	if (new_key->dk_key_name == NULL) {
+		free(new_key);
+		return (NULL);
+	}
 	new_key->dk_alg = alg;
 	new_key->dk_flags = flags;
 	new_key->dk_proto = protocol;
@@ -649,11 +653,13 @@ dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
 			 alg));
 		return (NULL);
 	}
-	if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
-		return (NULL);
 
 	if (in_name == NULL)
 		return (NULL);
+
+	if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
+		return (NULL);
+
 	key_st->dk_id = dst_s_dns_key_id(rdata, len);
 	key_st->dk_flags = dst_s_get_int16(rdata);
 	key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
@@ -764,13 +770,11 @@ dst_buffer_to_key(const char *key_name,		/*!< name of the key  */
 		return (NULL);
 	}
 
-	dkey = dst_s_get_key_struct(key_name, alg, flags, 
-					     protocol, -1);
+	dkey = dst_s_get_key_struct(key_name, alg, flags, protocol, -1);
 
-	if (dkey == NULL)
-		return (NULL);
-	if (dkey->dk_func == NULL || dkey->dk_func->from_dns_key == NULL)
-		return NULL;
+	if (dkey == NULL || dkey->dk_func == NULL ||
+	    dkey->dk_func->from_dns_key == NULL) 
+		return (dst_free_key(dkey));
 
 	if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
 		EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
@@ -1003,7 +1007,6 @@ dst_free_key(DST_KEY *f_key)
 	else {
 		EREPORT(("dst_free_key(): Unknown key alg %d\n",
 			 f_key->dk_alg));
-		free(f_key->dk_KEY_struct);	/*%< SHOULD NOT happen */
 	}
 	if (f_key->dk_KEY_struct) {
 		free(f_key->dk_KEY_struct);
diff --git a/lib/bind/dst/hmac_link.c b/lib/bind/dst/hmac_link.c
index 3987a84c08..8d58bdec33 100644
--- a/lib/bind/dst/hmac_link.c
+++ b/lib/bind/dst/hmac_link.c
@@ -1,6 +1,6 @@
 #ifdef HMAC_MD5
 #ifndef LINT
-static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/hmac_link.c,v 1.5 2005/07/28 06:51:46 marka Exp $";
+static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/hmac_link.c,v 1.6 2006/03/09 23:57:56 marka Exp $";
 #endif
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
@@ -93,6 +93,9 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	int sign_len = 0;
 	MD5_CTX *ctx = NULL;
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
+
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -100,8 +103,6 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
-	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
-		return (-1);
 	key = (HMAC_Key *) d_key->dk_KEY_struct;
 
 	if (mode & SIG_MODE_INIT) {
@@ -160,6 +161,9 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	HMAC_Key *key;
 	MD5_CTX *ctx = NULL;
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
+
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -167,9 +171,6 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
-	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
-		return (-1);
-
 	key = (HMAC_Key *) d_key->dk_KEY_struct;
 	if (mode & SIG_MODE_INIT) {
 		MD5Init(ctx);
@@ -272,7 +273,7 @@ dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen)
 
 static int
 dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
-			    const int buff_len)
+			        const int buff_len)
 {
 	char *bp;
 	int len, b_len, i, key_len;
@@ -288,7 +289,7 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
 	/* write file header */
 	sprintf(buff, key_file_fmt_str, KEY_FILE_FORMAT, KEY_HMAC_MD5, "HMAC");
 
-	bp = (char *) strchr(buff, '\0');
+	bp = buff + strlen(buff);
 	b_len = buff_len - (bp - buff);
 
 	memset(key, 0, HMAC_LEN);
@@ -333,9 +334,9 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 {
 	const char *p = buff, *eol;
 	u_char key[HMAC_LEN+1];	/* b64_pton needs more than 64 bytes do decode
-							 * it should probably be fixed rather than doing
-							 * this
-							 */
+				 * it should probably be fixed rather than doing
+				 * this
+				 */
 	u_char *tmp;
 	int key_len, len;
 
@@ -354,6 +355,8 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 		return (-4);
 	len = eol - p;
 	tmp = malloc(len + 2);
+	if (tmp == NULL)
+		return (-5);
 	memcpy(tmp, p, len);
 	*(tmp + len) = 0x0;
 	key_len = b64_pton((char *)tmp, key, HMAC_LEN+1);	/*%< see above */
diff --git a/lib/bind/irs/dns.c b/lib/bind/irs/dns.c
index d2d3373861..cbea94680e 100644
--- a/lib/bind/irs/dns.c
+++ b/lib/bind/irs/dns.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns.c,v 1.4 2005/04/27 04:56:21 sra Exp $";
+static const char rcsid[] = "$Id: dns.c,v 1.5 2006/03/09 23:57:56 marka Exp $";
 #endif
 
 /*! \file
@@ -115,7 +115,7 @@ dns_res_get(struct irs_acc *this) {
 		res = (struct __res_state *)malloc(sizeof *res);
 		if (res == NULL)
 			return (NULL);
-		memset(dns->res, 0, sizeof *dns->res);
+		memset(res, 0, sizeof *res);
 		dns_res_set(this, res, free);
 	}
 
diff --git a/lib/bind/irs/dns_ho.c b/lib/bind/irs/dns_ho.c
index 617b697040..d586bad32b 100644
--- a/lib/bind/irs/dns_ho.c
+++ b/lib/bind/irs/dns_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.19 2006/03/08 03:12:24 marka Exp $";
+static const char rcsid[] = "$Id: dns_ho.c,v 1.20 2006/03/09 23:57:56 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -216,8 +216,7 @@ ho_close(struct irs_ho *this) {
 	ho_minimize(this);
 	if (pvt->res && pvt->free_res)
 		(*pvt->free_res)(pvt->res);
-	if (pvt)
-		memput(pvt, sizeof *pvt);
+	memput(pvt, sizeof *pvt);
 	memput(this, sizeof *this);
 }
 
@@ -645,10 +644,9 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		if (ai) {
 			querystate = RESQRY_SUCCESS;
 			cur->ai_next = ai;
-			while (cur && cur->ai_next)
+			while (cur->ai_next)
 				cur = cur->ai_next;
-		}
-		else
+		} else
 			querystate = RESQRY_FAIL;
 	}
 
@@ -944,7 +942,7 @@ gethostans(struct irs_ho *this,
 				continue;
 			}
 			if (ret_aip) { /*%< need addrinfo. keep it. */
-				while (cur && cur->ai_next)
+				while (cur->ai_next)
 					cur = cur->ai_next;
 			} else if (cur->ai_next) { /*%< need hostent */
 				struct addrinfo *aip = cur->ai_next;
diff --git a/lib/bind/irs/gai_strerror.c b/lib/bind/irs/gai_strerror.c
index dc2e341749..29196a0a15 100644
--- a/lib/bind/irs/gai_strerror.c
+++ b/lib/bind/irs/gai_strerror.c
@@ -65,18 +65,26 @@ gai_strerror(int ecode) {
 
 #ifdef DO_PTHREADS
         if (!once) {
-                pthread_mutex_lock(&lock);
-                if (!once++)
-                        pthread_key_create(&key, free);
-                pthread_mutex_unlock(&lock);
+                if (pthread_mutex_lock(&lock) != 0)
+			goto unknown;
+                if (!once) {
+                        if (pthread_key_create(&key, free) != 0)
+				goto unknown;
+			once = 1;
+		}
+                if (pthread_mutex_unlock(&lock) != 0)
+			goto unknown;
         }
 
 	buf = pthread_getspecific(key);
         if (buf == NULL) {
 		buf = malloc(EAI_BUFSIZE);
                 if (buf == NULL)
-                        return ("unknown error");
-                pthread_setspecific(key, buf);
+                        goto unknown;
+                if (pthread_setspecific(key, buf) != 0) {
+			free(buf);
+			goto unknown;
+		}
         }
 #endif
 	/* 
@@ -85,6 +93,11 @@ gai_strerror(int ecode) {
 	 */
 	sprintf(buf, "%s: %d", gai_errlist[gai_nerr - 1], ecode);
 	return (buf);
+
+#ifdef DO_PTHREADS
+ unknown:
+	return ("unknown error");
+#endif
 }
 
 /*! \file */
diff --git a/lib/bind/irs/gen_ho.c b/lib/bind/irs/gen_ho.c
index 59060cd3b3..d38ea26b86 100644
--- a/lib/bind/irs/gen_ho.c
+++ b/lib/bind/irs/gen_ho.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gen_ho.c,v 1.4 2005/04/27 04:56:23 sra Exp $";
+static const char rcsid[] = "$Id: gen_ho.c,v 1.5 2006/03/09 23:57:56 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -371,8 +371,6 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 	}
 	if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
 		RES_SET_H_ERRNO(pvt->res, therrno);
-	if (rval)
-		freeaddrinfo(rval);
 	return (NULL);
 }
 
diff --git a/lib/bind/irs/getaddrinfo.c b/lib/bind/irs/getaddrinfo.c
index a1ea15d684..e27037c9a2 100644
--- a/lib/bind/irs/getaddrinfo.c
+++ b/lib/bind/irs/getaddrinfo.c
@@ -579,9 +579,6 @@ getaddrinfo(hostname, servname, hints, res)
 	}
 
 	freeaddrinfo(afai);	/*%< afai must not be NULL at this point. */
-	/* we must not have got any errors. */
-	if (error != 0) /*%< just for diagnosis */
-		abort();
 
 	if (sentinel.ai_next) {
 good:
@@ -807,7 +804,7 @@ explore_numeric(pai, hostname, servname, res)
 			    pai->ai_family == PF_UNSPEC /*?*/) {
 				GET_AI(cur->ai_next, afd, pton);
 				GET_PORT(cur->ai_next, servname);
-				while (cur && cur->ai_next)
+				while (cur->ai_next)
 					cur = cur->ai_next;
 			} else
 				ERR(EAI_FAMILY);	/*xxx*/
@@ -820,7 +817,7 @@ explore_numeric(pai, hostname, servname, res)
 			    pai->ai_family == PF_UNSPEC /*?*/) {
 				GET_AI(cur->ai_next, afd, pton);
 				GET_PORT(cur->ai_next, servname);
-				while (cur && cur->ai_next)
+				while (cur->ai_next)
 					cur = cur->ai_next;
 			} else
 				ERR(EAI_FAMILY);	/*xxx*/
@@ -1204,7 +1201,7 @@ hostent2addrinfo(hp, pai)
 			 */
 			GET_CANONNAME(cur->ai_next, hp->h_name);
 		}
-		while (cur && cur->ai_next) /*%< no need to loop, actually. */
+		while (cur->ai_next) /*%< no need to loop, actually. */
 			cur = cur->ai_next;
 		continue;
 
diff --git a/lib/bind/irs/irp.c b/lib/bind/irs/irp.c
index e4915aebd3..3bd43783cd 100644
--- a/lib/bind/irs/irp.c
+++ b/lib/bind/irs/irp.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp.c,v 1.8 2006/02/26 22:54:47 marka Exp $";
+static const char rcsid[] = "$Id: irp.c,v 1.9 2006/03/09 23:57:56 marka Exp $";
 #endif
 
 /* Imports */
@@ -414,6 +414,9 @@ irs_irp_read_body(struct irp_p *pvt, size_t *size) {
 	char *buffer = memget(len);
 	int idx = 0;
 
+	if (buffer == NULL)
+		return (NULL);
+
 	for (;;) {
 		if (irs_irp_read_line(pvt, line, sizeof line) <= 0 ||
 		    strchr(line, '\n') == NULL)
diff --git a/lib/bind/irs/irp_nw.c b/lib/bind/irs/irp_nw.c
index 7146817f3b..eb4654f9b9 100644
--- a/lib/bind/irs/irp_nw.c
+++ b/lib/bind/irs/irp_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_nw.c,v 1.3 2005/04/27 04:56:28 sra Exp $";
+static const char rcsid[] = "$Id: irp_nw.c,v 1.4 2006/03/09 23:57:56 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -297,6 +297,8 @@ nw_next(struct irs_nw *this) {
 		nw = NULL;
 	}
 
+	if (body != NULL)
+		memput(body, bodylen);
 	return (nw);
 }
 
diff --git a/lib/bind/irs/irpmarshall.c b/lib/bind/irs/irpmarshall.c
index 4f0a9fbfb6..85ffff1866 100644
--- a/lib/bind/irs/irpmarshall.c
+++ b/lib/bind/irs/irpmarshall.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irpmarshall.c,v 1.6 2005/04/27 04:56:29 sra Exp $";
+static const char rcsid[] = "$Id: irpmarshall.c,v 1.7 2006/03/09 23:57:56 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -994,7 +994,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 	int hoaddrtype;
 	int holength;
 	long t;
-	char *name = NULL;
+	char *name;
 	char **aliases = NULL;
 	char **hohaddrlist = NULL;
 	size_t hoaddrsize;
@@ -1117,6 +1117,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 	errno = myerrno;
 
 	if (name != NULL) free(name);
+	free_array(hohaddrlist, 0);
 	free_array(aliases, 0);
 
 	return (-1);
@@ -1285,7 +1286,6 @@ irp_unmarshall_ng(const char **hostp, const char **userp, const char **domainp,
 
 	if (host != NULL) free(host);
 	if (user != NULL) free(user);
-	if (domain != NULL) free(domain);
 
 	return (-1);
 }
diff --git a/lib/bind/irs/irs_data.c b/lib/bind/irs/irs_data.c
index ed484d2209..ca18394527 100644
--- a/lib/bind/irs/irs_data.c
+++ b/lib/bind/irs/irs_data.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irs_data.c,v 1.9 2005/04/27 04:56:30 sra Exp $";
+static const char rcsid[] = "$Id: irs_data.c,v 1.10 2006/03/09 23:57:56 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -129,10 +129,15 @@ net_data_init(const char *conf_file) {
 	struct net_data *net_data;
 
 	if (!once) {
-		pthread_mutex_lock(&keylock);
-		if (!once++)
-			pthread_key_create(&key, net_data_destroy);
-		pthread_mutex_unlock(&keylock);
+		if (pthread_mutex_lock(&keylock) != 0)
+			return (NULL);
+		if (!once) {
+			if (pthread_key_create(&key, net_data_destroy) != 0)
+				return (NULL);
+			once = 1;
+		}
+		if (pthread_mutex_unlock(&keylock) != 0)
+			return (NULL);
 	}
 	net_data = pthread_getspecific(key);
 #endif
@@ -142,7 +147,10 @@ net_data_init(const char *conf_file) {
 		if (net_data == NULL)
 			return (NULL);
 #ifdef	DO_PTHREADS
-		pthread_setspecific(key, net_data);
+		if (pthread_setspecific(key, net_data) != 0) {
+			net_data_destroy(net_data);
+			return (NULL);
+		}
 #endif
 	}
 
diff --git a/lib/bind/irs/lcl_ho.c b/lib/bind/irs/lcl_ho.c
index 806ffcda67..6c5246a5c4 100644
--- a/lib/bind/irs/lcl_ho.c
+++ b/lib/bind/irs/lcl_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_ho.c,v 1.4 2005/04/27 04:56:30 sra Exp $";
+static const char rcsid[] = "$Id: lcl_ho.c,v 1.5 2006/03/09 23:57:56 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -541,7 +541,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		ai = hostent2addrinfo(hp, pai);
 		if (ai) {
 			cur->ai_next = ai;
-			while (cur && cur->ai_next)
+			while (cur->ai_next)
 				cur = cur->ai_next;
 		}
 	}
diff --git a/lib/bind/irs/lcl_pr.c b/lib/bind/irs/lcl_pr.c
index 92e399051e..622158eb17 100644
--- a/lib/bind/irs/lcl_pr.c
+++ b/lib/bind/irs/lcl_pr.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pr.c,v 1.3 2005/04/27 04:56:31 sra Exp $";
+static const char rcsid[] = "$Id: lcl_pr.c,v 1.4 2006/03/09 23:57:56 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
@@ -85,6 +85,7 @@ static const char rcsid[] = "$Id: lcl_pr.c,v 1.3 2005/04/27 04:56:31 sra Exp $";
 struct pvt {
 	FILE *		fp;
 	char		line[BUFSIZ+1];
+	char *		dbuf;
 	struct protoent	proto;
 	char *		proto_aliases[MAXALIASES];
 };
@@ -141,6 +142,8 @@ pr_close(struct irs_pr *this) {
 
 	if (pvt->fp)
 		(void) fclose(pvt->fp);
+	if (pvt->dbuf)
+		free(pvt->dbuf);
 	memput(pvt, sizeof *pvt);
 	memput(this, sizeof *this);
 }
@@ -202,6 +205,10 @@ pr_next(struct irs_pr *this) {
 		pr_rewind(this);
 	if (!pvt->fp)
 		return (NULL);
+	if (pvt->dbuf) {
+		free(pvt->dbuf);
+		pvt->dbuf = NULL;
+	}
 	bufp = pvt->line;
 	bufsiz = BUFSIZ;
 	offset = 0;
@@ -270,6 +277,7 @@ pr_next(struct irs_pr *this) {
 		}
 	}
 	*q = NULL;
+	pvt->dbuf = dbuf;
 	return (&pvt->proto);
 }
 
diff --git a/lib/bind/isc/ev_connects.c b/lib/bind/isc/ev_connects.c
index 013dd5cb84..38dfdbe512 100644
--- a/lib/bind/isc/ev_connects.c
+++ b/lib/bind/isc/ev_connects.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_connects.c,v 1.7 2005/07/08 04:30:21 marka Exp $";
+static const char rcsid[] = "$Id: ev_connects.c,v 1.8 2006/03/09 23:57:56 marka Exp $";
 #endif
 
 /* Import. */
@@ -69,7 +69,7 @@ evListen(evContext opaqueCtx, int fd, int maxconn,
 
 	OKNEW(new);
 	new->flags = EV_CONN_LISTEN;
-	OK(mode = fcntl(fd, F_GETFL, NULL));	/*%< side effect: validate fd. */
+	OKFREE(mode = fcntl(fd, F_GETFL, NULL), new);	/*%< side effect: validate fd. */
 	/*
 	 * Remember the nonblocking status.  We assume that either evSelectFD
 	 * has not been done to this fd, or that if it has then the caller
@@ -80,13 +80,13 @@ evListen(evContext opaqueCtx, int fd, int maxconn,
 	if ((mode & PORT_NONBLOCK) == 0) {
 #ifdef USE_FIONBIO_IOCTL
 		int on = 1;
-		OK(ioctl(fd, FIONBIO, (char *)&on));
+		OKFREE(ioctl(fd, FIONBIO, (char *)&on), new);
 #else
-		OK(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK));
+		OKFREE(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK), new);
 #endif
 		new->flags |= EV_CONN_BLOCK;
 	}
-	OK(listen(fd, maxconn));
+	OKFREE(listen(fd, maxconn), new);
 	if (evSelectFD(opaqueCtx, fd, EV_READ, listener, new, &new->file) < 0){
 		int save = errno;
 
diff --git a/lib/bind/isc/eventlib.c b/lib/bind/isc/eventlib.c
index 37f3789c8c..be4a7848b9 100644
--- a/lib/bind/isc/eventlib.c
+++ b/lib/bind/isc/eventlib.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: eventlib.c,v 1.9 2005/07/28 06:51:49 marka Exp $";
+static const char rcsid[] = "$Id: eventlib.c,v 1.10 2006/03/09 23:57:56 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -783,13 +783,10 @@ pselect(int nfds, void *rfds, void *wfds, void *efds,
 		pnfds = 0;
 	}
 	n = poll(fds, pnfds, polltimeout);
-	/*
-	 * pselect() should return the total number of events on the file
-	 * desriptors, not just the count of fd:s with activity. Hence,
-	 * traverse the pollfds array and count the events.
-	 */
 	if (n > 0) {
 		int     i, e;
+
+		INSIST(ctx != NULL);
 		for (e = 0, i = ctx->firstfd; i <= ctx->fdMax; i++) {
 			if (ctx->pollfds[i].fd < 0)
 				continue;
diff --git a/lib/bind/isc/eventlib_p.h b/lib/bind/isc/eventlib_p.h
index 9eedff9383..0a3614ab23 100644
--- a/lib/bind/isc/eventlib_p.h
+++ b/lib/bind/isc/eventlib_p.h
@@ -19,7 +19,7 @@
  * \brief private interfaces for eventlib
  * \author vix 09sep95 [initial]
  *
- * $Id: eventlib_p.h,v 1.8 2005/07/28 06:51:49 marka Exp $
+ * $Id: eventlib_p.h,v 1.9 2006/03/09 23:57:56 marka Exp $
  */
 
 #ifndef _EVENTLIB_P_H
@@ -46,6 +46,8 @@
 #define	EV_MASK_ALL	(EV_READ | EV_WRITE | EV_EXCEPT)
 #define EV_ERR(e)		return (errno = (e), -1)
 #define OK(x)		if ((x) < 0) EV_ERR(errno); else (void)NULL
+#define OKFREE(x, y)	if ((x) < 0) { FREE((y)); EV_ERR(errno); } \
+			else (void)NULL
 
 #define	NEW(p)		if (((p) = memget(sizeof *(p))) != NULL) \
 				FILL(p); \
diff --git a/lib/bind/isc/heap.c b/lib/bind/isc/heap.c
index ae645ae966..3d22b6fc71 100644
--- a/lib/bind/isc/heap.c
+++ b/lib/bind/isc/heap.c
@@ -26,7 +26,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: heap.c,v 1.3 2005/04/27 04:56:38 sra Exp $";
+static const char rcsid[] = "$Id: heap.c,v 1.4 2006/03/09 23:57:56 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -54,9 +54,13 @@ heap_new(heap_higher_priority_func higher_priority, heap_index_func index,
 	 int array_size_increment) {
 	heap_context ctx;
 
-	ctx = (heap_context)malloc(sizeof (struct heap_context));
-	if (ctx == NULL || higher_priority == NULL)
+	if (higher_priority == NULL)
 		return (NULL);
+
+	ctx = (heap_context)malloc(sizeof (struct heap_context));
+	if (ctx == NULL)
+		return (NULL);
+
 	ctx->array_size = 0;
 	if (array_size_increment == 0)
 		ctx->array_size_increment = ARRAY_SIZE_INCREMENT;
diff --git a/lib/bind/nameser/ns_sign.c b/lib/bind/nameser/ns_sign.c
index 724e17daae..5748a090d9 100644
--- a/lib/bind/nameser/ns_sign.c
+++ b/lib/bind/nameser/ns_sign.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_sign.c,v 1.5 2005/04/27 04:56:40 sra Exp $";
+static const char rcsid[] = "$Id: ns_sign.c,v 1.6 2006/03/09 23:57:56 marka Exp $";
 #endif
 
 /* Import. */
@@ -91,7 +91,7 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 {
 	HEADER *hp = (HEADER *)msg;
 	DST_KEY *key = (DST_KEY *)k;
-	u_char *cp = msg + *msglen, *eob = msg + msgsize;
+	u_char *cp, *eob;
 	u_char *lenp;
 	u_char *alg;
 	int n;
@@ -102,6 +102,9 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 	if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
 		return (-1);
 
+	cp = msg + *msglen;
+	eob = msg + msgsize;
+
 	/* Name. */
 	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
 		n = ns_name_pton(key->dk_key_name, name, sizeof name);
diff --git a/lib/bind/nameser/ns_verify.c b/lib/bind/nameser/ns_verify.c
index 7356173b95..97c012db8f 100644
--- a/lib/bind/nameser/ns_verify.c
+++ b/lib/bind/nameser/ns_verify.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_verify.c,v 1.4 2005/10/11 00:10:15 marka Exp $";
+static const char rcsid[] = "$Id: ns_verify.c,v 1.5 2006/03/09 23:57:56 marka Exp $";
 #endif
 
 /* Import. */
@@ -344,7 +344,7 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 	HEADER *hp = (HEADER *)msg;
 	u_char *recstart, *sigstart;
 	unsigned int sigfieldlen, otherfieldlen;
-	u_char *cp, *eom = msg + *msglen, *cp2;
+	u_char *cp, *eom, *cp2;
 	char name[MAXDNAME], alg[MAXDNAME];
 	u_char buf[MAXDNAME];
 	int n, type, length, fudge, error;
@@ -353,6 +353,8 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 	if (msg == NULL || msglen == NULL || state == NULL)
 		return (-1);
 
+	eom = msg + *msglen;
+
 	state->counter++;
 	if (state->counter == 0)
 		return (ns_verify(msg, msglen, state->key,
diff --git a/lib/bind/resolv/mtctxres.c b/lib/bind/resolv/mtctxres.c
index f33cf11e3f..635bbd4400 100644
--- a/lib/bind/resolv/mtctxres.c
+++ b/lib/bind/resolv/mtctxres.c
@@ -106,9 +106,10 @@ ___mtctxres(void) {
 	 */
 	if (!mt_key_initialized) {
 		static pthread_mutex_t keylock = PTHREAD_MUTEX_INITIALIZER;
-                pthread_mutex_lock(&keylock);
-		_mtctxres_init();
-                pthread_mutex_unlock(&keylock);
+                if (pthread_mutex_lock(&keylock) == 0) {
+			_mtctxres_init();
+			(void) pthread_mutex_unlock(&keylock);
+		}
 	}
 
 	/*
diff --git a/lib/bind/resolv/res_sendsigned.c b/lib/bind/resolv/res_sendsigned.c
index 2a4a6efd5e..63ae07ce3d 100644
--- a/lib/bind/resolv/res_sendsigned.c
+++ b/lib/bind/resolv/res_sendsigned.c
@@ -52,6 +52,7 @@ res_nsendsigned(res_state statp, const u_char *msg, int msglen,
 	bufsize = msglen + 1024;
 	newmsg = (u_char *) malloc(bufsize);
 	if (newmsg == NULL) {
+		free(nstatp);
 		errno = ENOMEM;
 		return (-1);
 	}
@@ -102,11 +103,11 @@ res_nsendsigned(res_state statp, const u_char *msg, int msglen,
 retry:
 
 	len = res_nsend(nstatp, newmsg, newmsglen, answer, anslen);
-	if (ret < 0) {
+	if (len < 0) {
 		free (nstatp);
 		free (newmsg);
 		dst_free_key(dstkey);
-		return (ret);
+		return (len);
 	}
 
 	ret = ns_verify(answer, &len, dstkey, sig, siglen,
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index a78c322bec..988574fa7f 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.85 2006/03/05 23:58:52 marka Exp $ */
+/* $Id: masterdump.c,v 1.86 2006/03/09 23:57:56 marka Exp $ */
 
 /*! \file */
 
@@ -1411,7 +1411,8 @@ dumptostreaminc(dns_dumpctx_t *dctx) {
 				      "dumptostreaminc(%p) new nodes -> %d\n",
 				      dctx, dctx->nodes);
 		}
-		dns_dbiterator_pause(dctx->dbiter);
+		result = dns_dbiterator_pause(dctx->dbiter);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		result = DNS_R_CONTINUE;
 	} else if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;

From d0a89b3828d8f1c47603e10a18a9e24f38b8a426 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 00:18:22 +0000
Subject: [PATCH 116/465] 2009. [bug] libbind: coverity fixes. [RT #15808]

---
 CHANGES                          |  2 ++
 lib/bind/dst/dst_api.c           | 23 +++++++++++++----------
 lib/bind/dst/hmac_link.c         | 25 ++++++++++++++-----------
 lib/bind/irs/dns.c               |  4 ++--
 lib/bind/irs/dns_ho.c            | 12 +++++-------
 lib/bind/irs/gai_strerror.c      | 25 +++++++++++++++++++------
 lib/bind/irs/gen_ho.c            |  4 +---
 lib/bind/irs/getaddrinfo.c       | 10 +++-------
 lib/bind/irs/irp.c               |  5 ++++-
 lib/bind/irs/irp_nw.c            |  4 +++-
 lib/bind/irs/irpmarshall.c       |  6 +++---
 lib/bind/irs/irs_data.c          | 20 ++++++++++++++------
 lib/bind/irs/lcl_ho.c            |  4 ++--
 lib/bind/irs/lcl_pr.c            | 10 +++++++++-
 lib/bind/isc/ev_connects.c       | 10 +++++-----
 lib/bind/isc/eventlib.c          |  9 +++------
 lib/bind/isc/eventlib_p.h        |  4 +++-
 lib/bind/isc/heap.c              | 10 +++++++---
 lib/bind/nameser/ns_sign.c       |  7 +++++--
 lib/bind/nameser/ns_verify.c     |  6 ++++--
 lib/bind/resolv/mtctxres.c       |  7 ++++---
 lib/bind/resolv/res_sendsigned.c |  5 +++--
 22 files changed, 128 insertions(+), 84 deletions(-)

diff --git a/CHANGES b/CHANGES
index bfd8023539..b939c7d35b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2009.	[bug]		libbind: coverity fixes. [RT #15808]
+
 2005.	[bug]		libbind: Retransmission timeouts should be
 			based on which attempt it is to the nameserver
 			and not the nameserver itself. [RT #13548]
diff --git a/lib/bind/dst/dst_api.c b/lib/bind/dst/dst_api.c
index 7ed69fc5ae..c026ea8985 100644
--- a/lib/bind/dst/dst_api.c
+++ b/lib/bind/dst/dst_api.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/dst_api.c,v 1.4.2.9 2005/10/11 00:56:04 marka Exp $";
+static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/dst_api.c,v 1.4.2.10 2006/03/10 00:18:22 marka Exp $";
 #endif
 
 /*
@@ -170,6 +170,10 @@ dst_s_get_key_struct(const char *name, const int alg, const int flags,
 
 	memset(new_key, 0, sizeof(*new_key));
 	new_key->dk_key_name = strdup(name);
+	if (new_key->dk_key_name == NULL) {
+		free(new_key);
+		return (NULL);
+	}
 	new_key->dk_alg = alg;
 	new_key->dk_flags = flags;
 	new_key->dk_proto = protocol;
@@ -655,11 +659,13 @@ dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
 			 alg));
 		return (NULL);
 	}
-	if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
-		return (NULL);
 
 	if (in_name == NULL)
 		return (NULL);
+
+	if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
+		return (NULL);
+
 	key_st->dk_id = dst_s_dns_key_id(rdata, len);
 	key_st->dk_flags = dst_s_get_int16(rdata);
 	key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
@@ -772,13 +778,11 @@ dst_buffer_to_key(const char *key_name,		/* name of the key */
 		return (NULL);
 	}
 
-	dkey = dst_s_get_key_struct(key_name, alg, flags, 
-					     protocol, -1);
+	dkey = dst_s_get_key_struct(key_name, alg, flags, protocol, -1);
 
-	if (dkey == NULL)
-		return (NULL);
-	if (dkey->dk_func == NULL || dkey->dk_func->from_dns_key == NULL)
-		return NULL;
+	if (dkey == NULL || dkey->dk_func == NULL ||
+	    dkey->dk_func->from_dns_key == NULL) 
+		return (dst_free_key(dkey));
 
 	if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
 		EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
@@ -1013,7 +1017,6 @@ dst_free_key(DST_KEY *f_key)
 	else {
 		EREPORT(("dst_free_key(): Unknown key alg %d\n",
 			 f_key->dk_alg));
-		free(f_key->dk_KEY_struct);	/* SHOULD NOT happen */
 	}
 	if (f_key->dk_KEY_struct) {
 		free(f_key->dk_KEY_struct);
diff --git a/lib/bind/dst/hmac_link.c b/lib/bind/dst/hmac_link.c
index 1488ba1f82..050951fa58 100644
--- a/lib/bind/dst/hmac_link.c
+++ b/lib/bind/dst/hmac_link.c
@@ -1,6 +1,6 @@
 #ifdef HMAC_MD5
 #ifndef LINT
-static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/hmac_link.c,v 1.2.2.2 2005/07/28 07:48:16 marka Exp $";
+static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/hmac_link.c,v 1.2.2.3 2006/03/10 00:18:22 marka Exp $";
 #endif
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
@@ -93,6 +93,9 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	int sign_len = 0;
 	MD5_CTX *ctx = NULL;
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
+
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -100,8 +103,6 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
-	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
-		return (-1);
 	key = (HMAC_Key *) d_key->dk_KEY_struct;
 
 	if (mode & SIG_MODE_INIT) {
@@ -160,6 +161,9 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	HMAC_Key *key;
 	MD5_CTX *ctx = NULL;
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
+
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -167,9 +171,6 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
-	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
-		return (-1);
-
 	key = (HMAC_Key *) d_key->dk_KEY_struct;
 	if (mode & SIG_MODE_INIT) {
 		MD5Init(ctx);
@@ -272,7 +273,7 @@ dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen)
 
 static int
 dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
-			    const int buff_len)
+			        const int buff_len)
 {
 	char *bp;
 	int len, b_len, i, key_len;
@@ -289,7 +290,7 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
 	/* write file header */
 	sprintf(buff, key_file_fmt_str, KEY_FILE_FORMAT, KEY_HMAC_MD5, "HMAC");
 
-	bp = (char *) strchr(buff, '\0');
+	bp = buff + strlen(buff);
 	b_len = buff_len - (bp - buff);
 
 	memset(key, 0, HMAC_LEN);
@@ -334,9 +335,9 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 {
 	const char *p = buff, *eol;
 	u_char key[HMAC_LEN+1];	/* b64_pton needs more than 64 bytes do decode
-							 * it should probably be fixed rather than doing
-							 * this
-							 */
+				 * it should probably be fixed rather than doing
+				 * this
+				 */
 	u_char *tmp;
 	int key_len, len;
 
@@ -355,6 +356,8 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 		return (-4);
 	len = eol - p;
 	tmp = malloc(len + 2);
+	if (tmp == NULL)
+		return (-5);
 	memcpy(tmp, p, len);
 	*(tmp + len) = 0x0;
 	key_len = b64_pton((char *)tmp, key, HMAC_LEN+1);	/* see above */
diff --git a/lib/bind/irs/dns.c b/lib/bind/irs/dns.c
index dbd3063479..b8f8aed16d 100644
--- a/lib/bind/irs/dns.c
+++ b/lib/bind/irs/dns.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns.c,v 1.1.2.2 2004/03/17 00:40:11 marka Exp $";
+static const char rcsid[] = "$Id: dns.c,v 1.1.2.3 2006/03/10 00:18:22 marka Exp $";
 #endif
 
 /*
@@ -114,7 +114,7 @@ dns_res_get(struct irs_acc *this) {
 		res = (struct __res_state *)malloc(sizeof *res);
 		if (res == NULL)
 			return (NULL);
-		memset(dns->res, 0, sizeof *dns->res);
+		memset(res, 0, sizeof *res);
 		dns_res_set(this, res, free);
 	}
 
diff --git a/lib/bind/irs/dns_ho.c b/lib/bind/irs/dns_ho.c
index 6ba003d40b..1896b54d5b 100644
--- a/lib/bind/irs/dns_ho.c
+++ b/lib/bind/irs/dns_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.14 2006/03/08 03:43:29 marka Exp $";
+static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.15 2006/03/10 00:18:22 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -218,8 +218,7 @@ ho_close(struct irs_ho *this) {
 	ho_minimize(this);
 	if (pvt->res && pvt->free_res)
 		(*pvt->free_res)(pvt->res);
-	if (pvt)
-		memput(pvt, sizeof *pvt);
+	memput(pvt, sizeof *pvt);
 	memput(this, sizeof *this);
 }
 
@@ -649,10 +648,9 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		if (ai) {
 			querystate = RESQRY_SUCCESS;
 			cur->ai_next = ai;
-			while (cur && cur->ai_next)
+			while (cur->ai_next)
 				cur = cur->ai_next;
-		}
-		else
+		} else
 			querystate = RESQRY_FAIL;
 	}
 
@@ -948,7 +946,7 @@ gethostans(struct irs_ho *this,
 				continue;
 			}
 			if (ret_aip) { /* need addrinfo. keep it. */
-				while (cur && cur->ai_next)
+				while (cur->ai_next)
 					cur = cur->ai_next;
 			} else if (cur->ai_next) { /* need hostent */
 				struct addrinfo *aip = cur->ai_next;
diff --git a/lib/bind/irs/gai_strerror.c b/lib/bind/irs/gai_strerror.c
index 6aeaaa1910..0492f8f49a 100644
--- a/lib/bind/irs/gai_strerror.c
+++ b/lib/bind/irs/gai_strerror.c
@@ -66,18 +66,26 @@ gai_strerror(int ecode) {
 
 #ifdef DO_PTHREADS
         if (!once) {
-                pthread_mutex_lock(&lock);
-                if (!once++)
-                        pthread_key_create(&key, free);
-                pthread_mutex_unlock(&lock);
+                if (pthread_mutex_lock(&lock) != 0)
+			goto unknown;
+                if (!once) {
+                        if (pthread_key_create(&key, free) != 0)
+				goto unknown;
+			once = 1;
+		}
+                if (pthread_mutex_unlock(&lock) != 0)
+			goto unknown;
         }
 
 	buf = pthread_getspecific(key);
         if (buf == NULL) {
 		buf = malloc(EAI_BUFSIZE);
                 if (buf == NULL)
-                        return ("unknown error");
-                pthread_setspecific(key, buf);
+                        goto unknown;
+                if (pthread_setspecific(key, buf) != 0) {
+			free(buf);
+			goto unknown;
+		}
         }
 #endif
 	/* 
@@ -86,4 +94,9 @@ gai_strerror(int ecode) {
 	 */
 	sprintf(buf, "%s: %d", gai_errlist[gai_nerr - 1], ecode);
 	return (buf);
+
+#ifdef DO_PTHREADS
+ unknown:
+	return ("unknown error");
+#endif
 }
diff --git a/lib/bind/irs/gen_ho.c b/lib/bind/irs/gen_ho.c
index eaad3313d1..ba5667c78d 100644
--- a/lib/bind/irs/gen_ho.c
+++ b/lib/bind/irs/gen_ho.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gen_ho.c,v 1.1.2.2 2004/03/17 01:54:19 marka Exp $";
+static const char rcsid[] = "$Id: gen_ho.c,v 1.1.2.3 2006/03/10 00:18:22 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -371,8 +371,6 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 	}
 	if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
 		RES_SET_H_ERRNO(pvt->res, therrno);
-	if (rval)
-		freeaddrinfo(rval);
 	return (NULL);
 }
 
diff --git a/lib/bind/irs/getaddrinfo.c b/lib/bind/irs/getaddrinfo.c
index d80f298bf2..39617e46ca 100644
--- a/lib/bind/irs/getaddrinfo.c
+++ b/lib/bind/irs/getaddrinfo.c
@@ -576,10 +576,6 @@ getaddrinfo(hostname, servname, hints, res)
 
 	freeaddrinfo(afai);	/* afai must not be NULL at this point. */
 
-	/* we must not have got any errors. */
-	if (error != 0) /* just for diagnosis */
-		abort();
-
 	if (sentinel.ai_next) {
 good:
 		*res = sentinel.ai_next;
@@ -804,7 +800,7 @@ explore_numeric(pai, hostname, servname, res)
 			    pai->ai_family == PF_UNSPEC /*?*/) {
 				GET_AI(cur->ai_next, afd, pton);
 				GET_PORT(cur->ai_next, servname);
-				while (cur && cur->ai_next)
+				while (cur->ai_next)
 					cur = cur->ai_next;
 			} else
 				ERR(EAI_FAMILY);	/*xxx*/
@@ -817,7 +813,7 @@ explore_numeric(pai, hostname, servname, res)
 			    pai->ai_family == PF_UNSPEC /*?*/) {
 				GET_AI(cur->ai_next, afd, pton);
 				GET_PORT(cur->ai_next, servname);
-				while (cur && cur->ai_next)
+				while (cur->ai_next)
 					cur = cur->ai_next;
 			} else
 				ERR(EAI_FAMILY);	/*xxx*/
@@ -1202,7 +1198,7 @@ hostent2addrinfo(hp, pai)
 			 */
 			GET_CANONNAME(cur->ai_next, hp->h_name);
 		}
-		while (cur && cur->ai_next) /* no need to loop, actually. */
+		while (cur->ai_next) /* no need to loop, actually. */
 			cur = cur->ai_next;
 		continue;
 
diff --git a/lib/bind/irs/irp.c b/lib/bind/irs/irp.c
index 433264ba0b..bc0ecb4172 100644
--- a/lib/bind/irs/irp.c
+++ b/lib/bind/irs/irp.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp.c,v 1.3.2.4 2006/02/26 23:07:35 marka Exp $";
+static const char rcsid[] = "$Id: irp.c,v 1.3.2.5 2006/03/10 00:18:22 marka Exp $";
 #endif
 
 /* Imports */
@@ -425,6 +425,9 @@ irs_irp_read_body(struct irp_p *pvt, size_t *size) {
 	char *buffer = memget(len);
 	int idx = 0;
 
+	if (buffer == NULL)
+		return (NULL);
+
 	for (;;) {
 		if (irs_irp_read_line(pvt, line, sizeof line) <= 0 ||
 		    strchr(line, '\n') == NULL)
diff --git a/lib/bind/irs/irp_nw.c b/lib/bind/irs/irp_nw.c
index ed7bd1811e..1815557be7 100644
--- a/lib/bind/irs/irp_nw.c
+++ b/lib/bind/irs/irp_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_nw.c,v 1.1.2.1 2004/03/09 09:17:31 marka Exp $";
+static const char rcsid[] = "$Id: irp_nw.c,v 1.1.2.2 2006/03/10 00:18:22 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -319,6 +319,8 @@ nw_next(struct irs_nw *this) {
 		nw = NULL;
 	}
 
+	if (body != NULL)
+		memput(body, bodylen);
 	return (nw);
 }
 
diff --git a/lib/bind/irs/irpmarshall.c b/lib/bind/irs/irpmarshall.c
index 8776b16e4f..a08163c9bb 100644
--- a/lib/bind/irs/irpmarshall.c
+++ b/lib/bind/irs/irpmarshall.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irpmarshall.c,v 1.3.2.3 2004/03/17 01:15:47 marka Exp $";
+static const char rcsid[] = "$Id: irpmarshall.c,v 1.3.2.4 2006/03/10 00:18:22 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -1020,7 +1020,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 	int hoaddrtype;
 	int holength;
 	long t;
-	char *name = NULL;
+	char *name;
 	char **aliases = NULL;
 	char **hohaddrlist = NULL;
 	size_t hoaddrsize;
@@ -1143,6 +1143,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 	errno = myerrno;
 
 	if (name != NULL) free(name);
+	free_array(hohaddrlist, 0);
 	free_array(aliases, 0);
 
 	return (-1);
@@ -1313,7 +1314,6 @@ irp_unmarshall_ng(const char **hostp, const char **userp, const char **domainp,
 
 	if (host != NULL) free(host);
 	if (user != NULL) free(user);
-	if (domain != NULL) free(domain);
 
 	return (-1);
 }
diff --git a/lib/bind/irs/irs_data.c b/lib/bind/irs/irs_data.c
index 7bdd350dfa..e65e62581d 100644
--- a/lib/bind/irs/irs_data.c
+++ b/lib/bind/irs/irs_data.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.5 2004/11/30 01:15:59 marka Exp $";
+static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.6 2006/03/10 00:18:22 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -128,10 +128,15 @@ net_data_init(const char *conf_file) {
 	struct net_data *net_data;
 
 	if (!once) {
-		pthread_mutex_lock(&keylock);
-		if (!once++)
-			pthread_key_create(&key, net_data_destroy);
-		pthread_mutex_unlock(&keylock);
+		if (pthread_mutex_lock(&keylock) != 0)
+			return (NULL);
+		if (!once) {
+			if (pthread_key_create(&key, net_data_destroy) != 0)
+				return (NULL);
+			once = 1;
+		}
+		if (pthread_mutex_unlock(&keylock) != 0)
+			return (NULL);
 	}
 	net_data = pthread_getspecific(key);
 #endif
@@ -141,7 +146,10 @@ net_data_init(const char *conf_file) {
 		if (net_data == NULL)
 			return (NULL);
 #ifdef	DO_PTHREADS
-		pthread_setspecific(key, net_data);
+		if (pthread_setspecific(key, net_data) != 0) {
+			net_data_destroy(net_data);
+			return (NULL);
+		}
 #endif
 	}
 
diff --git a/lib/bind/irs/lcl_ho.c b/lib/bind/irs/lcl_ho.c
index 865566179a..4d91dcc810 100644
--- a/lib/bind/irs/lcl_ho.c
+++ b/lib/bind/irs/lcl_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_ho.c,v 1.1.2.2 2004/03/17 00:40:13 marka Exp $";
+static const char rcsid[] = "$Id: lcl_ho.c,v 1.1.2.3 2006/03/10 00:18:22 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -541,7 +541,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		ai = hostent2addrinfo(hp, pai);
 		if (ai) {
 			cur->ai_next = ai;
-			while (cur && cur->ai_next)
+			while (cur->ai_next)
 				cur = cur->ai_next;
 		}
 	}
diff --git a/lib/bind/irs/lcl_pr.c b/lib/bind/irs/lcl_pr.c
index 8acd07000e..a291b83b27 100644
--- a/lib/bind/irs/lcl_pr.c
+++ b/lib/bind/irs/lcl_pr.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.2.1 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.2.2 2006/03/10 00:18:22 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
@@ -85,6 +85,7 @@ static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.2.1 2004/03/09 09:17:33 marka E
 struct pvt {
 	FILE *		fp;
 	char		line[BUFSIZ+1];
+	char *		dbuf;
 	struct protoent	proto;
 	char *		proto_aliases[MAXALIASES];
 };
@@ -141,6 +142,8 @@ pr_close(struct irs_pr *this) {
 
 	if (pvt->fp)
 		(void) fclose(pvt->fp);
+	if (pvt->dbuf)
+		free(pvt->dbuf);
 	memput(pvt, sizeof *pvt);
 	memput(this, sizeof *this);
 }
@@ -202,6 +205,10 @@ pr_next(struct irs_pr *this) {
 		pr_rewind(this);
 	if (!pvt->fp)
 		return (NULL);
+	if (pvt->dbuf) {
+		free(pvt->dbuf);
+		pvt->dbuf = NULL;
+	}
 	bufp = pvt->line;
 	bufsiz = BUFSIZ;
 	offset = 0;
@@ -270,6 +277,7 @@ pr_next(struct irs_pr *this) {
 		}
 	}
 	*q = NULL;
+	pvt->dbuf = dbuf;
 	return (&pvt->proto);
 }
 
diff --git a/lib/bind/isc/ev_connects.c b/lib/bind/isc/ev_connects.c
index bfa58318a9..ddb49932f5 100644
--- a/lib/bind/isc/ev_connects.c
+++ b/lib/bind/isc/ev_connects.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_connects.c,v 1.4.2.2 2005/07/08 05:02:53 marka Exp $";
+static const char rcsid[] = "$Id: ev_connects.c,v 1.4.2.3 2006/03/10 00:18:22 marka Exp $";
 #endif
 
 /* Import. */
@@ -69,7 +69,7 @@ evListen(evContext opaqueCtx, int fd, int maxconn,
 
 	OKNEW(new);
 	new->flags = EV_CONN_LISTEN;
-	OK(mode = fcntl(fd, F_GETFL, NULL));	/* side effect: validate fd. */
+	OKFREE(mode = fcntl(fd, F_GETFL, NULL), new);	/* side effect: validate fd. */
 	/*
 	 * Remember the nonblocking status.  We assume that either evSelectFD
 	 * has not been done to this fd, or that if it has then the caller
@@ -80,13 +80,13 @@ evListen(evContext opaqueCtx, int fd, int maxconn,
 	if ((mode & PORT_NONBLOCK) == 0) {
 #ifdef USE_FIONBIO_IOCTL
 		int on = 1;
-		OK(ioctl(fd, FIONBIO, (char *)&on));
+		OKFREE(ioctl(fd, FIONBIO, (char *)&on), new);
 #else
-		OK(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK));
+		OKFREE(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK), new);
 #endif
 		new->flags |= EV_CONN_BLOCK;
 	}
-	OK(listen(fd, maxconn));
+	OKFREE(listen(fd, maxconn), new);
 	if (evSelectFD(opaqueCtx, fd, EV_READ, listener, new, &new->file) < 0){
 		int save = errno;
 
diff --git a/lib/bind/isc/eventlib.c b/lib/bind/isc/eventlib.c
index f1339bb6b5..ff84da8caa 100644
--- a/lib/bind/isc/eventlib.c
+++ b/lib/bind/isc/eventlib.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.6 2005/07/28 07:48:19 marka Exp $";
+static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.7 2006/03/10 00:18:22 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -784,13 +784,10 @@ pselect(int nfds, void *rfds, void *wfds, void *efds,
 		pnfds = 0;
 	}
 	n = poll(fds, pnfds, polltimeout);
-	/*
-	 * pselect() should return the total number of events on the file
-	 * desriptors, not just the count of fd:s with activity. Hence,
-	 * traverse the pollfds array and count the events.
-	 */
 	if (n > 0) {
 		int     i, e;
+
+		INSIST(ctx != NULL);
 		for (e = 0, i = ctx->firstfd; i <= ctx->fdMax; i++) {
 			if (ctx->pollfds[i].fd < 0)
 				continue;
diff --git a/lib/bind/isc/eventlib_p.h b/lib/bind/isc/eventlib_p.h
index 609a0344cc..e8d244309a 100644
--- a/lib/bind/isc/eventlib_p.h
+++ b/lib/bind/isc/eventlib_p.h
@@ -18,7 +18,7 @@
 /* eventlib_p.h - private interfaces for eventlib
  * vix 09sep95 [initial]
  *
- * $Id: eventlib_p.h,v 1.3.2.4 2005/07/28 07:48:20 marka Exp $
+ * $Id: eventlib_p.h,v 1.3.2.5 2006/03/10 00:18:22 marka Exp $
  */
 
 #ifndef _EVENTLIB_P_H
@@ -45,6 +45,8 @@
 #define	EV_MASK_ALL	(EV_READ | EV_WRITE | EV_EXCEPT)
 #define EV_ERR(e)		return (errno = (e), -1)
 #define OK(x)		if ((x) < 0) EV_ERR(errno); else (void)NULL
+#define OKFREE(x, y)	if ((x) < 0) { FREE((y)); EV_ERR(errno); } \
+			else (void)NULL
 
 #define	NEW(p)		if (((p) = memget(sizeof *(p))) != NULL) \
 				FILL(p); \
diff --git a/lib/bind/isc/heap.c b/lib/bind/isc/heap.c
index 24aded77f6..c998e75b27 100644
--- a/lib/bind/isc/heap.c
+++ b/lib/bind/isc/heap.c
@@ -26,7 +26,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: heap.c,v 1.1.2.1 2004/03/09 09:17:35 marka Exp $";
+static const char rcsid[] = "$Id: heap.c,v 1.1.2.2 2006/03/10 00:18:22 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -54,9 +54,13 @@ heap_new(heap_higher_priority_func higher_priority, heap_index_func index,
 	 int array_size_increment) {
 	heap_context ctx;
 
-	ctx = (heap_context)malloc(sizeof (struct heap_context));
-	if (ctx == NULL || higher_priority == NULL)
+	if (higher_priority == NULL)
 		return (NULL);
+
+	ctx = (heap_context)malloc(sizeof (struct heap_context));
+	if (ctx == NULL)
+		return (NULL);
+
 	ctx->array_size = 0;
 	if (array_size_increment == 0)
 		ctx->array_size_increment = ARRAY_SIZE_INCREMENT;
diff --git a/lib/bind/nameser/ns_sign.c b/lib/bind/nameser/ns_sign.c
index 8a13b80639..b1f77fc365 100644
--- a/lib/bind/nameser/ns_sign.c
+++ b/lib/bind/nameser/ns_sign.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.3 2004/03/09 09:17:37 marka Exp $";
+static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.4 2006/03/10 00:18:22 marka Exp $";
 #endif
 
 /* Import. */
@@ -89,7 +89,7 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 {
 	HEADER *hp = (HEADER *)msg;
 	DST_KEY *key = (DST_KEY *)k;
-	u_char *cp = msg + *msglen, *eob = msg + msgsize;
+	u_char *cp, *eob;
 	u_char *lenp;
 	u_char *alg;
 	int n;
@@ -100,6 +100,9 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 	if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
 		return (-1);
 
+	cp = msg + *msglen;
+	eob = msg + msgsize;
+
 	/* Name. */
 	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
 		n = ns_name_pton(key->dk_key_name, name, sizeof name);
diff --git a/lib/bind/nameser/ns_verify.c b/lib/bind/nameser/ns_verify.c
index ca840541d2..964edd8925 100644
--- a/lib/bind/nameser/ns_verify.c
+++ b/lib/bind/nameser/ns_verify.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_verify.c,v 1.1.2.2 2005/10/11 00:56:05 marka Exp $";
+static const char rcsid[] = "$Id: ns_verify.c,v 1.1.2.3 2006/03/10 00:18:22 marka Exp $";
 #endif
 
 /* Import. */
@@ -343,7 +343,7 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 	HEADER *hp = (HEADER *)msg;
 	u_char *recstart, *sigstart;
 	unsigned int sigfieldlen, otherfieldlen;
-	u_char *cp, *eom = msg + *msglen, *cp2;
+	u_char *cp, *eom, *cp2;
 	char name[MAXDNAME], alg[MAXDNAME];
 	u_char buf[MAXDNAME];
 	int n, type, length, fudge, error;
@@ -352,6 +352,8 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 	if (msg == NULL || msglen == NULL || state == NULL)
 		return (-1);
 
+	eom = msg + *msglen;
+
 	state->counter++;
 	if (state->counter == 0)
 		return (ns_verify(msg, msglen, state->key,
diff --git a/lib/bind/resolv/mtctxres.c b/lib/bind/resolv/mtctxres.c
index f33cf11e3f..635bbd4400 100644
--- a/lib/bind/resolv/mtctxres.c
+++ b/lib/bind/resolv/mtctxres.c
@@ -106,9 +106,10 @@ ___mtctxres(void) {
 	 */
 	if (!mt_key_initialized) {
 		static pthread_mutex_t keylock = PTHREAD_MUTEX_INITIALIZER;
-                pthread_mutex_lock(&keylock);
-		_mtctxres_init();
-                pthread_mutex_unlock(&keylock);
+                if (pthread_mutex_lock(&keylock) == 0) {
+			_mtctxres_init();
+			(void) pthread_mutex_unlock(&keylock);
+		}
 	}
 
 	/*
diff --git a/lib/bind/resolv/res_sendsigned.c b/lib/bind/resolv/res_sendsigned.c
index d1d2274575..93ad5c9795 100644
--- a/lib/bind/resolv/res_sendsigned.c
+++ b/lib/bind/resolv/res_sendsigned.c
@@ -52,6 +52,7 @@ res_nsendsigned(res_state statp, const u_char *msg, int msglen,
 	bufsize = msglen + 1024;
 	newmsg = (u_char *) malloc(bufsize);
 	if (newmsg == NULL) {
+		free(nstatp);
 		errno = ENOMEM;
 		return (-1);
 	}
@@ -102,11 +103,11 @@ res_nsendsigned(res_state statp, const u_char *msg, int msglen,
 retry:
 
 	len = res_nsend(nstatp, newmsg, newmsglen, answer, anslen);
-	if (ret < 0) {
+	if (len < 0) {
 		free (nstatp);
 		free (newmsg);
 		dst_free_key(dstkey);
-		return (ret);
+		return (len);
 	}
 
 	ret = ns_verify(answer, &len, dstkey, sig, siglen,

From c9ebeaf5f05c2f862d91ac8da18f02581727e720 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 00:20:14 +0000
Subject: [PATCH 117/465] newcopyrights

---
 util/copyrights | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 30031e1442..3ffef4ef04 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1174,9 +1174,9 @@
 ./lib/bind/configure.in				SH	2001,2004,2005,2006
 ./lib/bind/dst/.cvsignore			X	2001
 ./lib/bind/dst/Makefile.in			MAKE	2001,2004
-./lib/bind/dst/dst_api.c			X	2001,2005
+./lib/bind/dst/dst_api.c			X	2001,2005,2006
 ./lib/bind/dst/dst_internal.h			X	2001
-./lib/bind/dst/hmac_link.c			X	2001,2005
+./lib/bind/dst/hmac_link.c			X	2001,2005,2006
 ./lib/bind/dst/md5.h				X	2001,2005
 ./lib/bind/dst/md5_dgst.c			X	2001,2005
 ./lib/bind/dst/md5_locl.h			X	2001
@@ -1225,7 +1225,7 @@
 ./lib/bind/inet/nsap_addr.c			X	2001,2005
 ./lib/bind/irs/.cvsignore			X	2001
 ./lib/bind/irs/Makefile.in			MAKE	2001,2004
-./lib/bind/irs/dns.c				X	2001
+./lib/bind/irs/dns.c				X	2001,2006
 ./lib/bind/irs/dns_gr.c				X	2001
 ./lib/bind/irs/dns_ho.c				X	2001,2005,2006
 ./lib/bind/irs/dns_nw.c				X	2001
@@ -1233,10 +1233,10 @@
 ./lib/bind/irs/dns_pr.c				X	2001
 ./lib/bind/irs/dns_pw.c				X	2001
 ./lib/bind/irs/dns_sv.c				X	2001
-./lib/bind/irs/gai_strerror.c			X	2001
+./lib/bind/irs/gai_strerror.c			X	2001,2006
 ./lib/bind/irs/gen.c				X	2001
 ./lib/bind/irs/gen_gr.c				X	2001
-./lib/bind/irs/gen_ho.c				X	2001
+./lib/bind/irs/gen_ho.c				X	2001,2006
 ./lib/bind/irs/gen_ng.c				X	2001
 ./lib/bind/irs/gen_nw.c				X	2001
 ./lib/bind/irs/gen_p.h				X	2001
@@ -1265,22 +1265,22 @@
 ./lib/bind/irs/irp_gr.c				X	2001
 ./lib/bind/irs/irp_ho.c				X	2001
 ./lib/bind/irs/irp_ng.c				X	2001
-./lib/bind/irs/irp_nw.c				X	2001
+./lib/bind/irs/irp_nw.c				X	2001,2006
 ./lib/bind/irs/irp_p.h				X	2001
 ./lib/bind/irs/irp_pr.c				X	2001
 ./lib/bind/irs/irp_pw.c				X	2001
 ./lib/bind/irs/irp_sv.c				X	2001
-./lib/bind/irs/irpmarshall.c			X	2001
-./lib/bind/irs/irs_data.c			X	2001
+./lib/bind/irs/irpmarshall.c			X	2001,2006
+./lib/bind/irs/irs_data.c			X	2001,2006
 ./lib/bind/irs/irs_data.h			X	2001
 ./lib/bind/irs/irs_p.h				X	2001
 ./lib/bind/irs/lcl.c				X	2001
 ./lib/bind/irs/lcl_gr.c				X	2001
-./lib/bind/irs/lcl_ho.c				X	2001
+./lib/bind/irs/lcl_ho.c				X	2001,2006
 ./lib/bind/irs/lcl_ng.c				X	2001
 ./lib/bind/irs/lcl_nw.c				X	2001
 ./lib/bind/irs/lcl_p.h				X	2001
-./lib/bind/irs/lcl_pr.c				X	2001
+./lib/bind/irs/lcl_pr.c				X	2001,2006
 ./lib/bind/irs/lcl_pw.c				X	2001
 ./lib/bind/irs/lcl_sv.c				X	2001
 ./lib/bind/irs/nis.c				X	2001
@@ -1306,15 +1306,15 @@
 ./lib/bind/isc/ctl_p.c				X	2001
 ./lib/bind/isc/ctl_p.h				X	2001
 ./lib/bind/isc/ctl_srvr.c			X	2001
-./lib/bind/isc/ev_connects.c			X	2001,2005
+./lib/bind/isc/ev_connects.c			X	2001,2005,2006
 ./lib/bind/isc/ev_files.c			X	2001,2005
 ./lib/bind/isc/ev_streams.c			X	2001
 ./lib/bind/isc/ev_timers.c			X	2001
 ./lib/bind/isc/ev_waits.c			X	2001
-./lib/bind/isc/eventlib.c			X	2001,2005
+./lib/bind/isc/eventlib.c			X	2001,2005,2006
 ./lib/bind/isc/eventlib.mdoc			X	2001
-./lib/bind/isc/eventlib_p.h			X	2001,2005
-./lib/bind/isc/heap.c				X	2001
+./lib/bind/isc/eventlib_p.h			X	2001,2005,2006
+./lib/bind/isc/heap.c				X	2001,2006
 ./lib/bind/isc/heap.mdoc			X	2001
 ./lib/bind/isc/hex.c				X	2001,2006
 ./lib/bind/isc/logging.c			X	2001
@@ -1338,9 +1338,9 @@
 ./lib/bind/nameser/ns_parse.c			X	2001,2005
 ./lib/bind/nameser/ns_print.c			X	2001
 ./lib/bind/nameser/ns_samedomain.c		X	2001
-./lib/bind/nameser/ns_sign.c			X	2001
+./lib/bind/nameser/ns_sign.c			X	2001,2006
 ./lib/bind/nameser/ns_ttl.c			X	2001,2005
-./lib/bind/nameser/ns_verify.c			X	2001,2005
+./lib/bind/nameser/ns_verify.c			X	2001,2005,2006
 ./lib/bind/port/.cvsignore			X	2001
 ./lib/bind/port/Makefile.in			MAKE	2001,2004
 ./lib/bind/port/aix32/.cvsignore		X	2001
@@ -1550,7 +1550,7 @@
 ./lib/bind/resolv/.cvsignore			X	2001
 ./lib/bind/resolv/Makefile.in			MAKE	2001,2004,2005
 ./lib/bind/resolv/herror.c			X	2001
-./lib/bind/resolv/mtctxres.c			X	2005
+./lib/bind/resolv/mtctxres.c			X	2005,2006
 ./lib/bind/resolv/res_comp.c			X	2001,2005
 ./lib/bind/resolv/res_data.c			X	2001
 ./lib/bind/resolv/res_debug.c			X	2001,2005
@@ -1563,7 +1563,7 @@
 ./lib/bind/resolv/res_private.h			X	2001
 ./lib/bind/resolv/res_query.c			X	2001
 ./lib/bind/resolv/res_send.c			X	2001,2005,2006
-./lib/bind/resolv/res_sendsigned.c		X	2001,2005
+./lib/bind/resolv/res_sendsigned.c		X	2001,2005,2006
 ./lib/bind/resolv/res_update.c			X	2001
 ./lib/dns/.cvsignore				X	1999,2000,2001
 ./lib/dns/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004,2006

From dd9ad704c3800e3ab07ede8595871eac79984871 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 00:20:39 +0000
Subject: [PATCH 118/465] newcopyrights

---
 util/copyrights | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 6e07828870..0a859d2fd5 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -78,7 +78,7 @@
 ./bin/named/builtin.c				C	2001,2002,2003,2004,2005
 ./bin/named/client.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/config.c				C	2001,2002,2003,2004,2005,2006
-./bin/named/control.c				C	2001,2002,2003,2004,2005
+./bin/named/control.c				C	2001,2002,2003,2004,2005,2006
 ./bin/named/controlconf.c			C	2001,2002,2003,2004,2005,2006
 ./bin/named/include/named/builtin.h		C	2001,2004,2005
 ./bin/named/include/named/client.h		C	1999,2000,2001,2002,2003,2004,2005
@@ -126,7 +126,7 @@
 ./bin/named/named.conf.5			MAN	DOCBOOK
 ./bin/named/named.conf.docbook			SGML	2004,2005,2006
 ./bin/named/named.conf.html			HTML	DOCBOOK
-./bin/named/named.docbook			SGML	2000,2001,2003,2004,2005
+./bin/named/named.docbook			SGML	2000,2001,2003,2004,2005,2006
 ./bin/named/named.html				HTML	DOCBOOK
 ./bin/named/notify.c				C	1999,2000,2001,2002,2003,2004,2005
 ./bin/named/query.c				C	1999,2000,2001,2002,2003,2004,2005,2006
@@ -1297,9 +1297,9 @@
 ./lib/bind/configure.in				SH	2001,2004,2005,2006
 ./lib/bind/dst/.cvsignore			X	2001
 ./lib/bind/dst/Makefile.in			MAKE	2001,2004
-./lib/bind/dst/dst_api.c			X	2001,2005
+./lib/bind/dst/dst_api.c			X	2001,2005,2006
 ./lib/bind/dst/dst_internal.h			X	2001,2005
-./lib/bind/dst/hmac_link.c			X	2001,2005
+./lib/bind/dst/hmac_link.c			X	2001,2005,2006
 ./lib/bind/dst/md5.h				X	2001,2005
 ./lib/bind/dst/md5_dgst.c			X	2001,2005
 ./lib/bind/dst/md5_locl.h			X	2001,2005
@@ -1348,7 +1348,7 @@
 ./lib/bind/inet/nsap_addr.c			X	2001,2005
 ./lib/bind/irs/.cvsignore			X	2001
 ./lib/bind/irs/Makefile.in			MAKE	2001,2004
-./lib/bind/irs/dns.c				X	2001,2005
+./lib/bind/irs/dns.c				X	2001,2005,2006
 ./lib/bind/irs/dns_gr.c				X	2001,2005
 ./lib/bind/irs/dns_ho.c				X	2001,2005,2006
 ./lib/bind/irs/dns_nw.c				X	2001,2005
@@ -1356,10 +1356,10 @@
 ./lib/bind/irs/dns_pr.c				X	2001,2005
 ./lib/bind/irs/dns_pw.c				X	2001,2005
 ./lib/bind/irs/dns_sv.c				X	2001,2005
-./lib/bind/irs/gai_strerror.c			X	2001,2005
+./lib/bind/irs/gai_strerror.c			X	2001,2005,2006
 ./lib/bind/irs/gen.c				X	2001,2005
 ./lib/bind/irs/gen_gr.c				X	2001,2005
-./lib/bind/irs/gen_ho.c				X	2001,2005
+./lib/bind/irs/gen_ho.c				X	2001,2005,2006
 ./lib/bind/irs/gen_ng.c				X	2001,2005
 ./lib/bind/irs/gen_nw.c				X	2001,2005
 ./lib/bind/irs/gen_p.h				X	2001,2005
@@ -1388,22 +1388,22 @@
 ./lib/bind/irs/irp_gr.c				X	2001,2005
 ./lib/bind/irs/irp_ho.c				X	2001,2005
 ./lib/bind/irs/irp_ng.c				X	2001,2005
-./lib/bind/irs/irp_nw.c				X	2001,2005
+./lib/bind/irs/irp_nw.c				X	2001,2005,2006
 ./lib/bind/irs/irp_p.h				X	2001,2005
 ./lib/bind/irs/irp_pr.c				X	2001,2005
 ./lib/bind/irs/irp_pw.c				X	2001,2005
 ./lib/bind/irs/irp_sv.c				X	2001,2005
-./lib/bind/irs/irpmarshall.c			X	2001,2005
-./lib/bind/irs/irs_data.c			X	2001,2005
+./lib/bind/irs/irpmarshall.c			X	2001,2005,2006
+./lib/bind/irs/irs_data.c			X	2001,2005,2006
 ./lib/bind/irs/irs_data.h			X	2001,2005
 ./lib/bind/irs/irs_p.h				X	2001,2005
 ./lib/bind/irs/lcl.c				X	2001,2005
 ./lib/bind/irs/lcl_gr.c				X	2001,2005
-./lib/bind/irs/lcl_ho.c				X	2001,2005
+./lib/bind/irs/lcl_ho.c				X	2001,2005,2006
 ./lib/bind/irs/lcl_ng.c				X	2001,2005
 ./lib/bind/irs/lcl_nw.c				X	2001,2005
 ./lib/bind/irs/lcl_p.h				X	2001,2005
-./lib/bind/irs/lcl_pr.c				X	2001,2005
+./lib/bind/irs/lcl_pr.c				X	2001,2005,2006
 ./lib/bind/irs/lcl_pw.c				X	2001,2005
 ./lib/bind/irs/lcl_sv.c				X	2001,2005
 ./lib/bind/irs/nis.c				X	2001,2005
@@ -1429,15 +1429,15 @@
 ./lib/bind/isc/ctl_p.c				X	2001,2005
 ./lib/bind/isc/ctl_p.h				X	2001,2005
 ./lib/bind/isc/ctl_srvr.c			X	2001,2005
-./lib/bind/isc/ev_connects.c			X	2001,2005
+./lib/bind/isc/ev_connects.c			X	2001,2005,2006
 ./lib/bind/isc/ev_files.c			X	2001,2005
 ./lib/bind/isc/ev_streams.c			X	2001,2005
 ./lib/bind/isc/ev_timers.c			X	2001,2005
 ./lib/bind/isc/ev_waits.c			X	2001,2005
-./lib/bind/isc/eventlib.c			X	2001,2005
+./lib/bind/isc/eventlib.c			X	2001,2005,2006
 ./lib/bind/isc/eventlib.mdoc			X	2001
-./lib/bind/isc/eventlib_p.h			X	2001,2005
-./lib/bind/isc/heap.c				X	2001,2005
+./lib/bind/isc/eventlib_p.h			X	2001,2005,2006
+./lib/bind/isc/heap.c				X	2001,2005,2006
 ./lib/bind/isc/heap.mdoc			X	2001
 ./lib/bind/isc/hex.c				X	2001,2005,2006
 ./lib/bind/isc/logging.c			X	2001,2005
@@ -1461,9 +1461,9 @@
 ./lib/bind/nameser/ns_parse.c			X	2001,2005
 ./lib/bind/nameser/ns_print.c			X	2001,2005
 ./lib/bind/nameser/ns_samedomain.c		X	2001,2005
-./lib/bind/nameser/ns_sign.c			X	2001,2005
+./lib/bind/nameser/ns_sign.c			X	2001,2005,2006
 ./lib/bind/nameser/ns_ttl.c			X	2001,2005
-./lib/bind/nameser/ns_verify.c			X	2001,2005
+./lib/bind/nameser/ns_verify.c			X	2001,2005,2006
 ./lib/bind/port/.cvsignore			X	2001
 ./lib/bind/port/Makefile.in			MAKE	2001,2004
 ./lib/bind/port/aix32/.cvsignore		X	2001
@@ -1674,7 +1674,7 @@
 ./lib/bind/resolv/.cvsignore			X	2001
 ./lib/bind/resolv/Makefile.in			MAKE	2001,2004,2005
 ./lib/bind/resolv/herror.c			X	2001,2005
-./lib/bind/resolv/mtctxres.c			X	2005
+./lib/bind/resolv/mtctxres.c			X	2005,2006
 ./lib/bind/resolv/res_comp.c			X	2001,2005
 ./lib/bind/resolv/res_data.c			X	2001,2005
 ./lib/bind/resolv/res_debug.c			X	2001,2005
@@ -1687,7 +1687,7 @@
 ./lib/bind/resolv/res_private.h			X	2001,2005
 ./lib/bind/resolv/res_query.c			X	2001,2005
 ./lib/bind/resolv/res_send.c			X	2001,2005,2006
-./lib/bind/resolv/res_sendsigned.c		X	2001,2005
+./lib/bind/resolv/res_sendsigned.c		X	2001,2005,2006
 ./lib/bind/resolv/res_update.c			X	2001,2005
 ./lib/bind9/.cvsignore				X	2001
 ./lib/bind9/Makefile.in				MAKE	2001,2004

From d6b5e0b0e8a4e3e927f8d47ca82c3e7f42e0f4bb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 00:23:21 +0000
Subject: [PATCH 119/465] update copyright notice

---
 bin/named/control.c                    | 4 ++--
 bin/named/named.docbook                | 5 +++--
 bin/tests/system/dlv/ns5/named.conf    | 4 ++--
 bin/tests/system/dnssec/ns1/named.conf | 4 ++--
 bin/tests/system/dnssec/ns2/named.conf | 4 ++--
 bin/tests/system/dnssec/ns3/named.conf | 4 ++--
 bin/tests/system/dnssec/ns4/named.conf | 4 ++--
 bin/tests/system/dnssec/ns5/named.conf | 4 ++--
 bin/tests/system/dnssec/ns6/named.conf | 4 ++--
 bin/tests/system/lwresd/ns1/named.conf | 4 ++--
 10 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/bin/named/control.c b/bin/named/control.c
index e92b25a4cf..04fe5c2fe0 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.27 2006/03/09 23:39:00 marka Exp $ */
+/* $Id: control.c,v 1.28 2006/03/10 00:23:21 marka Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index c43e3571ff..bc595e0da8 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
 	       []>
 
 
-
+
 
   
     June 30, 2000
@@ -39,6 +39,7 @@
     
       2004
       2005
+      2006
       Internet Systems Consortium, Inc. ("ISC")
     
     
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
index 3cdf71493a..a8143f2789 100644
--- a/bin/tests/system/dlv/ns5/named.conf
+++ b/bin/tests/system/dlv/ns5/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: named.conf,v 1.5 2006/03/10 00:23:21 marka Exp $ */
 
 /*
  * Choose a keyname that is unlikely to clash with any real key names.
diff --git a/bin/tests/system/dnssec/ns1/named.conf b/bin/tests/system/dnssec/ns1/named.conf
index f27ebaf39f..aad55b6227 100644
--- a/bin/tests/system/dnssec/ns1/named.conf
+++ b/bin/tests/system/dnssec/ns1/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.21 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: named.conf,v 1.22 2006/03/10 00:23:21 marka Exp $ */
 
 // NS1
 
diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf
index abb3b20d63..80da8ba133 100644
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.25 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: named.conf,v 1.26 2006/03/10 00:23:21 marka Exp $ */
 
 // NS2
 
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 6455101b32..e7eee8b908 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.28 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: named.conf,v 1.29 2006/03/10 00:23:21 marka Exp $ */
 
 // NS3
 
diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf
index 25b4138d8e..8736e69c3f 100644
--- a/bin/tests/system/dnssec/ns4/named.conf
+++ b/bin/tests/system/dnssec/ns4/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.24 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: named.conf,v 1.25 2006/03/10 00:23:21 marka Exp $ */
 
 // NS4
 
diff --git a/bin/tests/system/dnssec/ns5/named.conf b/bin/tests/system/dnssec/ns5/named.conf
index 09237206be..7bc0d5c5e4 100644
--- a/bin/tests/system/dnssec/ns5/named.conf
+++ b/bin/tests/system/dnssec/ns5/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.21 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: named.conf,v 1.22 2006/03/10 00:23:21 marka Exp $ */
 
 // NS5
 
diff --git a/bin/tests/system/dnssec/ns6/named.conf b/bin/tests/system/dnssec/ns6/named.conf
index ed6413196c..c775d2766e 100644
--- a/bin/tests/system/dnssec/ns6/named.conf
+++ b/bin/tests/system/dnssec/ns6/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.8 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: named.conf,v 1.9 2006/03/10 00:23:21 marka Exp $ */
 
 // NS6
 
diff --git a/bin/tests/system/lwresd/ns1/named.conf b/bin/tests/system/lwresd/ns1/named.conf
index 6dbfef307a..e3d9efdf23 100644
--- a/bin/tests/system/lwresd/ns1/named.conf
+++ b/bin/tests/system/lwresd/ns1/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.16 2006/03/09 23:21:54 marka Exp $ */
+/* $Id: named.conf,v 1.17 2006/03/10 00:23:21 marka Exp $ */
 
 controls { /* empty */ };
 

From ecffc3aae3e72c5c65b1911ec3f4e1d180dc4bbc Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 03:49:57 +0000
Subject: [PATCH 120/465] win32

---
 config.h.win32           | 11 ++++-
 lib/dns/win32/libdns.def |  6 +++
 lib/isc/sha2.c           | 95 +++++++++++++++++++++++++++++++++++++---
 lib/isc/win32/libisc.def | 40 +++++++++++++++++
 lib/isc/win32/libisc.dsp | 16 +++++++
 lib/isc/win32/libisc.mak | 48 ++++++++++++++++++++
 6 files changed, 210 insertions(+), 6 deletions(-)

diff --git a/config.h.win32 b/config.h.win32
index ab3f7a9f06..007490bbab 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.win32,v 1.11 2004/05/03 23:54:37 marka Exp $ */
+/* $Id: config.h.win32,v 1.12 2006/03/10 03:49:57 marka Exp $ */
 
 /*
  * win32 configuration file
@@ -104,6 +104,15 @@
 /* Define if you have h_errno */
 #define HAVE_H_ERRNO
 
+/* Define if you have RSA_generate_key(). */
+#define HAVE_RSA_GENERATE_KEY
+
+/* Define if you have DSA_generate_parameters(). */
+#define HAVE_DSA_GENERATE_PARAMETERS
+
+/* Define if you have DH_generate_parameters(). */
+#define HAVE_DH_GENERATE_PARAMETERS
+
 #define ISC_PLATFORM_NEEDSTRLCAT
 
 #define ISC_PLATFORM_NEEDSTRLCPY
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 193d5543fd..fbdce93ec7 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -352,6 +352,7 @@ dns_peer_attach
 dns_peer_detach
 dns_peer_getbogus
 dns_peer_getkey
+dns_peer_getmaxudp
 dns_peer_getprovideixfr
 dns_peer_getrequestixfr
 dns_peer_getsupportedns
@@ -361,7 +362,10 @@ dns_peer_new
 dns_peer_setbogus
 dns_peer_setkey
 dns_peer_setkeybycharp
+dns_peer_setmaxudp
+dns_peer_setnotifysource
 dns_peer_setprovideixfr
+dns_peer_setquerysource
 dns_peer_setrequestixfr
 dns_peer_setsupportedns
 dns_peer_settransferformat
@@ -631,6 +635,7 @@ dns_zone_fulldumptostream
 dns_zone_getchecknames
 dns_zone_getclass
 dns_zone_getdb
+dns_zone_getdbtype
 dns_zone_getfile
 dns_zone_getforwardacl
 dns_zone_getidlein
@@ -780,6 +785,7 @@ dst_key_name
 dst_key_paramcompare
 dst_key_proto
 dst_key_secretsize
+dst_key_setbits
 dst_key_sigsize
 dst_key_size
 dst_key_tobuffer
diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c
index c05844f4ac..67fe3d0b09 100644
--- a/lib/isc/sha2.c
+++ b/lib/isc/sha2.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.c,v 1.8 2006/02/24 00:03:15 marka Exp $ */
+/* $Id: sha2.c,v 1.9 2006/03/10 03:49:57 marka Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $	*/
 /*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
@@ -136,6 +136,16 @@
 	tmp = (tmp >> 16) | (tmp << 16); \
 	(x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
 }
+#ifdef WIN32
+#define REVERSE64(w,x)	{ \
+	isc_uint64_t tmp = (w); \
+	tmp = (tmp >> 32) | (tmp << 32); \
+	tmp = ((tmp & 0xff00ff00ff00ff00UL) >> 8) | \
+	      ((tmp & 0x00ff00ff00ff00ffUL) << 8); \
+	(x) = ((tmp & 0xffff0000ffff0000UL) >> 16) | \
+	      ((tmp & 0x0000ffff0000ffffUL) << 16); \
+}
+#else
 #define REVERSE64(w,x)	{ \
 	isc_uint64_t tmp = (w); \
 	tmp = (tmp >> 32) | (tmp << 32); \
@@ -144,6 +154,7 @@
 	(x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
 	      ((tmp & 0x0000ffff0000ffffULL) << 16); \
 }
+#endif
 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
 
 /*
@@ -245,6 +256,75 @@ static const isc_uint32_t sha256_initial_hash_value[8] = {
 	0x5be0cd19UL
 };
 
+#ifdef WIN32
+/* Hash constant words K for SHA-384 and SHA-512: */
+static const isc_uint64_t K512[80] = {
+	0x428a2f98d728ae22UL, 0x7137449123ef65cdUL,
+	0xb5c0fbcfec4d3b2fUL, 0xe9b5dba58189dbbcUL,
+	0x3956c25bf348b538UL, 0x59f111f1b605d019UL,
+	0x923f82a4af194f9bUL, 0xab1c5ed5da6d8118UL,
+	0xd807aa98a3030242UL, 0x12835b0145706fbeUL,
+	0x243185be4ee4b28cUL, 0x550c7dc3d5ffb4e2UL,
+	0x72be5d74f27b896fUL, 0x80deb1fe3b1696b1UL,
+	0x9bdc06a725c71235UL, 0xc19bf174cf692694UL,
+	0xe49b69c19ef14ad2UL, 0xefbe4786384f25e3UL,
+	0x0fc19dc68b8cd5b5UL, 0x240ca1cc77ac9c65UL,
+	0x2de92c6f592b0275UL, 0x4a7484aa6ea6e483UL,
+	0x5cb0a9dcbd41fbd4UL, 0x76f988da831153b5UL,
+	0x983e5152ee66dfabUL, 0xa831c66d2db43210UL,
+	0xb00327c898fb213fUL, 0xbf597fc7beef0ee4UL,
+	0xc6e00bf33da88fc2UL, 0xd5a79147930aa725UL,
+	0x06ca6351e003826fUL, 0x142929670a0e6e70UL,
+	0x27b70a8546d22ffcUL, 0x2e1b21385c26c926UL,
+	0x4d2c6dfc5ac42aedUL, 0x53380d139d95b3dfUL,
+	0x650a73548baf63deUL, 0x766a0abb3c77b2a8UL,
+	0x81c2c92e47edaee6UL, 0x92722c851482353bUL,
+	0xa2bfe8a14cf10364UL, 0xa81a664bbc423001UL,
+	0xc24b8b70d0f89791UL, 0xc76c51a30654be30UL,
+	0xd192e819d6ef5218UL, 0xd69906245565a910UL,
+	0xf40e35855771202aUL, 0x106aa07032bbd1b8UL,
+	0x19a4c116b8d2d0c8UL, 0x1e376c085141ab53UL,
+	0x2748774cdf8eeb99UL, 0x34b0bcb5e19b48a8UL,
+	0x391c0cb3c5c95a63UL, 0x4ed8aa4ae3418acbUL,
+	0x5b9cca4f7763e373UL, 0x682e6ff3d6b2b8a3UL,
+	0x748f82ee5defb2fcUL, 0x78a5636f43172f60UL,
+	0x84c87814a1f0ab72UL, 0x8cc702081a6439ecUL,
+	0x90befffa23631e28UL, 0xa4506cebde82bde9UL,
+	0xbef9a3f7b2c67915UL, 0xc67178f2e372532bUL,
+	0xca273eceea26619cUL, 0xd186b8c721c0c207UL,
+	0xeada7dd6cde0eb1eUL, 0xf57d4f7fee6ed178UL,
+	0x06f067aa72176fbaUL, 0x0a637dc5a2c898a6UL,
+	0x113f9804bef90daeUL, 0x1b710b35131c471bUL,
+	0x28db77f523047d84UL, 0x32caab7b40c72493UL,
+	0x3c9ebe0a15c9bebcUL, 0x431d67c49c100d4cUL,
+	0x4cc5d4becb3e42b6UL, 0x597f299cfc657e2aUL,
+	0x5fcb6fab3ad6faecUL, 0x6c44198c4a475817UL
+};
+
+/* Initial hash value H for SHA-384: */
+static const isc_uint64_t sha384_initial_hash_value[8] = {
+	0xcbbb9d5dc1059ed8UL,
+	0x629a292a367cd507UL,
+	0x9159015a3070dd17UL,
+	0x152fecd8f70e5939UL,
+	0x67332667ffc00b31UL,
+	0x8eb44a8768581511UL,
+	0xdb0c2e0d64f98fa7UL,
+	0x47b5481dbefa4fa4UL
+};
+
+/* Initial hash value H for SHA-512: */
+static const isc_uint64_t sha512_initial_hash_value[8] = {
+	0x6a09e667f3bcc908U,
+	0xbb67ae8584caa73bUL,
+	0x3c6ef372fe94f82bUL,
+	0xa54ff53a5f1d36f1UL,
+	0x510e527fade682d1UL,
+	0x9b05688c2b3e6c1fUL,
+	0x1f83d9abfb41bd6bUL,
+	0x5be0cd19137e2179UL
+};
+#else
 /* Hash constant words K for SHA-384 and SHA-512: */
 static const isc_uint64_t K512[80] = {
 	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
@@ -312,6 +392,7 @@ static const isc_uint64_t sha512_initial_hash_value[8] = {
 	0x1f83d9abfb41bd6bULL,
 	0x5be0cd19137e2179ULL
 };
+#endif
 
 /*
  * Constant used by SHA256/384/512_End() functions for converting the
@@ -581,7 +662,8 @@ isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
 	/* Sanity check: */
 	REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
 
-	usedspace = (context->bitcount >> 3) % ISC_SHA256_BLOCK_LENGTH;
+	usedspace = (unsigned int)((context->bitcount >> 3) %
+				   ISC_SHA256_BLOCK_LENGTH);
 	if (usedspace > 0) {
 		/* Calculate how much free space is available in the buffer */
 		freespace = ISC_SHA256_BLOCK_LENGTH - usedspace;
@@ -630,7 +712,8 @@ isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
 
 	/* If no digest buffer is passed, we don't bother doing this: */
 	if (digest != (isc_uint8_t*)0) {
-		usedspace = (context->bitcount >> 3) % ISC_SHA256_BLOCK_LENGTH;
+		usedspace = (unsigned int)((context->bitcount >> 3) %
+					   ISC_SHA256_BLOCK_LENGTH);
 #if BYTE_ORDER == LITTLE_ENDIAN
 		/* Convert FROM host byte order */
 		REVERSE64(context->bitcount,context->bitcount);
@@ -918,7 +1001,8 @@ void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t le
 	/* Sanity check: */
 	REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
 
-	usedspace = (context->bitcount[0] >> 3) % ISC_SHA512_BLOCK_LENGTH;
+	usedspace = (unsigned int)((context->bitcount[0] >> 3) %
+				   ISC_SHA512_BLOCK_LENGTH);
 	if (usedspace > 0) {
 		/* Calculate how much free space is available in the buffer */
 		freespace = ISC_SHA512_BLOCK_LENGTH - usedspace;
@@ -960,7 +1044,8 @@ void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t le
 void isc_sha512_last(isc_sha512_t *context) {
 	unsigned int	usedspace;
 
-	usedspace = (context->bitcount[0] >> 3) % ISC_SHA512_BLOCK_LENGTH;
+	usedspace = (unsigned int)((context->bitcount[0] >> 3) %
+				    ISC_SHA512_BLOCK_LENGTH);
 #if BYTE_ORDER == LITTLE_ENDIAN
 	/* Convert FROM host byte order */
 	REVERSE64(context->bitcount[0],context->bitcount[0]);
diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def
index 85dea64c77..64026833aa 100644
--- a/lib/isc/win32/libisc.def
+++ b/lib/isc/win32/libisc.def
@@ -132,6 +132,32 @@ isc_hmacmd5_invalidate
 isc_hmacmd5_sign
 isc_hmacmd5_update
 isc_hmacmd5_verify
+isc_hmacmd5_verify2
+isc_hmacsha1_init
+isc_hmacsha1_invalidate
+isc_hmacsha1_sign
+isc_hmacsha1_update
+isc_hmacsha1_verify
+isc_hmacsha224_init
+isc_hmacsha224_invalidate
+isc_hmacsha224_sign
+isc_hmacsha224_update
+isc_hmacsha224_verify
+isc_hmacsha256_init
+isc_hmacsha256_invalidate
+isc_hmacsha256_sign
+isc_hmacsha256_update
+isc_hmacsha256_verify
+isc_hmacsha384_init
+isc_hmacsha384_invalidate
+isc_hmacsha384_sign
+isc_hmacsha384_update
+isc_hmacsha384_verify
+isc_hmacsha512_init
+isc_hmacsha512_invalidate
+isc_hmacsha512_sign
+isc_hmacsha512_update
+isc_hmacsha512_verify
 isc_interfaceiter_create
 isc_interfaceiter_current
 isc_interfaceiter_destroy
@@ -201,6 +227,7 @@ isc_md5_init
 isc_md5_invalidate
 isc_md5_update
 isc_mem_attach
+isc_mem_checkdestroyed
 isc_mem_create
 isc_mem_create2
 isc_mem_createx
@@ -308,6 +335,18 @@ isc_sha1_final
 isc_sha1_init
 isc_sha1_invalidate
 isc_sha1_update
+isc_sha224_final
+isc_sha224_init
+isc_sha224_update
+isc_sha256_final
+isc_sha256_init
+isc_sha256_update
+isc_sha384_final
+isc_sha384_init
+isc_sha384_update
+isc_sha512_final
+isc_sha512_init
+isc_sha512_update
 isc_sockaddr_any
 isc_sockaddr_any6
 isc_sockaddr_anyofpf
@@ -428,6 +467,7 @@ isc_win32os_versioncheck
 openlog
 syslog
 
+
 ; Exported Data
 
 EXPORTS
diff --git a/lib/isc/win32/libisc.dsp b/lib/isc/win32/libisc.dsp
index 163515420e..4da135e855 100644
--- a/lib/isc/win32/libisc.dsp
+++ b/lib/isc/win32/libisc.dsp
@@ -293,6 +293,10 @@ SOURCE=..\include\isc\hmacmd5.h
 # End Source File
 # Begin Source File
 
+SOURCE=..\include\isc\hmacsha.h
+# End Source File
+# Begin Source File
+
 SOURCE=.\include\isc\int.h
 # End Source File
 # Begin Source File
@@ -453,6 +457,10 @@ SOURCE=..\include\isc\sha1.h
 # End Source File
 # Begin Source File
 
+SOURCE=..\include\isc\sha2.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\include\isc\sockaddr.h
 # End Source File
 # Begin Source File
@@ -589,6 +597,10 @@ SOURCE=..\hmacmd5.c
 # End Source File
 # Begin Source File
 
+SOURCE=..\hmacsha.c
+# End Source File
+# Begin Source File
+
 SOURCE=..\inet_aton.c
 # End Source File
 # Begin Source File
@@ -685,6 +697,10 @@ SOURCE=..\sha1.c
 # End Source File
 # Begin Source File
 
+SOURCE=..\sha2.c
+# End Source File
+# Begin Source File
+
 SOURCE=..\sockaddr.c
 # End Source File
 # Begin Source File
diff --git a/lib/isc/win32/libisc.mak b/lib/isc/win32/libisc.mak
index 0f1ac8694a..ca241d7d83 100644
--- a/lib/isc/win32/libisc.mak
+++ b/lib/isc/win32/libisc.mak
@@ -58,6 +58,7 @@ CLEAN :
 	-@erase "$(INTDIR)\heap.obj"
 	-@erase "$(INTDIR)\hex.obj"
 	-@erase "$(INTDIR)\hmacmd5.obj"
+	-@erase "$(INTDIR)\hmacsha.obj"
 	-@erase "$(INTDIR)\inet_aton.obj"
 	-@erase "$(INTDIR)\inet_ntop.obj"
 	-@erase "$(INTDIR)\inet_pton.obj"
@@ -90,6 +91,7 @@ CLEAN :
 	-@erase "$(INTDIR)\rwlock.obj"
 	-@erase "$(INTDIR)\serial.obj"
 	-@erase "$(INTDIR)\sha1.obj"
+	-@erase "$(INTDIR)\sha2.obj"
 	-@erase "$(INTDIR)\sockaddr.obj"
 	-@erase "$(INTDIR)\socket.obj"
 	-@erase "$(INTDIR)\stdio.obj"
@@ -161,6 +163,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\heap.obj" \
 	"$(INTDIR)\hex.obj" \
 	"$(INTDIR)\hmacmd5.obj" \
+	"$(INTDIR)\hmacsha.obj" \
 	"$(INTDIR)\inet_aton.obj" \
 	"$(INTDIR)\inet_ntop.obj" \
 	"$(INTDIR)\inet_pton.obj" \
@@ -183,6 +186,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\rwlock.obj" \
 	"$(INTDIR)\serial.obj" \
 	"$(INTDIR)\sha1.obj" \
+	"$(INTDIR)\sha2.obj" \
 	"$(INTDIR)\sockaddr.obj" \
 	"$(INTDIR)\string.obj" \
 	"$(INTDIR)\symtab.obj" \
@@ -249,6 +253,8 @@ CLEAN :
 	-@erase "$(INTDIR)\hex.sbr"
 	-@erase "$(INTDIR)\hmacmd5.obj"
 	-@erase "$(INTDIR)\hmacmd5.sbr"
+	-@erase "$(INTDIR)\hmacsha.obj"
+	-@erase "$(INTDIR)\hmacsha.sbr"
 	-@erase "$(INTDIR)\inet_aton.obj"
 	-@erase "$(INTDIR)\inet_aton.sbr"
 	-@erase "$(INTDIR)\inet_ntop.obj"
@@ -313,6 +319,8 @@ CLEAN :
 	-@erase "$(INTDIR)\serial.sbr"
 	-@erase "$(INTDIR)\sha1.obj"
 	-@erase "$(INTDIR)\sha1.sbr"
+	-@erase "$(INTDIR)\sha2.obj"
+	-@erase "$(INTDIR)\sha2.sbr"
 	-@erase "$(INTDIR)\sockaddr.obj"
 	-@erase "$(INTDIR)\sockaddr.sbr"
 	-@erase "$(INTDIR)\socket.obj"
@@ -398,6 +406,7 @@ BSC32_SBRS= \
 	"$(INTDIR)\heap.sbr" \
 	"$(INTDIR)\hex.sbr" \
 	"$(INTDIR)\hmacmd5.sbr" \
+	"$(INTDIR)\hmacsha.sbr" \
 	"$(INTDIR)\inet_aton.sbr" \
 	"$(INTDIR)\inet_ntop.sbr" \
 	"$(INTDIR)\inet_pton.sbr" \
@@ -420,6 +429,7 @@ BSC32_SBRS= \
 	"$(INTDIR)\rwlock.sbr" \
 	"$(INTDIR)\serial.sbr" \
 	"$(INTDIR)\sha1.sbr" \
+	"$(INTDIR)\sha2.sbr" \
 	"$(INTDIR)\sockaddr.sbr" \
 	"$(INTDIR)\string.sbr" \
 	"$(INTDIR)\symtab.sbr" \
@@ -476,6 +486,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\heap.obj" \
 	"$(INTDIR)\hex.obj" \
 	"$(INTDIR)\hmacmd5.obj" \
+	"$(INTDIR)\hmacsha.obj" \
 	"$(INTDIR)\inet_aton.obj" \
 	"$(INTDIR)\inet_ntop.obj" \
 	"$(INTDIR)\inet_pton.obj" \
@@ -498,6 +509,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\rwlock.obj" \
 	"$(INTDIR)\serial.obj" \
 	"$(INTDIR)\sha1.obj" \
+	"$(INTDIR)\sha2.obj" \
 	"$(INTDIR)\sockaddr.obj" \
 	"$(INTDIR)\string.obj" \
 	"$(INTDIR)\symtab.obj" \
@@ -1169,6 +1181,24 @@ SOURCE=..\hmacmd5.c
 	$(CPP) $(CPP_PROJ) $(SOURCE)
 
 
+!ENDIF 
+
+SOURCE=..\hmacsha.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\hmacsha.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\hmacsha.obj"	"$(INTDIR)\hmacsha.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
 !ENDIF 
 
 SOURCE=..\inet_aton.c
@@ -1601,6 +1631,24 @@ SOURCE=..\sha1.c
 	$(CPP) $(CPP_PROJ) $(SOURCE)
 
 
+!ENDIF 
+
+SOURCE=..\sha2.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\sha2.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\sha2.obj"	"$(INTDIR)\sha2.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
 !ENDIF 
 
 SOURCE=..\sockaddr.c

From 1b0a1b6d994d736ccb243886c3ba188978003641 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 04:12:20 +0000
Subject: [PATCH 121/465] newcopyrights

---
 util/copyrights | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 0a859d2fd5..9cce250359 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -856,7 +856,7 @@
 ./bin/win32/BINDInstall/resource.h		X	2001,2005
 ./config.guess					X	1999,2000,2001
 ./config.h.in					X	1999,2000,2001,2005,2006
-./config.h.win32				C	1999,2000,2001,2004
+./config.h.win32				C	1999,2000,2001,2004,2006
 ./config.sub					X	1999,2000,2001
 ./config.threads.in				X	2005
 ./configure					X	1998,1999,2000,2001,2005,2006
@@ -2225,10 +2225,10 @@
 ./lib/isc/win32/interfaceiter.c			C	1999,2000,2001,2004
 ./lib/isc/win32/ipv6.c				C	1999,2000,2001,2004
 ./lib/isc/win32/keyboard.c			C	2000,2001,2004
-./lib/isc/win32/libisc.def			X	2001,2005
-./lib/isc/win32/libisc.dsp			X	2001,2005
+./lib/isc/win32/libisc.def			X	2001,2005,2006
+./lib/isc/win32/libisc.dsp			X	2001,2005,2006
 ./lib/isc/win32/libisc.dsw			X	2001
-./lib/isc/win32/libisc.mak			X	2001,2005
+./lib/isc/win32/libisc.mak			X	2001,2005,2006
 ./lib/isc/win32/net.c				C	1999,2000,2001,2002,2003,2004,2005
 ./lib/isc/win32/netdb.h				C	2000,2001,2004
 ./lib/isc/win32/ntgroups.c			C	2001,2004

From 584993eaf78a38b61fd82f45a5f3c1823814cc23 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 04:15:11 +0000
Subject: [PATCH 122/465] update copyright notice

---
 config.h.win32 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config.h.win32 b/config.h.win32
index 007490bbab..0b84479d8d 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.win32,v 1.12 2006/03/10 03:49:57 marka Exp $ */
+/* $Id: config.h.win32,v 1.13 2006/03/10 04:15:11 marka Exp $ */
 
 /*
  * win32 configuration file

From adc8179d404bc24e3ba67f2453b6121e5c61f79e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 05:00:23 +0000
Subject: [PATCH 123/465] const

---
 lib/bind9/check.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 5e2e3ef760..5db9b81ac2 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.73 2006/03/09 23:21:54 marka Exp $ */
+/* $Id: check.c,v 1.74 2006/03/10 05:00:23 marka Exp $ */
 
 /*! \file */
 
@@ -1394,7 +1394,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult = ISC_R_SUCCESS;
 	cfg_aclconfctx_t actx;
-	cfg_obj_t *obj;
+	const cfg_obj_t *obj;
 	isc_boolean_t enablednssec, enablevalidation;
 
 	/*

From 4ddfa1a217ea1151850b4745edead99f0d69498b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 05:00:29 +0000
Subject: [PATCH 124/465] update

---
 lib/bind/api | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bind/api b/lib/bind/api
index dcc846ea52..a23ecb3d2b 100644
--- a/lib/bind/api
+++ b/lib/bind/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 4
-LIBREVISION = 2
+LIBREVISION = 3
 LIBAGE = 0

From 47d3ffceac0cfd987fc4476233d9859aa3875e28 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 10 Mar 2006 23:30:03 +0000
Subject: [PATCH 125/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 3ffef4ef04..0f8750cd2f 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1150,7 +1150,7 @@
 ./lib/bind/Makefile.in				MAKE	2001,2002,2003,2004,2005
 ./lib/bind/README				X	2001
 ./lib/bind/aclocal.m4				X	2001
-./lib/bind/api					X	2001,2005
+./lib/bind/api					X	2001,2005,2006
 ./lib/bind/bsd/.cvsignore			X	2001
 ./lib/bind/bsd/Makefile.in			MAKE	2001,2004
 ./lib/bind/bsd/daemon.c				X	2001

From f051d76c87e055c6ea3879e0c97a76609df915cc Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sat, 11 Mar 2006 02:07:53 +0000
Subject: [PATCH 126/465] regen

---
 bin/named/named.8                |  5 +-
 bin/named/named.conf.5           |  4 +-
 bin/named/named.conf.html        | 12 +++--
 bin/named/named.html             | 19 ++++----
 doc/arm/Bv9ARM.ch06.html         | 78 ++++++++++++++++++--------------
 doc/arm/Bv9ARM.ch07.html         | 14 +++---
 doc/arm/Bv9ARM.ch08.html         | 18 ++++----
 doc/arm/Bv9ARM.ch09.html         | 18 ++++----
 doc/arm/Bv9ARM.html              | 40 ++++++++--------
 doc/arm/man.dig.html             | 20 ++++----
 doc/arm/man.dnssec-keygen.html   | 14 +++---
 doc/arm/man.dnssec-signzone.html | 12 ++---
 doc/arm/man.host.html            | 10 ++--
 doc/arm/man.named-checkconf.html | 12 ++---
 doc/arm/man.named-checkzone.html | 12 ++---
 doc/arm/man.named.html           | 17 +++----
 doc/arm/man.rndc-confgen.html    | 12 ++---
 doc/arm/man.rndc.conf.html       | 12 ++---
 doc/arm/man.rndc.html            | 12 ++---
 doc/misc/options                 |  2 +
 20 files changed, 180 insertions(+), 163 deletions(-)

diff --git a/bin/named/named.8 b/bin/named/named.8
index 07243664ca..75fa11becf 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.27 2005/10/13 03:13:58 marka Exp $
+.\" $Id: named.8,v 1.28 2006/03/11 02:07:52 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -176,6 +176,7 @@ RFC 1034,
 RFC 1035,
 \fBrndc\fR(8),
 \fBlwresd\fR(8),
+\fBnamed.conf\fR(5),
 BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 7b072eb1ad..ad840d9c9d 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.17 2006/03/06 02:23:19 marka Exp $
+.\" $Id: named.conf.5,v 1.18 2006/03/11 02:07:52 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -217,6 +217,7 @@ options {
 	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
 	disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
 	dnssec\-enable \fIboolean\fR;
+	dnssec\-validation \fIboolean\fR;
 	dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
 	dnssec\-accept\-expired \fIboolean\fR;
@@ -347,6 +348,7 @@ view \fIstring\fR \fIoptional_class\fR {
 	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
 	disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
 	dnssec\-enable \fIboolean\fR;
+	dnssec\-validation \fIboolean\fR;
 	dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
 	dnssec\-accept\-expired \fIboolean\fR;
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index d972941712..462571b276 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -235,6 +235,7 @@ options
 	root-delegation-only [ exclude { quoted_string; ... } ];

 	disable-algorithms string { string; ... };

 	dnssec-enable boolean;

+	dnssec-validation boolean;

 	dnssec-lookaside string trust-anchor string;

 	dnssec-must-be-secure string boolean;

 	dnssec-accept-expired boolean;

@@ -311,7 +312,7 @@ options
 

 
 

-
VIEW

+
VIEW

 


 view string optional_class {

 	match-clients { address_match_element; ... };

@@ -381,6 +382,7 @@ view
 	root-delegation-only [ exclude { quoted_string; ... } ];

 	disable-algorithms string { string; ... };

 	dnssec-enable boolean;

+	dnssec-validation boolean;

 	dnssec-lookaside string trust-anchor string;

 	dnssec-must-be-secure string boolean;

 	dnssec-accept-expired boolean;

@@ -449,7 +451,7 @@ view
 

 

 

-
ZONE

+
ZONE

 


 zone string optional_class {

 	type ( master | slave | stub | hint |

@@ -533,12 +535,12 @@ zone
 

 

 

-
FILES

+
FILES

 
/etc/named.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       rndc(8),
       BIND 9 Administrator Reference Manual.
diff --git a/bin/named/named.html b/bin/named/named.html
index 0f4550c5a7..fcad28c847 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -1,5 +1,5 @@
 
-
+
 
 
 
@@ -32,7 +32,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -47,7 +47,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -180,7 +180,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -201,7 +201,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -210,7 +210,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -223,17 +223,18 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
       rndc(8),
       lwresd(8),
+      named.conf(5),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 45a21abc27..bbe90a24de 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -77,23 +77,23 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
@@ -1750,6 +1750,7 @@ category notify { null; };
     [ use-id-pool yes_or_no; ]
     [ maintain-ixfr-base yes_or_no; ]
     [ dnssec-enable yes_or_no; ]
+    [ dnssec-validation yes_or_no; ]
     [ dnssec-lookaside domain trust-anchor domain; ]
     [ dnssec-must-be-secure domain yes_or_no; ]
     [ dnssec-accept-expired yes_or_no; ]
@@ -2641,6 +2642,13 @@ options {
 

                   Enable DNSSEC support in named.  Unless set to yes
                   named behaves as if it does not support DNSSEC.
+                  The default is yes.
+                

+
dnssec-validation

+

+                  Enable DNSSEC validation in named.
+                  Note dnssec-enable also needs to be
+                  set to yes to be effective.
                   The default is no.
                 

 
dnssec-accept-expired

@@ -2755,7 +2763,7 @@ options {
 
 

 

-Forwarding

+Forwarding

 

             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2799,7 +2807,7 @@ options {
 
 

 

-Dual-stack Servers

+Dual-stack Servers

 

             Dual-stack servers are used as servers of last resort to work
             around
@@ -2959,7 +2967,7 @@ options {
 
 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3039,7 +3047,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 

 

-Query Address

+Query Address

 

             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3319,7 +3327,7 @@ query-source-v6 address * port *;
 
 

 

-Bad UDP Port Lists

+Bad UDP Port Lists

 
avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3333,7 +3341,7 @@ query-source-v6 address * port *;
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3393,7 +3401,7 @@ query-source-v6 address * port *;
 
 

 

-Server  Resource Limits

+Server  Resource Limits

 

             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3471,7 +3479,7 @@ query-source-v6 address * port *;
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -4506,7 +4514,7 @@ query-source-v6 address * port *;
 

 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4515,7 +4523,7 @@ query-source-v6 address * port *;
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -4558,7 +4566,7 @@ query-source-v6 address * port *;
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -4809,10 +4817,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 

@@ -5021,7 +5029,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5043,7 +5051,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
journal

 

@@ -5526,7 +5534,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -5539,7 +5547,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6190,7 +6198,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6393,7 +6401,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6651,7 +6659,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6712,7 +6720,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6727,7 +6735,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -6755,7 +6763,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -6791,7 +6799,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -6810,7 +6818,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index c70af245b8..e95cbf69cb 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -116,7 +116,7 @@ zone "example.com" {
 
 

 

-chroot and setuid

+chroot and setuid

 

           On UNIX servers, it is possible to run BIND in a chrooted environment
           (chroot()) by specifying the "-t"
@@ -139,7 +139,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot() environment
             to
@@ -167,7 +167,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 47dc6ff828..eb135ce17c 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index a23e4b17b9..b6b7e08116 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND

@@ -145,7 +145,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -232,7 +232,7 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -417,11 +417,11 @@
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 7a0cd55707..644a756b8e 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -155,54 +155,54 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 68ce6e153b..d137892b76 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -137,7 +137,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 8f317bb15a..c094f146ee 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -166,7 +166,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index b56bc0fa30..6b2c564bf4 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-n nthreads] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -238,7 +238,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -264,14 +264,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index c51c92ab4f..158bae46bf 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 7a1f1fa84f..7142ed500f 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-v] [-j] [-t directory] {filename} [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -88,20 +88,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 809de257db..aaf5013d3a 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -251,21 +251,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 606b0f598e..e977a9b8d8 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -198,7 +198,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -241,17 +241,18 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
       rndc(8),
       lwresd(8),
+      named.conf(5),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index e0a1a53189..eef42ffc8e 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -171,7 +171,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 79949c33ce..46c2b62368 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 76a9081838..8e327054d6 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/misc/options b/doc/misc/options
index e934d9d198..16ec6b7333 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -86,6 +86,7 @@ options {
         root-delegation-only [ exclude { ; ... } ];
         disable-algorithms  { ; ... };
         dnssec-enable ;
+        dnssec-validation ;
         dnssec-lookaside  trust-anchor ;
         dnssec-must-be-secure  ;
         dnssec-accept-expired ;
@@ -313,6 +314,7 @@ view   {
         root-delegation-only [ exclude { ; ... } ];
         disable-algorithms  { ; ... };
         dnssec-enable ;
+        dnssec-validation ;
         dnssec-lookaside  trust-anchor ;
         dnssec-must-be-secure  ;
         dnssec-accept-expired ;

From 8c9c09dacf7e74f20ad5c23854d5c97d2542ee36 Mon Sep 17 00:00:00 2001
From: Michael Graff 
Date: Tue, 21 Mar 2006 15:34:02 +0000
Subject: [PATCH 127/465] add  since we call strlen() here

---
 lib/isc/print.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/isc/print.c b/lib/isc/print.c
index 470c6bc370..70b6cf3313 100644
--- a/lib/isc/print.c
+++ b/lib/isc/print.c
@@ -15,14 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.c,v 1.29 2005/04/29 00:23:29 marka Exp $ */
+/* $Id: print.c,v 1.30 2006/03/21 15:34:02 explorer Exp $ */
 
 /*! \file */
 
 #include 
 
 #include 
-#include 		/* for sprintf */
+#include 		/* for sprintf() */
+#include 		/* for strlen() */
 
 #define	ISC__PRINT_SOURCE	/* Used to get the isc_print_* prototypes. */
 

From 4ed465f13a05fad0d5dab113b2c949a359e9400e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 21 Mar 2006 23:30:19 +0000
Subject: [PATCH 128/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 9cce250359..0e191dfd3c 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2110,7 +2110,7 @@
 ./lib/isc/ondestroy.c				C	2000,2001,2004,2005
 ./lib/isc/parseint.c				C	2001,2002,2003,2004,2005
 ./lib/isc/powerpc/include/isc/atomic.h		C	2005
-./lib/isc/print.c				C	1999,2000,2001,2003,2004,2005
+./lib/isc/print.c				C	1999,2000,2001,2003,2004,2005,2006
 ./lib/isc/pthreads/.cvsignore			X	1999,2000,2001
 ./lib/isc/pthreads/Makefile.in			MAKE	1998,1999,2000,2001,2004
 ./lib/isc/pthreads/condition.c			C	1998,1999,2000,2001,2004,2005

From a3d739b23b0fb4d1ba89758950d43fbcbb0770cb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 27 Mar 2006 22:07:01 +0000
Subject: [PATCH 129/465] new draft

---
 ...> draft-ietf-dnsext-rfc2536bis-dsa-07.txt} | 64 +++++++++----------
 1 file changed, 32 insertions(+), 32 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-rfc2536bis-dsa-06.txt => draft-ietf-dnsext-rfc2536bis-dsa-07.txt} (87%)

diff --git a/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt b/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-07.txt
similarity index 87%
rename from doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt
rename to doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-07.txt
index 5b6d655297..e169da8681 100644
--- a/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt
+++ b/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-07.txt
@@ -2,12 +2,12 @@
 INTERNET-DRAFT                                DSA Information in the DNS
 OBSOLETES: RFC 2536                               Donald E. Eastlake 3rd
                                                    Motorola Laboratories
-Expires: January 2006                                          July 2005
+Expires: September 2006                                       March 2006
 
 
             DSA Keying and Signature Information in the DNS
             --- ------ --- --------- ----------- -- --- ---
-               
+               
                          Donald E. Eastlake 3rd
 
 
@@ -30,7 +30,7 @@ Status of This Document
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than a "work in progress."
+   material or to cite them other than as "work in progress."
 
    The list of current Internet-Drafts can be accessed at
    http://www.ietf.org/1id-abstracts.html
@@ -39,6 +39,7 @@ Status of This Document
    http://www.ietf.org/shadow.html
 
 
+
 Abstract
 
    The standard method of encoding US Government Digital Signature
@@ -46,9 +47,8 @@ Abstract
    System is specified.
 
 
-Copyright Notice
 
-   Copyright (C) The Internet Society 2005. All Rights Reserved.
+
 
 
 
@@ -64,7 +64,6 @@ Table of Contents
 
       Status of This Document....................................1
       Abstract...................................................1
-      Copyright Notice...........................................1
 
       Table of Contents..........................................2
 
@@ -74,12 +73,12 @@ Table of Contents
       4. Performance Considerations..............................4
       5. Security Considerations.................................5
       6. IANA Considerations.....................................5
-      Copyright and Disclaimer...................................5
+      Copyright, Disclaimer, and Additional IPR Provisions.......5
 
       Normative References.......................................7
       Informative References.....................................7
 
-      Authors Address............................................8
+      Author's Address...........................................8
       Expiration and File Name...................................8
 
 
@@ -110,6 +109,7 @@ Table of Contents
 
 
 
+
 
 
 D. Eastlake 3rd                                                 [Page 2]
@@ -279,9 +279,9 @@ INTERNET-DRAFT                                DSA Information in the DNS
 
 
 
-Copyright and Disclaimer
+Copyright, Disclaimer, and Additional IPR Provisions
 
-   Copyright (C) The Internet Society (2005).  This document is subject to
+   Copyright (C) The Internet Society (2006).  This document is subject to
    the rights, licenses and restrictions contained in BCP 78, and except
    as set forth therein, the authors retain all their rights.
 
@@ -300,27 +300,27 @@ INTERNET-DRAFT                                DSA Information in the DNS
    INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
    WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
 
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at ietf-
+   ipr@ietf.org.
 
 
 
@@ -408,7 +408,7 @@ D. Eastlake 3rd                                                 [Page 7]
 INTERNET-DRAFT                                DSA Information in the DNS
 
 
-Authors Address
+Author's Address
 
    Donald E. Eastlake 3rd
    Motorola Labortories
@@ -422,9 +422,9 @@ Authors Address
 
 Expiration and File Name
 
-   This draft expires in January 2006.
+   This draft expires in September 2006.
 
-   Its file name is draft-ietf-dnsext-rfc2536bis-dsa-06.txt.
+   Its file name is draft-ietf-dnsext-rfc2536bis-dsa-07.txt.
 
 
 

From c718f47e64d6fb3313c0c3a056b5b64dfaa52afb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 27 Mar 2006 23:00:54 +0000
Subject: [PATCH 130/465] new draft

---
 ...> draft-ietf-dnsext-rfc2539bis-dhk-07.txt} | 106 +++++++++---------
 1 file changed, 53 insertions(+), 53 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-rfc2539bis-dhk-06.txt => draft-ietf-dnsext-rfc2539bis-dhk-07.txt} (86%)

diff --git a/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt b/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-07.txt
similarity index 86%
rename from doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt
rename to doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-07.txt
index 5e6cb1d09e..f6e8588e8c 100644
--- a/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt
+++ b/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-07.txt
@@ -2,14 +2,14 @@
 INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
 OBSOLETES: RFC 2539                               Donald E. Eastlake 3rd
                                                    Motorola Laboratories
-Expires: January 2006                                          July 2005
+Expires: September 2006                                       March 2006
 
 
 
 
         Storage of Diffie-Hellman Keying Information in the DNS
         ------- -- -------------- ------ ----------- -- --- ---
-               
+               
 
 
 
@@ -32,7 +32,7 @@ Status of This Document
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than a "work in progress."
+   material or to cite them other than as "work in progress."
 
    The list of current Internet-Drafts can be accessed at
    http://www.ietf.org/1id-abstracts.html
@@ -48,9 +48,9 @@ Abstract
 
 
 
-Copyright
 
-   Copyright (C) The Internet Society 2005.
+
+
 
 
 
@@ -72,9 +72,8 @@ Acknowledgements
 
 Table of Contents
 
-      Status of This Document....................................1
+          Status of This Document....................................1
       Abstract...................................................1
-      Copyright..................................................1
 
       Acknowledgements...........................................2
       Table of Contents..........................................2
@@ -86,12 +85,12 @@ Table of Contents
       3. Performance Considerations..............................5
       4. IANA Considerations.....................................5
       5. Security Considerations.................................5
-      Copyright and Disclaimer...................................5
+      Copyright, Disclaimer, and Additional IPR Provisions.......5
 
       Normative References.......................................7
       Informative Refences.......................................7
 
-      Author Address.............................................8
+      Author's Address...........................................8
       Expiration and File Name...................................8
 
       Appendix A: Well known prime/generator pairs...............9
@@ -112,6 +111,7 @@ Table of Contents
 
 
 
+
 D. Eastlake 3rd                                                 [Page 2]
 
 
@@ -135,6 +135,10 @@ INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
    Familiarity with the Diffie-Hellman key exchange algorithm is assumed
    [Schneier, RFC 2631].
 
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119.
+
 
 
 1.2 About Diffie-Hellman
@@ -164,10 +168,6 @@ INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
    mod p which is hard for strong p and g).
 
    The private key for each party is their secret i (or j).  The public
-   key is the pair p and g, which must be the same for the parties, and
-   their individual X (or Y).
-
-   For further information about Diffie-Hellman and precautions to take
 
 
 D. Eastlake 3rd                                                 [Page 3]
@@ -176,6 +176,10 @@ D. Eastlake 3rd                                                 [Page 3]
 INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
 
 
+   key is the pair p and g, which is the same for both parties, and
+   their individual X (or Y).
+
+   For further information about Diffie-Hellman and precautions to take
    in deciding on a p and g, see [RFC 2631].
 
 
@@ -224,10 +228,6 @@ INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
 
 
 
-
-
-
-
 D. Eastlake 3rd                                                 [Page 4]
 
 
@@ -274,14 +274,14 @@ INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
    and dependent on security policy.
 
    In addition, the usual Diffie-Hellman key strength considerations
-   apply. (p-1)/2 should also be prime, g should be primitive mod p, p
-   should be "large", etc. See [RFC 2631, Schneier].
+   apply. (p-1)/2 SHOULD also be prime, g SHOULD be primitive mod p, p
+   SHOULD be "large", etc. See [RFC 2631, Schneier].
 
 
 
-Copyright and Disclaimer
+Copyright, Disclaimer, and Additional IPR Provisions
 
-   Copyright (C) The Internet Society (2005).  This document is subject to
+   Copyright (C) The Internet Society (2006).  This document is subject to
    the rights, licenses and restrictions contained in BCP 78, and except
    as set forth therein, the authors retain all their rights.
 
@@ -300,27 +300,27 @@ INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
    INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
    WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
 
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at ietf-
+   ipr@ietf.org.
 
 
 
@@ -352,12 +352,15 @@ INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
 
 Normative References
 
-   [RFC 2631] - "Diffie-Hellman Key Agreement Method", E. Rescorla, June
-   1999.
+   [RFC 2119] - Bradner, S., "Key words for use in RFCs to Indicate
+   Requirement Levels", BCP 14, RFC 2119, March 1997.
 
    [RFC 2434] - "Guidelines for Writing an IANA Considerations Section
    in RFCs", T.  Narten, H. Alvestrand, October 1998.
 
+   [RFC 2631] - "Diffie-Hellman Key Agreement Method", E. Rescorla, June
+   1999.
+
    [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
    Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
    March 2005.
@@ -399,16 +402,13 @@ Informative Refences
 
 
 
-
-
-
 D. Eastlake 3rd                                                 [Page 7]
 
 
 INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
 
 
-Author Address
+Author's Address
 
    Donald E. Eastlake 3rd
    Motorola Laboratories
@@ -422,9 +422,9 @@ Author Address
 
 Expiration and File Name
 
-   This draft expires in January 2006.
+   This draft expires in September 2006.
 
-   Its file name is draft-ietf-dnsext-rfc2539bis-dhk-06.txt.
+   Its file name is draft-ietf-dnsext-rfc2539bis-dhk-07.txt.
 
 
 
@@ -468,11 +468,10 @@ INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
 
 Appendix A: Well known prime/generator pairs
 
-   These numbers are copied from the IPSEC effort where the derivation of
-   these values is more fully explained and additional information is
-   available.
-   Richard Schroeppel performed all the mathematical and computational
-   work for this appendix.
+   These numbers are copied from the IPSEC effort where the derivation
+   of these values is more fully explained and additional information is
+   available.  Richard Schroeppel performed all the mathematical and
+   computational work for this appendix.
 
 
 
@@ -518,6 +517,7 @@ A.2. Well-Known Group 2:  A 1024 bit prime
 
 
 
+
 D. Eastlake 3rd                                                 [Page 9]
 
 

From 803d44a71a840c92e6935d8a94a124e9494d1e04 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 28 Mar 2006 23:16:51 +0000
Subject: [PATCH 131/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 6f1038520f..1039ab7c9d 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -36,6 +36,7 @@ rt14815				open		// stats blind spots
 rt14895				open	jinmei
 rt14895b			open	
 rt15327				open	
+rt15452				new	
 rt15473				review	marka
 rt15473b			review	marka
 rt15592				review	

From 5d7bdf97d1b4f08cd08633231d24d5a24aeadce2 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 30 Mar 2006 23:16:49 +0000
Subject: [PATCH 132/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 1039ab7c9d..a47175f90c 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -70,6 +70,7 @@ rt15849				new
 rt15855				new	
 rt15860				new	
 rt15878				new	
+rt15941				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	

From dd03b69e3cc0f9a17091c754fb1b5b5611b7dbe2 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 31 Mar 2006 00:03:39 +0000
Subject: [PATCH 133/465] custom_WFB_v9_3_2

---
 doc/private/delete-list | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/delete-list b/doc/private/delete-list
index dda9b429cb..e472179e6c 100644
--- a/doc/private/delete-list
+++ b/doc/private/delete-list
@@ -1,2 +1,3 @@
 peter
 custom_WFB_v9_3_1
+custom_WFB_v9_3_2

From 6e0b8a49c1057bff2b48490141b39841bcc1189e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 31 Mar 2006 23:16:53 +0000
Subject: [PATCH 134/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index a47175f90c..c1aa85c515 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -10,6 +10,7 @@ Branch				Status	Whom	// Comments
 				closed		finished with
 
 custom_WFB_v9_3_1		private	
+custom_WFB_v9_3_2		new	
 gssapi3-skan			new	
 gsstsig2			open	sra	// old (circa 9.3.0) gss-tsig, finally worked with hacked heimdal spnego
 gsstsig3			new	

From 702d5594271bf0ade096b5a9bf4092f43604d451 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 31 Mar 2006 23:30:22 +0000
Subject: [PATCH 135/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 0e191dfd3c..31c5922baf 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1241,7 +1241,7 @@
 ./doc/private/CHANGES				X	2000,2001
 ./doc/private/branches				X	2002,2005,2006
 ./doc/private/bugfix-by-assertion		X	2001
-./doc/private/delete-list			X	2005
+./doc/private/delete-list			X	2005,2006
 ./doc/private/options				TXT.BRIEF	2000,2001,2004
 ./doc/todo/brister/todo				X	2000,2001
 ./doc/todo/bwelling/todo			X	2000,2001

From b26014a1945864a54464b413279faad7dad6d772 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 2 Apr 2006 23:35:55 +0000
Subject: [PATCH 136/465] 4398:   Storing Certificates in the Domain Name
 System (DNS)

---
 doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt | 840 ---------------
 doc/rfc/index                                 |   1 +
 doc/rfc/rfc4398.txt                           | 955 ++++++++++++++++++
 3 files changed, 956 insertions(+), 840 deletions(-)
 delete mode 100644 doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt
 create mode 100644 doc/rfc/rfc4398.txt

diff --git a/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt b/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt
deleted file mode 100644
index 2ec9dbec51..0000000000
--- a/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt
+++ /dev/null
@@ -1,840 +0,0 @@
-
-
-
-Network Working Group                                       S. Josefsson
-Internet-Draft                                           August 30, 2005
-Expires: March 3, 2006
-
-
-          Storing Certificates in the Domain Name System (DNS)
-                    draft-ietf-dnsext-rfc2538bis-04
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on March 3, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   Cryptographic public keys are frequently published and their
-   authenticity demonstrated by certificates.  A CERT resource record
-   (RR) is defined so that such certificates and related certificate
-   revocation lists can be stored in the Domain Name System (DNS).
-
-   This document obsoletes RFC 2538.
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 1]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   2.  The CERT Resource Record . . . . . . . . . . . . . . . . . . .  3
-     2.1.  Certificate Type Values  . . . . . . . . . . . . . . . . .  4
-     2.2.  Text Representation of CERT RRs  . . . . . . . . . . . . .  5
-     2.3.  X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . .  6
-   3.  Appropriate Owner Names for CERT RRs . . . . . . . . . . . . .  6
-     3.1.  Content-based X.509 CERT RR Names  . . . . . . . . . . . .  7
-     3.2.  Purpose-based X.509 CERT RR Names  . . . . . . . . . . . .  8
-     3.3.  Content-based OpenPGP CERT RR Names  . . . . . . . . . . .  9
-     3.4.  Purpose-based OpenPGP CERT RR Names  . . . . . . . . . . .  9
-     3.5.  Owner names for IPKIX, ISPKI, and IPGP . . . . . . . . . .  9
-   4.  Performance Considerations . . . . . . . . . . . . . . . . . . 10
-   5.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10
-   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
-   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
-   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
-   9.  Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 11
-   Appendix A.  Copying conditions  . . . . . . . . . . . . . . . . . 12
-   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
-     10.1. Normative References . . . . . . . . . . . . . . . . . . . 12
-     10.2. Informative References . . . . . . . . . . . . . . . . . . 13
-   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
-   Intellectual Property and Copyright Statements . . . . . . . . . . 15
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 2]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-1.  Introduction
-
-   Public keys are frequently published in the form of a certificate and
-   their authenticity is commonly demonstrated by certificates and
-   related certificate revocation lists (CRLs).  A certificate is a
-   binding, through a cryptographic digital signature, of a public key,
-   a validity interval and/or conditions, and identity, authorization,
-   or other information.  A certificate revocation list is a list of
-   certificates that are revoked, and incidental information, all signed
-   by the signer (issuer) of the revoked certificates.  Examples are
-   X.509 certificates/CRLs in the X.500 directory system or OpenPGP
-   certificates/revocations used by OpenPGP software.
-
-   Section 2 below specifies a CERT resource record (RR) for the storage
-   of certificates in the Domain Name System [1] [2].
-
-   Section 3 discusses appropriate owner names for CERT RRs.
-
-   Sections 4, 5, and 6 below cover performance, IANA, and security
-   considerations, respectively.
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [3].
-
-
-2.  The CERT Resource Record
-
-   The CERT resource record (RR) has the structure given below.  Its RR
-   type code is 37.
-
-                       1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |             type              |             key tag           |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |   algorithm   |                                               /
-   +---------------+            certificate or CRL                 /
-   /                                                               /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
-   The type field is the certificate type as defined in section 2.1
-   below.
-
-   The key tag field is the 16 bit value computed for the key embedded
-   in the certificate, using the RRSIG Key Tag algorithm described in
-   Appendix B of [10].  This field is used as an efficiency measure to
-   pick which CERT RRs may be applicable to a particular key.  The key
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 3]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   tag can be calculated for the key in question and then only CERT RRs
-   with the same key tag need be examined.  However, the key must always
-   be transformed to the format it would have as the public key portion
-   of a DNSKEY RR before the key tag is computed.  This is only possible
-   if the key is applicable to an algorithm (and limits such as key size
-   limits) defined for DNS security.  If it is not, the algorithm field
-   MUST BE zero and the tag field is meaningless and SHOULD BE zero.
-
-   The algorithm field has the same meaning as the algorithm field in
-   DNSKEY and RRSIG RRs [10], except that a zero algorithm field
-   indicates the algorithm is unknown to a secure DNS, which may simply
-   be the result of the algorithm not having been standardized for
-   DNSSEC.
-
-2.1.  Certificate Type Values
-
-   The following values are defined or reserved:
-
-       Value  Mnemonic  Certificate Type
-       -----  --------  ----------------
-           0            reserved
-           1  PKIX      X.509 as per PKIX
-           2  SPKI      SPKI certificate
-           3  PGP       OpenPGP packet
-           4  IPKIX     The URL of an X.509 data object
-           5  ISPKI     The URL of an SPKI certificate
-           6  IPGP      The URL of an OpenPGP packet
-       7-252            available for IANA assignment
-         253  URI       URI private
-         254  OID       OID private
-   255-65534            available for IANA assignment
-       65535            reserved
-
-   The PKIX type is reserved to indicate an X.509 certificate conforming
-   to the profile being defined by the IETF PKIX working group.  The
-   certificate section will start with a one-byte unsigned OID length
-   and then an X.500 OID indicating the nature of the remainder of the
-   certificate section (see 2.3 below).  (NOTE: X.509 certificates do
-   not include their X.500 directory type designating OID as a prefix.)
-
-   The SPKI type is reserved to indicate the SPKI certificate format
-   [13], for use when the SPKI documents are moved from experimental
-   status.
-
-   The PGP type indicates an OpenPGP packet as described in [6] and its
-   extensions and successors.  Two uses are to transfer public key
-   material and revocation signatures.  The data is binary, and MUST NOT
-   be encoded into an ASCII armor.  An implementation SHOULD process
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 4]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   transferable public keys as described in section 10.1 of [6], but it
-   MAY handle additional OpenPGP packets.
-
-   The IPKIX, ISPKI and IPGP types indicate a URL which will serve the
-   content that would have been in the "certificate, CRL or URL" field
-   of the corresponding (PKIX, SPKI or PGP) packet types.  These types
-   are known as "indirect".  These packet types MUST be used when the
-   content is too large to fit in the CERT RR, and MAY be used at the
-   implementer's discretion.  They SHOULD NOT be used where the entire
-   UDP packet would have fit in 512 bytes.
-
-   The URI private type indicates a certificate format defined by an
-   absolute URI.  The certificate portion of the CERT RR MUST begin with
-   a null terminated URI [5] and the data after the null is the private
-   format certificate itself.  The URI SHOULD be such that a retrieval
-   from it will lead to documentation on the format of the certificate.
-   Recognition of private certificate types need not be based on URI
-   equality but can use various forms of pattern matching so that, for
-   example, subtype or version information can also be encoded into the
-   URI.
-
-   The OID private type indicates a private format certificate specified
-   by an ISO OID prefix.  The certificate section will start with a one-
-   byte unsigned OID length and then a BER encoded OID indicating the
-   nature of the remainder of the certificate section.  This can be an
-   X.509 certificate format or some other format.  X.509 certificates
-   that conform to the IETF PKIX profile SHOULD be indicated by the PKIX
-   type, not the OID private type.  Recognition of private certificate
-   types need not be based on OID equality but can use various forms of
-   pattern matching such as OID prefix.
-
-2.2.  Text Representation of CERT RRs
-
-   The RDATA portion of a CERT RR has the type field as an unsigned
-   decimal integer or as a mnemonic symbol as listed in section 2.1
-   above.
-
-   The key tag field is represented as an unsigned decimal integer.
-
-   The algorithm field is represented as an unsigned decimal integer or
-   a mnemonic symbol as listed in [10].
-
-   The certificate / CRL portion is represented in base 64 [14] and may
-   be divided up into any number of white space separated substrings,
-   down to single base 64 digits, which are concatenated to obtain the
-   full signature.  These substrings can span lines using the standard
-   parenthesis.
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 5]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   Note that the certificate / CRL portion may have internal sub-fields,
-   but these do not appear in the master file representation.  For
-   example, with type 254, there will be an OID size, an OID, and then
-   the certificate / CRL proper.  But only a single logical base 64
-   string will appear in the text representation.
-
-2.3.  X.509 OIDs
-
-   OIDs have been defined in connection with the X.500 directory for
-   user certificates, certification authority certificates, revocations
-   of certification authority, and revocations of user certificates.
-   The following table lists the OIDs, their BER encoding, and their
-   length-prefixed hex format for use in CERT RRs:
-
-       id-at-userCertificate
-           = { joint-iso-ccitt(2) ds(5) at(4) 36 }
-              == 0x 03 55 04 24
-       id-at-cACertificate
-           = { joint-iso-ccitt(2) ds(5) at(4) 37 }
-              == 0x 03 55 04 25
-       id-at-authorityRevocationList
-           = { joint-iso-ccitt(2) ds(5) at(4) 38 }
-              == 0x 03 55 04 26
-       id-at-certificateRevocationList
-           = { joint-iso-ccitt(2) ds(5) at(4) 39 }
-              == 0x 03 55 04 27
-
-
-3.  Appropriate Owner Names for CERT RRs
-
-   It is recommended that certificate CERT RRs be stored under a domain
-   name related to their subject, i.e., the name of the entity intended
-   to control the private key corresponding to the public key being
-   certified.  It is recommended that certificate revocation list CERT
-   RRs be stored under a domain name related to their issuer.
-
-   Following some of the guidelines below may result in the use in DNS
-   names of characters that require DNS quoting which is to use a
-   backslash followed by the octal representation of the ASCII code for
-   the character (e.g., \000 for NULL).
-
-   The choice of name under which CERT RRs are stored is important to
-   clients that perform CERT queries.  In some situations, the clients
-   may not know all information about the CERT RR object it wishes to
-   retrieve.  For example, a client may not know the subject name of an
-   X.509 certificate, or the e-mail address of the owner of an OpenPGP
-   key.  Further, the client might only know the hostname of a service
-   that uses X.509 certificates or the Key ID of an OpenPGP key.
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 6]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   Therefore, two owner name guidelines are defined: content-based owner
-   names and purpose-based owner names.  A content-based owner name is
-   derived from the content of the CERT RR data; for example, the
-   Subject field in an X.509 certificate or the User ID field in OpenPGP
-   keys.  A purpose-based owner name is a name that a client retrieving
-   CERT RRs MUST already know; for example, the host name of an X.509
-   protected service or the Key ID of an OpenPGP key.  The content-based
-   and purpose-based owner name MAY be the same; for example, when a
-   client looks up a key based on the From: address of an incoming
-   e-mail.
-
-   Implementations SHOULD use the purpose-based owner name guidelines
-   described in this document, and MAY use CNAMEs of content-based owner
-   names (or other names), pointing to the purpose-based owner name.
-
-3.1.  Content-based X.509 CERT RR Names
-
-   Some X.509 versions permit multiple names to be associated with
-   subjects and issuers under "Subject Alternate Name" and "Issuer
-   Alternate Name".  For example, X.509v3 has such Alternate Names with
-   an ASN.1 specification as follows:
-
-        GeneralName ::= CHOICE {
-           otherName                  [0] INSTANCE OF OTHER-NAME,
-           rfc822Name                 [1] IA5String,
-           dNSName                    [2] IA5String,
-           x400Address                [3] EXPLICIT OR-ADDRESS.&Type,
-           directoryName              [4] EXPLICIT Name,
-           ediPartyName               [5] EDIPartyName,
-           uniformResourceIdentifier  [6] IA5String,
-           iPAddress                  [7] OCTET STRING,
-           registeredID               [8] OBJECT IDENTIFIER
-        }
-
-   The recommended locations of CERT storage are as follows, in priority
-   order:
-   1.  If a domain name is included in the identification in the
-       certificate or CRL, that should be used.
-   2.  If a domain name is not included but an IP address is included,
-       then the translation of that IP address into the appropriate
-       inverse domain name should be used.
-   3.  If neither of the above is used, but a URI containing a domain
-       name is present, that domain name should be used.
-   4.  If none of the above is included but a character string name is
-       included, then it should be treated as described for OpenPGP
-       names below.
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 7]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   5.  If none of the above apply, then the distinguished name (DN)
-       should be mapped into a domain name as specified in [4].
-
-   Example 1: An X.509v3 certificate is issued to /CN=John Doe /DC=Doe/
-   DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a)
-   string "John (the Man) Doe", (b) domain name john-doe.com, and (c)
-   uri .  The storage locations
-   recommended, in priority order, would be
-   1.  john-doe.com,
-   2.  www.secure.john-doe.com, and
-   3.  Doe.com.xy.
-
-   Example 2: An X.509v3 certificate is issued to /CN=James Hacker/
-   L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a)
-   domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and
-   (c) string "James Hacker ".  The
-   storage locations recommended, in priority order, would be
-   1.  widget.foo.example,
-   2.  201.13.251.10.in-addr.arpa, and
-   3.  hacker.mail.widget.foo.example.
-
-3.2.  Purpose-based X.509 CERT RR Names
-
-   Due to the difficulty for clients that do not already possess a
-   certificate to reconstruct the content-based owner name, purpose-
-   based owner names are recommended in this section.  Recommendations
-   for purpose-based owner names vary per scenario.  The following table
-   summarizes the purpose-based X.509 CERT RR owner name guidelines for
-   use with S/MIME [16], SSL/TLS [11], and IPSEC [12]:
-
-    Scenario             Owner name
-    ------------------   ----------------------------------------------
-    S/MIME Certificate   Standard translation of an RFC 2822 email
-                         address.  Example: An S/MIME certificate for
-                         "postmaster@example.org" will use a standard
-                         hostname translation of the owner name,
-                         "postmaster.example.org".
-
-    TLS Certificate      Hostname of the TLS server.
-
-    IPSEC Certificate    Hostname of the IPSEC machine and/or, for IPv4
-                         or IPv6 addresses, the fully qualified domain
-                         name in the appropriate reverse domain.
-
-   An alternate approach for IPSEC is to store raw public keys [15].
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 8]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-3.3.  Content-based OpenPGP CERT RR Names
-
-   OpenPGP signed keys (certificates) use a general character string
-   User ID [6].  However, it is recommended by OpenPGP that such names
-   include the RFC 2822 [8] email address of the party, as in "Leslie
-   Example ".  If such a format is used, the CERT
-   should be under the standard translation of the email address into a
-   domain name, which would be leslie.host.example in this case.  If no
-   RFC 2822 name can be extracted from the string name, no specific
-   domain name is recommended.
-
-   If a user has more than one email address, the CNAME type can be used
-   to reduce the amount of data stored in the DNS.  Example:
-
-      $ORIGIN example.org.
-      smith        IN CERT PGP 0 0 
-      john.smith   IN CNAME smith
-      js           IN CNAME smith
-
-3.4.  Purpose-based OpenPGP CERT RR Names
-
-   Applications that receive an OpenPGP packet containing encrypted or
-   signed data but do not know the email address of the sender will have
-   difficulties constructing the correct owner name and cannot use the
-   content-based owner name guidelines.  However, these clients commonly
-   know the key fingerprint or the Key ID.  The key ID is found in
-   OpenPGP packets, and the key fingerprint is commonly found in
-   auxilliary data that may be available.  In this case, use of an owner
-   name identical to the key fingerprint and the key ID expressed in
-   hexadecimal [14] is recommended.  Example:
-
-      $ORIGIN example.org.
-      0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ...
-      F835EDA21E94B565716F                     IN CERT PGP ...
-      B565716F                                 IN CERT PGP ...
-
-   If the same key material is stored for several owner names, the use
-   of CNAME may be used to avoid data duplication.  Note that CNAME is
-   not always applicable, because it maps one owner name to the other
-   for all purposes, which may be sub-optimal when two keys with the
-   same Key ID are stored.
-
-3.5.  Owner names for IPKIX, ISPKI, and IPGP
-
-   These types are stored under the same owner names, both purpose- and
-   content-based, as the PKIX, SPKI and PGP types.
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 9]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-4.  Performance Considerations
-
-   Current Domain Name System (DNS) implementations are optimized for
-   small transfers, typically not more than 512 bytes including
-   overhead.  While larger transfers will perform correctly and work is
-   underway to make larger transfers more efficient, it is still
-   advisable at this time to make every reasonable effort to minimize
-   the size of certificates stored within the DNS.  Steps that can be
-   taken may include using the fewest possible optional or extension
-   fields and using short field values for necessary variable length
-   fields.
-
-   The RDATA field in the DNS protocol may only hold data of size 65535
-   octets (64kb) or less.  This means that each CERT RR MUST NOT contain
-   more than 64kb of payload, even if the corresponding certificate or
-   certificate revocation list is larger.  This document addresses this
-   by defining "indirect" data types for each normal type.
-
-
-5.  Contributors
-
-   The majority of this document is copied verbatim from RFC 2538, by
-   Donald Eastlake 3rd and Olafur Gudmundsson.
-
-
-6.  Acknowledgements
-
-   Thanks to David Shaw and Michael Graff for their contributions to
-   earlier works that motivated, and served as inspiration for, this
-   document.
-
-   This document was improved by suggestions and comments from Olivier
-   Dubuisson, Olaf M. Kolkman, Ben Laurie, Edward Lewis, Jason
-   Sloderbeck, Samuel Weiler, and Florian Weimer.  No doubt the list is
-   incomplete.  We apologize to anyone we left out.
-
-
-7.  Security Considerations
-
-   By definition, certificates contain their own authenticating
-   signature.  Thus, it is reasonable to store certificates in non-
-   secure DNS zones or to retrieve certificates from DNS with DNS
-   security checking not implemented or deferred for efficiency.  The
-   results MAY be trusted if the certificate chain is verified back to a
-   known trusted key and this conforms with the user's security policy.
-
-   Alternatively, if certificates are retrieved from a secure DNS zone
-   with DNS security checking enabled and are verified by DNS security,
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 10]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   the key within the retrieved certificate MAY be trusted without
-   verifying the certificate chain if this conforms with the user's
-   security policy.
-
-   If an organization chooses to issue certificates for it's employees,
-   placing CERT RR's in the DNS by owner name, and if DNSSEC (with NSEC)
-   is in use, it is possible for someone to enumerate all employees of
-   the organization.  This is usually not considered desirable, for the
-   same reason enterprise phone listings are not often publicly
-   published and are even mark confidential.
-
-   When the URI type is used, it should be understood that it introduces
-   an additional indirection that may allow for a new attack vector.
-   One method to secure that indirection is to include a hash of the
-   certificate in the URI itself.
-
-   CERT RRs are not used by DNSSEC [9], so there are no security
-   considerations related to CERT RRs and securing the DNS itself.
-
-   If DNSSEC is used, then the non-existence of a CERT RR and,
-   consequently, certificates or revocation lists can be securely
-   asserted.  Without DNSSEC, this is not possible.
-
-
-8.  IANA Considerations
-
-   Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
-   only be assigned by an IETF standards action [7].  This document
-   assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE.  Certificate
-   types 0x0100 through 0xFEFF are assigned through IETF Consensus [7]
-   based on RFC documentation of the certificate type.  The availability
-   of private types under 0x00FD and 0x00FE should satisfy most
-   requirements for proprietary or private types.
-
-   The CERT RR reuses the DNS Security Algorithm Numbers registry.  In
-   particular, the CERT RR requires that algorithm number 0 remain
-   reserved, as described in Section 2.  The IANA is directed to
-   reference the CERT RR as a user of this registry and value 0, in
-   particular.
-
-
-9.  Changes since RFC 2538
-
-   1.   Editorial changes to conform with new document requirements,
-        including splitting reference section into two parts and
-        updating the references to point at latest versions, and to add
-        some additional references.
-
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 11]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   2.   Improve terminology.  For example replace "PGP" with "OpenPGP",
-        to align with RFC 2440.
-   3.   In section 2.1, clarify that OpenPGP public key data are binary,
-        not the ASCII armored format, and reference 10.1 in RFC 2440 on
-        how to deal with OpenPGP keys, and acknowledge that
-        implementations may handle additional packet types.
-   4.   Clarify that integers in the representation format are decimal.
-   5.   Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis
-        terminology.  Improve reference for Key Tag Algorithm
-        calculations.
-   6.   Add examples that suggest use of CNAME to reduce bandwidth.
-   7.   In section 3, appended the last paragraphs that discuss
-        "content-based" vs "purpose-based" owner names.  Add section 3.2
-        for purpose-based X.509 CERT owner names, and section 3.4 for
-        purpose-based OpenPGP CERT owner names.
-   8.   Added size considerations.
-   9.   The SPKI types has been reserved, until RFC 2692/2693 is moved
-        from the experimental status.
-   10.  Added indirect types IPKIX, ISPKI, and IPGP.
-
-
-Appendix A.  Copying conditions
-
-   Regarding the portion of this document that was written by Simon
-   Josefsson ("the author", for the remainder of this section), the
-   author makes no guarantees and is not responsible for any damage
-   resulting from its use.  The author grants irrevocable permission to
-   anyone to use, modify, and distribute it in any way that does not
-   diminish the rights of anyone else to use, modify, and distribute it,
-   provided that redistributed derivative works do not contain
-   misleading author or version information.  Derivative works need not
-   be licensed under similar terms.
-
-
-10.  References
-
-10.1.  Normative References
-
-   [1]   Mockapetris, P., "Domain names - concepts and facilities",
-         STD 13, RFC 1034, November 1987.
-
-   [2]   Mockapetris, P., "Domain names - implementation and
-         specification", STD 13, RFC 1035, November 1987.
-
-   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [4]   Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri,
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 12]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-         "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247,
-         January 1998.
-
-   [5]   Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
-         Resource Identifiers (URI): Generic Syntax", RFC 2396,
-         August 1998.
-
-   [6]   Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
-         "OpenPGP Message Format", RFC 2440, November 1998.
-
-   [7]   Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
-         Considerations Section in RFCs", BCP 26, RFC 2434,
-         October 1998.
-
-   [8]   Resnick, P., "Internet Message Format", RFC 2822, April 2001.
-
-   [9]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "DNS Security Introduction and Requirements", RFC 4033,
-         March 2005.
-
-   [10]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Resource Records for the DNS Security Extensions", RFC 4034,
-         March 2005.
-
-10.2.  Informative References
-
-   [11]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
-         RFC 2246, January 1999.
-
-   [12]  Kent, S. and R. Atkinson, "Security Architecture for the
-         Internet Protocol", RFC 2401, November 1998.
-
-   [13]  Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B.,
-         and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
-         September 1999.
-
-   [14]  Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
-         RFC 3548, July 2003.
-
-   [15]  Richardson, M., "A Method for Storing IPsec Keying Material in
-         DNS", RFC 4025, March 2005.
-
-   [16]  Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
-         (S/MIME) Version 3.1 Message Specification", RFC 3851,
-         July 2004.
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 13]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-Author's Address
-
-   Simon Josefsson
-
-   Email: simon@josefsson.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 14]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 15]
-
diff --git a/doc/rfc/index b/doc/rfc/index
index 947827e59a..6d8e3d255a 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -105,4 +105,5 @@
 4255:	Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
 4343:	Domain Name System (DNS) Case Insensitivity Clarification
 4367:	What's in a Name: False Assumptions about DNS Names
+4398:	Storing Certificates in the Domain Name System (DNS)
 4431:	The DNSSEC Lookaside Validation (DLV) DNS Resource Record
diff --git a/doc/rfc/rfc4398.txt b/doc/rfc/rfc4398.txt
new file mode 100644
index 0000000000..6437436e6a
--- /dev/null
+++ b/doc/rfc/rfc4398.txt
@@ -0,0 +1,955 @@
+
+
+
+
+
+
+Network Working Group                                       S. Josefsson
+Request for Comments: 4398                                    March 2006
+Obsoletes: 2538
+Category: Standards Track
+
+
+          Storing Certificates in the Domain Name System (DNS)
+
+Status of This Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   Cryptographic public keys are frequently published, and their
+   authenticity is demonstrated by certificates.  A CERT resource record
+   (RR) is defined so that such certificates and related certificate
+   revocation lists can be stored in the Domain Name System (DNS).
+
+   This document obsoletes RFC 2538.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Josefsson                   Standards Track                     [Page 1]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+Table of Contents
+
+   1. Introduction ....................................................3
+   2. The CERT Resource Record ........................................3
+      2.1. Certificate Type Values ....................................4
+      2.2. Text Representation of CERT RRs ............................6
+      2.3. X.509 OIDs .................................................6
+   3. Appropriate Owner Names for CERT RRs ............................7
+      3.1. Content-Based X.509 CERT RR Names ..........................8
+      3.2. Purpose-Based X.509 CERT RR Names ..........................9
+      3.3. Content-Based OpenPGP CERT RR Names ........................9
+      3.4. Purpose-Based OpenPGP CERT RR Names .......................10
+      3.5. Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX ...........10
+   4. Performance Considerations .....................................11
+   5. Contributors ...................................................11
+   6. Acknowledgements ...............................................11
+   7. Security Considerations ........................................12
+   8. IANA Considerations ............................................12
+   9. Changes since RFC 2538 .........................................13
+   10. References ....................................................14
+      10.1. Normative References .....................................14
+      10.2. Informative References ...................................15
+   Appendix A.  Copying Conditions ...................................16
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Josefsson                   Standards Track                     [Page 2]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+1.  Introduction
+
+   Public keys are frequently published in the form of a certificate,
+   and their authenticity is commonly demonstrated by certificates and
+   related certificate revocation lists (CRLs).  A certificate is a
+   binding, through a cryptographic digital signature, of a public key,
+   a validity interval and/or conditions, and identity, authorization,
+   or other information.  A certificate revocation list is a list of
+   certificates that are revoked, and of incidental information, all
+   signed by the signer (issuer) of the revoked certificates.  Examples
+   are X.509 certificates/CRLs in the X.500 directory system or OpenPGP
+   certificates/revocations used by OpenPGP software.
+
+   Section 2 specifies a CERT resource record (RR) for the storage of
+   certificates in the Domain Name System [1] [2].
+
+   Section 3 discusses appropriate owner names for CERT RRs.
+
+   Sections 4, 7, and 8 cover performance, security, and IANA
+   considerations, respectively.
+
+   Section 9 explains the changes in this document compared to RFC 2538.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [3].
+
+2.  The CERT Resource Record
+
+   The CERT resource record (RR) has the structure given below.  Its RR
+   type code is 37.
+
+                       1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |             type              |             key tag           |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |   algorithm   |                                               /
+   +---------------+            certificate or CRL                 /
+   /                                                               /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+
+   The type field is the certificate type as defined in Section 2.1
+   below.
+
+   The key tag field is the 16-bit value computed for the key embedded
+   in the certificate, using the RRSIG Key Tag algorithm described in
+   Appendix B of [12].  This field is used as an efficiency measure to
+
+
+
+Josefsson                   Standards Track                     [Page 3]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+   pick which CERT RRs may be applicable to a particular key.  The key
+   tag can be calculated for the key in question, and then only CERT RRs
+   with the same key tag need to be examined.  Note that two different
+   keys can have the same key tag.  However, the key MUST be transformed
+   to the format it would have as the public key portion of a DNSKEY RR
+   before the key tag is computed.  This is only possible if the key is
+   applicable to an algorithm and complies to limits (such as key size)
+   defined for DNS security.  If it is not, the algorithm field MUST be
+   zero and the tag field is meaningless and SHOULD be zero.
+
+   The algorithm field has the same meaning as the algorithm field in
+   DNSKEY and RRSIG RRs [12], except that a zero algorithm field
+   indicates that the algorithm is unknown to a secure DNS, which may
+   simply be the result of the algorithm not having been standardized
+   for DNSSEC [11].
+
+2.1.  Certificate Type Values
+
+   The following values are defined or reserved:
+
+         Value  Mnemonic  Certificate Type
+         -----  --------  ----------------
+             0            Reserved
+             1  PKIX      X.509 as per PKIX
+             2  SPKI      SPKI certificate
+             3  PGP       OpenPGP packet
+             4  IPKIX     The URL of an X.509 data object
+             5  ISPKI     The URL of an SPKI certificate
+             6  IPGP      The fingerprint and URL of an OpenPGP packet
+             7  ACPKIX    Attribute Certificate
+             8  IACPKIX   The URL of an Attribute Certificate
+         9-252            Available for IANA assignment
+           253  URI       URI private
+           254  OID       OID private
+           255            Reserved
+     256-65279            Available for IANA assignment
+   65280-65534            Experimental
+         65535            Reserved
+
+   These values represent the initial content of the IANA registry; see
+   Section 8.
+
+   The PKIX type is reserved to indicate an X.509 certificate conforming
+   to the profile defined by the IETF PKIX working group [8].  The
+   certificate section will start with a one-octet unsigned OID length
+   and then an X.500 OID indicating the nature of the remainder of the
+
+
+
+
+
+Josefsson                   Standards Track                     [Page 4]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+   certificate section (see Section 2.3, below).  (NOTE: X.509
+   certificates do not include their X.500 directory-type-designating
+   OID as a prefix.)
+
+   The SPKI and ISPKI types are reserved to indicate the SPKI
+   certificate format [15], for use when the SPKI documents are moved
+   from experimental status.  The format for these two CERT RR types
+   will need to be specified later.
+
+   The PGP type indicates an OpenPGP packet as described in [5] and its
+   extensions and successors.  This is used to transfer public key
+   material and revocation signatures.  The data is binary and MUST NOT
+   be encoded into an ASCII armor.  An implementation SHOULD process
+   transferable public keys as described in Section 10.1 of [5], but it
+   MAY handle additional OpenPGP packets.
+
+   The ACPKIX type indicates an Attribute Certificate format [9].
+
+   The IPKIX and IACPKIX types indicate a URL that will serve the
+   content that would have been in the "certificate, CRL, or URL" field
+   of the corresponding type (PKIX or ACPKIX, respectively).
+
+   The IPGP type contains both an OpenPGP fingerprint for the key in
+   question, as well as a URL.  The certificate portion of the IPGP CERT
+   RR is defined as a one-octet fingerprint length, followed by the
+   OpenPGP fingerprint, followed by the URL.  The OpenPGP fingerprint is
+   calculated as defined in RFC 2440 [5].  A zero-length fingerprint or
+   a zero-length URL are legal, and indicate URL-only IPGP data or
+   fingerprint-only IPGP data, respectively.  A zero-length fingerprint
+   and a zero-length URL are meaningless and invalid.
+
+   The IPKIX, ISPKI, IPGP, and IACPKIX types are known as "indirect".
+   These types MUST be used when the content is too large to fit in the
+   CERT RR and MAY be used at the implementer's discretion.  They SHOULD
+   NOT be used where the DNS message is 512 octets or smaller and could
+   thus be expected to fit a UDP packet.
+
+   The URI private type indicates a certificate format defined by an
+   absolute URI.  The certificate portion of the CERT RR MUST begin with
+   a null-terminated URI [10], and the data after the null is the
+   private format certificate itself.  The URI SHOULD be such that a
+   retrieval from it will lead to documentation on the format of the
+   certificate.  Recognition of private certificate types need not be
+   based on URI equality but can use various forms of pattern matching
+   so that, for example, subtype or version information can also be
+   encoded into the URI.
+
+
+
+
+
+Josefsson                   Standards Track                     [Page 5]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+   The OID private type indicates a private format certificate specified
+   by an ISO OID prefix.  The certificate section will start with a
+   one-octet unsigned OID length and then a BER-encoded OID indicating
+   the nature of the remainder of the certificate section.  This can be
+   an X.509 certificate format or some other format.  X.509 certificates
+   that conform to the IETF PKIX profile SHOULD be indicated by the PKIX
+   type, not the OID private type.  Recognition of private certificate
+   types need not be based on OID equality but can use various forms of
+   pattern matching such as OID prefix.
+
+2.2.  Text Representation of CERT RRs
+
+   The RDATA portion of a CERT RR has the type field as an unsigned
+   decimal integer or as a mnemonic symbol as listed in Section 2.1,
+   above.
+
+   The key tag field is represented as an unsigned decimal integer.
+
+   The algorithm field is represented as an unsigned decimal integer or
+   a mnemonic symbol as listed in [12].
+
+   The certificate/CRL portion is represented in base 64 [16] and may be
+   divided into any number of white-space-separated substrings, down to
+   single base-64 digits, which are concatenated to obtain the full
+   signature.  These substrings can span lines using the standard
+   parenthesis.
+
+   Note that the certificate/CRL portion may have internal sub-fields,
+   but these do not appear in the master file representation.  For
+   example, with type 254, there will be an OID size, an OID, and then
+   the certificate/CRL proper.  However, only a single logical base-64
+   string will appear in the text representation.
+
+2.3.  X.509 OIDs
+
+   OIDs have been defined in connection with the X.500 directory for
+   user certificates, certification authority certificates, revocations
+   of certification authority, and revocations of user certificates.
+   The following table lists the OIDs, their BER encoding, and their
+   length-prefixed hex format for use in CERT RRs:
+
+
+
+
+
+
+
+
+
+
+
+Josefsson                   Standards Track                     [Page 6]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+       id-at-userCertificate
+           = { joint-iso-ccitt(2) ds(5) at(4) 36 }
+              == 0x 03 55 04 24
+       id-at-cACertificate
+           = { joint-iso-ccitt(2) ds(5) at(4) 37 }
+              == 0x 03 55 04 25
+       id-at-authorityRevocationList
+           = { joint-iso-ccitt(2) ds(5) at(4) 38 }
+              == 0x 03 55 04 26
+       id-at-certificateRevocationList
+           = { joint-iso-ccitt(2) ds(5) at(4) 39 }
+              == 0x 03 55 04 27
+
+3.  Appropriate Owner Names for CERT RRs
+
+   It is recommended that certificate CERT RRs be stored under a domain
+   name related to their subject, i.e., the name of the entity intended
+   to control the private key corresponding to the public key being
+   certified.  It is recommended that certificate revocation list CERT
+   RRs be stored under a domain name related to their issuer.
+
+   Following some of the guidelines below may result in DNS names with
+   characters that require DNS quoting as per Section 5.1 of RFC 1035
+   [2].
+
+   The choice of name under which CERT RRs are stored is important to
+   clients that perform CERT queries.  In some situations, the clients
+   may not know all information about the CERT RR object it wishes to
+   retrieve.  For example, a client may not know the subject name of an
+   X.509 certificate, or the email address of the owner of an OpenPGP
+   key.  Further, the client might only know the hostname of a service
+   that uses X.509 certificates or the Key ID of an OpenPGP key.
+
+   Therefore, two owner name guidelines are defined: content-based owner
+   names and purpose-based owner names.  A content-based owner name is
+   derived from the content of the CERT RR data; for example, the
+   Subject field in an X.509 certificate or the User ID field in OpenPGP
+   keys.  A purpose-based owner name is a name that a client retrieving
+   CERT RRs ought to know already; for example, the host name of an
+   X.509 protected service or the Key ID of an OpenPGP key.  The
+   content-based and purpose-based owner name may be the same; for
+   example, when a client looks up a key based on the From: address of
+   an incoming email.
+
+   Implementations SHOULD use the purpose-based owner name guidelines
+   described in this document and MAY use CNAME RRs at content-based
+   owner names (or other names), pointing to the purpose-based owner
+   name.
+
+
+
+Josefsson                   Standards Track                     [Page 7]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+   Note that this section describes an application-based mapping from
+   the name space used in a certificate to the name space used by DNS.
+   The DNS does not infer any relationship amongst CERT resource records
+   based on similarities or differences of the DNS owner name(s) of CERT
+   resource records.  For example, if multiple labels are used when
+   mapping from a CERT identifier to a domain name, then care must be
+   taken in understanding wildcard record synthesis.
+
+3.1.  Content-Based X.509 CERT RR Names
+
+   Some X.509 versions, such as the PKIX profile of X.509 [8], permit
+   multiple names to be associated with subjects and issuers under
+   "Subject Alternative Name" and "Issuer Alternative Name".  For
+   example, the PKIX profile has such Alternate Names with an ASN.1
+   specification as follows:
+
+      GeneralName ::= CHOICE {
+           otherName                       [0]     OtherName,
+           rfc822Name                      [1]     IA5String,
+           dNSName                         [2]     IA5String,
+           x400Address                     [3]     ORAddress,
+           directoryName                   [4]     Name,
+           ediPartyName                    [5]     EDIPartyName,
+           uniformResourceIdentifier       [6]     IA5String,
+           iPAddress                       [7]     OCTET STRING,
+           registeredID                    [8]     OBJECT IDENTIFIER }
+
+   The recommended locations of CERT storage are as follows, in priority
+   order:
+
+   1.  If a domain name is included in the identification in the
+       certificate or CRL, that ought to be used.
+   2.  If a domain name is not included but an IP address is included,
+       then the translation of that IP address into the appropriate
+       inverse domain name ought to be used.
+   3.  If neither of the above is used, but a URI containing a domain
+       name is present, that domain name ought to be used.
+   4.  If none of the above is included but a character string name is
+       included, then it ought to be treated as described below for
+       OpenPGP names.
+   5.  If none of the above apply, then the distinguished name (DN)
+       ought to be mapped into a domain name as specified in [4].
+
+   Example 1: An X.509v3 certificate is issued to /CN=John Doe /DC=Doe/
+   DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a)
+   string "John (the Man) Doe", (b) domain name john-doe.com, and (c)
+   URI .  The storage locations
+   recommended, in priority order, would be
+
+
+
+Josefsson                   Standards Track                     [Page 8]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+   1.  john-doe.com,
+   2.  www.secure.john-doe.com, and
+   3.  Doe.com.xy.
+
+   Example 2: An X.509v3 certificate is issued to /CN=James Hacker/
+   L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a)
+   domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and
+   (c) string "James Hacker ".  The
+   storage locations recommended, in priority order, would be
+
+   1.  widget.foo.example,
+   2.  201.13.251.10.in-addr.arpa, and
+   3.  hacker.mail.widget.foo.example.
+
+3.2.  Purpose-Based X.509 CERT RR Names
+
+   Due to the difficulty for clients that do not already possess a
+   certificate to reconstruct the content-based owner name,
+   purpose-based owner names are recommended in this section.
+   Recommendations for purpose-based owner names vary per scenario.  The
+   following table summarizes the purpose-based X.509 CERT RR owner name
+   guidelines for use with S/MIME [17], SSL/TLS [13], and IPsec [14]:
+
+    Scenario             Owner name
+    ------------------   ----------------------------------------------
+    S/MIME Certificate   Standard translation of an RFC 2822 email
+                         address.  Example: An S/MIME certificate for
+                         "postmaster@example.org" will use a standard
+                         hostname translation of the owner name,
+                         "postmaster.example.org".
+
+    TLS Certificate      Hostname of the TLS server.
+
+    IPsec Certificate    Hostname of the IPsec machine and/or, for IPv4
+                         or IPv6 addresses, the fully qualified domain
+                         name in the appropriate reverse domain.
+
+   An alternate approach for IPsec is to store raw public keys [18].
+
+3.3.  Content-Based OpenPGP CERT RR Names
+
+   OpenPGP signed keys (certificates) use a general character string
+   User ID [5].  However, it is recommended by OpenPGP that such names
+   include the RFC 2822 [7] email address of the party, as in "Leslie
+   Example ".  If such a format is used, the CERT
+   ought to be under the standard translation of the email address into
+
+
+
+
+
+Josefsson                   Standards Track                     [Page 9]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+   a domain name, which would be leslie.host.example in this case.  If
+   no RFC 2822 name can be extracted from the string name, no specific
+   domain name is recommended.
+
+   If a user has more than one email address, the CNAME type can be used
+   to reduce the amount of data stored in the DNS.  For example:
+
+      $ORIGIN example.org.
+      smith        IN CERT PGP 0 0 
+      john.smith   IN CNAME smith
+      js           IN CNAME smith
+
+3.4.  Purpose-Based OpenPGP CERT RR Names
+
+   Applications that receive an OpenPGP packet containing encrypted or
+   signed data but do not know the email address of the sender will have
+   difficulties constructing the correct owner name and cannot use the
+   content-based owner name guidelines.  However, these clients commonly
+   know the key fingerprint or the Key ID.  The key ID is found in
+   OpenPGP packets, and the key fingerprint is commonly found in
+   auxiliary data that may be available.  In this case, use of an owner
+   name identical to the key fingerprint and the key ID expressed in
+   hexadecimal [16] is recommended.  For example:
+
+      $ORIGIN example.org.
+      0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ...
+      F835EDA21E94B565716F                     IN CERT PGP ...
+      B565716F                                 IN CERT PGP ...
+
+   If the same key material is stored for several owner names, the use
+   of CNAME may help avoid data duplication.  Note that CNAME is not
+   always applicable, because it maps one owner name to the other for
+   all purposes, which may be sub-optimal when two keys with the same
+   Key ID are stored.
+
+3.5.  Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX
+
+   These types are stored under the same owner names, both purpose- and
+   content-based, as the PKIX, SPKI, PGP, and ACPKIX types.
+
+
+
+
+
+
+
+
+
+
+
+
+Josefsson                   Standards Track                    [Page 10]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+4.  Performance Considerations
+
+   The Domain Name System (DNS) protocol was designed for small
+   transfers, typically below 512 octets.  While larger transfers will
+   perform correctly and work is underway to make larger transfers more
+   efficient, it is still advisable at this time that every reasonable
+   effort be made to minimize the size of certificates stored within the
+   DNS.  Steps that can be taken may include using the fewest possible
+   optional or extension fields and using short field values for
+   necessary variable-length fields.
+
+   The RDATA field in the DNS protocol may only hold data of size 65535
+   octets (64kb) or less.  This means that each CERT RR MUST NOT contain
+   more than 64kb of payload, even if the corresponding certificate or
+   certificate revocation list is larger.  This document addresses this
+   by defining "indirect" data types for each normal type.
+
+   Deploying CERT RRs to support digitally signed email changes the
+   access patterns of DNS lookups from per-domain to per-user.  If
+   digitally signed email and a key/certificate lookup based on CERT RRs
+   are deployed on a wide scale, this may lead to an increased DNS load,
+   with potential performance and cache effectiveness consequences.
+   Whether or not this load increase will be noticeable is not known.
+
+5.  Contributors
+
+   The majority of this document is copied verbatim from RFC 2538, by
+   Donald Eastlake 3rd and Olafur Gudmundsson.
+
+6.  Acknowledgements
+
+   Thanks to David Shaw and Michael Graff for their contributions to
+   earlier works that motivated, and served as inspiration for, this
+   document.
+
+   This document was improved by suggestions and comments from Olivier
+   Dubuisson, Scott Hollenbeck, Russ Housley, Peter Koch, Olaf M.
+   Kolkman, Ben Laurie, Edward Lewis, John Loughney, Allison Mankin,
+   Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel
+   Weiler, and Florian Weimer.  No doubt the list is incomplete.  We
+   apologize to anyone we left out.
+
+
+
+
+
+
+
+
+
+
+Josefsson                   Standards Track                    [Page 11]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+7.  Security Considerations
+
+   By definition, certificates contain their own authenticating
+   signatures.  Thus, it is reasonable to store certificates in
+   non-secure DNS zones or to retrieve certificates from DNS with DNS
+   security checking not implemented or deferred for efficiency.  The
+   results may be trusted if the certificate chain is verified back to a
+   known trusted key and this conforms with the user's security policy.
+
+   Alternatively, if certificates are retrieved from a secure DNS zone
+   with DNS security checking enabled and are verified by DNS security,
+   the key within the retrieved certificate may be trusted without
+   verifying the certificate chain if this conforms with the user's
+   security policy.
+
+   If an organization chooses to issue certificates for its employees,
+   placing CERT RRs in the DNS by owner name, and if DNSSEC (with NSEC)
+   is in use, it is possible for someone to enumerate all employees of
+   the organization.  This is usually not considered desirable, for the
+   same reason that enterprise phone listings are not often publicly
+   published and are even marked confidential.
+
+   Using the URI type introduces another level of indirection that may
+   open a new vulnerability.  One method of securing that indirection is
+   to include a hash of the certificate in the URI itself.
+
+   If DNSSEC is used, then the non-existence of a CERT RR and,
+   consequently, certificates or revocation lists can be securely
+   asserted.  Without DNSSEC, this is not possible.
+
+8.  IANA Considerations
+
+   The IANA has created a new registry for CERT RR: certificate types.
+   The initial contents of this registry is:
+
+       Decimal   Type     Meaning                           Reference
+       -------   ----     -------                           ---------
+             0            Reserved                          RFC 4398
+             1   PKIX     X.509 as per PKIX                 RFC 4398
+             2   SPKI     SPKI certificate                  RFC 4398
+             3   PGP      OpenPGP packet                    RFC 4398
+             4   IPKIX    The URL of an X.509 data object   RFC 4398
+             5   ISPKI    The URL of an SPKI certificate    RFC 4398
+             6   IPGP     The fingerprint and URL           RFC 4398
+                          of an OpenPGP packet
+             7   ACPKIX   Attribute Certificate             RFC 4398
+             8   IACPKIX  The URL of an Attribute           RFC 4398
+                             Certificate
+
+
+
+Josefsson                   Standards Track                    [Page 12]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+         9-252            Available for IANA assignment
+                             by IETF Standards action
+           253   URI      URI private                       RFC 4398
+           254   OID      OID private                       RFC 4398
+           255            Reserved                          RFC 4398
+     256-65279            Available for IANA assignment
+                          by IETF Consensus
+   65280-65534            Experimental                      RFC 4398
+         65535            Reserved                          RFC 4398
+
+   Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
+   only be assigned by an IETF standards action [6].  This document
+   assigns 0x0001 through 0x0008 and 0x00FD and 0x00FE.  Certificate
+   types 0x0100 through 0xFEFF are assigned through IETF Consensus [6]
+   based on RFC documentation of the certificate type.  The availability
+   of private types under 0x00FD and 0x00FE ought to satisfy most
+   requirements for proprietary or private types.
+
+   The CERT RR reuses the DNS Security Algorithm Numbers registry.  In
+   particular, the CERT RR requires that algorithm number 0 remain
+   reserved, as described in Section 2.  The IANA will reference the
+   CERT RR as a user of this registry and value 0, in particular.
+
+9.  Changes since RFC 2538
+
+   1.   Editorial changes to conform with new document requirements,
+        including splitting reference section into two parts and
+        updating the references to point at latest versions, and to add
+        some additional references.
+   2.   Improve terminology.  For example replace "PGP" with "OpenPGP",
+        to align with RFC 2440.
+   3.   In Section 2.1, clarify that OpenPGP public key data are binary,
+        not the ASCII armored format, and reference 10.1 in RFC 2440 on
+        how to deal with OpenPGP keys, and acknowledge that
+        implementations may handle additional packet types.
+   4.   Clarify that integers in the representation format are decimal.
+   5.   Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis
+        terminology.  Improve reference for Key Tag Algorithm
+        calculations.
+   6.   Add examples that suggest use of CNAME to reduce bandwidth.
+   7.   In Section 3, appended the last paragraphs that discuss
+        "content-based" vs "purpose-based" owner names.  Add Section 3.2
+        for purpose-based X.509 CERT owner names, and Section 3.4 for
+        purpose-based OpenPGP CERT owner names.
+   8.   Added size considerations.
+   9.   The SPKI types has been reserved, until RFC 2692/2693 is moved
+        from the experimental status.
+   10.  Added indirect types IPKIX, ISPKI, IPGP, and IACPKIX.
+
+
+
+Josefsson                   Standards Track                    [Page 13]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+   11.  An IANA registry of CERT type values was created.
+
+10.  References
+
+10.1.  Normative References
+
+   [1]   Mockapetris, P., "Domain names - concepts and facilities",
+         STD 13, RFC 1034, November 1987.
+
+   [2]   Mockapetris, P., "Domain names - implementation and
+         specification", STD 13, RFC 1035, November 1987.
+
+   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+         Levels", BCP 14, RFC 2119, March 1997.
+
+   [4]   Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri,
+         "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247,
+         January 1998.
+
+   [5]   Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
+         "OpenPGP Message Format", RFC 2440, November 1998.
+
+   [6]   Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+         Considerations Section in RFCs", BCP 26, RFC 2434,
+         October 1998.
+
+   [7]   Resnick, P., "Internet Message Format", RFC 2822, April 2001.
+
+   [8]   Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509
+         Public Key Infrastructure Certificate and Certificate
+         Revocation List (CRL) Profile", RFC 3280, April 2002.
+
+   [9]   Farrell, S. and R. Housley, "An Internet Attribute Certificate
+         Profile for Authorization", RFC 3281, April 2002.
+
+   [10]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+         Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
+         January 2005.
+
+   [11]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "DNS Security Introduction and Requirements", RFC 4033,
+         March 2005.
+
+   [12]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Resource Records for the DNS Security Extensions", RFC 4034,
+         March 2005.
+
+
+
+
+
+Josefsson                   Standards Track                    [Page 14]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+10.2.  Informative References
+
+   [13]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
+         RFC 2246, January 1999.
+
+   [14]  Kent, S. and K. Seo, "Security Architecture for the Internet
+         Protocol", RFC 4301, December 2005.
+
+   [15]  Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B.,
+         and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
+         September 1999.
+
+   [16]  Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
+         RFC 3548, July 2003.
+
+   [17]  Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
+         (S/MIME) Version 3.1 Message Specification", RFC 3851,
+         July 2004.
+
+   [18]  Richardson, M., "A Method for Storing IPsec Keying Material in
+         DNS", RFC 4025, March 2005.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Josefsson                   Standards Track                    [Page 15]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+Appendix A.  Copying Conditions
+
+   Regarding the portion of this document that was written by Simon
+   Josefsson ("the author", for the remainder of this section), the
+   author makes no guarantees and is not responsible for any damage
+   resulting from its use.  The author grants irrevocable permission to
+   anyone to use, modify, and distribute it in any way that does not
+   diminish the rights of anyone else to use, modify, and distribute it,
+   provided that redistributed derivative works do not contain
+   misleading author or version information.  Derivative works need not
+   be licensed under similar terms.
+
+Author's Address
+
+   Simon Josefsson
+
+   EMail: simon@josefsson.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Josefsson                   Standards Track                    [Page 16]
+
+RFC 4398            Storing Certificates in the DNS        February 2006
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Josefsson                   Standards Track                    [Page 17]
+

From 069a2ad007cdd9c898ec827dd26eade4c4b4cdea Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 3 Apr 2006 00:00:42 +0000
Subject: [PATCH 137/465] update copyright notice

---
 lib/isc/print.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/isc/print.c b/lib/isc/print.c
index 70b6cf3313..b304955791 100644
--- a/lib/isc/print.c
+++ b/lib/isc/print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.c,v 1.30 2006/03/21 15:34:02 explorer Exp $ */
+/* $Id: print.c,v 1.31 2006/04/03 00:00:42 marka Exp $ */
 
 /*! \file */
 

From 80a63e1574114b7e4e42d023f3a92cd9c7f252fe Mon Sep 17 00:00:00 2001
From: Michael Graff 
Date: Mon, 10 Apr 2006 16:28:04 +0000
Subject: [PATCH 138/465] Documentation changes; no functional changes.  Some
 variables were renamed from 'i' to 'index' in heap.h so documentation can be
 nicer.

---
 lib/isc/heap.c             |  47 ++++++-------
 lib/isc/include/isc/heap.h | 137 ++++++++++++++++++++++++++++++++++---
 2 files changed, 149 insertions(+), 35 deletions(-)

diff --git a/lib/isc/heap.c b/lib/isc/heap.c
index 49832040ae..7ea5e12889 100644
--- a/lib/isc/heap.c
+++ b/lib/isc/heap.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.c,v 1.32 2005/04/29 00:23:24 marka Exp $ */
+/* $Id: heap.c,v 1.33 2006/04/10 16:28:04 explorer Exp $ */
 
 /*! \file
  * Heap implementation of priority queues adapted from the following:
@@ -39,7 +39,8 @@
 /*%
  * Note: to make heap_parent and heap_left easy to compute, the first
  * element of the heap array is not used; i.e. heap subscripts are 1-based,
- * not 0-based.
+ * not 0-based.  The parent is index/2, and the left-child is index*2.
+ * The right child is index*2+1.
  */
 #define heap_parent(i)			((i) >> 1)
 #define heap_left(i)			((i) << 1)
@@ -71,7 +72,6 @@ struct isc_heap {
 	isc_heapindex_t			index;
 };
 
-/*% Create a heap. */
 isc_result_t
 isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
 		isc_heapindex_t index, unsigned int size_increment,
@@ -102,7 +102,6 @@ isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
 	return (ISC_R_SUCCESS);
 }
 
-/*% Destroy a heap. */
 void
 isc_heap_destroy(isc_heap_t **heapp) {
 	isc_heap_t *heap;
@@ -146,8 +145,8 @@ static void
 float_up(isc_heap_t *heap, unsigned int i, void *elt) {
 	unsigned int p;
 
-	for (p = heap_parent(i);
-	     i > 1 && heap->compare(elt, heap->array[p]);
+	for (p = heap_parent(i) ;
+	     i > 1 && heap->compare(elt, heap->array[p]) ;
 	     i = p, p = heap_parent(i)) {
 		heap->array[i] = heap->array[p];
 		if (heap->index != NULL)
@@ -185,7 +184,6 @@ sink_down(isc_heap_t *heap, unsigned int i, void *elt) {
 	INSIST(HEAPCONDITION(i));
 }
 
-/*% Insert a heap. */
 isc_result_t
 isc_heap_insert(isc_heap_t *heap, void *elt) {
 	unsigned int i;
@@ -201,50 +199,49 @@ isc_heap_insert(isc_heap_t *heap, void *elt) {
 	return (ISC_R_SUCCESS);
 }
 
-/*% Delete a heap. */
 void
-isc_heap_delete(isc_heap_t *heap, unsigned int i) {
+isc_heap_delete(isc_heap_t *heap, unsigned int index) {
 	void *elt;
 	isc_boolean_t less;
 
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	if (i == heap->last) {
+	if (index == heap->last) {
 		heap->last--;
 	} else {
 		elt = heap->array[heap->last--];
-		less = heap->compare(elt, heap->array[i]);
-		heap->array[i] = elt;
+		less = heap->compare(elt, heap->array[index]);
+		heap->array[index] = elt;
 		if (less)
-			float_up(heap, i, heap->array[i]);
+			float_up(heap, index, heap->array[index]);
 		else
-			sink_down(heap, i, heap->array[i]);
+			sink_down(heap, index, heap->array[index]);
 	}
 }
 
 void
-isc_heap_increased(isc_heap_t *heap, unsigned int i) {
+isc_heap_increased(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	float_up(heap, i, heap->array[i]);
+	float_up(heap, index, heap->array[index]);
 }
 
 void
-isc_heap_decreased(isc_heap_t *heap, unsigned int i) {
+isc_heap_decreased(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	sink_down(heap, i, heap->array[i]);
+	sink_down(heap, index, heap->array[index]);
 }
 
 void *
-isc_heap_element(isc_heap_t *heap, unsigned int i) {
+isc_heap_element(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	return (heap->array[i]);
+	return (heap->array[index]);
 }
 
 void
@@ -254,6 +251,6 @@ isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap) {
 	REQUIRE(VALID_HEAP(heap));
 	REQUIRE(action != NULL);
 
-	for (i = 1; i <= heap->last; i++)
+	for (i = 1 ; i <= heap->last ; i++)
 		(action)(heap->array[i], uap);
 }
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
index 2e97b625b6..ff11370b32 100644
--- a/lib/isc/include/isc/heap.h
+++ b/lib/isc/include/isc/heap.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.h,v 1.19 2005/04/29 00:23:37 marka Exp $ */
+/* $Id: heap.h,v 1.20 2006/04/10 16:28:04 explorer Exp $ */
 
 #ifndef ISC_HEAP_H
 #define ISC_HEAP_H 1
@@ -33,20 +33,137 @@ ISC_LANG_BEGINDECLS
  */
 typedef isc_boolean_t (*isc_heapcompare_t)(void *, void *);
 
+/*%
+ * The index function allows the client of the heap to receive a callback
+ * when an item's index number changes.  This allows it to maintain
+ * sync with its external state, but still delete itself, since deletions
+ * from the heap require the index be provided.
+ */
 typedef void (*isc_heapindex_t)(void *, unsigned int);
+
+/*%
+ * The heapaction function is used when iterating over the heap.
+ *
+ * NOTE:  The heap structure CANNOT BE MODIFIED during the call to
+ * isc_heap_foreach().
+ */
 typedef void (*isc_heapaction_t)(void *, void *);
 
 typedef struct isc_heap isc_heap_t;
 
-isc_result_t	isc_heap_create(isc_mem_t *, isc_heapcompare_t,
-				isc_heapindex_t, unsigned int, isc_heap_t **);
-void		isc_heap_destroy(isc_heap_t **);
-isc_result_t	isc_heap_insert(isc_heap_t *, void *);
-void		isc_heap_delete(isc_heap_t *, unsigned int);
-void		isc_heap_increased(isc_heap_t *, unsigned int);
-void		isc_heap_decreased(isc_heap_t *, unsigned int);
-void *		isc_heap_element(isc_heap_t *, unsigned int);
-void		isc_heap_foreach(isc_heap_t *, isc_heapaction_t, void *);
+isc_result_t
+isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
+		isc_heapindex_t index, unsigned int size_increment,
+		isc_heap_t **heapp);
+/*!<
+ * \brief Create a new heap.  The heap is implemented using a space-efficient
+ * storage method.  When the heap elements are deleted space is not freed
+ * but will be reused when new elements are inserted.
+ *
+ * Requires:
+ *\li	"mctx" is valid.
+ *\li	"compare" is a function which takes two void * arguments and
+ *	returns ISC_TRUE if the first argument has a higher priority than
+ *	the second, and ISC_FALSE otherwise.
+ *\li	"index" is a function which takes a void *, and an unsigned int
+ *	argument.  This function will be called whenever an element's
+ *	index value changes, so it may continue to delete itself from the
+ *	heap.  This option may be NULL if this functionality is unneeded.
+ *\li	"size_increment" is a hint about how large the heap should grow
+ *	when resizing is needed.  If this is 0, a default size will be
+ *	used, which is currently 1024, allowing space for an additional 1024
+ *	heap elements to be inserted before adding more space.
+ *\li	"heapp" is not NULL, and "*heap" is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- success
+ *\li	ISC_R_NOMEMORY		- insufficient memory
+ */
+
+void
+isc_heap_destroy(isc_heap_t **heapp);
+/*!<
+ * \brief Destroys a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+isc_result_t
+isc_heap_insert(isc_heap_t *heap, void *elt);
+/*!<
+ * \brief Inserts a new element into a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+void
+isc_heap_delete(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Deletes an element from a heap, by element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_increased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has increased.
+ * This function MUST be called whenever an element has increased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_decreased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has decreased.
+ * This function MUST be called whenever an element has decreased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void *
+isc_heap_element(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Returns the element for a specific element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ *
+ * Returns:
+ *\li	A pointer to the element for the element index.
+ */
+
+void
+isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap);
+/*!<
+ * \brief Iterate over the heap, calling an action for each element.  The
+ * order of iteration is not sorted.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"action" is not NULL, and is a function which takes two arguments.
+ *	The first is a void *, representing the element, and the second is
+ *	"uap" as provided to isc_heap_foreach.
+ *\li	"uap" is a caller-provided argument, and may be NULL.
+ *
+ * Note:
+ *\li	The heap structure CANNOT be modified during this iteration.  The only
+ *	safe function to call while iterating the heap is isc_heap_element().
+ */
 
 ISC_LANG_ENDDECLS
 

From a192c2d9a76b9a313b2450f2e00f357b51855441 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 10 Apr 2006 23:04:47 +0000
Subject: [PATCH 139/465] new draft

---
 ...raft-ietf-dnsext-dnssec-experiments-01.txt | 784 ----------------
 ...raft-ietf-dnsext-dnssec-experiments-03.txt | 840 ++++++++++++++++++
 2 files changed, 840 insertions(+), 784 deletions(-)
 delete mode 100644 doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt
 create mode 100644 doc/draft/draft-ietf-dnsext-dnssec-experiments-03.txt

diff --git a/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt b/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt
deleted file mode 100644
index ee03583a13..0000000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt
+++ /dev/null
@@ -1,784 +0,0 @@
-
-
-
-DNSEXT                                                         D. Blacka
-Internet-Draft                                            Verisign, Inc.
-Expires: January 19, 2006                                  July 18, 2005
-
-
-                           DNSSEC Experiments
-                draft-ietf-dnsext-dnssec-experiments-01
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on January 19, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   In the long history of the development of the DNS security extensions
-   [1] (DNSSEC), a number of alternate methodologies and modifications
-   have been proposed and rejected for practical, rather than strictly
-   technical, reasons.  There is a desire to be able to experiment with
-   these alternate methods in the public DNS.  This document describes a
-   methodology for deploying alternate, non-backwards-compatible, DNSSEC
-   methodologies in an experimental fashion without disrupting the
-   deployment of standard DNSSEC.
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 1]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-Table of Contents
-
-   1.   Definitions and Terminology  . . . . . . . . . . . . . . . .   3
-   2.   Overview . . . . . . . . . . . . . . . . . . . . . . . . . .   4
-   3.   Experiments  . . . . . . . . . . . . . . . . . . . . . . . .   5
-   4.   Method . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
-   5.   Defining an Experiment . . . . . . . . . . . . . . . . . . .   8
-   6.   Considerations . . . . . . . . . . . . . . . . . . . . . . .   9
-   7.   Transitions  . . . . . . . . . . . . . . . . . . . . . . . .  10
-   8.   Security Considerations  . . . . . . . . . . . . . . . . . .  11
-   9.   IANA Considerations  . . . . . . . . . . . . . . . . . . . .  12
-   10.  References . . . . . . . . . . . . . . . . . . . . . . . . .  13
-     10.1   Normative References . . . . . . . . . . . . . . . . . .  13
-     10.2   Informative References . . . . . . . . . . . . . . . . .  13
-        Author's Address . . . . . . . . . . . . . . . . . . . . . .  13
-        Intellectual Property and Copyright Statements . . . . . . .  14
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 2]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-1.  Definitions and Terminology
-
-   Throughout this document, familiarity with the DNS system (RFC 1035
-   [4]) and the DNS security extensions ([1], [2], and [3].
-
-   The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [5].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 3]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-2.  Overview
-
-   Historically, experimentation with DNSSEC alternatives has been a
-   problematic endeavor.  There has typically been a desire to both
-   introduce non-backwards-compatible changes to DNSSEC, and to try
-   these changes on real zones in the public DNS.  This creates a
-   problem when the change to DNSSEC would make all or part of the zone
-   using those changes appear bogus (bad) or otherwise broken to
-   existing DNSSEC-aware resolvers.
-
-   This document describes a standard methodology for setting up public
-   DNSSEC experiments.  This methodology addresses the issue of co-
-   existence with standard DNSSEC and DNS by using unknown algorithm
-   identifiers to hide the experimental DNSSEC protocol modifications
-   from standard DNSSEC-aware resolvers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 4]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-3.  Experiments
-
-   When discussing DNSSEC experiments, it is necessary to classify these
-   experiments into two broad categories:
-
-   Backwards-Compatible: describes experimental changes that, while not
-      strictly adhering to the DNSSEC standard, are nonetheless
-      interoperable with clients and server that do implement the DNSSEC
-      standard.
-
-   Non-Backwards-Compatible: describes experiments that would cause a
-      standard DNSSEC-aware resolver to (incorrectly) determine that all
-      or part of a zone is bogus, or to otherwise not interoperable with
-      standard DNSSEC clients and servers.
-
-   Not included in these terms are experiments with the core DNS
-   protocol itself.
-
-   The methodology described in this document is not necessary for
-   backwards-compatible experiments, although it certainly could be used
-   if desired.
-
-   Note that, in essence, this metholodolgy would also be used to
-   introduce a new DNSSEC algorithm, independently from any DNSSEC
-   experimental protocol change.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 5]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-4.  Method
-
-   The core of the methodology is the use of strictly "unknown"
-   algorithms to sign the experimental zone, and more importantly,
-   having only unknown algorithm DS records for the delegation to the
-   zone at the parent.
-
-   This technique works because of the way DNSSEC-compliant validators
-   are expected to work in the presence of a DS set with only unknown
-   algorithms.  From [3], Section 5.2:
-
-      If the validator does not support any of the algorithms listed in
-      an authenticated DS RRset, then the resolver has no supported
-      authentication path leading from the parent to the child.  The
-      resolver should treat this case as it would the case of an
-      authenticated NSEC RRset proving that no DS RRset exists, as
-      described above.
-
-   And further:
-
-      If the resolver does not support any of the algorithms listed in
-      an authenticated DS RRset, then the resolver will not be able to
-      verify the authentication path to the child zone.  In this case,
-      the resolver SHOULD treat the child zone as if it were unsigned.
-
-   While this behavior isn't strictly mandatory (as marked by MUST), it
-   is unlikely that a validator would not implement the behavior, or,
-   more to the point, it will not violate this behavior in an unsafe way
-   (see below (Section 6).)
-
-   Because we are talking about experiments, it is RECOMMENDED that
-   private algorithm numbers be used (see [2], appendix A.1.1.  Note
-   that secure handling of private algorithms requires special handing
-   by the validator logic.  See [6] for futher details.)  Normally,
-   instead of actually inventing new signing algorithms, the recommended
-   path is to create alternate algorithm identifiers that are aliases
-   for the existing, known algorithms.  While, strictly speaking, it is
-   only necessary to create an alternate identifier for the mandatory
-   algorithms, it is RECOMMENDED that all OPTIONAL defined algorithms be
-   aliased as well.
-
-   It is RECOMMENDED that for a particular DNSSEC experiment, a
-   particular domain name base is chosen for all new algorithms, then
-   the algorithm number (or name) is prepended to it.  For example, for
-   experiment A, the base name of "dnssec-experiment-a.example.com" is
-   chosen.  Then, aliases for algorithms 3 (DSA) and 5 (RSASHA1) are
-   defined to be "3.dnssec-experiment-a.example.com" and "5.dnssec-
-   experiment-a.example.com".  However, any unique identifier will
-
-
-
-Blacka                  Expires January 19, 2006                [Page 6]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-   suffice.
-
-   Using this method, resolvers (or, more specificially, DNSSEC
-   validators) essentially indicate their ability to understand the
-   DNSSEC experiment's semantics by understanding what the new algorithm
-   identifiers signify.
-
-   This method creates two classes of DNSSEC-aware servers and
-   resolvers: servers and resolvers that are aware of the experiment
-   (and thus recognize the experiments algorithm identifiers and
-   experimental semantics), and servers and resolvers that are unware of
-   the experiment.
-
-   This method also precludes any zone from being both in an experiment
-   and in a classic DNSSEC island of security.  That is, a zone is
-   either in an experiment and only experimentally validatable, or it
-   isn't.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 7]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-5.  Defining an Experiment
-
-   The DNSSEC experiment must define the particular set of (previously
-   unknown) algorithms that identify the experiment, and define what
-   each unknown algorithm identifier means.  Typically, unless the
-   experiment is actually experimenting with a new DNSSEC algorithm,
-   this will be a mapping of private algorithm identifiers to existing,
-   known algorithms.
-
-   Normally the experiment will choose a DNS name as the algorithm
-   identifier base.  This DNS name SHOULD be under the control of the
-   authors of the experiment.  Then the experiment will define a mapping
-   between known mandatory and optional algorithms into this private
-   algorithm identifier space.  Alternately, the experiment MAY use the
-   OID private algorithm space instead (using algorithm number 254), or
-   may choose non-private algorithm numbers, although this would require
-   an IANA allocation (see below (Section 9).)
-
-   For example, an experiment might specify in its description the DNS
-   name "dnssec-experiment-a.example.com" as the base name, and provide
-   the mapping of "3.dnssec-experiment-a.example.com" is an alias of
-   DNSSEC algorithm 3 (DSA), and "5.dnssec-experiment-a.example.com" is
-   an alias of DNSSEC algorithm 5 (RSASHA1).
-
-   Resolvers MUST then only recognize the experiment's semantics when
-   present in a zone signed by one or more of these private algorithms.
-
-   In general, however, resolvers involved in the experiment are
-   expected to understand both standard DNSSEC and the defined
-   experimental DNSSEC protocol, although this isn't required.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 8]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-6.  Considerations
-
-   There are a number of considerations with using this methodology.
-
-   1.  Under some circumstances, it may be that the experiment will not
-       be sufficiently masked by this technique and may cause resolution
-       problem for resolvers not aware of the experiment.  For instance,
-       the resolver may look at the not validatable response and
-       conclude that the response is bogus, either due to local policy
-       or implementation details.  This is not expected to be the common
-       case, however.
-
-   2.  In general, it will not be possible for DNSSEC-aware resolvers
-       not aware of the experiment to build a chain of trust through an
-       experimental zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 9]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-7.  Transitions
-
-   If an experiment is successful, there may be a desire to move the
-   experiment to a standards-track extension.  One way to do so would be
-   to move from private algorithm numbers to IANA allocated algorithm
-   numbers, with otherwise the same meaning.  This would still leave a
-   divide between resolvers that understood the extension versus
-   resolvers that did not.  It would, in essence, create an additional
-   version of DNSSEC.
-
-   An alternate technique might be to do a typecode rollover, thus
-   actually creating a definitive new version of DNSSEC.  There may be
-   other transition techniques available, as well.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 10]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-8.  Security Considerations
-
-   Zones using this methodology will be considered insecure by all
-   resolvers except those aware of the experiment.  It is not generally
-   possible to create a secure delegation from an experimental zone that
-   will be followed by resolvers unaware of the experiment.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 11]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-9.  IANA Considerations
-
-   IANA may need to allocate new DNSSEC algorithm numbers if that
-   transition approach is taken, or the experiment decides to use
-   allocated numbers to begin with.  No IANA action is required to
-   deploy an experiment using private algorithm identifiers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 12]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-10.  References
-
-10.1  Normative References
-
-   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        RFC 4035, March 2005.
-
-10.2  Informative References
-
-   [4]  Mockapetris, P., "Domain names - implementation and
-        specification", STD 13, RFC 1035, November 1987.
-
-   [5]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-   [6]  Weiler, S., "Clarifications and Implementation Notes for
-        DNSSECbis", draft-weiler-dnsext-dnssec-bis-updates-00 (work in
-        progress), March 2005.
-
-
-Author's Address
-
-   David Blacka
-   Verisign, Inc.
-   21355 Ridgetop Circle
-   Dulles, VA  20166
-   US
-
-   Phone: +1 703 948 3200
-   Email: davidb@verisign.com
-   URI:   http://www.verisignlabs.com
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 13]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 14]
-
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-experiments-03.txt b/doc/draft/draft-ietf-dnsext-dnssec-experiments-03.txt
new file mode 100644
index 0000000000..c8db70916f
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnssec-experiments-03.txt
@@ -0,0 +1,840 @@
+
+
+
+DNSEXT                                                         D. Blacka
+Internet-Draft                                            VeriSign, Inc.
+Intended status: Standards Track                           April 7, 2006
+Expires: October 9, 2006
+
+
+                           DNSSEC Experiments
+                draft-ietf-dnsext-dnssec-experiments-03
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on October 9, 2006.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006                [Page 1]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+Abstract
+
+   This document describes a methodology for deploying alternate, non-
+   backwards-compatible, DNSSEC methodologies in an experimental fashion
+   without disrupting the deployment of standard DNSSEC.
+
+
+Table of Contents
+
+   1.  Definitions and Terminology  . . . . . . . . . . . . . . . . .  3
+   2.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
+   3.  Experiments  . . . . . . . . . . . . . . . . . . . . . . . . .  5
+   4.  Method . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
+   5.  Defining an Experiment . . . . . . . . . . . . . . . . . . . .  8
+   6.  Considerations . . . . . . . . . . . . . . . . . . . . . . . .  9
+   7.  Use in Non-Experiments . . . . . . . . . . . . . . . . . . . . 10
+   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
+   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
+   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
+     10.1.  Normative References  . . . . . . . . . . . . . . . . . . 13
+     10.2.  Informative References  . . . . . . . . . . . . . . . . . 13
+   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
+   Intellectual Property and Copyright Statements . . . . . . . . . . 15
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006                [Page 2]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+1.  Definitions and Terminology
+
+   Throughout this document, familiarity with the DNS system (RFC 1035
+   [5]) and the DNS security extensions ([2], [3], and [4] is assumed.
+
+   The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [1].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006                [Page 3]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+2.  Overview
+
+   Historically, experimentation with DNSSEC alternatives has been a
+   problematic endeavor.  There has typically been a desire to both
+   introduce non-backwards-compatible changes to DNSSEC and to try these
+   changes on real zones in the public DNS.  This creates a problem when
+   the change to DNSSEC would make all or part of the zone using those
+   changes appear bogus (bad) or otherwise broken to existing security-
+   aware resolvers.
+
+   This document describes a standard methodology for setting up DNSSEC
+   experiments.  This methodology addresses the issue of co-existence
+   with standard DNSSEC and DNS by using unknown algorithm identifiers
+   to hide the experimental DNSSEC protocol modifications from standard
+   security-aware resolvers.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006                [Page 4]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+3.  Experiments
+
+   When discussing DNSSEC experiments, it is necessary to classify these
+   experiments into two broad categories:
+
+   Backwards-Compatible:  describes experimental changes that, while not
+      strictly adhering to the DNSSEC standard, are nonetheless
+      interoperable with clients and servers that do implement the
+      DNSSEC standard.
+
+   Non-Backwards-Compatible:  describes experiments that would cause a
+      standard security-aware resolver to (incorrectly) determine that
+      all or part of a zone is bogus, or to otherwise not interoperate
+      with standard DNSSEC clients and servers.
+
+   Not included in these terms are experiments with the core DNS
+   protocol itself.
+
+   The methodology described in this document is not necessary for
+   backwards-compatible experiments, although it certainly may be used
+   if desired.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006                [Page 5]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+4.  Method
+
+   The core of the methodology is the use of strictly unknown algorithm
+   identifiers when signing the experimental zone, and more importantly,
+   having only unknown algorithm identifiers in the DS records for the
+   delegation to the zone at the parent.
+
+   This technique works because of the way DNSSEC-compliant validators
+   are expected to work in the presence of a DS set with only unknown
+   algorithm identifiers.  From [4], Section 5.2:
+
+      If the validator does not support any of the algorithms listed in
+      an authenticated DS RRset, then the resolver has no supported
+      authentication path leading from the parent to the child.  The
+      resolver should treat this case as it would the case of an
+      authenticated NSEC RRset proving that no DS RRset exists, as
+      described above.
+
+   And further:
+
+      If the resolver does not support any of the algorithms listed in
+      an authenticated DS RRset, then the resolver will not be able to
+      verify the authentication path to the child zone.  In this case,
+      the resolver SHOULD treat the child zone as if it were unsigned.
+
+   While this behavior isn't strictly mandatory (as marked by MUST), it
+   is likely that a validator would implement this behavior, or, more to
+   the point, it would handle this situation in a safe way (see below
+   (Section 6).)
+
+   Because we are talking about experiments, it is RECOMMENDED that
+   private algorithm numbers be used (see [3], appendix A.1.1.  Note
+   that secure handling of private algorithms requires special handing
+   by the validator logic.  See [6] for further details.)  Normally,
+   instead of actually inventing new signing algorithms, the recommended
+   path is to create alternate algorithm identifiers that are aliases
+   for the existing, known algorithms.  While, strictly speaking, it is
+   only necessary to create an alternate identifier for the mandatory
+   algorithms, it is suggested that all optional defined algorithms be
+   aliased as well.
+
+   It is RECOMMENDED that for a particular DNSSEC experiment, a
+   particular domain name base is chosen for all new algorithms, then
+   the algorithm number (or name) is prepended to it.  For example, for
+   experiment A, the base name of "dnssec-experiment-a.example.com" is
+   chosen.  Then, aliases for algorithms 3 (DSA) and 5 (RSASHA1) are
+   defined to be "3.dnssec-experiment-a.example.com" and
+   "5.dnssec-experiment-a.example.com".  However, any unique identifier
+
+
+
+Blacka                   Expires October 9, 2006                [Page 6]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+   will suffice.
+
+   Using this method, resolvers (or, more specifically, DNSSEC
+   validators) essentially indicate their ability to understand the
+   DNSSEC experiment's semantics by understanding what the new algorithm
+   identifiers signify.
+
+   This method creates two classes of security-aware servers and
+   resolvers: servers and resolvers that are aware of the experiment
+   (and thus recognize the experiment's algorithm identifiers and
+   experimental semantics), and servers and resolvers that are unaware
+   of the experiment.
+
+   This method also precludes any zone from being both in an experiment
+   and in a classic DNSSEC island of security.  That is, a zone is
+   either in an experiment and only experimentally validatable, or it is
+   not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006                [Page 7]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+5.  Defining an Experiment
+
+   The DNSSEC experiment MUST define the particular set of (previously
+   unknown) algorithm identifiers that identify the experiment, and
+   define what each unknown algorithm identifier means.  Typically,
+   unless the experiment is actually experimenting with a new DNSSEC
+   algorithm, this will be a mapping of private algorithm identifiers to
+   existing, known algorithms.
+
+   Normally the experiment will choose a DNS name as the algorithm
+   identifier base.  This DNS name SHOULD be under the control of the
+   authors of the experiment.  Then the experiment will define a mapping
+   between known mandatory and optional algorithms into this private
+   algorithm identifier space.  Alternately, the experiment MAY use the
+   OID private algorithm space instead (using algorithm number 254), or
+   MAY choose non-private algorithm numbers, although this would require
+   an IANA allocation.
+
+   For example, an experiment might specify in its description the DNS
+   name "dnssec-experiment-a.example.com" as the base name, and declare
+   that "3.dnssec-experiment-a.example.com" is an alias of DNSSEC
+   algorithm 3 (DSA), and that "5.dnssec-experiment-a.example.com" is an
+   alias of DNSSEC algorithm 5 (RSASHA1).
+
+   Resolvers MUST only recognize the experiment's semantics when present
+   in a zone signed by one or more of these algorithm identifiers.  This
+   is necessary to isolate the semantics of one experiment from any
+   others that the resolver might understand.
+
+   In general, resolvers involved in the experiment are expected to
+   understand both standard DNSSEC and the defined experimental DNSSEC
+   protocol, although this isn't required.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006                [Page 8]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+6.  Considerations
+
+   There are a number of considerations with using this methodology.
+
+   1.  Under some circumstances, it may be that the experiment will not
+       be sufficiently masked by this technique and may cause resolution
+       problem for resolvers not aware of the experiment.  For instance,
+       the resolver may look at a non-validatable response and conclude
+       that the response is bogus, either due to local policy or
+       implementation details.  This is not expected to be a common
+       case, however.
+
+   2.  It will not be possible for security-aware resolvers unaware of
+       the experiment to build a chain of trust through an experimental
+       zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006                [Page 9]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+7.  Use in Non-Experiments
+
+   This general methodology MAY be used for non-backwards compatible
+   DNSSEC protocol changes that start out as or become standards.  In
+   this case:
+
+   o  The protocol change SHOULD use public IANA allocated algorithm
+      identifiers instead of private algorithm identifiers.  This will
+      help identify the protocol change as a standard, rather than an
+      experiment.
+
+   o  Resolvers MAY recognize the protocol change in zones not signed
+      (or not solely signed) using the new algorithm identifiers.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006               [Page 10]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+8.  Security Considerations
+
+   Zones using this methodology will be considered insecure by all
+   resolvers except those aware of the experiment.  It is not generally
+   possible to create a secure delegation from an experimental zone that
+   will be followed by resolvers unaware of the experiment.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006               [Page 11]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+9.  IANA Considerations
+
+   This document has no IANA actions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006               [Page 12]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+10.  References
+
+10.1.  Normative References
+
+   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", BCP 14, RFC 2119, March 1997.
+
+   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+        March 2005.
+
+   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Resource Records for the DNS Security Extensions", RFC 4034,
+        March 2005.
+
+   [4]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Protocol Modifications for the DNS Security Extensions",
+        RFC 4035, March 2005.
+
+10.2.  Informative References
+
+   [5]  Mockapetris, P., "Domain names - implementation and
+        specification", STD 13, RFC 1035, November 1987.
+
+   [6]  Austein, R. and S. Weiler, "Clarifications and Implementation
+        Notes for DNSSECbis", draft-ietf-dnsext-dnssec-bis-updates-02
+        (work in progress), January 2006.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006               [Page 13]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+Author's Address
+
+   David Blacka
+   VeriSign, Inc.
+   21355 Ridgetop Circle
+   Dulles, VA  20166
+   US
+
+   Phone: +1 703 948 3200
+   Email: davidb@verisign.com
+   URI:   http://www.verisignlabs.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka                   Expires October 9, 2006               [Page 14]
+
+Internet-Draft             DNSSEC Experiments                 April 2006
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+
+
+
+
+
+Blacka                   Expires October 9, 2006               [Page 15]
+

From 753259033ce336bf43a589a44560a0af84d75ce1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 10 Apr 2006 23:30:20 +0000
Subject: [PATCH 140/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 31c5922baf..b1128e6eb2 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2004,7 +2004,7 @@
 ./lib/isc/event.c				C	1998,1999,2000,2001,2004,2005
 ./lib/isc/fsaccess.c				C	2000,2001,2004,2005
 ./lib/isc/hash.c				C	2003,2004,2005,2006
-./lib/isc/heap.c				C	1997,1998,1999,2000,2001,2004,2005
+./lib/isc/heap.c				C	1997,1998,1999,2000,2001,2004,2005,2006
 ./lib/isc/hex.c					C	2000,2001,2002,2003,2004,2005
 ./lib/isc/hmacmd5.c				C	2000,2001,2004,2005,2006
 ./lib/isc/hmacsha.c				C	2005,2006
@@ -2028,7 +2028,7 @@
 ./lib/isc/include/isc/formatcheck.h		C	2000,2001,2004,2005
 ./lib/isc/include/isc/fsaccess.h		C	2000,2001,2004,2005
 ./lib/isc/include/isc/hash.h			C	2003,2004,2005
-./lib/isc/include/isc/heap.h			C	1997,1998,1999,2000,2001,2004,2005
+./lib/isc/include/isc/heap.h			C	1997,1998,1999,2000,2001,2004,2005,2006
 ./lib/isc/include/isc/hex.h			C	2000,2001,2004,2005
 ./lib/isc/include/isc/hmacmd5.h			C	2000,2001,2004,2005,2006
 ./lib/isc/include/isc/hmacsha.h			C	2005,2006

From f19353d73186913a6e0f0f766c1f72e5f4c5e9e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Wed, 12 Apr 2006 10:43:14 +0000
Subject: [PATCH 141/465] 2010.	[placeholder]	rt15958

---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGES b/CHANGES
index 58dece775c..947ebd07d8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2010.	[placeholder]	rt15958
+
 2009.	[bug]		libbind: coverity fixes. [RT #15808]
 
 2008.	[func]		It is now posssible to enable/disable DNSSEC

From b6ad33eca26cdd4c7d3c6a59a213dd0f39df5ee3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 12 Apr 2006 23:16:58 +0000
Subject: [PATCH 142/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index c1aa85c515..00c987833d 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -72,6 +72,7 @@ rt15855				new
 rt15860				new	
 rt15878				new	
 rt15941				new	
+rt15958				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	

From 6ed53e5949d9fcd9715b440015b56e5a896d63df Mon Sep 17 00:00:00 2001
From: David Hankins 
Date: Thu, 13 Apr 2006 18:09:56 +0000
Subject: [PATCH 143/465] 2011.   [func]          dnssec-signzone can now
 update the SOA record of                         the signed zone, either as
 an increment or as the                         system time(). [RT #15633]

---
 CHANGES                            |   4 +
 bin/dnssec/dnssec-signzone.c       | 117 ++++++++++++++++++++++++++++-
 bin/dnssec/dnssec-signzone.docbook |  44 ++++++++++-
 3 files changed, 160 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 947ebd07d8..5426520d97 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2011.	[func]		dnssec-signzone can now update the SOA record of
+			the signed zone, either as an increment or as the
+			system time(). [RT #15633]
+
 2010.	[placeholder]	rt15958
 
 2009.	[bug]		libbind: coverity fixes. [RT #15808]
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 53f85c0be9..a58cbca754 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.197 2006/02/21 23:49:50 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.198 2006/04/13 18:09:56 dhankins Exp $ */
 
 /*! \file */
 
@@ -61,6 +61,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #include 
@@ -88,6 +89,10 @@ struct signer_key_struct {
 #define SIGNER_EVENT_WRITE	(SIGNER_EVENTCLASS + 0)
 #define SIGNER_EVENT_WORK	(SIGNER_EVENTCLASS + 1)
 
+#define SOA_SERIAL_KEEP		0
+#define SOA_SERIAL_INCREMENT	1
+#define SOA_SERIAL_UNIXTIME	2
+
 typedef struct signer_event sevent_t;
 struct signer_event {
 	ISC_EVENT_COMMON(sevent_t);
@@ -131,6 +136,7 @@ static isc_boolean_t ignoreksk = ISC_FALSE;
 static dns_name_t *dlv = NULL;
 static dns_fixedname_t dlv_fixed;
 static dns_master_style_t *dsstyle = NULL;
+static unsigned int serialformat = SOA_SERIAL_KEEP;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -1042,6 +1048,81 @@ soattl(void) {
 	return (ttl);
 }
 
+/*%
+ * Increment (or set if nonzero) the SOA serial
+ */
+static isc_result_t
+setsoaserial(isc_uint32_t serial) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_uint32_t old_serial, new_serial;
+
+	result = dns_db_getoriginnode(gdb, &node);
+	if (result != ISC_R_SUCCESS)
+		return result;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findrdataset(gdb, node, gversion,
+				     dns_rdatatype_soa, 0,
+				     0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_rdataset_first(&rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	dns_rdataset_current(&rdataset, &rdata);
+
+	old_serial = dns_soa_getserial(&rdata);
+
+	if (serial) {
+		/* Set SOA serial to the value provided. */
+		new_serial = serial;
+	} else {
+		/* Increment SOA serial using RFC 1982 arithmetics */
+		new_serial = (old_serial + 1) & 0xFFFFFFFF;
+		if (new_serial == 0)
+			new_serial = 1;
+	}
+
+	/* If the new serial is not likely to cause a zone transfer
+	 * (a/ixfr) from servers having the old serial, warn the user.
+	 *
+	 * RFC1982 section 7 defines the maximum increment to be
+	 * (2^(32-1))-1.  Using u_int32_t arithmetic, we can do a single
+	 * comparison.  (5 - 6 == (2^32)-1, not negative-one)
+	 */
+	if (new_serial == old_serial ||
+	    (new_serial - old_serial) > 0x7fffffffU)
+		fprintf(stderr, "%s: warning: Serial number not advanced, "
+			"zone may not transfer\n", program);
+
+	dns_soa_setserial(new_serial, &rdata);
+
+	result = dns_db_deleterdataset(gdb, node, gversion,
+				       dns_rdatatype_soa, 0);
+	check_result(result, "dns_db_deleterdataset");
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_db_addrdataset(gdb, node, gversion,
+				    0, &rdataset, 0, NULL);
+	check_result(result, "dns_db_addrdataset");
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+cleanup:
+	dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(gdb, &node);
+	dns_rdata_reset(&rdata);
+
+	return (result);
+}
+
 /*%
  * Delete any RRSIG records at a node.
  */
@@ -1690,6 +1771,8 @@ usage(void) {
 	fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
 	fprintf(stderr, "\t-O format:\n");
 	fprintf(stderr, "\t\tfile format of signed zone file (text)\n");
+	fprintf(stderr, "\t-N format:\n");
+	fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n");
 	fprintf(stderr, "\t-r randomdev:\n");
 	fprintf(stderr,	"\t\ta file containing random data\n");
 	fprintf(stderr, "\t-a:\t");
@@ -1749,6 +1832,7 @@ main(int argc, char *argv[]) {
 	char *startstr = NULL, *endstr = NULL, *classname = NULL;
 	char *origin = NULL, *file = NULL, *output = NULL;
 	char *inputformatstr = NULL, *outputformatstr = NULL;
+	char *serialformatstr = NULL;
 	char *dskeyfile[MAXDSKEYS];
 	int ndskeys = 0;
 	char *endp;
@@ -1776,7 +1860,7 @@ main(int argc, char *argv[]) {
 	dns_result_register();
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "ac:d:e:f:ghi:I:j:k:l:n:o:O:pr:s:Stv:z"))
+					   "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z"))
 	       != -1) {
 		switch (ch) {
 		case 'a':
@@ -1853,6 +1937,10 @@ main(int argc, char *argv[]) {
 				fatal("number of cpus must be numeric");
 			break;
 
+		case 'N':
+			serialformatstr = isc_commandline_argument;
+			break;
+
 		case 'o':
 			origin = isc_commandline_argument;
 			break;
@@ -1974,6 +2062,18 @@ main(int argc, char *argv[]) {
 			fatal("unknown file format: %s\n", outputformatstr);
 	}
 
+	if (serialformatstr != NULL) {
+		if (strcasecmp(serialformatstr, "keep") == 0)
+			serialformat = SOA_SERIAL_KEEP;
+		else if (strcasecmp(serialformatstr, "increment") == 0 ||
+			 strcasecmp(serialformatstr, "incr") == 0)
+			serialformat = SOA_SERIAL_INCREMENT;
+		else if (strcasecmp(serialformatstr, "unixtime") == 0)
+			serialformat = SOA_SERIAL_UNIXTIME;
+		else
+			fatal("unknown soa serial format: %s\n", serialformatstr);
+	}
+
 	result = dns_master_stylecreate(&dsstyle,  DNS_STYLEFLAG_NO_TTL,
 					0, 24, 0, 0, 0, 8, mctx);
 	check_result(result, "dns_master_stylecreate");
@@ -2078,6 +2178,19 @@ main(int argc, char *argv[]) {
 	result = dns_db_newversion(gdb, &gversion);
 	check_result(result, "dns_db_newversion()");
 
+	switch (serialformat) {
+		case SOA_SERIAL_INCREMENT:
+			setsoaserial(0);
+			break;
+		case SOA_SERIAL_UNIXTIME:
+			setsoaserial(now);
+			break;
+		case SOA_SERIAL_KEEP:
+		default:
+			/* do nothing */
+			break;
+	}
+
 	nsecify();
 
 	if (!nokeys) {
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index c09f0284fe..a43f939d17 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -26,7 +26,7 @@
 
   
     dnssec-signzone
-    8
+   8
     BIND9
   
 
@@ -65,7 +65,7 @@
       
       
       
-      
+      
       
       
       
@@ -281,6 +281,44 @@
         
       
 
+      
+        -N soa-serial-format
+        
+          
+            The SOA serial number format of the signed zone.
+	    Possible formats are "keep" (default),
+            "increment" and
+	    "unixtime".
+          
+
+          
+	    
+	      "keep"
+              
+                Do not modify the SOA serial number.
+	      
+            
+
+	    
+	      "increment"
+              
+                Increment the SOA serial number using RFC 1982
+                      arithmetics.
+	      
+            
+
+	    
+	      "unixtime"
+              
+                Set the SOA serial number to the number of seconds
+	        since epoch.
+	      
+            
+	 
+
+        
+      
+
       
         -o origin
         

From e086341ea57e618a60c9f166b95daee1fab71b3b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 13 Apr 2006 23:30:20 +0000
Subject: [PATCH 144/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index b1128e6eb2..4c78cc812f 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -61,7 +61,7 @@
 ./bin/dnssec/dnssec-keygen.html			HTML	DOCBOOK
 ./bin/dnssec/dnssec-signzone.8			MAN	DOCBOOK
 ./bin/dnssec/dnssec-signzone.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006
-./bin/dnssec/dnssec-signzone.docbook		SGML	2000,2001,2002,2003,2004,2005
+./bin/dnssec/dnssec-signzone.docbook		SGML	2000,2001,2002,2003,2004,2005,2006
 ./bin/dnssec/dnssec-signzone.html		HTML	DOCBOOK
 ./bin/dnssec/dnssectool.c			C	2000,2001,2003,2004,2005
 ./bin/dnssec/dnssectool.h			C	2000,2001,2003,2004

From 4b3f3cc67135e676a9b3b688685fb59e3494b0e6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sat, 15 Apr 2006 01:30:16 +0000
Subject: [PATCH 145/465] update copyright notice

---
 bin/dnssec/dnssec-signzone.docbook | 5 +++--
 lib/isc/heap.c                     | 4 ++--
 lib/isc/include/isc/heap.h         | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index a43f939d17..2640d9ff75 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
 	       []>
 
 
-
+
 
   
     June 30, 2000
@@ -39,6 +39,7 @@
     
       2004
       2005
+      2006
       Internet Systems Consortium, Inc. ("ISC")
     
     
diff --git a/lib/isc/heap.c b/lib/isc/heap.c
index 7ea5e12889..34dbc89cc4 100644
--- a/lib/isc/heap.c
+++ b/lib/isc/heap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.c,v 1.33 2006/04/10 16:28:04 explorer Exp $ */
+/* $Id: heap.c,v 1.34 2006/04/15 01:30:16 marka Exp $ */
 
 /*! \file
  * Heap implementation of priority queues adapted from the following:
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
index ff11370b32..612480fcc9 100644
--- a/lib/isc/include/isc/heap.h
+++ b/lib/isc/include/isc/heap.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.h,v 1.20 2006/04/10 16:28:04 explorer Exp $ */
+/* $Id: heap.h,v 1.21 2006/04/15 01:30:16 marka Exp $ */
 
 #ifndef ISC_HEAP_H
 #define ISC_HEAP_H 1

From 170938fdfc065eb9629b1dc2793f883e2d6cc565 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sat, 15 Apr 2006 22:19:49 +0000
Subject: [PATCH 146/465] tag mis-match

---
 bin/dnssec/dnssec-signzone.docbook | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 2640d9ff75..3a948f0ca5 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -288,7 +288,7 @@
           
             The SOA serial number format of the signed zone.
 	    Possible formats are "keep" (default),
-            "increment" and
+            "increment" and
 	    "unixtime".
           
 

From 68e8184976121c1823d822d9c25cc4189d98fa4c Mon Sep 17 00:00:00 2001
From: Michael Graff 
Date: Mon, 17 Apr 2006 18:10:50 +0000
Subject: [PATCH 147/465] fix dates

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 4c78cc812f..3b731106c1 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1317,7 +1317,7 @@
 ./lib/bind/include/isc/ctl.h			X	2001,2005
 ./lib/bind/include/isc/dst.h			X	2001,2005
 ./lib/bind/include/isc/eventlib.h		X	2001,2005
-./lib/bind/include/isc/heap.h			X	2001,2005
+./lib/bind/include/isc/heap.h			X	2001,2005,2006
 ./lib/bind/include/isc/irpmarshall.h		X	2001,2005
 ./lib/bind/include/isc/list.h			X	2001,2005
 ./lib/bind/include/isc/logging.h		X	2001,2005

From 71c66884067e249bec5ae819139265c35f6f128f Mon Sep 17 00:00:00 2001
From: Michael Graff 
Date: Mon, 17 Apr 2006 18:11:52 +0000
Subject: [PATCH 148/465] undo previous; wrong heap.h...

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 3b731106c1..4c78cc812f 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1317,7 +1317,7 @@
 ./lib/bind/include/isc/ctl.h			X	2001,2005
 ./lib/bind/include/isc/dst.h			X	2001,2005
 ./lib/bind/include/isc/eventlib.h		X	2001,2005
-./lib/bind/include/isc/heap.h			X	2001,2005,2006
+./lib/bind/include/isc/heap.h			X	2001,2005
 ./lib/bind/include/isc/irpmarshall.h		X	2001,2005
 ./lib/bind/include/isc/list.h			X	2001,2005
 ./lib/bind/include/isc/logging.h		X	2001,2005

From 371a74e0c1bef8b719eedb9ff0d27f36e0df914e Mon Sep 17 00:00:00 2001
From: Michael Graff 
Date: Mon, 17 Apr 2006 18:27:07 +0000
Subject: [PATCH 149/465] pull up my changes from the mainline, to v9_2

---
 lib/isc/heap.c             |  70 +++++++++---------
 lib/isc/include/isc/heap.h | 143 +++++++++++++++++++++++++++++++++----
 lib/isc/print.c            |  25 +++++--
 util/copyrights            |   6 +-
 4 files changed, 190 insertions(+), 54 deletions(-)

diff --git a/lib/isc/heap.c b/lib/isc/heap.c
index bd9f097eee..65976bba78 100644
--- a/lib/isc/heap.c
+++ b/lib/isc/heap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,15 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.c,v 1.28.2.1 2004/03/09 06:11:46 marka Exp $ */
+/* $Id: heap.c,v 1.28.2.2 2006/04/17 18:27:07 explorer Exp $ */
 
-/*
+/*! \file
  * Heap implementation of priority queues adapted from the following:
  *
- *	_Introduction to Algorithms_, Cormen, Leiserson, and Rivest,
+ *	\li "Introduction to Algorithms," Cormen, Leiserson, and Rivest,
  *	MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
  *
- *	_Algorithms_, Second Edition, Sedgewick, Addison-Wesley, 1988,
+ *	\li "Algorithms," Second Edition, Sedgewick, Addison-Wesley, 1988,
  *	ISBN 0-201-06673-4, chapter 11.
  */
 
@@ -35,20 +35,23 @@
 #include 		/* Required for memcpy. */
 #include 
 
-/*
+/*@{*/
+/*%
  * Note: to make heap_parent and heap_left easy to compute, the first
  * element of the heap array is not used; i.e. heap subscripts are 1-based,
- * not 0-based.
+ * not 0-based.  The parent is index/2, and the left-child is index*2.
+ * The right child is index*2+1.
  */
 #define heap_parent(i)			((i) >> 1)
 #define heap_left(i)			((i) << 1)
+/*@}*/
 
 #define SIZE_INCREMENT			1024
 
 #define HEAP_MAGIC			ISC_MAGIC('H', 'E', 'A', 'P')
 #define VALID_HEAP(h)			ISC_MAGIC_VALID(h, HEAP_MAGIC)
 
-/*
+/*%
  * When the heap is in a consistent state, the following invariant
  * holds true: for every element i > 1, heap_parent(i) has a priority
  * higher than or equal to that of i.
@@ -57,6 +60,7 @@
 			  ! heap->compare(heap->array[(i)], \
 					  heap->array[heap_parent(i)]))
 
+/*% ISC heap structure. */
 struct isc_heap {
 	unsigned int			magic;
 	isc_mem_t *			mctx;
@@ -78,7 +82,7 @@ isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
 	REQUIRE(heapp != NULL && *heapp == NULL);
 	REQUIRE(compare != NULL);
 
-	heap = isc_mem_get(mctx, sizeof *heap);
+	heap = isc_mem_get(mctx, sizeof(*heap));
 	if (heap == NULL)
 		return (ISC_R_NOMEMORY);
 	heap->magic = HEAP_MAGIC;
@@ -108,9 +112,9 @@ isc_heap_destroy(isc_heap_t **heapp) {
 
 	if (heap->array != NULL)
 		isc_mem_put(heap->mctx, heap->array,
-			    heap->size * sizeof (void *));
+			    heap->size * sizeof(void *));
 	heap->magic = 0;
-	isc_mem_put(heap->mctx, heap, sizeof *heap);
+	isc_mem_put(heap->mctx, heap, sizeof(*heap));
 
 	*heapp = NULL;
 }
@@ -123,13 +127,13 @@ resize(isc_heap_t *heap) {
 	REQUIRE(VALID_HEAP(heap));
 
 	new_size = heap->size + heap->size_increment;
-	new_array = isc_mem_get(heap->mctx, new_size * sizeof (void *));
+	new_array = isc_mem_get(heap->mctx, new_size * sizeof(void *));
 	if (new_array == NULL)
 		return (ISC_FALSE);
 	if (heap->array != NULL) {
-		memcpy(new_array, heap->array, heap->size * sizeof (void *));
+		memcpy(new_array, heap->array, heap->size * sizeof(void *));
 		isc_mem_put(heap->mctx, heap->array,
-			    heap->size * sizeof (void *));
+			    heap->size * sizeof(void *));
 	}
 	heap->size = new_size;
 	heap->array = new_array;
@@ -141,8 +145,8 @@ static void
 float_up(isc_heap_t *heap, unsigned int i, void *elt) {
 	unsigned int p;
 
-	for (p = heap_parent(i);
-	     i > 1 && heap->compare(elt, heap->array[p]);
+	for (p = heap_parent(i) ;
+	     i > 1 && heap->compare(elt, heap->array[p]) ;
 	     i = p, p = heap_parent(i)) {
 		heap->array[i] = heap->array[p];
 		if (heap->index != NULL)
@@ -196,48 +200,48 @@ isc_heap_insert(isc_heap_t *heap, void *elt) {
 }
 
 void
-isc_heap_delete(isc_heap_t *heap, unsigned int i) {
+isc_heap_delete(isc_heap_t *heap, unsigned int index) {
 	void *elt;
 	isc_boolean_t less;
 
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	if (i == heap->last) {
+	if (index == heap->last) {
 		heap->last--;
 	} else {
 		elt = heap->array[heap->last--];
-		less = heap->compare(elt, heap->array[i]);
-		heap->array[i] = elt;
+		less = heap->compare(elt, heap->array[index]);
+		heap->array[index] = elt;
 		if (less)
-			float_up(heap, i, heap->array[i]);
+			float_up(heap, index, heap->array[index]);
 		else
-			sink_down(heap, i, heap->array[i]);
+			sink_down(heap, index, heap->array[index]);
 	}
 }
 
 void
-isc_heap_increased(isc_heap_t *heap, unsigned int i) {
+isc_heap_increased(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	float_up(heap, i, heap->array[i]);
+	float_up(heap, index, heap->array[index]);
 }
 
 void
-isc_heap_decreased(isc_heap_t *heap, unsigned int i) {
+isc_heap_decreased(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	sink_down(heap, i, heap->array[i]);
+	sink_down(heap, index, heap->array[index]);
 }
 
 void *
-isc_heap_element(isc_heap_t *heap, unsigned int i) {
+isc_heap_element(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(i >= 1 && i <= heap->last);
+	REQUIRE(index >= 1 && index <= heap->last);
 
-	return (heap->array[i]);
+	return (heap->array[index]);
 }
 
 void
@@ -247,6 +251,6 @@ isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap) {
 	REQUIRE(VALID_HEAP(heap));
 	REQUIRE(action != NULL);
 
-	for (i = 1; i <= heap->last; i++)
+	for (i = 1 ; i <= heap->last ; i++)
 		(action)(heap->array[i], uap);
 }
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
index 9e8d2e8379..89a8470b89 100644
--- a/lib/isc/include/isc/heap.h
+++ b/lib/isc/include/isc/heap.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,36 +15,155 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.h,v 1.16.2.1 2004/03/09 06:11:56 marka Exp $ */
+/* $Id: heap.h,v 1.16.2.2 2006/04/17 18:27:07 explorer Exp $ */
 
 #ifndef ISC_HEAP_H
 #define ISC_HEAP_H 1
 
+/*! \file */
+
 #include 
 #include 
 
 ISC_LANG_BEGINDECLS
 
-/*
+/*%
  * The comparision function returns ISC_TRUE if the first argument has
  * higher priority than the second argument, and ISC_FALSE otherwise.
  */
 typedef isc_boolean_t (*isc_heapcompare_t)(void *, void *);
 
+/*%
+ * The index function allows the client of the heap to receive a callback
+ * when an item's index number changes.  This allows it to maintain
+ * sync with its external state, but still delete itself, since deletions
+ * from the heap require the index be provided.
+ */
 typedef void (*isc_heapindex_t)(void *, unsigned int);
+
+/*%
+ * The heapaction function is used when iterating over the heap.
+ *
+ * NOTE:  The heap structure CANNOT BE MODIFIED during the call to
+ * isc_heap_foreach().
+ */
 typedef void (*isc_heapaction_t)(void *, void *);
 
 typedef struct isc_heap isc_heap_t;
 
-isc_result_t	isc_heap_create(isc_mem_t *, isc_heapcompare_t,
-				isc_heapindex_t, unsigned int, isc_heap_t **);
-void		isc_heap_destroy(isc_heap_t **);
-isc_result_t	isc_heap_insert(isc_heap_t *, void *);
-void		isc_heap_delete(isc_heap_t *, unsigned int);
-void		isc_heap_increased(isc_heap_t *, unsigned int);
-void		isc_heap_decreased(isc_heap_t *, unsigned int);
-void *		isc_heap_element(isc_heap_t *, unsigned int);
-void		isc_heap_foreach(isc_heap_t *, isc_heapaction_t, void *);
+isc_result_t
+isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
+		isc_heapindex_t index, unsigned int size_increment,
+		isc_heap_t **heapp);
+/*!<
+ * \brief Create a new heap.  The heap is implemented using a space-efficient
+ * storage method.  When the heap elements are deleted space is not freed
+ * but will be reused when new elements are inserted.
+ *
+ * Requires:
+ *\li	"mctx" is valid.
+ *\li	"compare" is a function which takes two void * arguments and
+ *	returns ISC_TRUE if the first argument has a higher priority than
+ *	the second, and ISC_FALSE otherwise.
+ *\li	"index" is a function which takes a void *, and an unsigned int
+ *	argument.  This function will be called whenever an element's
+ *	index value changes, so it may continue to delete itself from the
+ *	heap.  This option may be NULL if this functionality is unneeded.
+ *\li	"size_increment" is a hint about how large the heap should grow
+ *	when resizing is needed.  If this is 0, a default size will be
+ *	used, which is currently 1024, allowing space for an additional 1024
+ *	heap elements to be inserted before adding more space.
+ *\li	"heapp" is not NULL, and "*heap" is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- success
+ *\li	ISC_R_NOMEMORY		- insufficient memory
+ */
+
+void
+isc_heap_destroy(isc_heap_t **heapp);
+/*!<
+ * \brief Destroys a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+isc_result_t
+isc_heap_insert(isc_heap_t *heap, void *elt);
+/*!<
+ * \brief Inserts a new element into a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+void
+isc_heap_delete(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Deletes an element from a heap, by element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_increased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has increased.
+ * This function MUST be called whenever an element has increased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_decreased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has decreased.
+ * This function MUST be called whenever an element has decreased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void *
+isc_heap_element(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Returns the element for a specific element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ *
+ * Returns:
+ *\li	A pointer to the element for the element index.
+ */
+
+void
+isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap);
+/*!<
+ * \brief Iterate over the heap, calling an action for each element.  The
+ * order of iteration is not sorted.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"action" is not NULL, and is a function which takes two arguments.
+ *	The first is a void *, representing the element, and the second is
+ *	"uap" as provided to isc_heap_foreach.
+ *\li	"uap" is a caller-provided argument, and may be NULL.
+ *
+ * Note:
+ *\li	The heap structure CANNOT be modified during this iteration.  The only
+ *	safe function to call while iterating the heap is isc_heap_element().
+ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/print.c b/lib/isc/print.c
index 5df0068fee..87c1e6e9f3 100644
--- a/lib/isc/print.c
+++ b/lib/isc/print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.c,v 1.22.2.4 2004/03/09 06:11:50 marka Exp $ */
+/* $Id: print.c,v 1.22.2.5 2006/04/17 18:27:07 explorer Exp $ */
+
+/*! \file */
 
 #include 
 
 #include 
-#include 		/* for sprintf */
-#include 
+#include 		/* for sprintf() */
+#include 		/* for strlen() */
 
 #define	ISC__PRINT_SOURCE	/* Used to get the isc_print_* prototypes. */
 
@@ -29,9 +31,20 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
-/*
+int
+isc_print_sprintf(char *str, const char *format, ...) {
+	va_list ap;
+
+	va_start(ap, format);
+	vsprintf(str, format, ap);
+	va_end(ap);
+	return (strlen(str));
+}
+
+/*!
  * Return length of string that would have been written if not truncated.
  */
 
@@ -47,7 +60,7 @@ isc_print_snprintf(char *str, size_t size, const char *format, ...) {
 
 }
 
-/*
+/*!
  * Return length of string that would have been written if not truncated.
  */
 
diff --git a/util/copyrights b/util/copyrights
index 0f8750cd2f..2ab52e11b5 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1826,7 +1826,7 @@
 ./lib/isc/event.c				C	1998,1999,2000,2001,2004
 ./lib/isc/fsaccess.c				C	2000,2001,2004
 ./lib/isc/hash.c				C	2003,2004,2006
-./lib/isc/heap.c				C	1997,1998,1999,2000,2001,2004
+./lib/isc/heap.c				C	1997,1998,1999,2000,2001,2004,2005,2006
 ./lib/isc/hex.c					C	2000,2001,2002,2004
 ./lib/isc/hmacmd5.c				C	2000,2001,2004,2006
 ./lib/isc/include/.cvsignore			X	1999,2000,2001
@@ -1849,7 +1849,7 @@
 ./lib/isc/include/isc/formatcheck.h		C	2000,2001,2004
 ./lib/isc/include/isc/fsaccess.h		C	2000,2001,2004
 ./lib/isc/include/isc/hash.h			C	2003,2004
-./lib/isc/include/isc/heap.h			C	1997,1998,1999,2000,2001,2004
+./lib/isc/include/isc/heap.h			C	1997,1998,1999,2000,2001,2004,2005,2006
 ./lib/isc/include/isc/hex.h			C	2000,2001,2004
 ./lib/isc/include/isc/hmacmd5.h			C	2000,2001,2004
 ./lib/isc/include/isc/interfaceiter.h		C	1999,2000,2001,2004
@@ -1920,7 +1920,7 @@
 ./lib/isc/nothreads/mutex.c			C	2000,2001,2004
 ./lib/isc/nothreads/thread.c			C	2000,2001,2004
 ./lib/isc/ondestroy.c				C	2000,2001,2004
-./lib/isc/print.c				C	1999,2000,2001,2003,2004
+./lib/isc/print.c				C	1999,2000,2001,2003,2004,2005,2006
 ./lib/isc/pthreads/.cvsignore			X	1999,2000,2001
 ./lib/isc/pthreads/Makefile.in			MAKE	1998,1999,2000,2001,2004
 ./lib/isc/pthreads/condition.c			C	1998,1999,2000,2001,2004

From f297e593da89e8f0705b5cd75157bdf352fce800 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 21 Apr 2006 01:01:14 +0000
Subject: [PATCH 150/465] new draft

---
 ...s-43.txt => draft-ietf-dnsext-mdns-46.txt} | 1007 +++++++++--------
 1 file changed, 534 insertions(+), 473 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-mdns-43.txt => draft-ietf-dnsext-mdns-46.txt} (86%)

diff --git a/doc/draft/draft-ietf-dnsext-mdns-43.txt b/doc/draft/draft-ietf-dnsext-mdns-46.txt
similarity index 86%
rename from doc/draft/draft-ietf-dnsext-mdns-43.txt
rename to doc/draft/draft-ietf-dnsext-mdns-46.txt
index 5de6e85ecf..63d0b23af6 100644
--- a/doc/draft/draft-ietf-dnsext-mdns-43.txt
+++ b/doc/draft/draft-ietf-dnsext-mdns-46.txt
@@ -7,8 +7,8 @@
 DNSEXT Working Group                                       Bernard Aboba
 INTERNET-DRAFT                                               Dave Thaler
 Category: Standards Track                                   Levon Esibov
-                    Microsoft Corporation
-29 August 2005
+                    Microsoft Corporation
+16 April 2006
 
               Linklocal Multicast Name Resolution (LLMNR)
 
@@ -35,11 +35,11 @@ Status of this Memo
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on March 15, 2006.
+   This Internet-Draft will expire on October 15, 2006.
 
 Copyright Notice
 
-   Copyright (C) The Internet Society 2005.
+   Copyright (C) The Internet Society 2006.
 
 Abstract
 
@@ -61,7 +61,7 @@ Aboba, Thaler & Esibov       Standards Track                    [Page 1]
 
 
 
-INTERNET-DRAFT                    LLMNR                   29 August 2005
+INTERNET-DRAFT                    LLMNR                    16 April 2006
 
 
 Table of Contents
@@ -70,35 +70,35 @@ Table of Contents
    1.1       Requirements ....................................    4
    1.2       Terminology .....................................    4
 2.     Name Resolution Using LLMNR ...........................    4
-   2.1       LLMNR Packet Format .............................    6
-   2.2       Sender Behavior .................................    9
-   2.3       Responder Behavior ..............................   10
-   2.4       Unicast Queries and Responses ...................   12
-   2.5       Off-link Detection ..............................   13
-   2.6       Responder Responsibilities ......................   13
-   2.7       Retransmission and Jitter .......................   14
-   2.8       DNS TTL .........................................   15
-   2.9       Use of the Authority and Additional Sections ....   15
-3.     Usage model ...........................................   16
-   3.1       LLMNR Configuration .............................   17
+   2.1       LLMNR Packet Format .............................    5
+   2.2       Sender Behavior .................................    8
+   2.3       Responder Behavior ..............................    8
+   2.4       Unicast Queries and Responses ...................   11
+   2.5       Off-link Detection ..............................   11
+   2.6       Responder Responsibilities ......................   12
+   2.7       Retransmission and Jitter .......................   13
+   2.8       DNS TTL .........................................   14
+   2.9       Use of the Authority and Additional Sections ....   14
+3.     Usage model ...........................................   15
+   3.1       LLMNR Configuration .............................   16
 4.     Conflict Resolution ...................................   18
-   4.1       Uniqueness Verification .........................   19
-   4.2       Conflict Detection and Defense ..................   20
-   4.3       Considerations for Multiple Interfaces ..........   21
+   4.1       Uniqueness Verification .........................   18
+   4.2       Conflict Detection and Defense ..................   19
+   4.3       Considerations for Multiple Interfaces ..........   20
    4.4       API issues ......................................   22
 5.     Security Considerations ...............................   22
-   5.1       Denial of Service ...............................   23
+   5.1       Denial of Service ...............................   22
    5.2       Spoofing ...............,........................   23
    5.3       Authentication ..................................   24
-   5.4       Cache and Port Separation .......................   25
+   5.4       Cache and Port Separation .......................   24
 6.     IANA considerations ...................................   25
 7.     Constants .............................................   25
-8.     References ............................................   25
-   8.1       Normative References ............................   25
+8.     References ............................................   26
+   8.1       Normative References ............................   26
    8.2       Informative References ..........................   26
-Acknowledgments ..............................................   27
+Acknowledgments ..............................................   28
 Authors' Addresses ...........................................   28
-Intellectual Property Statement ..............................   28
+Intellectual Property Statement ..............................   29
 Disclaimer of Validity .......................................   29
 Copyright Statement ..........................................   29
 
@@ -121,7 +121,7 @@ Aboba, Thaler & Esibov       Standards Track                    [Page 2]
 
 
 
-INTERNET-DRAFT                    LLMNR                   29 August 2005
+INTERNET-DRAFT                    LLMNR                    16 April 2006
 
 
 1.  Introduction
@@ -132,15 +132,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    port from the Domain Name System (DNS), with a distinct resolver
    cache.
 
-   The goal of LLMNR is to enable name resolution in scenarios in which
-   conventional DNS name resolution is not possible.  Usage scenarios
-   (discussed in more detail in Section 3.1) include situations in which
-   hosts are not configured with the address of a DNS server; where the
-   DNS server is unavailable or unreachable; where there is no DNS
-   server authoritative for the name of a host, or where the
-   authoritative DNS server does not have the desired RRs, as described
-   in Section 2.
-
    Since LLMNR only operates on the local link, it cannot be considered
    a substitute for DNS.  Link-scope multicast addresses are used to
    prevent propagation of LLMNR traffic across routers, potentially
@@ -171,6 +162,15 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    using LLMNR in particular, is outside of the scope of this document,
    as is name resolution over non-multicast capable media.
 
+1.1.  Requirements
+
+   In this document, several words are used to signify the requirements
+   of the specification.  The key words "MUST", "MUST NOT", "REQUIRED",
+   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY",
+   and "OPTIONAL" in this document are to be interpreted as described in
+   [RFC2119].
+
+
 
 
 
@@ -181,26 +181,14 @@ Aboba, Thaler & Esibov       Standards Track                    [Page 3]
 
 
 
-INTERNET-DRAFT                    LLMNR                   29 August 2005
+INTERNET-DRAFT                    LLMNR                    16 April 2006
 
 
-1.1.  Requirements
-
-   In this document, several words are used to signify the requirements
-   of the specification.  The key words "MUST", "MUST NOT", "REQUIRED",
-   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY",
-   and "OPTIONAL" in this document are to be interpreted as described in
-   [RFC2119].
-
 1.2.  Terminology
 
    This document assumes familiarity with DNS terminology defined in
    [RFC1035].  Other terminology used in this document includes:
 
-Positively Resolved
-     Responses with RCODE set to zero are referred to in this document
-     as "positively resolved".
-
 Routable Address
      An address other than a Link-Local address.  This includes globally
      routable addresses, as well as private addresses.
@@ -227,24 +215,11 @@ UNIQUE
 
 2.  Name Resolution Using LLMNR
 
-   LLMNR is a peer-to-peer name resolution protocol that is not intended
-   as a replacement for DNS.  LLMNR queries are sent to and received on
-   port 5355.  The IPv4 link-scope multicast address a given responder
-   listens to, and to which a sender sends queries, is 224.0.0.252.  The
-   IPv6 link-scope multicast address a given responder listens to, and
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 4]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   to which a sender sends all queries, is FF02:0:0:0:0:0:1:3.
+   LLMNR queries are sent to and received on port 5355.  The IPv4 link-
+   scope multicast address a given responder listens to, and to which a
+   sender sends queries, is 224.0.0.252.  The IPv6 link-scope multicast
+   address a given responder listens to, and to which a sender sends all
+   queries, is FF02:0:0:0:0:0:1:3.
 
    Typically a host is configured as both an LLMNR sender and a
    responder.  A host MAY be configured as a sender, but not a
@@ -254,77 +229,30 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    configured.  This may occur via any mechanism, including DHCPv4
    [RFC2131] or DHCPv6 [RFC3315].
 
-   LLMNR usage MAY be configured manually or automatically on a per
-   interface basis.  By default, LLMNR responders SHOULD be enabled on
-   all interfaces, at all times.  Enabling LLMNR for use in situations
-   where a DNS server has been configured will result in a change in
-   default behavior without a simultaneous update to configuration
-   information.  Where this is considered undesirable, LLMNR SHOULD NOT
-   be enabled by default, so that hosts will neither listen on the link-
-   scope multicast address, nor will they send queries to that address.
-
-   By default, LLMNR queries MAY be sent only when one of the following
-   conditions are met:
-
-   [1] No manual or automatic DNS configuration has been performed.
-       If DNS server address(es) have been configured, then LLMNR
-       SHOULD NOT be used as the primary name resolution mechanism,
-       although it MAY be used as a secondary name resolution
-       mechanism.  A dual stack host SHOULD attempt to reach DNS
-       servers overall protocols on which DNS server address(es) are
-       configured, prior to sending LLMNR queries.  For dual stack
-       hosts configured with DNS server address(es) for one protocol
-       but not another, this inplies that DNS queries SHOULD be sent
-       over the protocol configured with a DNS server, prior to
-       sending LLMNR queries.
-
-   [2] All attempts to resolve the name via DNS on all interfaces
-       have failed after exhausting the searchlist.  This can occur
-       because DNS servers did not respond, or because they
-       responded to DNS queries with RCODE=3 (Authoritative Name
-       Error) or RCODE=0, and an empty answer section.  Where a
-       single resolver call generates DNS queries for A and AAAA RRs,
-       an implementation MAY choose not to send LLMNR queries if any
-       of the DNS queries is successful.  An LLMNR query SHOULD only
-       be sent for the originally requested name;  a searchlist
-       is not used to form additional LLMNR queries.
-
-   While these conditions are necessary for sending an LLMNR query, they
-   are not sufficient.  While an LLMNR sender MAY send a query for any
-   name, it also MAY impose additional conditions on sending LLMNR
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 5]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   queries.  For example, a sender configured with a DNS server MAY send
-   LLMNR queries only for unqualified names and for fully qualified
-   domain names within configured zones.
-
    A typical sequence of events for LLMNR usage is as follows:
 
-   [a]  DNS servers are not configured or attempts to resolve the
-        name via DNS have failed, after exhausting the searchlist.
-        Also, the name to be queried satisfies the restrictions
-        imposed by the implementation.
+   [a]  An LLMNR sender sends an LLMNR query to the link-scope
+
+
+
+Aboba, Thaler & Esibov       Standards Track                    [Page 4]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
 
-   [b]  An LLMNR sender sends an LLMNR query to the link-scope
         multicast address(es), unless a unicast query is indicated,
         as specified in Section 2.4.
 
-   [c]  A responder responds to this query only if it is authoritative
-        for the domain name in the query.  A responder responds to a
+   [b]  A responder responds to this query only if it is authoritative
+        for the name in the query.  A responder responds to a
         multicast query by sending a unicast UDP response to the sender.
         Unicast queries are responded to as indicated in Section 2.4.
 
-   [d]  Upon reception of the response, the sender processes it.
+   [c]  Upon reception of the response, the sender processes it.
 
    The sections that follow provide further details on sender and
    responder behavior.
@@ -345,25 +273,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    LLMNR queries and responses utilize the DNS header format defined in
    [RFC1035] with exceptions noted below:
 
-
-
-
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 6]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
@@ -382,6 +291,19 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 
    where:
 
+
+
+
+
+Aboba, Thaler & Esibov       Standards Track                    [Page 5]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
 ID   A 16 bit identifier assigned by the program that generates any kind
      of query.  This identifier is copied from the query to the response
      and can be used by the sender to match responses to outstanding
@@ -411,27 +333,16 @@ C    Conflict.  When set within a request, the 'C'onflict bit indicates
      respond to LLMNR queries with the 'C' bit set, but may start the
      uniqueness verification process, as described in Section 4.2.
 
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 7]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
 TC   TrunCation - specifies that this message was truncated due to
      length greater than that permitted on the transmission channel.
      The TC bit MUST NOT be set in an LLMNR query and if set is ignored
      by an LLMNR responder.  If the TC bit is set in an LLMNR response,
-     then the sender SHOULD discard the response and resend the LLMNR
-     query over TCP using the unicast address of the responder as the
-     destination address.  See  [RFC2181] and Section 2.4 of this
-     specification for further discussion of the TC bit.
+     then the sender SHOULD resend the LLMNR query over TCP using the
+     unicast address of the responder as the destination address.  If
+     the sender receives a response to the TCP query, then it SHOULD
+     discard the UDP response with the TC bit set.  See  [RFC2181] and
+     Section 2.4 of this specification for further discussion of the TC
+     bit.
 
 T    Tentative.  The 'T'entative bit is set in a response if the
      responder is authoritative for the name, but has not yet verified
@@ -441,6 +352,18 @@ T    Tentative.  The 'T'entative bit is set in a response if the
      which case a conflict has been detected and a responder MUST
      resolve the conflict as described in Section 4.1.
 
+
+
+
+Aboba, Thaler & Esibov       Standards Track                    [Page 6]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
 Z    Reserved for future use.  Implementations of this specification
      MUST set these bits to zero in both queries and responses.  If
      these bits are set in a LLMNR query or response, implementations of
@@ -463,27 +386,19 @@ RCODE
      and the TC bit set.  This will cause the query to be resent using
      TCP, and allow the inclusion of a non-zero RCODE in the response to
      the TCP query.  Responding with the TC bit set is preferable to not
-     sending a response, since it enables errors to be diagnosed.
-     Errors include those defined in [RFC2845], such as BADSIG(16),
-     BADKEY(17) and BADTIME(18).
+     sending a response, since it enables errors to be diagnosed.  This
+     may be required, for example, when an LLMNR query includes a TSIG
+     RR in the additional section, and the responder encounters a
+     problem that requires returning a non-zero RCODE.  TSIG error
+     conditions defined in [RFC2845] include a TSIG RR in an
+     unacceptable position (RCODE=1) or a TSIG RR which does not
+     validate (RCODE=9 with TSIG ERROR 17 (BADKEY) or 16 (BADSIG)).
 
      Since LLMNR responders only respond to LLMNR queries for names for
      which they are authoritative, LLMNR responders MUST NOT respond
      with an RCODE of 3; instead, they should not respond at all.
 
      LLMNR implementations MUST support EDNS0 [RFC2671] and extended
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 8]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
      RCODE values.
 
 QDCOUNT
@@ -497,6 +412,18 @@ QDCOUNT
 ANCOUNT
      An unsigned 16 bit integer specifying the number of resource
      records in the answer section.  LLMNR responders MUST silently
+
+
+
+Aboba, Thaler & Esibov       Standards Track                    [Page 7]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
      discard LLMNR queries with ANCOUNT not equal to zero.
 
 NSCOUNT
@@ -532,25 +459,8 @@ ARCOUNT
    responses with the 'C' bit clear; instead, only the responses with
    the 'C' bit set SHOULD be returned.  If valid LLMNR response(s) are
    received along with error response(s), then the error responses are
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 9]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    silently discarded.
 
-   If error responses are received from both DNS and LLMNR, then the
-   lowest RCODE value should be returned. For example, if either DNS or
-   LLMNR receives a response with RCODE=0, then this should returned to
-   the caller.
-
    Since the responder may order the RRs in the response so as to
    indicate preference, the sender SHOULD preserve ordering in the
    response to the querying application.
@@ -562,6 +472,18 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    Upon configuring an IP address, responders typically will synthesize
    corresponding A, AAAA and PTR RRs so as to be able to respond to
    LLMNR queries for these RRs.  An SOA RR is synthesized only when a
+
+
+
+Aboba, Thaler & Esibov       Standards Track                    [Page 8]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
    responder has another RR in addition to the SOA RR;  the SOA RR MUST
    NOT be the only RR that a responder has.  However, in general whether
    RRs are manually or automatically created is an implementation
@@ -591,22 +513,9 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 
    In responding to queries:
 
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 10]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
 [a]  Responders MUST listen on UDP port 5355 on the link-scope multicast
-     address(es) defined in Section 2, and on UDP and TCP port 5355 on
-     the unicast address(es) that could be set as the source address(es)
+     address(es) defined in Section 2, and on TCP port 5355 on the
+     unicast address(es) that could be set as the source address(es)
      when the responder responds to the LLMNR query.
 
 [b]  Responders MUST direct responses to the port from which the query
@@ -624,6 +533,17 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 [d]  Responders MUST NOT respond to LLMNR queries for names they are not
      authoritative for.
 
+
+
+Aboba, Thaler & Esibov       Standards Track                    [Page 9]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
 [e]  Responders MUST NOT respond using data from the LLMNR or DNS
      resolver cache.
 
@@ -653,17 +573,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    conventional DNS terminology, an LLMNR responder is authoritative
    only for the zone apex.
 
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 11]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    For example the host "foo.example.com." is not authoritative for the
    name "child.foo.example.com." unless the host is configured with
    multiple names, including "foo.example.com."  and
@@ -683,6 +592,18 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    hosts could perform a dynamic update of the parent (or grandparent)
    zone with a delegation to a child zone;  for example a host
    "child.foo.example.com." could send a dynamic update for the NS and
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 10]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
    glue A record to "foo.example.com.".  However, this approach
    significantly complicates implementation of LLMNR and would not be
    acceptable for lightweight hosts.
@@ -705,24 +626,16 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 
    Unicast UDP queries MUST be silently discarded.
 
-   If TCP connection setup cannot be completed in order to send a
-   unicast TCP query, this is treated as a response that no records of
-   the specified type and class exist for the specified name (it is
-   treated the same as a response with RCODE=0 and an empty answer
-   section).
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 12]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
+   A unicast PTR RR query for an off-link address will not elicit a
+   response, but instead an ICMP TTL or Hop Limit exceeded message will
+   be received.  An implementation receiving an ICMP message in response
+   to a TCP connection setup attempt can return immediately, treating
+   this as a response that no such name exists (RCODE=3 is returned).
+   An implementation that cannot process ICMP messages MAY send
+   multicast UDP queries for PTR RRs.  Since TCP implementations will
+   not retransmit prior to RTOmin, a considerable period will elapse
+   before TCP retransmits multiple times, resulting in a long timeout
+   for TCP PTR RR queries sent to an off-link destination.
 
 2.5.  "Off link" Detection
 
@@ -740,6 +653,17 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    sent to another multicast address, then the query MUST be silently
    discarded.
 
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 11]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
    Section 2.4 discusses use of TCP for LLMNR queries and responses.  In
    composing an LLMNR query using TCP, the sender MUST set the Hop Limit
    field in the IPv6 header and the TTL field in the IPv4 header of the
@@ -752,7 +676,7 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    For UDP queries and responses, the Hop Limit field in the IPv6 header
    and the TTL field in the IPV4 header MAY be set to any value.
    However, it is RECOMMENDED that the value 255 be used for
-   compatibility with Apple Bonjour [Bonjour].
+   compatibility with early implementations of [RFC3927].
 
    Implementation note:
 
@@ -772,18 +696,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    IPv4 Link-Local addresses are defined in [RFC3927].  IPv6 Link-Local
    addresses are defined in [RFC2373].  In particular:
 
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 13]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    [a] If a link-scope IPv6 address is returned in a AAAA RR,
        that address MUST be valid on the local link over which
        LLMNR is used.
@@ -800,6 +712,18 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 
    [d] If the source address of the query is a link-scope address,
        then the responder SHOULD include a link-scope address first
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 12]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
        in the response, if available.
 
    [e] If the source address of the query is a routable address,
@@ -816,9 +740,8 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 
    If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT,
    then a sender SHOULD repeat the transmission of the query in order to
-   assure that it was received by a host capable of responding to it,
-   while increasing the value of LLMNR_TIMEOUT exponentially.  An LLMNR
-   query SHOULD NOT be sent more than three times.
+   assure that it was received by a host capable of responding to it.
+   An LLMNR query SHOULD NOT be sent more than three times.
 
    Where LLMNR queries are sent using TCP, retransmission is handled by
    the transport layer.  Queries with the 'C' bit set MUST be sent using
@@ -833,35 +756,34 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    after the first response is received, if that response has the 'C'
    bit clear.
 
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 14]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    However, if the first response has the 'C' bit set, then the sender
-   SHOULD wait for LLMNR_TIMEOUT in order to collect all possible
-   responses.  When multiple valid answers are received, they may first
-   be concatenated, and then treated in the same manner that multiple
-   RRs received from the same DNS server would.  A unicast query sender
-   considers the query answered after the first response is received, so
-   that it only waits for LLMNR_TIMEOUT if no response has been
+   SHOULD wait for LLMNR_TIMEOUT + JITTER_INTERVAL in order to collect
+   all possible responses.  When multiple valid answers are received,
+   they may first be concatenated, and then treated in the same manner
+   that multiple RRs received from the same DNS server would.  A unicast
+   query sender considers the query answered after the first response is
    received.
 
    Since it is possible for a response with the 'C' bit clear to be
    followed by a response with the 'C' bit set, an LLMNR sender SHOULD
    be prepared to process additional responses for the purposes of
-   conflict detection and LLMNR_TIMEOUT estimation, even after it has
-   considered a query answered.
+   conflict detection, even after it has considered a query answered.
 
    In order to avoid synchronization, the transmission of each LLMNR
    query and response SHOULD delayed by a time randomly selected from
-   the interval 0 to JITTER_INTERVAL. This delay MAY be avoided by
+   the interval 0 to JITTER_INTERVAL.  This delay MAY be avoided by
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 13]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
    responders responding with names which they have previously
    determined to be UNIQUE (see Section 4 for details).
 
@@ -892,18 +814,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    indicates how long a resolver may cache the negative answer.  The
    owner name of the SOA record (MNAME) MUST be set to the query name.
    The RNAME, SERIAL, REFRESH, RETRY and EXPIRE values MUST be ignored
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 15]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    by senders.  Negative responses without SOA records SHOULD NOT be
    cached.
 
@@ -923,16 +833,77 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    of a response as answers, though they may be used for other purposes
    such as negative caching.
 
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 14]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
 3.  Usage Model
 
+   LLMNR is a peer-to-peer name resolution protocol that is not intended
+   as a replacement for DNS; rather, it enables name resolution in
+   scenarios in which conventional DNS name resolution is not possible.
+   This includes situations in which hosts are not configured with the
+   address of a DNS server; where the DNS server is unavailable or
+   unreachable; where there is no DNS server authoritative for the name
+   of a host, or where the authoritative DNS server does not have the
+   desired RRs.
+
+   By default, an LLMNR sender SHOULD send LLMNR queries only for
+   single-label names.  In order to reduce unnecessary DNS queries, stub
+   resolvers supporting both DNS and LLMNR SHOULD avoid sending DNS
+   queries for single-label names.  An LLMNR sender SHOULD NOT be
+   enabled to send a query for any name, except where security
+   mechanisms (described in Section 5.3) can be utilized.
+
+   Regardless of whether security mechanisms can be utilized, LLMNR
+   queries SHOULD NOT be sent unless one of the following conditions are
+   met:
+
+   [1] No manual or automatic DNS configuration has been performed.
+       If DNS server address(es) have been configured, a
+       host SHOULD attempt to reach DNS servers over all protocols
+       on which DNS server address(es) are configured, prior to sending
+       LLMNR queries.  For dual stack hosts configured with DNS server
+       address(es) for one protocol but not another, this implies that
+       DNS queries SHOULD be sent over the protocol configured with
+       a DNS server, prior to sending LLMNR queries.
+
+   [2] All attempts to resolve the name via DNS on all interfaces
+       have failed after exhausting the searchlist.  This can occur
+       because DNS servers did not respond, or because they
+       responded to DNS queries with RCODE=3 (Authoritative Name
+       Error) or RCODE=0, and an empty answer section.  Where a
+       single resolver call generates DNS queries for A and AAAA RRs,
+       an implementation MAY choose not to send LLMNR queries if any
+       of the DNS queries is successful.  An LLMNR query SHOULD only
+       be sent for the originally requested name;  a searchlist
+       is not used to form additional LLMNR queries.
+
    Since LLMNR is a secondary name resolution mechanism, its usage is in
-   part determined by the behavior of DNS implementations.  This
-   document does not specify any changes to DNS resolver behavior, such
-   as searchlist processing or retransmission/failover policy.  However,
+   part determined by the behavior of DNS implementations.  In general,
    robust DNS resolver implementations are more likely to avoid
    unnecessary LLMNR queries.
 
    As noted in [DNSPerf], even when DNS servers are configured, a
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 15]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
    significant fraction of DNS queries do not receive a response, or
    result in negative responses due to missing inverse mappings or NS
    records that point to nonexistent or inappropriate hosts.  This has
@@ -946,12 +917,41 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 
    For example, [RFC1536] Section 1 describes issues with retransmission
    and recommends implementation of a retransmission policy based on
-   round trip estimates, with exponential backoff.  [RFC1536] Section 4
+   round trip estimates, with exponential back-off.  [RFC1536] Section 4
    describes issues with failover, and recommends that resolvers try
    another server when they don't receive a response to a query.  These
    policies are likely to avoid unnecessary LLMNR queries.
 
    [RFC1536] Section 3 describes zero answer bugs, which if addressed
+   will also reduce unnecessary LLMNR queries.
+
+   [RFC1536] Section 6 describes name error bugs and recommended
+   searchlist processing that will reduce unnecessary RCODE=3
+   (authoritative name) errors, thereby also reducing unnecessary LLMNR
+   queries.
+
+   If error responses are received from both DNS and LLMNR, then the
+   lowest RCODE value should be returned.  For example, if either DNS or
+   LLMNR receives a response with RCODE=0, then this should returned to
+   the caller.
+
+3.1.  LLMNR Configuration
+
+   LLMNR usage MAY be configured manually or automatically on a per
+   interface basis.  By default, LLMNR responders SHOULD be enabled on
+   all interfaces, at all times.  Enabling LLMNR for use in situations
+   where a DNS server has been configured will result in a change in
+   default behavior without a simultaneous update to configuration
+   information.  Where this is considered undesirable, LLMNR SHOULD NOT
+   be enabled by default, so that hosts will neither listen on the link-
+   scope multicast address, nor will they send queries to that address.
+
+   Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
+   possible for a dual stack host to be configured with the address of a
+   DNS server over IPv4, while remaining unconfigured with a DNS server
+   suitable for use over IPv6.
+
+   In these situations, a dual stack host will send AAAA queries to the
 
 
 
@@ -961,24 +961,9 @@ Aboba, Thaler & Esibov       Standards Track                   [Page 16]
 
 
 
-INTERNET-DRAFT                    LLMNR                   29 August 2005
+INTERNET-DRAFT                    LLMNR                    16 April 2006
 
 
-   will also reduce unnecessary LLMNR queries.
-
-   [RFC1536] Section 6 describes name error bugs and recommended
-   searchlist processing that will reduce unnecessary RCODE=3
-   (authoritative name) errors, thereby also reducing unnecessary LLMNR
-   queries.
-
-3.1.  LLMNR Configuration
-
-   Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
-   possible for a dual stack host to be configured with the address of a
-   DNS server over IPv4, while remaining unconfigured with a DNS server
-   suitable for use over IPv6.
-
-   In these situations, a dual stack host will send AAAA queries to the
    configured DNS server over IPv4.  However, an IPv6-only host
    unconfigured with a DNS server suitable for use over IPv6 will be
    unable to resolve names using DNS.  Automatic IPv6 DNS configuration
@@ -1012,18 +997,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    enables linklocal name resolution over IPv4.
 
    Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 17]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    configure LLMNR on an interface.  The LLMNR Enable Option, described
    in [LLMNREnable], can be used to explicitly enable or disable use of
    LLMNR on an interface.  The LLMNR Enable Option does not determine
@@ -1039,6 +1012,18 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    configuration.
 
    For example, where DHCP is used for configuring DNS servers, one or
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 17]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
    more DHCP servers can fail.  As a result, hosts configured prior to
    the outage will be configured with a DNS server, while hosts
    configured after the outage will not.  Alternatively, it is possible
@@ -1069,21 +1054,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    and potentially to intervene and reconfigure LLMNR responders who
    should not be configured to respond to the same name.
 
-
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 18]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
 4.1.  Uniqueness Verification
 
    Prior to sending an LLMNR response with the 'T' bit clear, a
@@ -1102,6 +1072,18 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
      - wakes from sleep (if the network interface was inactive
        during sleep)
      - is configured to respond to LLMNR queries on an interface
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 18]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
        enabled for transmission and reception of IP traffic
      - is configured to respond to LLMNR queries using additional
        UNIQUE resource records
@@ -1132,18 +1114,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    the answer section in a response is irrelevant.
 
    Periodically carrying out uniqueness verification in an attempt to
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 19]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    detect name conflicts is not necessary, wastes network bandwidth, and
    may actually be detrimental.  For example, if network links are
    joined only briefly, and are separated again before any new
@@ -1162,6 +1132,18 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    sender receives multiple LLMNR responses to a query, it MUST check if
    the 'C' bit is clear in any of the responses.  If so, the sender
    SHOULD send another query for the same name, type and class, this
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 19]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
    time with the 'C' bit set, with the potentially conflicting resource
    records included in the additional section.
 
@@ -1193,17 +1175,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    attempt uniqueness verification again after the expiration of the TTL
    of the conflicting response.
 
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 20]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
 4.3.  Considerations for Multiple Interfaces
 
    A multi-homed host may elect to configure LLMNR on only one of its
@@ -1220,6 +1191,19 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    A multi-homed host checks the uniqueness of UNIQUE records as
    described in Section 4.  The situation is illustrated in figure 1.
 
+
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 20]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
         ----------  ----------
          |      |    |      |
         [A]    [myhost]   [myhost]
@@ -1252,18 +1236,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    hosts on both interfaces.
 
    Host myhost cannot distinguish between the situation shown in Figure
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 21]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    2, and that shown in Figure 3 where no conflict exists.
 
                 [A]
@@ -1281,6 +1253,17 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    separated name spaces.  It is not the intent of this document to
    address the issue of uniqueness of names within DNS.
 
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 21]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
 4.4.  API Issues
 
    [RFC2553] provides an API which can partially solve the name
@@ -1312,18 +1295,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    the same link.  These threats are most serious in wireless networks
    such as 802.11, since attackers on a wired network will require
    physical access to the network, while wireless attackers may mount
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 22]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    attacks from a distance.  Link-layer security such as [IEEE-802.11i]
    can be of assistance against these threats if it is available.
 
@@ -1341,6 +1312,18 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    An attacker may spoof LLMNR queries from a victim's address in order
    to mount a denial of service attack.  Responders setting the IPv6 Hop
    Limit or IPv4 TTL field to a value larger than one in an LLMNR UDP
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 22]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
    response may be able to reach the victim across the Internet.
 
    While LLMNR responders only respond to queries for which they are
@@ -1372,18 +1355,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 
    Since LLMNR queries can be sent when DNS server(s) do not respond, an
    attacker can execute a denial of service attack on the DNS server(s)
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 23]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    and then poison the LLMNR cache by responding to an LLMNR query with
    incorrect information.  As noted in "Threat Analysis of the Domain
    Name System (DNS)" [RFC3833] these threats also exist with DNS, since
@@ -1402,56 +1373,53 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    a response in a timely way is not difficult, since a legitimate
    response will never be received.
 
-   Limiting the situations in which LLMNR queries are sent, as described
-   in Section 2, is the best protection against these attacks.  If LLMNR
-   is given higher priority than DNS among the enabled name resolution
-   mechanisms, a denial of service attack on the DNS server would not be
-   necessary in order to poison the LLMNR cache, since LLMNR queries
-   would be sent even when the DNS server is available.  In addition,
-   the LLMNR cache, once poisoned, would take precedence over the DNS
-   cache, eliminating the benefits of cache separation.  As a result,
-   LLMNR is only used as a name resolution mechanism of last resort.
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 23]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
+   This vulnerability can be reduced by limiting use of LLMNR to
+   resolution of single-label names as described in Section 3, or by
+   implementation of authentication (see Section 5.3).
 
 5.3.  Authentication
 
    LLMNR is a peer-to-peer name resolution protocol, and as a result,
    it is often deployed in situations where no trust model can be
-   assumed.  This makes it difficult to apply existing DNS security
-   mechanisms to LLMNR.
-
-   LLMNR does not support "delegated trust" (CD or AD bits).  As a
-   result, unless LLMNR senders are DNSSEC aware, it is not feasible to
-   use DNSSEC [RFC4033] with LLMNR.
-
-   If authentication is desired, and a pre-arranged security
-   configuration is possible, then the following security mechanisms may
-   be used:
+   assumed.  Where a pre-arranged security configuration is possible,
+   the following security mechanisms may be used:
 
 [a]  LLMNR implementations MAY support TSIG [RFC2845] and/or SIG(0)
-     [RFC2931] security mechanisms. "DNS Name Service based on Secure
+     [RFC2931] security mechanisms.  "DNS Name Service based on Secure
      Multicast DNS for IPv6 Mobile Ad Hoc Networks" [LLMNRSec] describes
-     the use of TSIG to secure LLMNR responses, based on group keys.
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 24]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
+     the use of TSIG to secure LLMNR, based on group keys.  While group
+     keys can be used to demonstrate membership in a group, they do not
+     protect against forgery by an attacker that is a member of the
+     group.
 
 [b]  IPsec ESP with a null-transform MAY be used to authenticate unicast
      LLMNR queries and responses or LLMNR responses to multicast
      queries.  In a small network without a certificate authority, this
      can be most easily accomplished through configuration of a group
-     pre-shared key for trusted hosts.
+     pre-shared key for trusted hosts.  As with TSIG, this does not
+     protect against forgery by an attacker with access to the group
+     pre-shared key.
 
-   Where these mechanisms cannot be supported, responses to LLMNR
-   queries may be unauthenticated.
+[c]  LLMNR implementations MAY support DNSSEC [RFC4033].  In order to
+     support DNSSEC, LLMNR implementations MAY be configured with trust
+     anchors, or they MAY make use of keys obtained from DNS queries.
+     Since LLMNR does not support "delegated trust" (CD or AD bits),
+     LLMNR implementations cannot make use of DNSSEC unless they are
+     DNSSEC-aware and support validation.  Unlike approaches [a] or [b],
+     DNSSEC permits a responder to demonstrate ownership of a name, not
+     just membership within a trusted group.  As a result, it enables
+     protection against forgery.
 
 5.4.  Cache and Port Separation
 
@@ -1465,11 +1433,27 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    LLMNR operates on a separate port from DNS, reducing the likelihood
    that a DNS server will unintentionally respond to an LLMNR query.
 
-6.  IANA Considerations
 
-   This specification creates one new name space:  the reserved bits in
-   the LLMNR header.  These are allocated by IETF Consensus, in
-   accordance with BCP 26 [RFC2434].
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 24]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
+   If LLMNR is given higher priority than DNS among the enabled name
+   resolution mechanisms, a denial of service attack on the DNS server
+   would not be necessary in order to poison the LLMNR cache, since
+   LLMNR queries would be sent even when the DNS server is available.
+   In addition, the LLMNR cache, once poisoned, would take precedence
+   over the DNS cache, eliminating the benefits of cache separation.  As
+   a result, LLMNR SHOULD NOT be used as a primary name resolution
+   mechanism.
+
+6.  IANA Considerations
 
    LLMNR requires allocation of port 5355 for both TCP and UDP.
 
@@ -1477,6 +1461,26 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
    224.0.0.252, as well as link-scope multicast IPv6 address
    FF02:0:0:0:0:0:1:3.
 
+   This specification creates two new name spaces:  the LLMNR namespace
+   and the reserved bits in the LLMNR header.  The reserved bits in the
+   LLMNR header are allocated by IETF Consensus, in accordance with BCP
+   26 [RFC2434].
+
+   In order to to avoid creating any new administrative procedures,
+   administration of the LLMNR namespace will piggyback on the
+   administration of the DNS namespace.
+
+   The rights to use a fully qualified domain name (FQDN) within LLMNR
+   are obtained coincident with acquiring the rights to use that name
+   within DNS.  Those wishing to use a FQDN within LLMNR should first
+   acquire the rights to use the corresponding FQDN within DNS.  Using a
+   FQDN within LLMNR without ownership of the corresponding name in DNS
+   creates the possibility of conflict and therefore is discouraged.
+
+   LLMNR responders may self-allocate a name within the single-label
+   name space, first defined in [RFC1001].  Since single-label names are
+   not unique, no registration process is required.
+
 7.  Constants
 
    The following timing constants are used in this protocol; they are
@@ -1486,12 +1490,8 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
       LLMNR_TIMEOUT        1 second (if set statically on all interfaces)
                            100 ms (IEEE 802 media, including IEEE 802.11)
 
-8.  References
 
-8.1.  Normative References
 
-[RFC1035] Mockapetris, P., "Domain Names - Implementation and
-          Specification", RFC 1035, November 1987.
 
 
 
@@ -1501,9 +1501,20 @@ Aboba, Thaler & Esibov       Standards Track                   [Page 25]
 
 
 
-INTERNET-DRAFT                    LLMNR                   29 August 2005
+INTERNET-DRAFT                    LLMNR                    16 April 2006
 
 
+8.  References
+
+8.1.  Normative References
+
+[RFC1001] Auerbach, K. and A. Aggarwal, "Protocol Standard for a NetBIOS
+          Service on a TCP/UDP Transport: Concepts and Methods", RFC
+          1001, March 1987.
+
+[RFC1035] Mockapetris, P., "Domain Names - Implementation and
+          Specification", RFC 1035, November 1987.
+
 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119, March 1997.
 
@@ -1532,10 +1543,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 
 8.2.  Informative References
 
-[Bonjour] Cheshire, S. and M. Krochmal, "Multicast DNS", Internet draft
-          (work in progress), draft-cheshire-dnsext-multicastdns-05.txt,
-          June 2005.
-
 [DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of
           Caching", IEEE/ACM Transactions on Networking, Volume 10,
           Number 5, pp. 589, October 2002.
@@ -1545,13 +1552,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
           Internet draft (work in progress), draft-ietf-ipv6-dns-
           discovery-07.txt, October 2002.
 
-[IEEE-802.11i]
-          Institute of Electrical and Electronics Engineers, "Supplement
-          to Standard for Telecommunications and Information Exchange
-          Between Systems - LAN/MAN Specific Requirements - Part 11:
-          Wireless LAN Medium Access Control (MAC) and Physical Layer
-          (PHY) Specifications: Specification for Enhanced Security",
-          IEEE 802.11i, July 2004.
 
 
 
@@ -1561,9 +1561,17 @@ Aboba, Thaler & Esibov       Standards Track                   [Page 26]
 
 
 
-INTERNET-DRAFT                    LLMNR                   29 August 2005
+INTERNET-DRAFT                    LLMNR                    16 April 2006
 
 
+[IEEE-802.11i]
+          Institute of Electrical and Electronics Engineers, "Supplement
+          to Standard for Telecommunications and Information Exchange
+          Between Systems - LAN/MAN Specific Requirements - Part 11:
+          Wireless LAN Medium Access Control (MAC) and Physical Layer
+          (PHY) Specifications: Specification for Enhanced Security",
+          IEEE 802.11i, July 2004.
+
 [LLMNREnable]
           Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work
           in progress), draft-guttman-mdns-enable-02.txt, April 2002.
@@ -1605,14 +1613,6 @@ INTERNET-DRAFT                    LLMNR                   29 August 2005
 [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
           System (DNS)", RFC 3833, August 2004.
 
-[RFC3927] Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration
-          of Link-Local IPv4 Addresses", RFC 3927, October 2004.
-
-[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
-          "DNS Security Introduction and Requirement", RFC 4033, March
-          2005.
-
-
 
 
 Aboba, Thaler & Esibov       Standards Track                   [Page 27]
@@ -1621,9 +1621,16 @@ Aboba, Thaler & Esibov       Standards Track                   [Page 27]
 
 
 
-INTERNET-DRAFT                    LLMNR                   29 August 2005
+INTERNET-DRAFT                    LLMNR                    16 April 2006
 
 
+[RFC3927] Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration
+          of Link-Local IPv4 Addresses", RFC 3927, October 2004.
+
+[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
+          "DNS Security Introduction and Requirement", RFC 4033, March
+          2005.
+
 Acknowledgments
 
    This work builds upon original work done on multicast DNS by Bill
@@ -1662,6 +1669,21 @@ Authors' Addresses
 
    EMail: levone@microsoft.com
 
+
+
+
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 28]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
 Intellectual Property Statement
 
    The IETF takes no position regarding the validity or scope of any
@@ -1673,17 +1695,6 @@ Intellectual Property Statement
    on the procedures with respect to rights in RFC documents can be
    found in BCP 78 and BCP 79.
 
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 28]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
    Copies of IPR disclosures made to the IETF Secretariat and any
    assurances of licenses to be made available, or the result of an
    attempt made to obtain a general license or permission for the use of
@@ -1709,7 +1720,7 @@ Disclaimer of Validity
 
 Copyright Statement
 
-   Copyright (C) The Internet Society (2005).  This document is subject
+   Copyright (C) The Internet Society (2006).  This document is subject
    to the rights, licenses and restrictions contained in BCP 78, and
    except as set forth therein, the authors retain all their rights.
 
@@ -1718,6 +1729,21 @@ Acknowledgment
    Funding for the RFC Editor function is currently provided by the
    Internet Society.
 
+
+
+
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 29]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                    16 April 2006
+
+
 Open Issues
 
    Open issues with this specification are tracked on the following web
@@ -1735,6 +1761,41 @@ Open Issues
 
 
 
-Aboba, Thaler & Esibov       Standards Track                   [Page 29]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, Thaler & Esibov       Standards Track                   [Page 30]
+
 
 

From c4a216adcf672cc546525cdb2dd0f9b2b474f3f3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 21 Apr 2006 23:17:02 +0000
Subject: [PATCH 151/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 00c987833d..c653f2d123 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -73,6 +73,7 @@ rt15860				new
 rt15878				new	
 rt15941				new	
 rt15958				new	
+rt15970				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	

From 591624154fd690d6899f5b2a87fe42011f7e5057 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 23 Apr 2006 10:10:10 +0000
Subject: [PATCH 152/465] regen

---
 bin/check/named-checkconf.html          |  14 +--
 bin/check/named-checkzone.html          |  14 +--
 bin/dig/dig.html                        |  20 ++--
 bin/dig/host.html                       |  10 +-
 bin/dig/nslookup.html                   |  16 +--
 bin/dnssec/dnssec-keygen.html           |  16 +--
 bin/dnssec/dnssec-makekeyset.html       |  14 +--
 bin/dnssec/dnssec-signkey.html          |  14 +--
 bin/dnssec/dnssec-signzone.html         |  14 +--
 bin/named/lwresd.html                   |  14 +--
 bin/named/named.conf.html               |  30 ++---
 bin/named/named.html                    |  18 +--
 bin/nsupdate/nsupdate.html              |  16 +--
 bin/rndc/rndc-confgen.html              |  14 +--
 bin/rndc/rndc.conf.html                 |  14 +--
 bin/rndc/rndc.html                      |  14 +--
 doc/arm/Bv9ARM.ch01.html                |  50 ++++----
 doc/arm/Bv9ARM.ch02.html                |  22 ++--
 doc/arm/Bv9ARM.ch03.html                |  26 ++--
 doc/arm/Bv9ARM.ch04.html                |  74 ++++++------
 doc/arm/Bv9ARM.ch05.html                |   6 +-
 doc/arm/Bv9ARM.ch06.html                | 132 ++++++++++-----------
 doc/arm/Bv9ARM.ch07.html                |  14 +--
 doc/arm/Bv9ARM.ch08.html                |  18 +--
 doc/arm/Bv9ARM.ch09.html                |  26 ++--
 doc/arm/Bv9ARM.html                     | 150 ++++++++++++------------
 lib/lwres/man/lwres.html                |  14 +--
 lib/lwres/man/lwres_buffer.html         |   6 +-
 lib/lwres/man/lwres_config.html         |  12 +-
 lib/lwres/man/lwres_context.html        |  10 +-
 lib/lwres/man/lwres_gabn.html           |  10 +-
 lib/lwres/man/lwres_gai_strerror.html   |   8 +-
 lib/lwres/man/lwres_getaddrinfo.html    |  10 +-
 lib/lwres/man/lwres_gethostent.html     |  12 +-
 lib/lwres/man/lwres_getipnode.html      |  10 +-
 lib/lwres/man/lwres_getnameinfo.html    |  12 +-
 lib/lwres/man/lwres_getrrsetbyname.html |  10 +-
 lib/lwres/man/lwres_gnba.html           |  10 +-
 lib/lwres/man/lwres_hstrerror.html      |  10 +-
 lib/lwres/man/lwres_inetntop.html       |  10 +-
 lib/lwres/man/lwres_noop.html           |  10 +-
 lib/lwres/man/lwres_packet.html         |   8 +-
 lib/lwres/man/lwres_resutil.html        |  10 +-
 43 files changed, 471 insertions(+), 471 deletions(-)

diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index dda2f490c0..2f7472120c 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
named-checkconf — named configuration file syntax checking tool

@@ -32,14 +32,14 @@
 
named-checkconf  [-v] [-t directory] {filename}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

         named-checkconf checks the syntax, but not
 	the semantics, of a named configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -60,21 +60,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

         named-checkconf returns an exit status of 1 if
 	errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 

         Internet Systems Consortium
     

diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 1940a68cf4..c0afa9e9d2 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
named-checkzone — zone file validity checking tool

@@ -32,7 +32,7 @@
 
named-checkzone  [-d] [-j] [-q] [-v] [-c class] {zonename} {filename}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

         named-checkzone checks the syntax and integrity of
 	a zone file.  It performs the same checks as named
@@ -42,7 +42,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -76,14 +76,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

         named-checkzone returns an exit status of 1 if
 	errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       named(8),
       RFC 1035,
@@ -91,7 +91,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

         Internet Systems Consortium
     

diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 28bc44bc9d..6cdddb5325 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
dig — DNS lookup utility

@@ -34,7 +34,7 @@
 
dig  [global-queryopt...] [query...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 dig (domain information groper) is a flexible tool
 for interrogating DNS name servers.  It performs DNS lookups and
@@ -69,7 +69,7 @@ are applied before the command line arguments.
 

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

 A typical invocation of dig looks like:
 

@@ -107,7 +107,7 @@ ANY, A, MX, SIG, etc.
 

 

 

-
OPTIONS

+
OPTIONS

 

 The -b option sets the source IP address of the query
 to address.  This must be a valid address on
@@ -181,7 +181,7 @@ being used.  In BIND, this is done by providing appropriate
 

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 

 dig provides a number of query options which affect
 the way in which lookups are made and the results displayed.  Some of
@@ -396,7 +396,7 @@ in the OPT record in the additional section of the query.
 

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

 The BIND 9 implementation of dig  supports
 specifying multiple queries on the command line (in addition to
@@ -437,7 +437,7 @@ will not print the initial query when it looks up the NS records for
 

 

 

-
FILES

+
FILES

 

 /etc/resolv.conf
 

@@ -446,7 +446,7 @@ will not print the initial query when it looks up the NS records for
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 host(1),
 named(8),
@@ -455,7 +455,7 @@ will not print the initial query when it looks up the NS records for
 

 

 

-
BUGS 

+
BUGS 

 

 There are probably too many query options. 
 

diff --git a/bin/dig/host.html b/bin/dig/host.html
index e1fa3dd91e..78b0b204a8 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
host — DNS lookup utility

@@ -32,7 +32,7 @@
 
host  [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] {name} [server]

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 host
 is a simple utility for performing DNS lookups.
@@ -148,13 +148,13 @@ value for an integer quantity.
 

 

 

-
FILES

+
FILES

 

 /etc/resolv.conf
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 dig(1),
 named(8).
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index 14ce80229d..63d4749ab5 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -21,7 +21,7 @@
 
 
 

-

+

 

 
Name

 
nslookup — query Internet name servers interactively

@@ -31,7 +31,7 @@
 
nslookup  [-option] [name | -] [server]

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 Nslookup
 is a program to query Internet domain name servers.  Nslookup
@@ -43,7 +43,7 @@ domain.
 

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 Interactive mode is entered in the following cases:
 

@@ -75,7 +75,7 @@ nslookup -query=hinfo  -timeout=10
 

 

 

-
INTERACTIVE COMMANDS

+
INTERACTIVE COMMANDS

 

 
host [server]

 

@@ -241,13 +241,13 @@ the lookups.  Valid keywords are:
 

 

 

-
FILES

+
FILES

 

 /etc/resolv.conf
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 dig(1),
 host(1),
@@ -255,7 +255,7 @@ the lookups.  Valid keywords are:
 

 

 

-
Author

+
Author

 

 Andrew Cherenson
 

diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index ab9f370ee6..4abe59892f 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
dnssec-keygen — DNSSEC key generation tool

@@ -32,7 +32,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-g generator] [-h] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

         dnssec-keygen generates keys for DNSSEC
 	(Secure DNS), as defined in RFC 2535.  It can also generate
@@ -41,7 +41,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -133,7 +133,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

         When dnssec-keygen completes successfully,
 	it prints a string of the form Knnnn.+aaa+iiiii
@@ -177,7 +177,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

         To generate a 768-bit DSA key for the domain
 	example.com, the following command would be
@@ -199,7 +199,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-makekeyset(8),
       dnssec-signkey(8),
@@ -211,7 +211,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

         Internet Systems Consortium
     

diff --git a/bin/dnssec/dnssec-makekeyset.html b/bin/dnssec/dnssec-makekeyset.html
index b8b127093c..974fc5617f 100644
--- a/bin/dnssec/dnssec-makekeyset.html
+++ b/bin/dnssec/dnssec-makekeyset.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
dnssec-makekeyset — DNSSEC zone signing tool

@@ -32,7 +32,7 @@
 
dnssec-makekeyset  [-a] [-s start-time] [-e end-time] [-h] [-p] [-r randomdev] [-tttl] [-v level] {key...}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

         dnssec-makekeyset generates a key set from one
 	or more keys created by dnssec-keygen.  It creates
@@ -43,7 +43,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -111,7 +111,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

         The following command generates a keyset containing the DSA key for
 	example.com generated in the
@@ -135,7 +135,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-keygen(8),
       dnssec-signkey(8),
@@ -144,7 +144,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

         Internet Systems Consortium
     

diff --git a/bin/dnssec/dnssec-signkey.html b/bin/dnssec/dnssec-signkey.html
index 661d6a16bd..c3c69d8baf 100644
--- a/bin/dnssec/dnssec-signkey.html
+++ b/bin/dnssec/dnssec-signkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
dnssec-signkey — DNSSEC key set signing tool

@@ -32,7 +32,7 @@
 
dnssec-signkey  [-a] [-c class] [-s start-time] [-e end-time] [-h] [-p] [-r randomdev] [-v level] {keyset} {key...}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

         dnssec-signkey signs a keyset.  Typically
 	the keyset will be for a child zone, and will have been generated
@@ -43,7 +43,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -112,7 +112,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

         The DNS administrator for a DNSSEC-aware .com
 	zone would use the following command to sign the
@@ -131,7 +131,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-keygen(8),
       dnssec-makekeyset(8),
@@ -139,7 +139,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

         Internet Systems Consortium
     

diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index a454e8d143..601c304a7d 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
dnssec-signzone — DNSSEC zone signing tool

@@ -32,7 +32,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-s start-time] [-e end-time] [-f output-file] [-h] [-i interval] [-n nthreads] [-o origin] [-p] [-r randomdev] [-t] [-v level] {zonefile} [key...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 

         dnssec-signzone signs a zone.  It generates NXT
 	and SIG records and produces a signed version of the zone.  If there
@@ -45,7 +45,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -162,7 +162,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

         The following command signs the example.com
 	zone with the DSA key generated in the dnssec-keygen
@@ -186,7 +186,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-keygen(8),
       dnssec-signkey(8),
@@ -195,7 +195,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

         Internet Systems Consortium
     

diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index d9fc331bcf..4ec3db1142 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwresd — lightweight resolver daemon

@@ -32,7 +32,7 @@
 
lwresd  [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v]

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 	lwresd is the daemon providing name lookup
 	services to clients that use the BIND 9 lightweight resolver
@@ -67,7 +67,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-C config-file

 

@@ -159,7 +159,7 @@
 

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -172,7 +172,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 	named(8),
 	lwres(3),
@@ -180,7 +180,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

 	Internet Systems Consortium
     

diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index be9b0c01e9..95d4c23fe3 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -21,7 +21,7 @@
 
 
 

-

+

 

 
Name

 
named.conf — configuration file for named

@@ -31,7 +31,7 @@
 
named.conf 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 	named.conf is the configuration file for
 	named.  Statements are enclosed
@@ -50,14 +50,14 @@
     

 

 

-
ACL

+
ACL

 


 acl string { address_match_element; ... };

 

 

 

 

-
KEY

+
KEY

 


 key domain_name {

 	algorithm string;

@@ -66,7 +66,7 @@ key
 

 

 

-
SERVER

+
SERVER

 


 server ( ipv4_address | ipv6_address ) {

 	bogus boolean;

@@ -86,7 +86,7 @@ server
 

 

 

-
TRUSTED-KEYS

+
TRUSTED-KEYS

 


 trusted-keys {

 	domain_name flags protocol algorithm key; ... 

@@ -94,7 +94,7 @@ trusted-keys
 

 

 

-
CONTROLS

+
CONTROLS

 


 controls {

 	inet ( ipv4_address | ipv6_address | * )

@@ -106,7 +106,7 @@ controls
 

 

 

-
LOGGING

+
LOGGING

 


 logging {

 	channel string {

@@ -124,7 +124,7 @@ logging
 

 

 

-
LWRES

+
LWRES

 


 lwres {

 	listen-on [ port integer ] {

@@ -137,7 +137,7 @@ lwres
 

 

 

-
OPTIONS

+
OPTIONS

 


 options {

 	blackhole { address_match_element; ... };

@@ -251,7 +251,7 @@ options
 

 

 

-
VIEW

+
VIEW

 


 view string optional_class {

 	match-clients { address_match_element; ... };

@@ -348,7 +348,7 @@ view
 

 

 

-
ZONE

+
ZONE

 


 zone string optional_class {

 	type ( master | slave | stub | hint |

@@ -413,13 +413,13 @@ zone
 

 

 

-
FILES

+
FILES

 

 /etc/named.conf
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 named(8),
 rndc(8),
diff --git a/bin/named/named.html b/bin/named/named.html
index 6c99f3be94..e7da8cdf47 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
named — Internet domain name server

@@ -32,7 +32,7 @@
 
named  [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 	named is a Domain Name System (DNS) server,
 	part of the BIND 9 distribution from ISC.  For more
@@ -46,7 +46,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-c config-file

 

@@ -165,7 +165,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

 	In routine operation, signals should not be used to control
 	the nameserver; rndc should be used
@@ -186,7 +186,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

 	The named configuration file is too complex
 	to describe in detail here.  A complete description is
@@ -195,7 +195,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -208,7 +208,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 	RFC 1033,
 	RFC 1034,
@@ -220,7 +220,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

 	Internet Systems Consortium
     

diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 30dd81ad0d..eda6375ecc 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
nsupdate — Dynamic DNS update utility

@@ -32,7 +32,7 @@
 
nsupdate  [-d] [[-y keyname:secret] |  [-k keyfile]] [-v] [filename]

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 nsupdate
 is used to submit Dynamic DNS Update requests as defined in RFC2136
@@ -141,7 +141,7 @@ This may be preferable when a batch of update requests is made.
 

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 

 nsupdate
 reads input from
@@ -345,7 +345,7 @@ Lines beginning with a semicolon are comments and are ignored.
 

 

 

-
EXAMPLES

+
EXAMPLES

 

 The examples below show how
 nsupdate
@@ -398,7 +398,7 @@ SIG, KEY and NXT records.)
 

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -417,7 +417,7 @@ base-64 encoding of HMAC-MD5 key created by
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 RFC2136,
 RFC3007,
@@ -430,7 +430,7 @@ base-64 encoding of HMAC-MD5 key created by
 

 

 

-
BUGS

+
BUGS

 

 The TSIG key is redundantly stored in two separate files.
 This is a consequence of nsupdate using the DST library
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
index 0957daa844..efab84a527 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/rndc/rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
rndc-confgen — rndc key generation tool

@@ -32,7 +32,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 

         rndc-confgen generates configuration files
 	for rndc.  It can be used as a
@@ -48,7 +48,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -137,7 +137,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

         To allow rndc to be used with
 	no manual configuration, run
@@ -156,7 +156,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       rndc(8),
       rndc.conf(5),
@@ -165,7 +165,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

         Internet Systems Consortium
     

diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index 0f21a64bda..d2b3a8a693 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
rndc.conf — rndc configuration file

@@ -32,7 +32,7 @@
 
rndc.conf 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

         rndc.conf is the configuration file
 	for rndc, the BIND 9 name server control
@@ -105,7 +105,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
     options {
         default-server  localhost;
@@ -151,7 +151,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

         The name server must be configured to accept rndc connections and
 	to recognize the key specified in the rndc.conf
@@ -161,7 +161,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       rndc(8),
       rndc-confgen(8),
@@ -170,7 +170,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

         Internet Systems Consortium
     

diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 1b2d5f3707..0591bb5321 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
rndc — name server control utility

@@ -32,7 +32,7 @@
 
rndc  [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 

 

-
DESCRIPTION

+
DESCRIPTION

 

         rndc controls the operation of a name
 	server.  It supersedes the ndc utility
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-c config-file

 

@@ -123,7 +123,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 

         rndc does not yet support all the commands of
 	the BIND 8 ndc utility.
@@ -137,7 +137,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       rndc.conf(5),
       named(8),
@@ -147,7 +147,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 

         Internet Systems Consortium
     

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 9b7bff33d1..0cdfe6d7dd 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,17 +45,17 @@
 

 
Table of Contents

 

-
Scope of Document

-
Organization of This Document

-
Conventions Used in This Document

-
The Domain Name System (DNS)

+
Scope of Document

+
Organization of This Document

+
Conventions Used in This Document

+
The Domain Name System (DNS)

 

-
DNS Fundamentals

-
Domains and Domain Names

-
Zones

-
Authoritative Name Servers

-
Caching Name Servers

-
Name Servers in Multiple Roles

+
DNS Fundamentals

+
Domains and Domain Names

+
Zones

+
Authoritative Name Servers

+
Caching Name Servers

+
Name Servers in Multiple Roles

 

 

 

@@ -67,7 +67,7 @@
   hierarchical databases.

 

 

-Scope of Document

+Scope of Document

 
The Berkeley Internet Name Domain (BIND) implements an
     domain name server for a number of operating systems. This
     document provides basic information about the installation and
@@ -78,7 +78,7 @@
 

 

 

-Organization of This Document

+Organization of This Document

 
In this document, Section 1 introduces
     the basic DNS and BIND concepts. Section 2
     describes resource requirements for running BIND in various
@@ -103,7 +103,7 @@
 

 

 

-Conventions Used in This Document

+Conventions Used in This Document

 
In this document, we use the following general typographic
     conventions:

 

 
 


@@ -169,7 +169,7 @@ describe:

 
 

 

-The Domain Name System (DNS)

+The Domain Name System (DNS)

 
The purpose of this document is to explain the installation
 and upkeep of the BIND software package, and we
 begin by reviewing the fundamentals of the Domain Name System
@@ -177,7 +177,7 @@ begin by reviewing the fundamentals of the Domain Name System
 

 

 

-DNS Fundamentals

+DNS Fundamentals

 
The Domain Name System (DNS) is the hierarchical, distributed
 database.  It stores information for mapping Internet host names to IP
 addresses and vice versa, mail routing information, and other data
@@ -190,7 +190,7 @@ name server and a resolver library.

 
 

 

-Domains and Domain Names

+Domains and Domain Names

 
The data stored in the DNS is identified by domain
 names that are organized as a tree according to
 organizational or administrative boundaries. Each node of the tree,
@@ -227,7 +227,7 @@ the DNS protocol, please refer to the standards documents listed in
 
 

 

-Zones

+Zones

 
To properly operate a name server, it is important to understand
 the difference between a zone
 and a domain.

@@ -267,7 +267,7 @@ actually asking for slave service for some collection of zones.

 
 

 

-Authoritative Name Servers

+Authoritative Name Servers

 
Each zone is served by at least
 one authoritative name server,
 which contains the complete data for the zone.
@@ -280,7 +280,7 @@ easy to identify when debugging DNS configurations using tools like
 dig (the section called “Diagnostic Tools”).

 

 

-The Primary Master

+The Primary Master

 

 The authoritative server where the master copy of the zone data is maintained is
 called the primary master server, or simply the
@@ -291,7 +291,7 @@ the zone file or <
 
 

 

-Slave Servers

+Slave Servers

 
The other authoritative servers, the slave
 servers (also known as secondary servers) load
 the zone contents from another server using a replication process
@@ -302,7 +302,7 @@ may itself act as a master to a subordinate slave server.

 
 

 

-Stealth Servers

+Stealth Servers

 
Usually all of the zone's authoritative servers are listed in 
 NS records in the parent zone.  These NS records constitute
 a delegation of the zone from the parent.
@@ -327,7 +327,7 @@ with the outside world.

 
 

 

-Caching Name Servers

+Caching Name Servers

 
The resolver libraries provided by most operating systems are 
 stub resolvers, meaning that they are not capable of
 performing the full DNS resolution process by themselves by talking
@@ -346,7 +346,7 @@ Time To Live (TTL) field associated with each resource record.
 

 

 

-Forwarding

+Forwarding

 
Even a caching name server does not necessarily perform
 the complete recursive lookup itself.  Instead, it can
 forward some or all of the queries
@@ -369,7 +369,7 @@ of.

 
 

 

-Name Servers in Multiple Roles

+Name Servers in Multiple Roles

 
The BIND name server can simultaneously act as
 a master for some zones, a slave for other zones, and as a caching
 (recursive) server for a set of local clients.

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index a6811eca82..32edbb26e9 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,16 +45,16 @@
 

 
Table of Contents

 

-
Hardware requirements

-
CPU Requirements

-
Memory Requirements

-
Nameserver Intensive Environment Issues

-
Supported Operating Systems

+
Hardware requirements

+
CPU Requirements

+
Memory Requirements

+
Nameserver Intensive Environment Issues

+
Supported Operating Systems

 

 

 

 

-Hardware requirements

+Hardware requirements

 
DNS hardware requirements have traditionally been quite modest.
 For many installations, servers that have been pensioned off from
 active duty have performed admirably as DNS servers.

@@ -66,7 +66,7 @@ multiprocessor systems for installations that need it.

 
 

 

-CPU Requirements

+CPU Requirements

 
CPU requirements for BIND 9 range from i486-class machines
 for serving of static zones without caching, to enterprise-class
 machines if you intend to process many dynamic updates and DNSSEC
@@ -74,7 +74,7 @@ signed zones, serving many thousands of queries per second.

 
 

 

-Memory Requirements

+Memory Requirements

 
The memory of the server has to be large enough to fit the
 cache and zones loaded off disk.  The max-cache-size
 option can be used to limit the amount of memory used by the cache,
@@ -89,7 +89,7 @@ be set higher than this stable size.

 
 

 

-Nameserver Intensive Environment Issues

+Nameserver Intensive Environment Issues

 
For nameserver intensive environments, there are two alternative
 configurations that may be used. The first is where clients and
 any second-level internal nameservers query a main nameserver, which
@@ -103,7 +103,7 @@ as none of the nameservers share their cached data.

 
 

 

-Supported Operating Systems

+Supported Operating Systems

 
ISC BIND 9 compiles and runs on the following operating
 systems:

 

@@ -67,7 +67,7 @@ option setting.

 Sample Configurations
 

 

-A Caching-only Nameserver

+A Caching-only Nameserver

 
The following sample configuration is appropriate for a caching-only
 name server for use by clients internal to a corporation.  All queries
 from outside clients are refused.

@@ -91,7 +91,7 @@ zone "0.0.127.in-addr.arpa" {
 
 

 

-An Authoritative-only Nameserver

+An Authoritative-only Nameserver

 
This sample configuration is for an authoritative-only server
 that is the master server for "example.com"
 and a slave for the subdomain "eng.example.com".

@@ -133,7 +133,7 @@ zone "eng.example.com" {
 
 

 

-Load Balancing

+Load Balancing

 
Primitive load balancing can be achieved in DNS using multiple
 A records for one name.

 
For example, if you have three WWW servers with network addresses
@@ -208,10 +208,10 @@ of the time:

 
 

 

-Nameserver Operations

+Nameserver Operations

 

 

-Tools for Use With the Nameserver Daemon

+Tools for Use With the Nameserver Daemon

 
There are several indispensable diagnostic, administrative
 and monitoring tools available to the system administrator for controlling
 and debugging the nameserver daemon. We describe several in this
@@ -451,7 +451,7 @@ a rndc.key file and not modify
 
 

 

-Signals

+Signals

 
Certain UNIX signals cause the name server to take specific
 actions, as described in the following table.  These signals can
 be sent using the kill command.

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index ddf4714ca7..91357c763a 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,30 +48,30 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Creating a Keyset

-
Signing the Child's Keyset

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Creating a Keyset

+
Signing the Child's Keyset

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
@@ -150,7 +150,7 @@ of the server statement.

 
 

 

-Split DNS

+Split DNS

 
Setting up different views, or visibility, of DNS space to
 internal and external resolvers is usually referred to as a Split
 DNS setup. There are several reasons an organization
@@ -352,13 +352,13 @@ for TSIG.

     -y command line options.

 

 

-Generate Shared Keys for Each Pair of Hosts

+Generate Shared Keys for Each Pair of Hosts

 
A shared secret is generated to be shared between host1 and host2.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.

 

 

-Automatic Generation

+Automatic Generation

 
The following command will generate a 128 bit (16 byte) HMAC-MD5
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is 512 bits;
@@ -375,7 +375,7 @@ be used as the shared secret.

 
 

 

-Manual Generation

+Manual Generation

 
The shared secret is simply a random sequence of bits, encoded
 in base-64. Most ASCII strings are valid base-64 strings (assuming
 the length is a multiple of 4 and only valid characters are used),
@@ -386,13 +386,13 @@ a similar program to generate base-64 encoded data.

 
 

 

-Copying the Shared Secret to Both Machines

+Copying the Shared Secret to Both Machines

 
This is beyond the scope of DNS. A secure transport mechanism
 should be used. This could be secure FTP, ssh, telephone, etc.

 
 

 

-Informing the Servers of the Key's Existence

+Informing the Servers of the Key's Existence

 
Imagine host1 and host 2 are
 both servers. The following is added to each server's named.conf file:

 
@@ -413,7 +413,7 @@ the same key.

 
 

 

-Instructing the Server to Use the Key

+Instructing the Server to Use the Key

 
Since keys are shared between two hosts only, the server must
 be told when keys are to be used. The following is added to the named.conf file
 for host1, if the IP address of host2 is
@@ -436,7 +436,7 @@ sign request messages to host1.

 
 

 

-TSIG Key Based Access Control

+TSIG Key Based Access Control

 
BIND allows IP addresses and ranges to be specified in ACL
 definitions and
 allow-{ query | transfer | update } directives.
@@ -454,7 +454,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Errors

+Errors

 
The processing of TSIG signed messages can result in
       several errors. If a signed message is sent to a non-TSIG aware
       server, a FORMERR will be returned, since the server will not
@@ -476,7 +476,7 @@ allow-update { key host1-host2. ;};
 
 

 

-TKEY

+TKEY

 
TKEY is a mechanism for automatically
     generating a shared secret between two hosts.  There are several
     "modes" of TKEY that specify how the key is
@@ -502,7 +502,7 @@ allow-update { key host1-host2. ;};
 
 

 

-SIG(0)

+SIG(0)

 
BIND 9 partially supports DNSSEC SIG(0) transaction
     signatures as specified in RFC 2535.  SIG(0) uses public/private
     keys to authenticate messages.  Access control is performed in the
@@ -541,7 +541,7 @@ allow-update { key host1-host2. ;};
     zone key of another zone above this one in the DNS tree.

 

 

-Generating Keys

+Generating Keys

 
The dnssec-keygen program is used to
       generate keys.

 
A secure zone must contain one or more zone keys.  The
@@ -574,7 +574,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Creating a Keyset

+Creating a Keyset

 
The dnssec-makekeyset program is used
       to create a key set from one or more keys.

 
Once the zone keys have been generated, a key set must be
@@ -602,7 +602,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Child's Keyset

+Signing the Child's Keyset

 
The dnssec-signkey program is used to
       sign one child's keyset.

 
If the child.example zone has any
@@ -622,7 +622,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Zone

+Signing the Zone

 
The dnssec-signzone program is used to
       sign a zone.

 
Any signedkey files corresponding to
@@ -645,7 +645,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Configuring Servers

+Configuring Servers

 
Unlike in BIND 8, 
 data is not verified on load in BIND 9,
 so zone keys for authoritative zones do not need to be specified
@@ -657,7 +657,7 @@ statement, as described later in this document. 

 
 

 

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

 
BIND 9 fully supports all currently
     defined forms of IPv6 name to address and address to name
     lookups.  It will also use IPv6 addresses to make queries when
@@ -679,7 +679,7 @@ statement, as described later in this document. 

     see the section called “IPv6 addresses (A6)”.

 

 

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

 
The AAAA record is a parallel to the IPv4 A record.  It
       specifies the entire address in a single record.  For
       example,

@@ -690,7 +690,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 

 

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

 
When looking up an address in nibble format, the address
       components are simply reversed, just as in IPv4, and
       IP6.ARPA. is appended to the resulting name.
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 3e57cf1bf1..e72e2c28ac 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,13 +45,13 @@
 

 
Table of Contents

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 

 

 

-The Lightweight Resolver Library

+The Lightweight Resolver Library

 
Traditionally applications have been linked with a stub resolver
 library that sends recursive DNS queries to a local caching name
 server.

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index d7293de3ff..566262719d 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,44 +48,44 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
 Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and Usage

-
include Statement Grammar

-
include Statement Definition and Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
options Statement Grammar

-
options Statement Definition and Usage

+
include Statement Grammar

+
include Statement Definition and Usage

+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and Usage

+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
options Statement Grammar

+
options Statement Definition and Usage

 
server Statement Grammar

 
server Statement Definition and Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
 and Usage

-
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Grammar

+
view Statement Definition and Usage

 
zone
 Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 

 
 
@@ -224,7 +224,7 @@ are restricted to slave and stub zones.

 Address Match Lists
 

 

-Syntax

+Syntax

 
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -233,7 +233,7 @@ are restricted to slave and stub zones.

 
 

 

-Definition and Usage

+Definition and Usage

 
Address match lists are primarily used to determine access
 control for various server operations. They are also used to define
 priorities for querying other nameservers and to set the addresses
@@ -288,14 +288,14 @@ other 1.2.3.* hosts fall through.

 
 

 

-Comment Syntax

+Comment Syntax

 
The BIND 9 comment syntax allows for comments to appear
       anywhere that white space may appear in a BIND configuration
       file. To appeal to programmers of all kinds, they can be written
       in C, C++, or shell/perl constructs.

 

 

-Syntax

+Syntax

 
/* This is a BIND comment as in C */

 

 

@@ -308,7 +308,7 @@ other 1.2.3.* hosts fall through.

 
 

 

-Definition and Usage

+Definition and Usage

 
Comments may appear anywhere that whitespace may appear in
 a BIND configuration file.

 
C-style comments start with the two characters /* (slash,
@@ -417,7 +417,7 @@ a per-server basis.

     configuration.

 

 

-acl Statement Grammar

+acl Statement Grammar

 
acl acl-name { 
     address_match_list 
 };
@@ -470,7 +470,7 @@ complete set of local IPv6 addresses for a host.
 
 

 

-controls Statement Grammar

+controls Statement Grammar

 
controls {
    inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys {  key_list  };
@@ -568,12 +568,12 @@ statement: controls { };.
 
 

 

-include Statement Grammar

+include Statement Grammar

 
include filename;

 
 

 

-include Statement Definition and Usage

+include Statement Definition and Usage

 
The include statement inserts the
       specified file at the point that the include
       statement is encountered. The include
@@ -584,7 +584,7 @@ statement: controls { };.
 
 

 

-key Statement Grammar

+key Statement Grammar

 
key key_id {
     algorithm string;
     secret string;
@@ -593,7 +593,7 @@ statement: controls { };.
 
 

 

-key Statement Definition and Usage

+key Statement Definition and Usage

 
The key statement defines a shared
 secret key for use with TSIG, see the section called “TSIG”.

 

@@ -621,7 +621,7 @@ string.

 
 

 

-logging Statement Grammar

+logging Statement Grammar

 
logging {
    [ channel channel_name {
      ( file path name
@@ -645,7 +645,7 @@ string.

 
 

 

-logging Statement Definition and Usage

+logging Statement Definition and Usage

 
The logging statement configures a wide
 variety of logging options for the nameserver. Its channel phrase
 associates output methods, format options and severity levels with
@@ -668,7 +668,7 @@ channels, or to standard error if the "-g" option
 was specified.

 

 

-The channel Phrase

+The channel Phrase

 
All log output goes to one or more channels;
 you can make as many of them as you want.

 
Every channel definition must include a destination clause that
@@ -963,7 +963,7 @@ a delegation-only in a hint or stu
 
 

 

-lwres Statement Grammar

+lwres Statement Grammar

 
 This is the grammar of the lwres
 statement in the named.conf file:

 
lwres {
@@ -976,7 +976,7 @@ statement in the named.conf file:

 
 

 

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

 
The lwres statement configures the name
 server to also act as a lightweight resolver server, see
 the section called “Running a Resolver Daemon”.  There may be be multiple
@@ -1004,7 +1004,7 @@ exact match lookup before search path elements are appended.

 
 

 

-options Statement Grammar

+options Statement Grammar

 
This is the grammar of the options
 statement in the named.conf file:

 
options {
@@ -1102,7 +1102,7 @@ statement in the named.conf file:

 
 

 

-options Statement Definition and Usage

+options Statement Definition and Usage

 
The options statement sets up global options
 to be used by BIND. This statement may appear only
 once in a configuration file. If more than one occurrence is found,
@@ -1453,7 +1453,7 @@ The use of this option for any other purpose is discouraged.
 
 

 

-Forwarding

+Forwarding

 
The forwarding facility can be used to create a large site-wide
 cache on a few servers, reducing traffic over links to external
 nameservers. It can also be used to allow queries by servers that
@@ -1530,7 +1530,7 @@ from these addresses will not be responded to. The default is 
 

-Interfaces

+Interfaces
 
The interfaces and ports that the server will answer queries
 from may be specified using the listen-on option. listen-on takes
 an optional port, and an address_match_list.
@@ -1572,7 +1572,7 @@ the server will not listen on any IPv6 address.

 
 

 

-Query Address

+Query Address

 
If the server doesn't know the answer to a question, it will
 query other nameservers. query-source specifies
 the address and port used for such queries. For queries sent over
@@ -1734,7 +1734,7 @@ but applies to notify messages sent to IPv6 addresses.

 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 
The server's usage of many system resources can be limited.
 Scaled values are allowed when specifying resource limits.  For
 example, 1G can be used instead of
@@ -1778,7 +1778,7 @@ may use. The default is default.

 
 

 

-Server  Resource Limits

+Server  Resource Limits

 
The following options set limits on the server's
 resource consumption that are enforced internally by the
 server rather than the operating system.

@@ -1811,7 +1811,7 @@ records are purged from the cache only when their TTLs expire.
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 
The server will remove expired resource records
@@ -2267,7 +2267,7 @@ supported.

 

 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -2276,7 +2276,7 @@ supported.

 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
 and Usage

 
The trusted-keys statement defines DNSSEC
 security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the public key for a non-authoritative
@@ -2292,7 +2292,7 @@ key data.

 

 

 

-view Statement Grammar

+view Statement Grammar

 
view view_name [class] {
       match-clients { address_match_list } ;
       match-destinations { address_match_list } ;
@@ -2305,7 +2305,7 @@ key data.

 
 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 
The view statement is a powerful new feature
 of BIND 9 that lets a name server answer a DNS query differently
 depending on who is asking. It is particularly useful for implementing
@@ -2488,10 +2488,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 
@@ -2602,7 +2602,7 @@ from forwarders.

 
 

 

-Class

+Class

 
The zone's name may optionally be followed by a class. If
 a class is not specified, class IN (for Internet),
 is assumed. This is correct for the vast majority of cases.

@@ -2617,7 +2617,7 @@ in the mid-1970s. Zone data for it can be specified with the 
 

-Zone Options

+Zone Options
 

 
allow-notify

 
See the description of
@@ -2833,7 +2833,7 @@ SIG, NS, SOA, and NXT. Types may be specified by name, including
 

 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -2843,7 +2843,7 @@ Since the publication of RFC 1034, several new RRs have been identified
 and implemented in the DNS. These are also included.

 

 

-Resource Records

+Resource Records

 
A domain name identifies a node.  Each node has a set of
         resource information, which may be empty.  The set of resource
         information associated with a particular name is composed of
@@ -3118,7 +3118,7 @@ used as "pointers" to other data in the DNS.

 
 

 

-Textual expression of RRs

+Textual expression of RRs

 
RRs are represented in binary form in the packets of the DNS
 protocol, and are usually represented in highly encoded form when
 stored in a nameserver or resolver.  In the examples provided in
@@ -3208,7 +3208,7 @@ each of a different class.

 
 

 

-Discussion of MX Records

+Discussion of MX Records

 
As described above, domain servers store information as a
 series of resource records, each of which contains a particular
 piece of information about a given domain name (which is usually,
@@ -3325,7 +3325,7 @@ can be explicitly specified, for example, 1h30m. 
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 
Reverse name resolution (that is, translation from IP address
 to name) is achieved by means of the in-addr.arpa domain
 and PTR records. Entries in the in-addr.arpa domain are made in
@@ -3363,7 +3363,7 @@ that the example is relative to the listed origin.

 
 

 

-Other Zone File Directives

+Other Zone File Directives

 
The Master File Format was initially defined in RFC 1035 and
 has subsequently been extended. While the Master File Format itself
 is class independent all records in a Master File must be of the same
@@ -3372,7 +3372,7 @@ class.

 and $TTL.

 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 
Syntax: $ORIGIN
 domain-name [ comment]

 
$ORIGIN sets the domain name that will
@@ -3387,7 +3387,7 @@ WWW     CNAME   MAIN-SERVER
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 
Syntax: $INCLUDE
 filename [
 origin ] [ comment ]

@@ -3411,7 +3411,7 @@ This could be construed as a deviation from RFC 1035, a feature, or both.
 
 

 

-The $TTL Directive

+The $TTL Directive

 
Syntax: $TTL
 default-ttl [
 comment ]

@@ -3422,7 +3422,7 @@ with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.

 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 
Syntax: $GENERATE range lhs type rhs [ comment ]

 
$GENERATE is used to create a series of
 resource records that only differ from each other by an iterator. $GENERATE can
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 8d9905d971..a758b9aab9 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,11 +46,11 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid (for
+
chroot and setuid (for
 UNIX servers)

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -100,7 +100,7 @@ see the AUSCERT advisory at
 
 

 

-chroot and setuid (for
+chroot and setuid (for
 UNIX servers)

 
On UNIX servers, it is possible to run BIND in a chrooted environment
 (chroot()) by specifying the "-t"
@@ -115,7 +115,7 @@ user 202:

 
/usr/local/bin/named -u 202 -t /var/named

 

 

-The chroot Environment

+The chroot Environment

 
In order for a chroot() environment to
 work properly in a particular directory
 (for example, /var/named),
@@ -140,7 +140,7 @@ to set up things like
 
 

 

-Using the setuid Function

+Using the setuid Function

 
Prior to running the named daemon, use
 the touch utility (to change file access and
 modification times) or the chown utility (to
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index a3003e5d55..b9364d7263 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 
The best solution to solving installation and
       configuration issues is to take preventative measures by setting
       up logging files beforehand. The log files provide a
@@ -66,7 +66,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 
Zone serial numbers are just numbers-they aren't date
     related.  A lot of people set them to a number that represents a
     date, usually of the form YYYYMMDDRR. A number of people have been
@@ -87,7 +87,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 
The Internet Software Consortium (ISC) offers a wide range
     of support and service agreements for BIND and DHCP servers. Four
     levels of premium support are available and each level includes
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 17205d8605..2acd53e28e 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -43,26 +43,26 @@
 

 
Table of Contents

 

-
Acknowledgements

-
A Brief History of the DNS and BIND

+
Acknowledgements

+
A Brief History of the DNS and BIND

 
Historical DNS Information

 
Classes of Resource Records

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (A6)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgements

+Acknowledgements

 

 

-A Brief History of the DNS and BIND

+A Brief History of the DNS and BIND

 
Although the "official" beginning of the Domain Name
       System occurred in 1984 with the publication of RFC 920, the
       core of the new system was described in 1983 in RFCs 882 and
@@ -122,7 +122,7 @@ individuals.

 Classes of Resource Records
 

 

-HS = hesiod

+HS = hesiod

 
The [hesiod] class is an information service
 developed by MIT's Project Athena. It is used to share information
 about various systems databases, such as users, groups, printers
@@ -131,7 +131,7 @@ hesiod.

 
 

 

-CH = chaos

+CH = chaos

 
The chaos class is used to specify zone
 data for the MIT-developed CHAOSnet, a LAN protocol created in the
 mid-1970s.

@@ -140,7 +140,7 @@ mid-1970s.

 
 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (A6)

@@ -320,7 +320,7 @@ the number of the RFC). RFCs are also available via the Web at
 

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -420,11 +420,11 @@ after which they are deleted unless updated by their authors.
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 3d33187e10..86a30cd5b5 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -40,7 +40,7 @@
 

 

 

-BIND 9 Administrator Reference Manual

+BIND 9 Administrator Reference Manual

 
Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC")

 
Copyright © 2000-2003 Internet Software Consortium.

 

@@ -51,40 +51,40 @@
 

 
1. Introduction 

 

-
Scope of Document

-
Organization of This Document

-
Conventions Used in This Document

-
The Domain Name System (DNS)

+
Scope of Document

+
Organization of This Document

+
Conventions Used in This Document

+
The Domain Name System (DNS)

 

-
DNS Fundamentals

-
Domains and Domain Names

-
Zones

-
Authoritative Name Servers

-
Caching Name Servers

-
Name Servers in Multiple Roles

+
DNS Fundamentals

+
Domains and Domain Names

+
Zones

+
Authoritative Name Servers

+
Caching Name Servers

+
Name Servers in Multiple Roles

 

 

 
2. BIND Resource Requirements

 

-
Hardware requirements

-
CPU Requirements

-
Memory Requirements

-
Nameserver Intensive Environment Issues

-
Supported Operating Systems

+
Hardware requirements

+
CPU Requirements

+
Memory Requirements

+
Nameserver Intensive Environment Issues

+
Supported Operating Systems

 

 
3. Nameserver Configuration

 

 
Sample Configurations

 

-
A Caching-only Nameserver

-
An Authoritative-only Nameserver

+
A Caching-only Nameserver

+
An Authoritative-only Nameserver

 

-
Load Balancing

+
Load Balancing

 
Notify

-
Nameserver Operations

+
Nameserver Operations

 

-
Tools for Use With the Nameserver Daemon

-
Signals

+
Tools for Use With the Nameserver Daemon

+
Signals

 

 

 
4. Advanced Concepts

@@ -92,35 +92,35 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Creating a Keyset

-
Signing the Child's Keyset

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Creating a Keyset

+
Signing the Child's Keyset

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 

 
5. The BIND 9 Lightweight Resolver

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 
6. BIND 9 Configuration Reference

@@ -128,77 +128,77 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
 Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and Usage

-
include Statement Grammar

-
include Statement Definition and Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
options Statement Grammar

-
options Statement Definition and Usage

+
include Statement Grammar

+
include Statement Definition and Usage

+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and Usage

+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
options Statement Grammar

+
options Statement Definition and Usage

 
server Statement Grammar

 
server Statement Definition and Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
 and Usage

-
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Grammar

+
view Statement Definition and Usage

 
zone
 Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid (for
+
chroot and setuid (for
 UNIX servers)

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgements

-
A Brief History of the DNS and BIND

+
Acknowledgements

+
A Brief History of the DNS and BIND

 
Historical DNS Information

 
Classes of Resource Records

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (A6)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
index bf6c96e05a..1718f4caa7 100644
--- a/lib/lwres/man/lwres.html
+++ b/lib/lwres/man/lwres.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres — introduction to the lightweight resolver library

@@ -32,7 +32,7 @@
 
#include <lwres/lwres.h>

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 The BIND 9 lightweight resolver library is a simple, name service
 independent stub resolver library.  It provides hostname-to-address
@@ -47,7 +47,7 @@ UDP-based protocol.
 

 

 

-
OVERVIEW

+
OVERVIEW

 

 The lwresd library implements multiple name service APIs.
 The standard
@@ -101,7 +101,7 @@ and servers is outlined in the following sections.
 

 

 

-
CLIENT-SIDE LOW-LEVEL API CALL FLOW

+
CLIENT-SIDE LOW-LEVEL API CALL FLOW

 

 When a client program wishes to make an lwres request using the
 native low-level API, it typically performs the following 
@@ -147,7 +147,7 @@ packet specific information contained in the body.
 

 

 

-
SERVER-SIDE LOW-LEVEL API CALL FLOW

+
SERVER-SIDE LOW-LEVEL API CALL FLOW

 

 When implementing the server side of the lightweight resolver
 protocol using the lwres library, a sequence of actions like the
@@ -188,7 +188,7 @@ set.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 lwres_gethostent(3),
 
diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html
index 7c8e8e9135..5e2266e9e7 100644
--- a/lib/lwres/man/lwres_buffer.html
+++ b/lib/lwres/man/lwres_buffer.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem — lightweight resolver buffer management

@@ -249,7 +249,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 These functions provide bounds checked access to a region of memory
 where data is being read or written.
diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html
index cb42b163c8..78d7597c42 100644
--- a/lib/lwres/man/lwres_config.html
+++ b/lib/lwres/man/lwres_config.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get — lightweight resolver configuration

@@ -88,7 +88,7 @@ lwres_conf_t *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_conf_init()
 creates an empty
@@ -125,7 +125,7 @@ to the
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 lwres_conf_parse()
 returns
@@ -150,14 +150,14 @@ If this happens, the function returns
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 stdio(3),
 resolver(5).
 

 

 

-
FILES

+
FILES

 

 /etc/resolv.conf
 

diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html
index 03de10cb08..221ef224e9 100644
--- a/lib/lwres/man/lwres_context.html
+++ b/lib/lwres/man/lwres_context.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv — lightweight resolver context management

@@ -160,7 +160,7 @@ void *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_context_create()
 creates a
@@ -290,7 +290,7 @@ returned in
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 lwres_context_create()
 returns
@@ -321,7 +321,7 @@ times out waiting for a response.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 lwres_conf_init(3),
 
diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html
index 7a38a551a3..1b33532de3 100644
--- a/lib/lwres/man/lwres_gabn.html
+++ b/lib/lwres/man/lwres_gabn.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free — lightweight resolver getaddrbyname message handling

@@ -164,7 +164,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 These are low-level routines for creating and parsing
 lightweight resolver name-to-address lookup request and 
@@ -279,7 +279,7 @@ structures is also discarded.
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 The getaddrbyname opcode functions
 lwres_gabnrequest_render(), 
@@ -317,7 +317,7 @@ indicate that the packet is not a response to an earlier query.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 lwres_packet(3
 )
diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html
index 2c7f2633ad..ed73b3b4ae 100644
--- a/lib/lwres/man/lwres_gai_strerror.html
+++ b/lib/lwres/man/lwres_gai_strerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
gai_strerror — print suitable error string

@@ -37,7 +37,7 @@ char *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_gai_strerror()
 returns an error message corresponding to an error code returned by
@@ -109,7 +109,7 @@ used by
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 strerror(3),
 
diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html
index b99977a950..fb2b0fc4c5 100644
--- a/lib/lwres/man/lwres_getaddrinfo.html
+++ b/lib/lwres/man/lwres_getaddrinfo.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_getaddrinfo, lwres_freeaddrinfo — socket address structure to host and service name

@@ -87,7 +87,7 @@ struct  addrinfo {
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_getaddrinfo()
 is used to get a list of IP addresses and port numbers for host
@@ -284,7 +284,7 @@ created by a call to
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 lwres_getaddrinfo()
 returns zero on success or one of the error codes listed in
@@ -304,7 +304,7 @@ returns
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 lwres(3),
 
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html
index ec742d2af2..0f2214f648 100644
--- a/lib/lwres/man/lwres_gethostent.html
+++ b/lib/lwres/man/lwres_gethostent.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r — lightweight resolver get network host entry

@@ -187,7 +187,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 These functions provide hostname-to-address and
 address-to-hostname lookups by means of the lightweight resolver.
@@ -324,7 +324,7 @@ calls to lwres_gethostbyaddr_r() return
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 The functions
 lwres_gethostbyname(),
@@ -391,7 +391,7 @@ hostent.  If buf was too small, b
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 gethostent(3),
 
@@ -402,7 +402,7 @@ hostent.  If buf was too small, b
 

 

 

-
BUGS

+
BUGS

 

 lwres_gethostbyname(),
 lwres_gethostbyname2(),
diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html
index 08b4903e8f..b6a9469e83 100644
--- a/lib/lwres/man/lwres_getipnode.html
+++ b/lib/lwres/man/lwres_getipnode.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent — lightweight resolver nodename / address translation API

@@ -92,7 +92,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 These functions perform thread safe, protocol independent
 nodename-to-address and address-to-nodename 
@@ -233,7 +233,7 @@ structure itself.
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 If an error occurs,
 lwres_getipnodebyname()
@@ -279,7 +279,7 @@ translates these error codes to suitable error messages.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 RFC2553,
 
diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html
index d3b11704c2..92eb47869f 100644
--- a/lib/lwres/man/lwres_getnameinfo.html
+++ b/lib/lwres/man/lwres_getnameinfo.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_getnameinfo — lightweight resolver socket address structure to hostname and service name

@@ -74,7 +74,7 @@ int
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 
 This function is equivalent to the getnameinfo(3) function defined in RFC2133.
 lwres_getnameinfo() returns the hostname for the
 struct sockaddr sa which is
@@ -125,14 +125,14 @@ TCP.
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 lwres_getnameinfo()
 returns 0 on success or a non-zero error code if an error occurs.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 RFC2133,
 getservbyport(3),
@@ -143,7 +143,7 @@ returns 0 on success or a non-zero error code if an error occurs.
 

 

 

-
BUGS

+
BUGS

 

 RFC2133 fails to define what the nonzero return values of
 getnameinfo(3)
diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html
index 7cb14617d3..672e9406ac 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/lib/lwres/man/lwres_getrrsetbyname.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_getrrsetbyname, lwres_freerrset — retrieve DNS records

@@ -95,7 +95,7 @@ struct  rrsetinfo {
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_getrrsetbyname()
 gets a set of resource records associated with a
@@ -172,7 +172,7 @@ created by a call to
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 lwres_getrrsetbyname()
 returns zero on success, and one of the following error
@@ -208,7 +208,7 @@ other failure
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 lwres(3).
 

diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html
index aa257aeaa1..9a7fec77f3 100644
--- a/lib/lwres/man/lwres_gnba.html
+++ b/lib/lwres/man/lwres_gnba.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free — lightweight resolver getnamebyaddress message handling

@@ -172,7 +172,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 These are low-level routines for creating and parsing
 lightweight resolver address-to-name lookup request and 
@@ -277,7 +277,7 @@ structures is also discarded.
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 The getnamebyaddr opcode functions
 lwres_gnbarequest_render(),
@@ -315,7 +315,7 @@ indicate that the packet is not a response to an earlier query.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 lwres_packet(3).
 

diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html
index 77e2a508bc..4618947439 100644
--- a/lib/lwres/man/lwres_hstrerror.html
+++ b/lib/lwres/man/lwres_hstrerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_herror, lwres_hstrerror — lightweight resolver error message generation

@@ -40,7 +40,7 @@ const char *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_herror() prints the string
 s on stderr followed by the string
@@ -79,7 +79,7 @@ the error codes and messages are as follows:
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 The string Unknown resolver error is returned by
 lwres_hstrerror()
@@ -89,7 +89,7 @@ is not a valid error code.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 herror(3),
 
diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html
index a4994eddc6..34bfd963f5 100644
--- a/lib/lwres/man/lwres_inetntop.html
+++ b/lib/lwres/man/lwres_inetntop.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_net_ntop — lightweight resolver IP address presentation

@@ -59,7 +59,7 @@ const char *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_net_ntop() converts an IP address of
 protocol family af — IPv4 or IPv6 —
@@ -75,7 +75,7 @@ ASCII representation of the address.
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 If successful, the function returns dst:
 a pointer to a string containing the presentation format of the
@@ -87,7 +87,7 @@ supported.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 RFC1884,
 inet_ntop(3),
diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html
index 36f2ca3882..6e8db7a6b9 100644
--- a/lib/lwres/man/lwres_noop.html
+++ b/lib/lwres/man/lwres_noop.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free — lightweight resolver no-op message handling

@@ -165,7 +165,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 These are low-level routines for creating and parsing
 lightweight resolver no-op request and response messages.
@@ -246,7 +246,7 @@ structures referenced via structp.
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 The no-op opcode functions
 lwres_nooprequest_render(),
@@ -285,7 +285,7 @@ indicate that the packet is not a response to an earlier query.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 lwres_packet(3
 )
diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html
index 5621a49fba..981a0ad24d 100644
--- a/lib/lwres/man/lwres_packet.html
+++ b/lib/lwres/man/lwres_packet.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_lwpacket_renderheader, lwres_lwpacket_parseheader — lightweight resolver packet handling functions

@@ -64,7 +64,7 @@ lwres_result_t
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 These functions rely on a
 struct lwres_lwpacket
@@ -202,7 +202,7 @@ buffer *b to resolver packet
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
 Successful calls to
 lwres_lwpacket_renderheader() and
 lwres_lwpacket_parseheader() return
diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html
index 62d181c85f..694907b939 100644
--- a/lib/lwres/man/lwres_resutil.html
+++ b/lib/lwres/man/lwres_resutil.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr — lightweight resolver utility functions

@@ -124,7 +124,7 @@ lwres_result_t
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 lwres_string_parse() retrieves a DNS-encoded
 string starting the current pointer of lightweight resolver buffer
@@ -200,7 +200,7 @@ is made available through *structp.
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 

 Successful calls to
 lwres_string_parse()
@@ -244,7 +244,7 @@ small.
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 lwres_buffer(3),
 

From 52ece689e0265f9a3e518de5b2539e749f6d35ac Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 23 Apr 2006 10:14:12 +0000
Subject: [PATCH 153/465] regen

---
 bin/check/named-checkconf.html          |  12 +-
 bin/check/named-checkzone.html          |  12 +-
 bin/dig/dig.html                        |  20 ++--
 bin/dig/host.html                       |  10 +-
 bin/dig/nslookup.html                   |  16 +--
 bin/dnssec/dnssec-keygen.html           |  14 +--
 bin/dnssec/dnssec-signzone.8            |  25 +++-
 bin/dnssec/dnssec-signzone.html         |  35 ++++--
 bin/named/lwresd.html                   |  14 +--
 bin/named/named.conf.html               |  32 +++---
 bin/named/named.html                    |  16 +--
 bin/nsupdate/nsupdate.html              |  16 +--
 bin/rndc/rndc-confgen.html              |  12 +-
 bin/rndc/rndc.conf.html                 |  12 +-
 bin/rndc/rndc.html                      |  12 +-
 doc/arm/Bv9ARM.ch01.html                |  50 ++++----
 doc/arm/Bv9ARM.ch02.html                |  22 ++--
 doc/arm/Bv9ARM.ch03.html                |  26 ++---
 doc/arm/Bv9ARM.ch04.html                |  66 +++++------
 doc/arm/Bv9ARM.ch05.html                |   6 +-
 doc/arm/Bv9ARM.ch06.html                | 136 +++++++++++-----------
 doc/arm/Bv9ARM.ch07.html                |  14 +--
 doc/arm/Bv9ARM.ch08.html                |  18 +--
 doc/arm/Bv9ARM.ch09.html                |  18 +--
 doc/arm/Bv9ARM.html                     | 144 ++++++++++++------------
 doc/arm/man.dig.html                    |  20 ++--
 doc/arm/man.dnssec-keygen.html          |  14 +--
 doc/arm/man.dnssec-signzone.html        |  33 ++++--
 doc/arm/man.host.html                   |  10 +-
 doc/arm/man.named-checkconf.html        |  12 +-
 doc/arm/man.named-checkzone.html        |  12 +-
 doc/arm/man.named.html                  |  16 +--
 doc/arm/man.rndc-confgen.html           |  12 +-
 doc/arm/man.rndc.conf.html              |  12 +-
 doc/arm/man.rndc.html                   |  12 +-
 lib/lwres/man/lwres.html                |  14 +--
 lib/lwres/man/lwres_buffer.html         |   6 +-
 lib/lwres/man/lwres_config.html         |  12 +-
 lib/lwres/man/lwres_context.html        |  10 +-
 lib/lwres/man/lwres_gabn.html           |  10 +-
 lib/lwres/man/lwres_gai_strerror.html   |   8 +-
 lib/lwres/man/lwres_getaddrinfo.html    |  10 +-
 lib/lwres/man/lwres_gethostent.html     |  12 +-
 lib/lwres/man/lwres_getipnode.html      |  10 +-
 lib/lwres/man/lwres_getnameinfo.html    |  12 +-
 lib/lwres/man/lwres_getrrsetbyname.html |  10 +-
 lib/lwres/man/lwres_gnba.html           |  10 +-
 lib/lwres/man/lwres_hstrerror.html      |  10 +-
 lib/lwres/man/lwres_inetntop.html       |  10 +-
 lib/lwres/man/lwres_noop.html           |  10 +-
 lib/lwres/man/lwres_packet.html         |   8 +-
 lib/lwres/man/lwres_resutil.html        |  10 +-
 52 files changed, 570 insertions(+), 513 deletions(-)

diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index dbd7374b40..ce2b7b435e 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -32,14 +32,14 @@
 
named-checkconf  [-v] [-j] [-t directory] {filename} [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -70,20 +70,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 5d10c79225..7e7c128a2d 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -33,7 +33,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -53,7 +53,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -233,21 +233,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index b0d611187f..c33abbc585 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -34,7 +34,7 @@
 
dig  [global-queryopt...] [query...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -73,7 +73,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -119,7 +119,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -219,7 +219,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -538,7 +538,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -584,7 +584,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -598,14 +598,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -613,7 +613,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/bin/dig/host.html b/bin/dig/host.html
index 6dcb171598..1cc092d875 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -32,7 +32,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -184,7 +184,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -198,12 +198,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index 2090334337..bbd9c11b2c 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -21,7 +21,7 @@
 
 
 

-

+

 

 
Name

 
nslookup — query Internet name servers interactively

@@ -31,7 +31,7 @@
 
nslookup  [-option] [name | -] [server]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
Nslookup
       is a program to query Internet domain name servers.  Nslookup
       has two modes: interactive and non-interactive.  Interactive mode allows
@@ -43,7 +43,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

       Interactive mode is entered in the following cases:
       

@@ -76,7 +76,7 @@ nslookup -query=hinfo  -timeout=10
     

 

 

-
INTERACTIVE COMMANDS

+
INTERACTIVE COMMANDS

 

 
host [server]

 

@@ -288,19 +288,19 @@ nslookup -query=hinfo  -timeout=10
 

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       host(1),
       named(8).
     

 

 

-
Author

+
Author

 

       Andrew Cherenson
     

diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index b7420f7da2..8ec86a46ec 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -32,7 +32,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -40,7 +40,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -148,7 +148,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -194,7 +194,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -215,7 +215,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -224,7 +224,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index aaab46d330..d86d2a331c 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.40 2005/10/13 03:13:57 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.41 2006/04/23 10:14:12 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -30,7 +30,7 @@
 dnssec\-signzone \- DNSSEC zone signing tool
 .SH "SYNOPSIS"
 .HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-n\ \fR\fB\fInthreads\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-signzone\fR
@@ -110,6 +110,25 @@ Signature lifetime jitter also to some extent benefits validators and servers by
 \-n \fIncpus\fR
 Specifies the number of threads to use. By default, one thread is started for each detected CPU.
 .TP
+\-N \fIsoa\-serial\-format\fR
+The SOA serial number format of the signed zone. Possible formats are
+\fB"keep"\fR
+(default),
+\fB"increment"\fR
+and
+\fB"unixtime"\fR.
+.RS
+.TP
+\fB"keep"\fR
+Do not modify the SOA serial number.
+.TP
+\fB"increment"\fR
+Increment the SOA serial number using RFC 1982 arithmetics.
+.TP
+\fB"unixtime"\fR
+Set the SOA serial number to the number of seconds since epoch.
+.RE
+.TP
 \-o \fIorigin\fR
 The zone origin. If not specified, the name of the zone file is assumed to be the origin.
 .TP
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index fa8aa82ab4..74e4cbcda2 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -1,5 +1,5 @@
 
-
+
 
 
 
@@ -29,10 +29,10 @@
 

 

 
Synopsis

-
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-n nthreads] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

+
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -165,6 +165,25 @@
             Specifies the number of threads to use.  By default, one
             thread is started for each detected CPU.
           

+
-N soa-serial-format

+

+

+            The SOA serial number format of the signed zone.
+	    Possible formats are "keep" (default),
+            "increment" and
+	    "unixtime".
+          

+

+
"keep"

+
Do not modify the SOA serial number.

+
"increment"

+
Increment the SOA serial number using RFC 1982
+                      arithmetics.

+
"unixtime"

+
Set the SOA serial number to the number of seconds
+	        since epoch.

+

+

 
-o origin

 

             The zone origin.  If not specified, the name of the zone file
@@ -220,7 +239,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -246,14 +265,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index c1e04a9919..ade92711e2 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwresd — lightweight resolver daemon

@@ -32,7 +32,7 @@
 
lwresd  [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
lwresd
       is the daemon providing name lookup
       services to clients that use the BIND 9 lightweight resolver
@@ -67,7 +67,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-C config-file

 

@@ -159,7 +159,7 @@
 

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -172,14 +172,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       lwres(3),
       resolver(5).
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 462571b276..d07e1e7740 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -21,7 +21,7 @@
 
 
 

-

+

 

 
Name

 
named.conf — configuration file for named

@@ -31,7 +31,7 @@
 
named.conf 

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named.conf is the configuration file
       for
       named.  Statements are enclosed
@@ -50,14 +50,14 @@
     

 

 

-
ACL

+
ACL

 


 acl string { address_match_element; ... };

 

 

 

 

-
KEY

+
KEY

 


 key domain_name {

 	algorithm string;

@@ -66,7 +66,7 @@ key
 

 

 

-
MASTERS

+
MASTERS

 


 masters string [ port integer ] {
masters | ipv4_address [port integer] |

@@ -75,7 +75,7 @@ masters
 

 

 

-
SERVER

+
SERVER

 


 server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {

 	bogus boolean;

@@ -97,7 +97,7 @@ server
 

 

 

-
TRUSTED-KEYS

+
TRUSTED-KEYS

 


 trusted-keys {

 	domain_name flags protocol algorithm key; ... 

@@ -105,7 +105,7 @@ trusted-keys
 

 

 

-
CONTROLS

+
CONTROLS

 


 controls {

 	inet ( ipv4_address | ipv6_address | * )

@@ -117,7 +117,7 @@ controls
 

 

 

-
LOGGING

+
LOGGING

 


 logging {

 	channel string {

@@ -135,7 +135,7 @@ logging
 

 

 

-
LWRES

+
LWRES

 


 lwres {

 	listen-on [ port integer ] {

@@ -148,7 +148,7 @@ lwres
 

 

 

-
OPTIONS

+
OPTIONS

 


 options {

 	avoid-v4-udp-ports { port; ... };

@@ -312,7 +312,7 @@ options
 

 

 

-
VIEW

+
VIEW

 


 view string optional_class {

 	match-clients { address_match_element; ... };

@@ -451,7 +451,7 @@ view
 

 

 

-
ZONE

+
ZONE

 


 zone string optional_class {

 	type ( master | slave | stub | hint |

@@ -535,12 +535,12 @@ zone
 

 

 

-
FILES

+
FILES

 
/etc/named.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       rndc(8),
       BIND 9 Administrator Reference Manual.
diff --git a/bin/named/named.html b/bin/named/named.html
index fcad28c847..a60897cc07 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -32,7 +32,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -47,7 +47,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -180,7 +180,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -201,7 +201,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -210,7 +210,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -223,7 +223,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -234,7 +234,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 0b798c4729..554d7bc843 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
nsupdate — Dynamic DNS update utility

@@ -32,7 +32,7 @@
 
nsupdate  [-d] [[-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-v] [filename]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -153,7 +153,7 @@
     

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -343,7 +343,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -397,7 +397,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -416,7 +416,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC2136,
       RFC3007,
       RFC2104,
@@ -429,7 +429,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
index 3f576d35f1..852086ea90 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/rndc/rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -32,7 +32,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -48,7 +48,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -155,7 +155,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -172,7 +172,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -180,7 +180,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index 8ef1809aef..2c5a5e73aa 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -32,7 +32,7 @@
 
rndc.conf 

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -117,7 +117,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -191,7 +191,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -201,7 +201,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -209,7 +209,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 3f671a9b7a..927c9f9778 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -32,7 +32,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -134,7 +134,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -148,7 +148,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -157,7 +157,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index a9b6409408..02589fec3a 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,17 +45,17 @@
 

 
Table of Contents

 

-
Scope of Document

-
Organization of This Document

-
Conventions Used in This Document

-
The Domain Name System (DNS)

+
Scope of Document

+
Organization of This Document

+
Conventions Used in This Document

+
The Domain Name System (DNS)

 

-
DNS Fundamentals

-
Domains and Domain Names

-
Zones

-
Authoritative Name Servers

-
Caching Name Servers

-
Name Servers in Multiple Roles

+
DNS Fundamentals

+
Domains and Domain Names

+
Zones

+
Authoritative Name Servers

+
Caching Name Servers

+
Name Servers in Multiple Roles

 

 

 

@@ -71,7 +71,7 @@
     

 

 

-Scope of Document

+Scope of Document

 

         The Berkeley Internet Name Domain
         (BIND) implements an
@@ -87,7 +87,7 @@
 

 

 

-Organization of This Document

+Organization of This Document

 

         In this document, Section 1 introduces
         the basic DNS and BIND concepts. Section 2
@@ -116,7 +116,7 @@
 

 

 

-Conventions Used in This Document

+Conventions Used in This Document

 

         In this document, we use the following general typographic
         conventions:
@@ -243,7 +243,7 @@
 

 

 

-The Domain Name System (DNS)

+The Domain Name System (DNS)

 

         The purpose of this document is to explain the installation
         and upkeep of the BIND software
@@ -253,7 +253,7 @@
       

 

 

-DNS Fundamentals

+DNS Fundamentals

 

           The Domain Name System (DNS) is a hierarchical, distributed
           database.  It stores information for mapping Internet host names to
@@ -273,7 +273,7 @@
 

 

 

-Domains and Domain Names

+Domains and Domain Names

 

           The data stored in the DNS is identified by domain names that are organized as a tree according to
           organizational or administrative boundaries. Each node of the tree,
@@ -319,7 +319,7 @@
 

 

 

-Zones

+Zones

 

           To properly operate a name server, it is important to understand
           the difference between a zone
@@ -372,7 +372,7 @@
 

 

 

-Authoritative Name Servers

+Authoritative Name Servers

 

           Each zone is served by at least
           one authoritative name server,
@@ -389,7 +389,7 @@
         

 

 

-The Primary Master

+The Primary Master

 

             The authoritative server where the master copy of the zone
             data is maintained is called the
@@ -409,7 +409,7 @@
 
 

 

-Slave Servers

+Slave Servers

 

             The other authoritative servers, the slave
             servers (also known as secondary servers)
@@ -425,7 +425,7 @@
 
 

 

-Stealth Servers

+Stealth Servers

 

             Usually all of the zone's authoritative servers are listed in
             NS records in the parent zone.  These NS records constitute
@@ -460,7 +460,7 @@
 
 

 

-Caching Name Servers

+Caching Name Servers

 

           The resolver libraries provided by most operating systems are
           stub resolvers, meaning that they are not
@@ -487,7 +487,7 @@
         

 

 

-Forwarding

+Forwarding

 

             Even a caching name server does not necessarily perform
             the complete recursive lookup itself.  Instead, it can
@@ -514,7 +514,7 @@
 
 

 

-Name Servers in Multiple Roles

+Name Servers in Multiple Roles

 

           The BIND name server can
           simultaneously act as
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 157fd450f3..fba60c0112 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,16 +45,16 @@
 

 
Table of Contents

 

-
Hardware requirements

-
CPU Requirements

-
Memory Requirements

-
Name Server Intensive Environment Issues

-
Supported Operating Systems

+
Hardware requirements

+
CPU Requirements

+
Memory Requirements

+
Name Server Intensive Environment Issues

+
Supported Operating Systems

 

 

 

 

-Hardware requirements

+Hardware requirements

 

         DNS hardware requirements have
         traditionally been quite modest.
@@ -73,7 +73,7 @@
 
 

 

-CPU Requirements

+CPU Requirements

 

         CPU requirements for BIND 9 range from
         i486-class machines
@@ -84,7 +84,7 @@
 
 

 

-Memory Requirements

+Memory Requirements

 

         The memory of the server has to be large enough to fit the
         cache and zones loaded off disk.  The max-cache-size
@@ -107,7 +107,7 @@
 
 

 

-Name Server Intensive Environment Issues

+Name Server Intensive Environment Issues

 

         For name server intensive environments, there are two alternative
         configurations that may be used. The first is where clients and
@@ -124,7 +124,7 @@
 
 

 

-Supported Operating Systems

+Supported Operating Systems

 

         ISC BIND 9 compiles and runs on a large
         number
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index f3b7eaa3bd..5f86862896 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,14 +47,14 @@
 

 
Sample Configurations

 

-
A Caching-only Name Server

-
An Authoritative-only Name Server

+
A Caching-only Name Server

+
An Authoritative-only Name Server

 

-
Load Balancing

-
Name Server Operations

+
Load Balancing

+
Name Server Operations

 

-
Tools for Use With the Name Server Daemon

-
Signals

+
Tools for Use With the Name Server Daemon

+
Signals

 

 

 
@@ -68,7 +68,7 @@
 Sample Configurations
 

 

-A Caching-only Name Server

+A Caching-only Name Server

 

           The following sample configuration is appropriate for a caching-only
           name server for use by clients internal to a corporation.  All
@@ -95,7 +95,7 @@ zone "0.0.127.in-addr.arpa" {
 
 

 

-An Authoritative-only Name Server

+An Authoritative-only Name Server

 

           This sample configuration is for an authoritative-only server
           that is the master server for "example.com"
@@ -137,7 +137,7 @@ zone "eng.example.com" {
 
 

 

-Load Balancing

+Load Balancing

 

         A primitive form of load balancing can be achieved in
         the DNS by using multiple A records for
@@ -280,10 +280,10 @@ zone "eng.example.com" {
 
 

 

-Name Server Operations

+Name Server Operations

 

 

-Tools for Use With the Name Server Daemon

+Tools for Use With the Name Server Daemon

 

           This section describes several indispensable diagnostic,
           administrative and monitoring tools available to the system
@@ -741,7 +741,7 @@ controls {
 
 

 

-Signals

+Signals

 

           Certain UNIX signals cause the name server to take specific
           actions, as described in the following table.  These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index f4c3b5caaf..5b0c992a72 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -49,28 +49,28 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
@@ -204,7 +204,7 @@
 
 

 

-Split DNS

+Split DNS

 

         Setting up different views, or visibility, of the DNS space to
         internal and external resolvers is usually referred to as a
@@ -479,7 +479,7 @@ nameserver 172.16.72.4
       

 

 

-Generate Shared Keys for Each Pair of Hosts

+Generate Shared Keys for Each Pair of Hosts

 

           A shared secret is generated to be shared between host1 and host2.
           An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -487,7 +487,7 @@ nameserver 172.16.72.4
         

 

 

-Automatic Generation

+Automatic Generation

 

             The following command will generate a 128 bit (16 byte) HMAC-MD5
             key as described above. Longer keys are better, but shorter keys
@@ -512,7 +512,7 @@ nameserver 172.16.72.4
 
 

 

-Manual Generation

+Manual Generation

 

             The shared secret is simply a random sequence of bits, encoded
             in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -527,7 +527,7 @@ nameserver 172.16.72.4
 
 

 

-Copying the Shared Secret to Both Machines

+Copying the Shared Secret to Both Machines

 

           This is beyond the scope of DNS. A secure transport mechanism
           should be used. This could be secure FTP, ssh, telephone, etc.
@@ -535,7 +535,7 @@ nameserver 172.16.72.4
 
 

 

-Informing the Servers of the Key's Existence

+Informing the Servers of the Key's Existence

 

           Imagine host1 and host 2
           are
@@ -564,7 +564,7 @@ key host1-host2. {
 
 

 

-Instructing the Server to Use the Key

+Instructing the Server to Use the Key

 

           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the named.conf file
@@ -596,7 +596,7 @@ server 10.1.2.3 {
 
 

 

-TSIG Key Based Access Control

+TSIG Key Based Access Control

 

           BIND allows IP addresses and ranges
           to be specified in ACL
@@ -624,7 +624,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Errors

+Errors

 

           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
@@ -650,7 +650,7 @@ allow-update { key host1-host2. ;};
 
 

 

-TKEY

+TKEY

 
TKEY
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
@@ -686,7 +686,7 @@ allow-update { key host1-host2. ;};
 
 

 

-SIG(0)

+SIG(0)

 

         BIND 9 partially supports DNSSEC SIG(0)
             transaction signatures as specified in RFC 2535 and RFC2931.
@@ -747,7 +747,7 @@ allow-update { key host1-host2. ;};
       

 

 

-Generating Keys

+Generating Keys

 

           The dnssec-keygen program is used to
           generate keys.
@@ -798,7 +798,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Zone

+Signing the Zone

 

           The dnssec-signzone program is used
           to
@@ -842,7 +842,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Configuring Servers

+Configuring Servers

 

           To enable named to respond appropriately
           to DNS requests from DNSSEC aware clients
@@ -930,7 +930,7 @@ options {
 
 

 

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

 

         BIND 9 fully supports all currently
         defined forms of IPv6
@@ -969,7 +969,7 @@ options {
       

 

 

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

 

           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -988,7 +988,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 

 

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

 

           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 76a144fa62..2a6a7dbe0a 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,13 +45,13 @@
 

 
Table of Contents

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 

 

 

-The Lightweight Resolver Library

+The Lightweight Resolver Library

 

         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index bbe90a24de..e6951fbf3a 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,52 +48,52 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
@@ -428,7 +428,7 @@
 Address Match Lists
 

 

-Syntax

+Syntax

 
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -437,7 +437,7 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -515,7 +515,7 @@
 
 

 

-Comment Syntax

+Comment Syntax

 

           The BIND 9 comment syntax allows for
           comments to appear
@@ -525,7 +525,7 @@
         

 

 

-Syntax

+Syntax

 

             

 
/* This is a BIND comment as in C */

@@ -540,7 +540,7 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

             Comments may appear anywhere that whitespace may appear in
             a BIND configuration file.
@@ -774,7 +774,7 @@
       

 

 

-acl Statement Grammar

+acl Statement Grammar

 
acl acl-name {
     address_match_list
 };
@@ -857,7 +857,7 @@
 
 

 

-controls Statement Grammar

+controls Statement Grammar

 
controls {
    [ inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys { key_list }; ]
@@ -979,12 +979,12 @@
 
 

 

-include Statement Grammar

+include Statement Grammar

 
include filename;

 
 

 

-include Statement Definition and
+include Statement Definition and
           Usage

 

           The include statement inserts the
@@ -999,7 +999,7 @@
 

 

 

-key Statement Grammar

+key Statement Grammar

 
key key_id {
     algorithm string;
     secret string;
@@ -1008,7 +1008,7 @@
 
 

 

-key Statement Definition and Usage

+key Statement Definition and Usage

 

           The key statement defines a shared
           secret key for use with TSIG (see the section called “TSIG”)
@@ -1055,7 +1055,7 @@
 
 

 

-logging Statement Grammar

+logging Statement Grammar

 
logging {
    [ channel channel_name {
      ( file path name
@@ -1079,7 +1079,7 @@
 
 

 

-logging Statement Definition and
+logging Statement Definition and
           Usage

 

           The logging statement configures a
@@ -1113,7 +1113,7 @@
         

 

 

-The channel Phrase

+The channel Phrase

 

             All log output goes to one or more channels;
             you can make as many of them as you want.
@@ -1632,7 +1632,7 @@ category notify { null; };
 
 

 

-lwres Statement Grammar

+lwres Statement Grammar

 

            This is the grammar of the lwres
           statement in the named.conf file:
@@ -1647,7 +1647,7 @@ category notify { null; };
 
 

 

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

 

           The lwres statement configures the
           name
@@ -1698,14 +1698,14 @@ category notify { null; };
 
 

 

-masters Statement Grammar

+masters Statement Grammar

 
 masters name [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] };
 

 
 

 

-masters Statement Definition and
+masters Statement Definition and
           Usage

 
masters
           lists allow for a common set of masters to be easily used by
@@ -1714,7 +1714,7 @@ category notify { null; };
 

 

 

-options Statement Grammar

+options Statement Grammar

 

           This is the grammar of the options
           statement in the named.conf file:
@@ -2763,7 +2763,7 @@ options {
 
 

 

-Forwarding

+Forwarding

 

             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2807,7 +2807,7 @@ options {
 
 

 

-Dual-stack Servers

+Dual-stack Servers

 

             Dual-stack servers are used as servers of last resort to work
             around
@@ -2967,7 +2967,7 @@ options {
 
 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3047,7 +3047,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 

 

-Query Address

+Query Address

 

             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3327,7 +3327,7 @@ query-source-v6 address * port *;
 
 

 

-Bad UDP Port Lists

+Bad UDP Port Lists

 
avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3341,7 +3341,7 @@ query-source-v6 address * port *;
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3401,7 +3401,7 @@ query-source-v6 address * port *;
 
 

 

-Server  Resource Limits

+Server  Resource Limits

 

             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3479,7 +3479,7 @@ query-source-v6 address * port *;
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -4514,7 +4514,7 @@ query-source-v6 address * port *;
 

 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4523,7 +4523,7 @@ query-source-v6 address * port *;
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -4566,7 +4566,7 @@ query-source-v6 address * port *;
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -4817,10 +4817,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 

@@ -5029,7 +5029,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5051,7 +5051,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
journal

 

@@ -5534,7 +5534,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -5547,7 +5547,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6198,7 +6198,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6401,7 +6401,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6659,7 +6659,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6720,7 +6720,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6735,7 +6735,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -6763,7 +6763,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -6799,7 +6799,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -6818,7 +6818,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index e95cbf69cb..cfd6303f41 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -116,7 +116,7 @@ zone "example.com" {
 
 

 

-chroot and setuid

+chroot and setuid

 

           On UNIX servers, it is possible to run BIND in a chrooted environment
           (chroot()) by specifying the "-t"
@@ -139,7 +139,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot() environment
             to
@@ -167,7 +167,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index eb135ce17c..f2c0e17bbc 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index b6b7e08116..c5b50171ca 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND

@@ -145,7 +145,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -232,7 +232,7 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -417,11 +417,11 @@
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 644a756b8e..e60f7047af 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -40,7 +40,7 @@
 

 

 

-BIND 9 Administrator Reference Manual

+BIND 9 Administrator Reference Manual

 
Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC")

 
Copyright © 2000-2003 Internet Software Consortium.

 

@@ -51,39 +51,39 @@
 

 
1. Introduction

 

-
Scope of Document

-
Organization of This Document

-
Conventions Used in This Document

-
The Domain Name System (DNS)

+
Scope of Document

+
Organization of This Document

+
Conventions Used in This Document

+
The Domain Name System (DNS)

 

-
DNS Fundamentals

-
Domains and Domain Names

-
Zones

-
Authoritative Name Servers

-
Caching Name Servers

-
Name Servers in Multiple Roles

+
DNS Fundamentals

+
Domains and Domain Names

+
Zones

+
Authoritative Name Servers

+
Caching Name Servers

+
Name Servers in Multiple Roles

 

 

 
2. BIND Resource Requirements

 

-
Hardware requirements

-
CPU Requirements

-
Memory Requirements

-
Name Server Intensive Environment Issues

-
Supported Operating Systems

+
Hardware requirements

+
CPU Requirements

+
Memory Requirements

+
Name Server Intensive Environment Issues

+
Supported Operating Systems

 

 
3. Name Server Configuration

 

 
Sample Configurations

 

-
A Caching-only Name Server

-
An Authoritative-only Name Server

+
A Caching-only Name Server

+
An Authoritative-only Name Server

 

-
Load Balancing

-
Name Server Operations

+
Load Balancing

+
Name Server Operations

 

-
Tools for Use With the Name Server Daemon

-
Signals

+
Tools for Use With the Name Server Daemon

+
Signals

 

 

 
4. Advanced DNS Features

@@ -92,33 +92,33 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 

 
5. The BIND 9 Lightweight Resolver

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 
6. BIND 9 Configuration Reference

@@ -126,83 +126,83 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index d137892b76..27efa576ed 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -137,7 +137,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index c094f146ee..d6c3ab3c3b 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -166,7 +166,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 6b2c564bf4..2f8fefdf42 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 

 
Synopsis

-
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-n nthreads] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

+
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -183,6 +183,25 @@
             Specifies the number of threads to use.  By default, one
             thread is started for each detected CPU.
           

+
-N soa-serial-format

+

+

+            The SOA serial number format of the signed zone.
+	    Possible formats are "keep" (default),
+            "increment" and
+	    "unixtime".
+          

+

+
"keep"

+
Do not modify the SOA serial number.

+
"increment"

+
Increment the SOA serial number using RFC 1982
+                      arithmetics.

+
"unixtime"

+
Set the SOA serial number to the number of seconds
+	        since epoch.

+

+

 
-o origin

 

             The zone origin.  If not specified, the name of the zone file
@@ -238,7 +257,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -264,14 +283,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 158bae46bf..93a0e0c041 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 7142ed500f..92f5486b4f 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-v] [-j] [-t directory] {filename} [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -88,20 +88,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index aaf5013d3a..fc072e3463 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -251,21 +251,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index e977a9b8d8..e1598a4491 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -198,7 +198,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -241,7 +241,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -252,7 +252,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index eef42ffc8e..ac783445b1 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -171,7 +171,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 46c2b62368..8b1eda9c75 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 8e327054d6..0d49bfa449 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
index bcd35a7779..1818c5de3a 100644
--- a/lib/lwres/man/lwres.html
+++ b/lib/lwres/man/lwres.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres — introduction to the lightweight resolver library

@@ -32,7 +32,7 @@
 
#include <lwres/lwres.h>

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       The BIND 9 lightweight resolver library is a simple, name service
       independent stub resolver library.  It provides hostname-to-address
@@ -47,7 +47,7 @@
     

 

 

-
OVERVIEW

+
OVERVIEW

 

       The lwresd library implements multiple name service APIs.
       The standard
@@ -101,7 +101,7 @@
     

 

 

-
CLIENT-SIDE LOW-LEVEL API CALL FLOW

+
CLIENT-SIDE LOW-LEVEL API CALL FLOW

 

       When a client program wishes to make an lwres request using the
       native low-level API, it typically performs the following
@@ -149,7 +149,7 @@
     

 

 

-
SERVER-SIDE LOW-LEVEL API CALL FLOW

+
SERVER-SIDE LOW-LEVEL API CALL FLOW

 

       When implementing the server side of the lightweight resolver
       protocol using the lwres library, a sequence of actions like the
@@ -191,7 +191,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
lwres_gethostent(3),
 
       lwres_getipnode(3),
diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html
index bc1e0d8bd1..026f2f37b0 100644
--- a/lib/lwres/man/lwres_buffer.html
+++ b/lib/lwres/man/lwres_buffer.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem — lightweight resolver buffer management

@@ -262,7 +262,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       These functions provide bounds checked access to a region of memory
       where data is being read or written.
diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html
index ca4df96576..84f1192e8c 100644
--- a/lib/lwres/man/lwres_config.html
+++ b/lib/lwres/man/lwres_config.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get — lightweight resolver configuration

@@ -90,7 +90,7 @@ lwres_conf_t *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 
lwres_conf_init()
       creates an empty
       lwres_conf_t
@@ -123,7 +123,7 @@ lwres_conf_t *
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 
lwres_conf_parse()
       returns LWRES_R_SUCCESS
       if it successfully read and parsed
@@ -142,13 +142,13 @@ lwres_conf_t *
     

 

 

-
SEE ALSO

+
SEE ALSO

 
stdio(3),
       resolver(5).
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html
index 1e6073c3bf..290742b351 100644
--- a/lib/lwres/man/lwres_context.html
+++ b/lib/lwres/man/lwres_context.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv — lightweight resolver context management

@@ -172,7 +172,7 @@ void *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 
lwres_context_create()
       creates a lwres_context_t structure for use in
       lightweight resolver operations.  It holds a socket and other
@@ -258,7 +258,7 @@ void *
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 
lwres_context_create()
       returns LWRES_R_NOMEMORY if memory for
       the struct lwres_context could not be allocated,
@@ -283,7 +283,7 @@ void *
     

 

 

-
SEE ALSO

+
SEE ALSO

 
lwres_conf_init(3),
 
       malloc(3),
diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html
index b3fa27eb0c..f22762450c 100644
--- a/lib/lwres/man/lwres_gabn.html
+++ b/lib/lwres/man/lwres_gabn.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free — lightweight resolver getaddrbyname message handling

@@ -178,7 +178,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       These are low-level routines for creating and parsing
       lightweight resolver name-to-address lookup request and
@@ -278,7 +278,7 @@ typedef struct {
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 

       The getaddrbyname opcode functions
       lwres_gabnrequest_render(),
@@ -316,7 +316,7 @@ typedef struct {
     

 

 

-
SEE ALSO

+
SEE ALSO

 
lwres_packet(3)
     

 

diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html
index f4fb1a570d..2ef18441fa 100644
--- a/lib/lwres/man/lwres_gai_strerror.html
+++ b/lib/lwres/man/lwres_gai_strerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_gai_strerror — print suitable error string

@@ -37,7 +37,7 @@ char *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 
lwres_gai_strerror()
       returns an error message corresponding to an error code returned by
       getaddrinfo().
@@ -105,7 +105,7 @@ char *
     

 

 

-
SEE ALSO

+
SEE ALSO

 
strerror(3),
 
       lwres_getaddrinfo(3),
diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html
index c89b3f5fa8..6aea3c88c5 100644
--- a/lib/lwres/man/lwres_getaddrinfo.html
+++ b/lib/lwres/man/lwres_getaddrinfo.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_getaddrinfo, lwres_freeaddrinfo — socket address structure to host and service name

@@ -89,7 +89,7 @@ struct  addrinfo {
     

 

 

-
DESCRIPTION

+
DESCRIPTION

 
lwres_getaddrinfo()
       is used to get a list of IP addresses and port numbers for host
       hostname and service
@@ -283,7 +283,7 @@ struct  addrinfo {
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 
lwres_getaddrinfo()
       returns zero on success or one of the error codes listed in
       gai_strerror(3)
@@ -294,7 +294,7 @@ struct  addrinfo {
     

 

 

-
SEE ALSO

+
SEE ALSO

 
lwres(3),
 
       lwres_getaddrinfo(3),
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html
index 47cc72b1ce..8aadc050a2 100644
--- a/lib/lwres/man/lwres_gethostent.html
+++ b/lib/lwres/man/lwres_gethostent.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r — lightweight resolver get network host entry

@@ -203,7 +203,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       These functions provide hostname-to-address and
       address-to-hostname lookups by means of the lightweight resolver.
@@ -341,7 +341,7 @@ struct  hostent {
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 

       The functions
       lwres_gethostbyname(),
@@ -405,7 +405,7 @@ struct  hostent {
     

 

 

-
SEE ALSO

+
SEE ALSO

 
gethostent(3),
 
       lwres_getipnode(3),
@@ -414,7 +414,7 @@ struct  hostent {
     

 

 

-
BUGS

+
BUGS

 
lwres_gethostbyname(),
       lwres_gethostbyname2(),
       lwres_gethostbyaddr()
diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html
index 9e7f1da358..d44df8402d 100644
--- a/lib/lwres/man/lwres_getipnode.html
+++ b/lib/lwres/man/lwres_getipnode.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent — lightweight resolver nodename / address translation API

@@ -98,7 +98,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       These functions perform thread safe, protocol independent
       nodename-to-address and address-to-nodename
@@ -217,7 +217,7 @@ struct  hostent {
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 

       If an error occurs,
       lwres_getipnodebyname()
@@ -261,7 +261,7 @@ struct  hostent {
     

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC2553,
 
       lwres(3),
diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html
index 549741b4f3..cdc449f79b 100644
--- a/lib/lwres/man/lwres_getnameinfo.html
+++ b/lib/lwres/man/lwres_getnameinfo.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_getnameinfo — lightweight resolver socket address structure to hostname and
@@ -82,7 +82,7 @@ int
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

        This function is equivalent to the
       getnameinfo(3) function defined in RFC2133.
@@ -149,13 +149,13 @@ int
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 
lwres_getnameinfo()
       returns 0 on success or a non-zero error code if an error occurs.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC2133,
       getservbyport(3),
       lwres(3),
@@ -165,7 +165,7 @@ int
     

 

 

-
BUGS

+
BUGS

 

       RFC2133 fails to define what the nonzero return values of
       getnameinfo(3)
diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html
index 8bcb9d5853..c8ead6da8f 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/lib/lwres/man/lwres_getrrsetbyname.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_getrrsetbyname, lwres_freerrset — retrieve DNS records

@@ -102,7 +102,7 @@ struct  rrsetinfo {
     

 

 

-
DESCRIPTION

+
DESCRIPTION

 
lwres_getrrsetbyname()
       gets a set of resource records associated with a
       hostname, class,
@@ -150,7 +150,7 @@ struct  rrsetinfo {
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
lwres_getrrsetbyname()
       returns zero on success, and one of the following error codes if
       an error occurred:
@@ -184,7 +184,7 @@ struct  rrsetinfo {
     

 

 

-
SEE ALSO

+
SEE ALSO

 
lwres(3).
     

 

diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html
index 7cab32d944..b026a29c08 100644
--- a/lib/lwres/man/lwres_gnba.html
+++ b/lib/lwres/man/lwres_gnba.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free — lightweight resolver getnamebyaddress message handling

@@ -183,7 +183,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       These are low-level routines for creating and parsing
       lightweight resolver address-to-name lookup request and
@@ -270,7 +270,7 @@ typedef struct {
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 

       The getnamebyaddr opcode functions
       lwres_gnbarequest_render(),
@@ -308,7 +308,7 @@ typedef struct {
     

 

 

-
SEE ALSO

+
SEE ALSO

 
lwres_packet(3).
     

 

diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html
index 00c77f7df9..58154c8631 100644
--- a/lib/lwres/man/lwres_hstrerror.html
+++ b/lib/lwres/man/lwres_hstrerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_herror, lwres_hstrerror — lightweight resolver error message generation

@@ -40,7 +40,7 @@ const char *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 
lwres_herror()
       prints the string s on
       stderr followed by the string generated by
@@ -74,7 +74,7 @@ const char *
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 

       The string Unknown resolver error is returned by
       lwres_hstrerror()
@@ -84,7 +84,7 @@ const char *
     

 

 

-
SEE ALSO

+
SEE ALSO

 
herror(3),
 
       lwres_hstrerror(3).
diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html
index f4230a061b..9994aa1ab0 100644
--- a/lib/lwres/man/lwres_inetntop.html
+++ b/lib/lwres/man/lwres_inetntop.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_net_ntop — lightweight resolver IP address presentation

@@ -62,7 +62,7 @@ const char *
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 
lwres_net_ntop()
       converts an IP address of protocol family
       af — IPv4 or IPv6 — at
@@ -80,7 +80,7 @@ const char *
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 

       If successful, the function returns dst:
       a pointer to a string containing the presentation format of the
@@ -93,7 +93,7 @@ const char *
     

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC1884,
       inet_ntop(3),
       errno(3).
diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html
index c0a9448085..168469b267 100644
--- a/lib/lwres/man/lwres_noop.html
+++ b/lib/lwres/man/lwres_noop.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free — lightweight resolver no-op message handling

@@ -179,7 +179,7 @@ void
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       These are low-level routines for creating and parsing
       lightweight resolver no-op request and response messages.
@@ -270,7 +270,7 @@ typedef struct {
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 

       The no-op opcode functions
       lwres_nooprequest_render(),
@@ -309,7 +309,7 @@ typedef struct {
     

 

 

-
SEE ALSO

+
SEE ALSO

 
lwres_packet(3)
     

 

diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html
index d8b9471a25..bfd05317e8 100644
--- a/lib/lwres/man/lwres_packet.html
+++ b/lib/lwres/man/lwres_packet.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_lwpacket_renderheader, lwres_lwpacket_parseheader — lightweight resolver packet handling functions

@@ -66,7 +66,7 @@ lwres_result_t
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

       These functions rely on a
       struct lwres_lwpacket
@@ -219,7 +219,7 @@ struct lwres_lwpacket {
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 

       Successful calls to
       lwres_lwpacket_renderheader() and
diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html
index 8c48911dd2..0e116bfaf9 100644
--- a/lib/lwres/man/lwres_resutil.html
+++ b/lib/lwres/man/lwres_resutil.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -22,7 +22,7 @@
 
 
 

-

+

 

 
Name

 
lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr — lightweight resolver utility functions

@@ -134,7 +134,7 @@ lwres_result_t
 

 

 

-
DESCRIPTION

+
DESCRIPTION

 
lwres_string_parse()
       retrieves a DNS-encoded string starting the current pointer of
       lightweight resolver buffer b: i.e.
@@ -210,7 +210,7 @@ typedef struct {
     

 

 

-
RETURN VALUES

+
RETURN VALUES

 

       Successful calls to
       lwres_string_parse()
@@ -248,7 +248,7 @@ typedef struct {
     

 

 

-
SEE ALSO

+
SEE ALSO

 
lwres_buffer(3),
 
       lwres_gabn(3).

From 47f9dd025ac8efe53ffa684c12cc93aa2ab2efa7 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 24 Apr 2006 23:16:43 +0000
Subject: [PATCH 154/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index c653f2d123..de65d397f3 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -74,6 +74,7 @@ rt15878				new
 rt15941				new	
 rt15958				new	
 rt15970				new	
+rt15976				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	

From 602784c4ceb4f36f614afe5da80c7964eb9a766c Mon Sep 17 00:00:00 2001
From: Shane Kerr 
Date: Wed, 26 Apr 2006 12:03:08 +0000
Subject: [PATCH 155/465] Pulling rt15958 into HEAD.

---
 lib/dns/acache.c | 64 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 43 insertions(+), 21 deletions(-)

diff --git a/lib/dns/acache.c b/lib/dns/acache.c
index f155b4016f..fbd8c91025 100644
--- a/lib/dns/acache.c
+++ b/lib/dns/acache.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.c,v 1.11 2005/11/30 03:33:48 marka Exp $ */
+/* $Id: acache.c,v 1.12 2006/04/26 12:03:08 shane Exp $ */
 
 #include 
 
@@ -132,6 +132,8 @@ struct acache_cleaner {
 	unsigned int		cleaning_interval; /* The cleaning-interval
 						      from named.conf,
 						      in seconds. */
+	isc_stdtime_t		last_cleanup_time; /* The time when the last
+						      cleanup task completed */
 
 	isc_timer_t 		*cleaning_timer;
 	isc_event_t		*resched_event;	/* Sent by cleaner task to
@@ -523,6 +525,7 @@ acache_cleaner_init(dns_acache_t *acache, isc_timermgr_t *timermgr,
 		}
 
 		cleaner->cleaning_interval = 0; /* Initially turned off. */
+		isc_stdtime_get(&cleaner->last_cleanup_time);
 		result = isc_timer_create(timermgr, isc_timertype_inactive,
 					  NULL, NULL,
 					  acache->task,
@@ -636,6 +639,8 @@ end_cleaning(acache_cleaner_t *cleaner, isc_event_t *event) {
 	}
 	dns_acache_detachentry(&cleaner->current_entry);
 
+	isc_stdtime_get(&cleaner->last_cleanup_time);
+
 	UNLOCK(&acache->lock);
 
 	dns_acache_setcleaninginterval(cleaner->acache,
@@ -647,13 +652,6 @@ end_cleaning(acache_cleaner_t *cleaner, isc_event_t *event) {
 		      cleaner->ncleaned,
 		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
 
-	if (cleaner->overmem) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_ACACHE, ISC_LOG_NOTICE,
-			      "acache is still in overmem state "
-			      "after cleaning");
-	}
-
 	cleaner->ncleaned = 0;
 	cleaner->state = cleaner_s_idle;
 	cleaner->resched_event = event;
@@ -684,11 +682,8 @@ acache_cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
 /* The caller must hold entry lock. */
 static inline isc_boolean_t
 entry_stale(acache_cleaner_t *cleaner, dns_acacheentry_t *entry,
-	    isc_stdtime_t now)
+	    isc_stdtime32_t now32, unsigned int interval)
 {
-	unsigned int interval = cleaner->cleaning_interval;
-	isc_stdtime32_t now32;
-
 	/*
 	 * If the callback has been canceled, we definitely do not need the
 	 * entry.
@@ -696,25 +691,28 @@ entry_stale(acache_cleaner_t *cleaner, dns_acacheentry_t *entry,
 	if (entry->callback == NULL)
 		return (ISC_TRUE);
 
-	isc_stdtime_convert32(now, &now32);
+	if (interval > cleaner->cleaning_interval)
+		interval = cleaner->cleaning_interval;
+
 	if (entry->lastused + interval < now32)
 		return (ISC_TRUE);
 
 	/*
-	 * If the acache is in an overmem state, probabilistically decide if
+	 * If the acache is in the overmem state, probabilistically decide if
 	 * the entry should be purged, based on the time passed from its last
 	 * use and the cleaning interval.
 	 */
 	if (cleaner->overmem) {
 		unsigned int passed =
 			now32 - entry->lastused; /* <= interval */
-		isc_uint32_t val, r;
+		isc_uint32_t val;
 
-		isc_random_get(&val);
-		r = val % interval;
-
-		if (r < passed)
+		if (passed > interval / 2)
 			return (ISC_TRUE);
+		isc_random_get(&val);
+		if (passed > interval / 4)
+			return (ISC_TF(val % 4 == 0));
+		return (ISC_TF(val % 8 == 0));
 	}
 
 	return (ISC_FALSE);
@@ -729,7 +727,9 @@ acache_incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 	dns_acache_t *acache = cleaner->acache;
 	dns_acacheentry_t *entry, *next = NULL;
 	int n_entries;
+	isc_stdtime32_t now32, last32;
 	isc_stdtime_t now;
+	unsigned int interval;
 
 	INSIST(DNS_ACACHE_VALID(acache));
 	INSIST(task == acache->task);
@@ -746,21 +746,25 @@ acache_incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 	n_entries = cleaner->increment;
 
 	isc_stdtime_get(&now);
+	isc_stdtime_convert32(now, &now32);
 
 	LOCK(&acache->lock);
 
 	entry = cleaner->current_entry;
+	isc_stdtime_convert32(cleaner->last_cleanup_time, &last32);
+	INSIST(now32 > last32);
+	interval = now32 - last32;
 
 	while (n_entries-- > 0) {
 		isc_boolean_t is_stale = ISC_FALSE;
-		
+
 		INSIST(entry != NULL);
 
 		next = ISC_LIST_NEXT(entry, link);
 
 		ACACHE_LOCK(&entry->lock, isc_rwlocktype_write);
 
-		is_stale = entry_stale(cleaner, entry, now);
+		is_stale = entry_stale(cleaner, entry, now32, interval);
 		if (is_stale) {
 			ISC_LIST_UNLINK(acache->entries, entry, link);
 			unlink_dbentries(acache, entry);
@@ -777,6 +781,24 @@ acache_incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 			dns_acache_detachentry(&entry);
 
 		if (next == NULL) {
+			if (cleaner->overmem) {
+				entry = ISC_LIST_HEAD(acache->entries);
+				if (entry != NULL) {
+					/*
+					 * If we are still in the overmem
+					 * state, keep cleaning.
+					 */
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_DATABASE,
+						      DNS_LOGMODULE_ACACHE,
+						      ISC_LOG_DEBUG(1),
+						      "acache cleaner: "
+						      "still overmem, "
+						      "reset and try again");
+					continue;
+				}
+			}
+
 			UNLOCK(&acache->lock);
 			end_cleaning(cleaner, event);
 			return;

From 1e844d04a716346f08ec027e365ce43e7b360c51 Mon Sep 17 00:00:00 2001
From: Shane Kerr 
Date: Wed, 26 Apr 2006 12:12:45 +0000
Subject: [PATCH 156/465] Pulling rt15970 into HEAD.

---
 lib/dns/acache.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/dns/acache.c b/lib/dns/acache.c
index fbd8c91025..4142604398 100644
--- a/lib/dns/acache.c
+++ b/lib/dns/acache.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.c,v 1.12 2006/04/26 12:03:08 shane Exp $ */
+/* $Id: acache.c,v 1.13 2006/04/26 12:12:45 shane Exp $ */
 
 #include 
 
@@ -1247,6 +1247,21 @@ dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
 	REQUIRE(entryp != NULL && *entryp == NULL);
 	REQUIRE(origdb != NULL);
 
+	/* 
+	 * Should we exceed our memory limit for some reason (for 
+	 * example, if the cleaner does not run aggressively enough), 
+	 * then we will not create additional entries.
+	 *
+	 * XXX: It might be better to lock the acache->cleaner->lock,
+	 * but locking may be an expensive bottleneck. If we misread 
+	 * the value, we will occasionally refuse to create a few 
+	 * cache entries, or create a few that we should not. I do not
+	 * expect this to happen often, and it will not have very bad
+	 * effects when it does. So no lock for now.
+	 */
+	if (acache->cleaner.overmem)
+		return (ISC_R_NORESOURCES);
+
 	newentry = isc_mem_get(acache->mctx, sizeof(*newentry));
 	if (newentry == NULL)
 		return (ISC_R_NOMEMORY);

From 26089d49041d02d3fc56d4f0635e3e15af0150d0 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 26 Apr 2006 23:30:21 +0000
Subject: [PATCH 157/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 4c78cc812f..a904293954 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1710,7 +1710,7 @@
 ./lib/bind9/win32/version.c			C	1998,1999,2000,2001,2004
 ./lib/dns/.cvsignore				X	1999,2000,2001
 ./lib/dns/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006
-./lib/dns/acache.c				C	2004,2005
+./lib/dns/acache.c				C	2004,2005,2006
 ./lib/dns/acl.c					C	1999,2000,2001,2002,2004,2005,2006
 ./lib/dns/adb.c					C	1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/api					X	1999,2000,2001

From 696d061d14fd1439e4e214f5ac2ba9b61003f4b3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 27 Apr 2006 09:36:46 +0000
Subject: [PATCH 158/465] update copyright notice

---
 lib/dns/acache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/acache.c b/lib/dns/acache.c
index 4142604398..0e90f5f2f0 100644
--- a/lib/dns/acache.c
+++ b/lib/dns/acache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.c,v 1.13 2006/04/26 12:12:45 shane Exp $ */
+/* $Id: acache.c,v 1.14 2006/04/27 09:36:46 marka Exp $ */
 
 #include 
 

From bc1467288a25b48446d3229fef0a19fad0cb6f2f Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 2 May 2006 03:24:18 +0000
Subject: [PATCH 159/465] 2012.   [func]          Don't insert new acache
 entries if acache is full.                         [RT #15970]

---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index 5426520d97..660e3062ca 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2012.	[func]		Don't insert new acache entries if acache is full.
+			[RT #15970]
+
 2011.	[func]		dnssec-signzone can now update the SOA record of
 			the signed zone, either as an increment or as the
 			system time(). [RT #15633]

From a8f950ff05e2e81d425a3411268cdf21f8f26b16 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 2 May 2006 04:07:36 +0000
Subject: [PATCH 160/465] 2013.   [bug]           Handle unexpected TSIGs on
 unsigned AXFR/IXFR                         responses more gracefully. [RT
 #15941]

---
 CHANGES        | 3 +++
 lib/dns/tsig.c | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 660e3062ca..947690651f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
+			responses more gracefully. [RT #15941]
+
 2012.	[func]		Don't insert new acache entries if acache is full.
 			[RT #15970]
 
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index ff1c798bc5..eafaadeac8 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.125 2006/03/08 03:51:01 marka Exp $
+ * $Id: tsig.c,v 1.126 2006/05/02 04:07:36 marka Exp $
  */
 /*! \file */
 #include 
@@ -855,8 +855,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 
 	msg->verify_attempted = 1;
 
-	if (msg->tcp_continuation)
+	if (msg->tcp_continuation) {
+		if (tsigkey == NULL || msg->querytsig == NULL)
+			return (DNS_R_UNEXPECTEDTSIG);
 		return (tsig_verify_tcp(source, msg));
+	}
 
 	/*
 	 * There should be a TSIG record...

From 1de2d24ea2ec7393aa475fe54ca53b4335716807 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 2 May 2006 04:19:47 +0000
Subject: [PATCH 161/465] 2013.   [bug]           Handle unexpected TSIGs on
 unsigned AXFR/IXFR                         responses more gracefully. [RT
 #15941]

---
 CHANGES        | 3 +++
 lib/dns/tsig.c | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index b939c7d35b..960659e079 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
+			responses more gracefully. [RT #15941]
+
 2009.	[bug]		libbind: coverity fixes. [RT #15808]
 
 2005.	[bug]		libbind: Retransmission timeouts should be
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 3105c0eb53..19f6967397 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.112.2.9 2006/03/08 03:56:21 marka Exp $
+ * $Id: tsig.c,v 1.112.2.10 2006/05/02 04:19:47 marka Exp $
  */
 
 #include 
@@ -646,8 +646,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 
 	msg->verify_attempted = 1;
 
-	if (msg->tcp_continuation)
+	if (msg->tcp_continuation) {
+		if (tsigkey == NULL || msg->querytsig == NULL)
+			return (DNS_R_UNEXPECTEDTSIG);
 		return (tsig_verify_tcp(source, msg));
+	}
 
 	/*
 	 * There should be a TSIG record...

From 0d8971a4b8abed599ec9d9b7d1b51b8de8038ce2 Mon Sep 17 00:00:00 2001
From: Shane Kerr 
Date: Tue, 2 May 2006 13:04:54 +0000
Subject: [PATCH 162/465] Stats for acache.

---
 CHANGES                      |   3 ++
 lib/dns/acache.c             | 100 ++++++++++++++++++++++++++++++++---
 lib/dns/include/dns/acache.h |   8 ++-
 lib/dns/include/dns/types.h  |   3 +-
 lib/dns/rbtdb.c              |   7 ++-
 5 files changed, 110 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index 947690651f..708c687561 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2014.	[func]		Statistics about acache now recorded and sent
+			to log. [RT #15976]
+
 2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
 			responses more gracefully. [RT #15941]
 
diff --git a/lib/dns/acache.c b/lib/dns/acache.c
index 0e90f5f2f0..c87ab1817a 100644
--- a/lib/dns/acache.c
+++ b/lib/dns/acache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.c,v 1.14 2006/04/27 09:36:46 marka Exp $ */
+/* $Id: acache.c,v 1.15 2006/05/02 13:04:54 shane Exp $ */
 
 #include 
 
@@ -132,8 +132,9 @@ struct acache_cleaner {
 	unsigned int		cleaning_interval; /* The cleaning-interval
 						      from named.conf,
 						      in seconds. */
+
 	isc_stdtime_t		last_cleanup_time; /* The time when the last
-						      cleanup task completed */
+      						      cleanup task completed */
 
 	isc_timer_t 		*cleaning_timer;
 	isc_event_t		*resched_event;	/* Sent by cleaner task to
@@ -153,6 +154,19 @@ struct acache_cleaner {
 						   state. */
 };
 
+struct dns_acachestats {
+	unsigned int			hits;
+	unsigned int			queries;
+	unsigned int			misses;
+	unsigned int			adds;
+	unsigned int			deleted;
+	unsigned int			cleaned;
+	unsigned int			cleaner_runs;
+	unsigned int			overmem;
+	unsigned int			overmem_nocreates;
+	unsigned int			nomem;
+};
+
 /*
  * The actual acache object.
  */
@@ -176,6 +190,8 @@ struct dns_acache {
 	isc_task_t 			*task;
 	isc_event_t			cevent;
 	isc_boolean_t			cevent_sent;
+
+	dns_acachestats_t		stats;
 };
 
 struct dns_acacheentry {
@@ -240,6 +256,23 @@ static void acache_overmem_cleaning_action(isc_task_t *task,
 static void acache_cleaner_shutdown_action(isc_task_t *task,
 					   isc_event_t *event);
 
+/*
+ * acache should be locked.  If it is not, the stats can get out of whack,
+ * which is not a big deal for us since this is for debugging / stats
+ */
+static void
+reset_stats(dns_acache_t *acache) {
+	acache->stats.hits = 0;
+	acache->stats.queries = 0;
+	acache->stats.misses = 0;
+	acache->stats.adds = 0;
+	acache->stats.deleted = 0;
+	acache->stats.cleaned = 0;
+	acache->stats.overmem = 0;
+	acache->stats.overmem_nocreates = 0;
+	acache->stats.nomem = 0;
+}
+
 /*
  * The acache must be locked before calling.
  */
@@ -639,6 +672,26 @@ end_cleaning(acache_cleaner_t *cleaner, isc_event_t *event) {
 	}
 	dns_acache_detachentry(&cleaner->current_entry);
 
+	if (cleaner->overmem)
+		acache->stats.overmem++;
+	acache->stats.cleaned += cleaner->ncleaned;
+	acache->stats.cleaner_runs++;
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_NOTICE,
+		      "acache %p stats: hits=%d misses=%d queries=%d "
+		      "adds=%d deleted=%d "
+		      "cleaned=%d cleaner_runs=%d overmem=%d "
+		      "overmem_nocreates=%d nomem=%d",
+		      acache,
+		      acache->stats.hits, acache->stats.misses,
+		      acache->stats.queries,
+		      acache->stats.adds, acache->stats.deleted,
+		      acache->stats.cleaned, acache->stats.cleaner_runs,
+		      acache->stats.overmem, acache->stats.overmem_nocreates, 
+		      acache->stats.nomem);
+	reset_stats(acache);
+
 	isc_stdtime_get(&cleaner->last_cleanup_time);
 
 	UNLOCK(&acache->lock);
@@ -652,6 +705,13 @@ end_cleaning(acache_cleaner_t *cleaner, isc_event_t *event) {
 		      cleaner->ncleaned,
 		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
 
+	if (cleaner->overmem) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_ACACHE, ISC_LOG_NOTICE,
+			      "acache is still in overmem state "
+			      "after cleaning");
+	}
+
 	cleaner->ncleaned = 0;
 	cleaner->state = cleaner_s_idle;
 	cleaner->resched_event = event;
@@ -757,7 +817,7 @@ acache_incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 
 	while (n_entries-- > 0) {
 		isc_boolean_t is_stale = ISC_FALSE;
-
+		
 		INSIST(entry != NULL);
 
 		next = ISC_LIST_NEXT(entry, link);
@@ -1010,6 +1070,9 @@ dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
+	acache->stats.cleaner_runs = 0;
+	reset_stats(acache);
+
 	acache->magic = ACACHE_MAGIC;
 
 	*acachep = acache;
@@ -1039,6 +1102,12 @@ dns_acache_attach(dns_acache_t *source, dns_acache_t **targetp) {
 	*targetp = source;
 }
 
+void
+dns_acache_countquerymiss(dns_acache_t *acache) {
+	acache->stats.misses++; 	/* XXXSK danger: unlocked! */
+	acache->stats.queries++;	/* XXXSK danger: unlocked! */
+}
+
 void
 dns_acache_detach(dns_acache_t **acachep) {
 	dns_acache_t *acache;
@@ -1230,6 +1299,8 @@ dns_acache_putdb(dns_acache_t *acache, dns_db_t *db) {
 
 	acache->dbentries--;
 
+	acache->stats.deleted++;
+
 	UNLOCK(&acache->lock);
 
 	return (ISC_R_SUCCESS);
@@ -1252,19 +1323,23 @@ dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
 	 * example, if the cleaner does not run aggressively enough), 
 	 * then we will not create additional entries.
 	 *
-	 * XXX: It might be better to lock the acache->cleaner->lock,
+	 * XXXSK: It might be better to lock the acache->cleaner->lock,
 	 * but locking may be an expensive bottleneck. If we misread 
 	 * the value, we will occasionally refuse to create a few 
 	 * cache entries, or create a few that we should not. I do not
 	 * expect this to happen often, and it will not have very bad
 	 * effects when it does. So no lock for now.
 	 */
-	if (acache->cleaner.overmem)
+	if (acache->cleaner.overmem) {
+		acache->stats.overmem_nocreates++; /* XXXSK danger: unlocked! */
 		return (ISC_R_NORESOURCES);
+	}
 
 	newentry = isc_mem_get(acache->mctx, sizeof(*newentry));
-	if (newentry == NULL)
+	if (newentry == NULL) {
+		acache->stats.nomem++;  /* XXXMLG danger: unlocked! */
 		return (ISC_R_NOMEMORY);
+	}
 
 	result = ACACHE_INITLOCK(&newentry->lock);
 	if (result != ISC_R_SUCCESS) {
@@ -1371,6 +1446,9 @@ dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
 		}
 	}
 
+	entry->acache->stats.hits++; /* XXXMLG danger: unlocked! */
+	entry->acache->stats.queries++;
+
 	ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_read);
 
 	return (result);
@@ -1501,6 +1579,8 @@ dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
 	dns_acache_attachentry(entry, &dummy_entry);
 
 	ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_write);
+
+	acache->stats.adds++;
 	UNLOCK(&acache->lock);
 
 	return (ISC_R_SUCCESS);
@@ -1568,6 +1648,7 @@ dns_acache_detachentry(dns_acacheentry_t **entryp) {
 	 */
 	if (refs == 0) {
 		INSIST(!ISC_LINK_LINKED(entry, link));
+		(*entryp)->acache->stats.deleted++;
 		destroy_entry(entry);
 	}
 
@@ -1610,6 +1691,11 @@ dns_acache_setcleaninginterval(dns_acache_t *acache, unsigned int t) {
 			      DNS_LOGMODULE_ACACHE, ISC_LOG_WARNING,
 			      "could not set acache cleaning interval: %s",
 			      isc_result_totext(result));
+	else
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_ACACHE, ISC_LOG_NOTICE,
+			      "acache %p cleaning interval set to %d.",
+			      acache, t);
 
  unlock:
 	UNLOCK(&acache->lock);
diff --git a/lib/dns/include/dns/acache.h b/lib/dns/include/dns/acache.h
index 19def50b02..d2ef1f337e 100644
--- a/lib/dns/include/dns/acache.h
+++ b/lib/dns/include/dns/acache.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.h,v 1.4 2004/12/23 00:13:17 marka Exp $ */
+/* $Id: acache.h,v 1.5 2006/05/02 13:04:54 shane Exp $ */
 
 #ifndef DNS_ACACHE_H
 #define DNS_ACACHE_H 1
@@ -434,6 +434,12 @@ dns_acache_detachentry(dns_acacheentry_t **entryp);
  *	entry (including the entry object itself) will be freed.
  */
 
+void
+dns_acache_countquerymiss(dns_acache_t *acache);
+/*
+ * Count up a missed acache query.  XXXMLG need more docs.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ACACHE_H */
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index c7ce50bc04..32c4a9ce4c 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.120 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: types.h,v 1.121 2006/05/02 13:04:54 shane Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
@@ -33,6 +33,7 @@
 
 typedef struct dns_acache			dns_acache_t;
 typedef struct dns_acacheentry			dns_acacheentry_t;
+typedef struct dns_acachestats			dns_acachestats_t;
 typedef struct dns_acl 				dns_acl_t;
 typedef struct dns_aclelement 			dns_aclelement_t;
 typedef struct dns_aclenv			dns_aclenv_t;
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index cea5516a8f..d8f3ac4be5 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.231 2006/03/07 04:58:51 marka Exp $ */
+/* $Id: rbtdb.c,v 1.232 2006/05/02 13:04:54 shane Exp $ */
 
 /*! \file */
 
@@ -6411,11 +6411,14 @@ rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 	}
 
 	if (acarray == NULL) {
+		if (type != dns_rdatasetadditional_fromcache)
+			dns_acache_countquerymiss(acache);
 		NODE_UNLOCK(nodelock, isc_rwlocktype_read);
 		return (ISC_R_NOTFOUND);
 	}
 
 	if (acarray[count].entry == NULL) {
+		dns_acache_countquerymiss(acache);
 		NODE_UNLOCK(nodelock, isc_rwlocktype_read);
 		return (ISC_R_NOTFOUND);
 	}
@@ -6695,7 +6698,7 @@ rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
 	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
 
 	if (entry != NULL) {
-		if(cbarg != NULL)
+		if (cbarg != NULL)
 			acache_cancelentry(rbtdb->common.mctx, entry, &cbarg);
 		dns_acache_detachentry(&entry);
 	}

From 0e5aa1a93371be94da17f42d302a0b55798ceb79 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 2 May 2006 23:30:24 +0000
Subject: [PATCH 163/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index a904293954..5207e19958 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1744,7 +1744,7 @@
 ./lib/dns/include/Makefile.in			MAKE	1998,1999,2000,2001,2004
 ./lib/dns/include/dns/.cvsignore		X	1999,2000,2001
 ./lib/dns/include/dns/Makefile.in		MAKE	1998,1999,2000,2001,2002,2003,2004
-./lib/dns/include/dns/acache.h			C	2004
+./lib/dns/include/dns/acache.h			C	2004,2006
 ./lib/dns/include/dns/acl.h			C	1999,2000,2001,2002,2004,2005,2006
 ./lib/dns/include/dns/adb.h			C	1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/include/dns/bit.h			C	2000,2001,2004,2005

From 5f7ca73d88db8aedeef501b1a791ea61e48a17f9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 3 May 2006 00:07:50 +0000
Subject: [PATCH 164/465] update copyright notice

---
 lib/dns/acache.c             | 4 ++--
 lib/dns/include/dns/acache.h | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/dns/acache.c b/lib/dns/acache.c
index c87ab1817a..5d68616ed1 100644
--- a/lib/dns/acache.c
+++ b/lib/dns/acache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.c,v 1.15 2006/05/02 13:04:54 shane Exp $ */
+/* $Id: acache.c,v 1.16 2006/05/03 00:07:50 marka Exp $ */
 
 #include 
 
diff --git a/lib/dns/include/dns/acache.h b/lib/dns/include/dns/acache.h
index d2ef1f337e..ba73e059a5 100644
--- a/lib/dns/include/dns/acache.h
+++ b/lib/dns/include/dns/acache.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.h,v 1.5 2006/05/02 13:04:54 shane Exp $ */
+/* $Id: acache.h,v 1.6 2006/05/03 00:07:50 marka Exp $ */
 
 #ifndef DNS_ACACHE_H
 #define DNS_ACACHE_H 1

From 6412902ffc0d255657f54db768f30b6efa819143 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 3 May 2006 01:54:54 +0000
Subject: [PATCH 165/465] 2015.   [cleanup]       use-additional-cache is now
 acache-enable for                         consistancy.  Default acache-enable
 off in BIND 9.4                         as it requires memory usage to be
 configured.                         It may be enabled by default in BIND 9.5
 once we                         have more experience with it.

---
 CHANGES                 |  6 ++++++
 bin/named/config.c      |  4 ++--
 bin/named/server.c      |  9 +++++----
 doc/arm/Bv9ARM-book.xml | 12 ++++++------
 lib/isccfg/namedconf.c  |  4 ++--
 5 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/CHANGES b/CHANGES
index 708c687561..f150696946 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+2015.	[cleanup]	use-additional-cache is now acache-enable for
+			consistancy.  Default acache-enable off in BIND 9.4
+			as it requires memory usage to be configured.
+			It may be enabled by default in BIND 9.5 once we
+			have more experience with it.
+
 2014.	[func]		Statistics about acache now recorded and sent
 			to log. [RT #15976]
 
diff --git a/bin/named/config.c b/bin/named/config.c
index 198322b794..856d2f48dd 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.73 2006/03/09 23:21:53 marka Exp $ */
+/* $Id: config.c,v 1.74 2006/05/03 01:54:53 marka Exp $ */
 
 /*! \file */
 
@@ -132,7 +132,7 @@ options {\n\
 	check-names slave warn;\n\
 	check-names response ignore;\n\
 	check-mx warn;\n\
-	use-additional-cache true;\n\
+	acache-enable no;\n\
 	acache-cleaning-interval 60;\n\
 	max-acache-size 0;\n\
 	dnssec-enable yes;\n\
diff --git a/bin/named/server.c b/bin/named/server.c
index 94e0c0cb9f..9cab092b88 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.462 2006/03/09 23:39:00 marka Exp $ */
+/* $Id: server.c,v 1.463 2006/05/03 01:54:53 marka Exp $ */
 
 /*! \file */
 
@@ -968,11 +968,12 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 
 	/*
 	 * Create additional cache for this view and zones under the view
-	 * unless explicitly disabled.
+	 * if explicitly enabled.
+	 * XXX950 default to on.
 	 */
 	obj = NULL;
-	(void)ns_config_get(maps, "use-additional-cache", &obj);
-	if (obj == NULL || cfg_obj_asboolean(obj)) {
+	(void)ns_config_get(maps, "acache-enable", &obj);
+	if (obj != NULL && cfg_obj_asboolean(obj)) {
 		cmctx = NULL;
 		CHECK(isc_mem_create(0, 0, &cmctx));
 		CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 55285f1db0..80cfd85331 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -4492,7 +4492,7 @@ category notify { null; };
      root-delegation-only  exclude { namelist }  ; 
      querylog yes_or_no ; 
      disable-algorithms domain { algorithm;  algorithm;  }; 
-     use-additional-cache yes_or_no ; 
+     acache-enable yes_or_no ; 
      acache-cleaning-interval number; 
      max-acache-size size_spec ; 
      clients-per-query number ; 
@@ -7508,7 +7508,7 @@ query-source-v6 address * port *;
             Thus, if the response performance does not matter and memory
             consumption is much more critical, the
             acache mechanism can be
-            disabled by setting use-additional-cache to
+            disabled by setting acache-enable to
             no.
             It is also possible to specify the upper limit of memory
             consumption
@@ -7540,11 +7540,11 @@ query-source-v6 address * port *;
           
 
             
-              use-additional-cache
+              acache-enable
               
                 
-                  If yes, additional section caching is enabled.
-                  The default value is yes.
+                  If yes, additional section caching is
+		  enabled.  The default value is no.
                 
               
             
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index a37285d703..cc34ec864c 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.68 2006/03/09 23:21:54 marka Exp $ */
+/* $Id: namedconf.c,v 1.69 2006/05/03 01:54:54 marka Exp $ */
 
 /*! \file */
 
@@ -774,7 +774,7 @@ view_clauses[] = {
 	   CFG_CLAUSEFLAG_MULTI },
 	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
 	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
-	{ "use-additional-cache", &cfg_type_boolean, 0 },
+	{ "acache-enable", &cfg_type_boolean, 0 },
 	{ "acache-cleaning-interval", &cfg_type_uint32, 0 },
 	{ "max-acache-size", &cfg_type_sizenodefault, 0 },
 	{ "clients-per-query", &cfg_type_uint32, 0 },

From df6faef67126d1277b0f21defd41c54994bf6fcf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 3 May 2006 02:27:23 +0000
Subject: [PATCH 166/465] regen

---
 doc/arm/Bv9ARM.ch06.html         | 38 ++++++++++++++++----------------
 doc/arm/Bv9ARM.ch07.html         | 10 ++++-----
 doc/arm/Bv9ARM.ch08.html         | 18 +++++++--------
 doc/arm/Bv9ARM.ch09.html         |  6 ++---
 doc/arm/Bv9ARM.html              | 24 ++++++++++----------
 doc/arm/man.dig.html             | 10 ++++-----
 doc/arm/man.dnssec-keygen.html   | 14 ++++++------
 doc/arm/man.dnssec-signzone.html | 12 +++++-----
 doc/arm/man.named-checkconf.html | 10 ++++-----
 doc/arm/man.named-checkzone.html | 12 +++++-----
 doc/arm/man.named.html           | 16 +++++++-------
 doc/arm/man.rndc-confgen.html    | 12 +++++-----
 doc/arm/man.rndc.conf.html       |  8 +++----
 doc/arm/man.rndc.html            | 12 +++++-----
 doc/misc/options                 |  4 ++--
 15 files changed, 103 insertions(+), 103 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index e6951fbf3a..683e623883 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -84,15 +84,15 @@
 
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
 
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

+
Inverse Mapping in IPv4

+
Other Zone File Directives

 
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

@@ -1849,7 +1849,7 @@ category notify { null; };
     [ root-delegation-only [ exclude { namelist } ] ; ]
     [ querylog yes_or_no ; ]
     [ disable-algorithms domain { algorithm; [ algorithm; ] }; ]
-    [ use-additional-cache yes_or_no ; ]
+    [ acache-enable yes_or_no ; ]
     [ acache-cleaning-interval number; ]
     [ max-acache-size size_spec ; ]
     [ clients-per-query number ; ]
@@ -3047,7 +3047,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 

 

 

-Query Address

+Query Address

 

             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3401,7 +3401,7 @@ query-source-v6 address * port *;
 

 

 

-Server  Resource Limits

+Server  Resource Limits

 

             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -4262,7 +4262,7 @@ query-source-v6 address * port *;
             Thus, if the response performance does not matter and memory
             consumption is much more critical, the
             acache mechanism can be
-            disabled by setting use-additional-cache to
+            disabled by setting acache-enable to
             no.
             It is also possible to specify the upper limit of memory
             consumption
@@ -4289,10 +4289,10 @@ query-source-v6 address * port *;
             acache.
           

 

-
use-additional-cache

+
acache-enable

 

-                  If yes, additional section caching is enabled.
-                  The default value is yes.
+                  If yes, additional section caching is
+                  enabled.  The default value is no.
                 

 
acache-cleaning-interval

 

@@ -4817,10 +4817,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 

@@ -5029,7 +5029,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6401,7 +6401,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6659,7 +6659,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6720,7 +6720,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6735,7 +6735,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index cfd6303f41..c4dfa215a6 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,8 +48,8 @@
 
Access Control Lists

 
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 
@@ -139,7 +139,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot() environment
             to
@@ -167,7 +167,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index f2c0e17bbc..4ee655c709 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index c5b50171ca..59693f1caa 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,7 +45,7 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

 
General DNS Reference Information

 
IPv6 addresses (AAAA)

@@ -59,7 +59,7 @@
 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index e60f7047af..72ed763a3a 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -162,15 +162,15 @@
 
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
 
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

+
Inverse Mapping in IPv4

+
Other Zone File Directives

 
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

@@ -180,21 +180,21 @@
 
Access Control Lists

 
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 
 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

 
General DNS Reference Information

 
IPv6 addresses (AAAA)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 27efa576ed..ec92cbd5a5 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index d6c3ab3c3b..b84385b6e7 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -166,7 +166,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 2f8fefdf42..b0326dbd10 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -257,7 +257,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -283,14 +283,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 92f5486b4f..a589dcb668 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -57,7 +57,7 @@
     

 
 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -88,20 +88,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index fc072e3463..47522c1792 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -251,21 +251,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index e1598a4491..ed38ebe451 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -198,7 +198,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -241,7 +241,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -252,7 +252,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index ac783445b1..3f59da5e76 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -171,7 +171,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 8b1eda9c75..87cf96ac3e 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -209,7 +209,7 @@
     

 
 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 0d49bfa449..bd1e293760 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/misc/options b/doc/misc/options
index 16ec6b7333..a17c52274e 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -91,7 +91,7 @@ options {
         dnssec-must-be-secure  ;
         dnssec-accept-expired ;
         ixfr-from-differences ;
-        use-additional-cache ;
+        acache-enable ;
         acache-cleaning-interval ;
         max-acache-size ;
         clients-per-query ;
@@ -319,7 +319,7 @@ view   {
         dnssec-must-be-secure  ;
         dnssec-accept-expired ;
         ixfr-from-differences ;
-        use-additional-cache ;
+        acache-enable ;
         acache-cleaning-interval ;
         max-acache-size ;
         clients-per-query ;

From 5d14b4fef72406e66d2b3b50e911ae6fdf30550f Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 4 May 2006 02:22:15 +0000
Subject: [PATCH 167/465] comment: cleanng -> cleaning

---
 lib/dns/cache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 4305e0c0de..cd78a8e3d8 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.45.2.11 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: cache.c,v 1.45.2.12 2006/05/04 02:22:15 marka Exp $ */
 
 #include 
 
@@ -762,7 +762,7 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 			 * Either the end was reached (ISC_R_NOMORE) or
 			 * some error was signaled.  If the cache is still
 			 * overmem and no error was encountered,
-			 * keep trying to clean it, otherwise stop cleanng.
+			 * keep trying to clean it, otherwise stop cleaning.
 			 */
 			if (result != ISC_R_NOMORE)
 				UNEXPECTED_ERROR(__FILE__, __LINE__,

From 481d821ad099b8090386bdc1a6cc6be614e9042f Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 4 May 2006 02:24:06 +0000
Subject: [PATCH 168/465] comment: cleanng -> cleaning

---
 lib/dns/cache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 5708470736..8f1fb11a1e 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.68 2006/01/26 22:56:04 marka Exp $ */
+/* $Id: cache.c,v 1.69 2006/05/04 02:24:06 marka Exp $ */
 
 /*! \file */
 
@@ -855,7 +855,7 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 			 * Either the end was reached (ISC_R_NOMORE) or
 			 * some error was signaled.  If the cache is still
 			 * overmem and no error was encountered,
-			 * keep trying to clean it, otherwise stop cleanng.
+			 * keep trying to clean it, otherwise stop cleaning.
 			 */
 			if (result != ISC_R_NOMORE)
 				UNEXPECTED_ERROR(__FILE__, __LINE__,

From 5121b47ee2a547f196b1109c06c0e4917833d405 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 4 May 2006 23:16:53 +0000
Subject: [PATCH 169/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index de65d397f3..a4d179f5d8 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -73,6 +73,7 @@ rt15860				new
 rt15878				new	
 rt15941				new	
 rt15958				new	
+rt15960				new	
 rt15970				new	
 rt15976				new	
 rt1727				open		// ixfr-from-differences workfile

From de8cb0a69bb4abe1db41a6932d54c14b4327c76b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 8 May 2006 15:45:50 +0000
Subject: [PATCH 170/465] regen

---
 doc/arm/Bv9ARM.ch01.html |  50 ++++++-------
 doc/arm/Bv9ARM.ch02.html |  22 +++---
 doc/arm/Bv9ARM.ch03.html |  26 +++----
 doc/arm/Bv9ARM.ch04.html |  74 ++++++++++----------
 doc/arm/Bv9ARM.ch05.html |   6 +-
 doc/arm/Bv9ARM.ch06.html | 132 +++++++++++++++++-----------------
 doc/arm/Bv9ARM.ch07.html |  14 ++--
 doc/arm/Bv9ARM.ch08.html |  18 ++---
 doc/arm/Bv9ARM.ch09.html |  26 +++----
 doc/arm/Bv9ARM.html      | 148 +++++++++++++++++++--------------------
 10 files changed, 258 insertions(+), 258 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 0cdfe6d7dd..aa433d33bd 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,17 +45,17 @@
 

 
Table of Contents

 

-
Scope of Document

-
Organization of This Document

-
Conventions Used in This Document

-
The Domain Name System (DNS)

+
Scope of Document

+
Organization of This Document

+
Conventions Used in This Document

+
The Domain Name System (DNS)

 

-
DNS Fundamentals

-
Domains and Domain Names

-
Zones

-
Authoritative Name Servers

-
Caching Name Servers

-
Name Servers in Multiple Roles

+
DNS Fundamentals

+
Domains and Domain Names

+
Zones

+
Authoritative Name Servers

+
Caching Name Servers

+
Name Servers in Multiple Roles

 

 

 

@@ -67,7 +67,7 @@
   hierarchical databases.

 

 

-Scope of Document

+Scope of Document

 
The Berkeley Internet Name Domain (BIND) implements an
     domain name server for a number of operating systems. This
     document provides basic information about the installation and
@@ -78,7 +78,7 @@
 
 

 

-Organization of This Document

+Organization of This Document

 
In this document, Section 1 introduces
     the basic DNS and BIND concepts. Section 2
     describes resource requirements for running BIND in various
@@ -103,7 +103,7 @@
 
 

 

-Conventions Used in This Document

+Conventions Used in This Document

 
In this document, we use the following general typographic
     conventions:

 

 
 


@@ -169,7 +169,7 @@ describe:

 
 

 

-The Domain Name System (DNS)

+The Domain Name System (DNS)

 
The purpose of this document is to explain the installation
 and upkeep of the BIND software package, and we
 begin by reviewing the fundamentals of the Domain Name System
@@ -177,7 +177,7 @@ begin by reviewing the fundamentals of the Domain Name System
 

 

 

-DNS Fundamentals

+DNS Fundamentals

 
The Domain Name System (DNS) is the hierarchical, distributed
 database.  It stores information for mapping Internet host names to IP
 addresses and vice versa, mail routing information, and other data
@@ -190,7 +190,7 @@ name server and a resolver library.

 
 

 

-Domains and Domain Names

+Domains and Domain Names

 
The data stored in the DNS is identified by domain
 names that are organized as a tree according to
 organizational or administrative boundaries. Each node of the tree,
@@ -227,7 +227,7 @@ the DNS protocol, please refer to the standards documents listed in
 
 

 

-Zones

+Zones

 
To properly operate a name server, it is important to understand
 the difference between a zone
 and a domain.

@@ -267,7 +267,7 @@ actually asking for slave service for some collection of zones.

 
 

 

-Authoritative Name Servers

+Authoritative Name Servers

 
Each zone is served by at least
 one authoritative name server,
 which contains the complete data for the zone.
@@ -280,7 +280,7 @@ easy to identify when debugging DNS configurations using tools like
 dig (the section called “Diagnostic Tools”).

 

 

-The Primary Master

+The Primary Master

 

 The authoritative server where the master copy of the zone data is maintained is
 called the primary master server, or simply the
@@ -291,7 +291,7 @@ the zone file or <
 
 

 

-Slave Servers

+Slave Servers

 
The other authoritative servers, the slave
 servers (also known as secondary servers) load
 the zone contents from another server using a replication process
@@ -302,7 +302,7 @@ may itself act as a master to a subordinate slave server.

 
 

 

-Stealth Servers

+Stealth Servers

 
Usually all of the zone's authoritative servers are listed in 
 NS records in the parent zone.  These NS records constitute
 a delegation of the zone from the parent.
@@ -327,7 +327,7 @@ with the outside world.

 
 

 

-Caching Name Servers

+Caching Name Servers

 
The resolver libraries provided by most operating systems are 
 stub resolvers, meaning that they are not capable of
 performing the full DNS resolution process by themselves by talking
@@ -346,7 +346,7 @@ Time To Live (TTL) field associated with each resource record.
 

 

 

-Forwarding

+Forwarding

 
Even a caching name server does not necessarily perform
 the complete recursive lookup itself.  Instead, it can
 forward some or all of the queries
@@ -369,7 +369,7 @@ of.

 
 

 

-Name Servers in Multiple Roles

+Name Servers in Multiple Roles

 
The BIND name server can simultaneously act as
 a master for some zones, a slave for other zones, and as a caching
 (recursive) server for a set of local clients.

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 32edbb26e9..5123206ada 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,16 +45,16 @@
 

 
Table of Contents

 

-
Hardware requirements

-
CPU Requirements

-
Memory Requirements

-
Nameserver Intensive Environment Issues

-
Supported Operating Systems

+
Hardware requirements

+
CPU Requirements

+
Memory Requirements

+
Nameserver Intensive Environment Issues

+
Supported Operating Systems

 

 

 

 

-Hardware requirements

+Hardware requirements

 
DNS hardware requirements have traditionally been quite modest.
 For many installations, servers that have been pensioned off from
 active duty have performed admirably as DNS servers.

@@ -66,7 +66,7 @@ multiprocessor systems for installations that need it.

 
 

 

-CPU Requirements

+CPU Requirements

 
CPU requirements for BIND 9 range from i486-class machines
 for serving of static zones without caching, to enterprise-class
 machines if you intend to process many dynamic updates and DNSSEC
@@ -74,7 +74,7 @@ signed zones, serving many thousands of queries per second.

 
 

 

-Memory Requirements

+Memory Requirements

 
The memory of the server has to be large enough to fit the
 cache and zones loaded off disk.  The max-cache-size
 option can be used to limit the amount of memory used by the cache,
@@ -89,7 +89,7 @@ be set higher than this stable size.

 
 

 

-Nameserver Intensive Environment Issues

+Nameserver Intensive Environment Issues

 
For nameserver intensive environments, there are two alternative
 configurations that may be used. The first is where clients and
 any second-level internal nameservers query a main nameserver, which
@@ -103,7 +103,7 @@ as none of the nameservers share their cached data.

 
 

 

-Supported Operating Systems

+Supported Operating Systems

 
ISC BIND 9 compiles and runs on the following operating
 systems:

 

@@ -67,7 +67,7 @@ option setting.

 Sample Configurations
 

 

-A Caching-only Nameserver

+A Caching-only Nameserver

 
The following sample configuration is appropriate for a caching-only
 name server for use by clients internal to a corporation.  All queries
 from outside clients are refused.

@@ -91,7 +91,7 @@ zone "0.0.127.in-addr.arpa" {
 
 

 

-An Authoritative-only Nameserver

+An Authoritative-only Nameserver

 
This sample configuration is for an authoritative-only server
 that is the master server for "example.com"
 and a slave for the subdomain "eng.example.com".

@@ -133,7 +133,7 @@ zone "eng.example.com" {
 
 

 

-Load Balancing

+Load Balancing

 
Primitive load balancing can be achieved in DNS using multiple
 A records for one name.

 
For example, if you have three WWW servers with network addresses
@@ -208,10 +208,10 @@ of the time:

 
 

 

-Nameserver Operations

+Nameserver Operations

 

 

-Tools for Use With the Nameserver Daemon

+Tools for Use With the Nameserver Daemon

 
There are several indispensable diagnostic, administrative
 and monitoring tools available to the system administrator for controlling
 and debugging the nameserver daemon. We describe several in this
@@ -451,7 +451,7 @@ a rndc.key file and not modify
 
 

 

-Signals

+Signals

 
Certain UNIX signals cause the name server to take specific
 actions, as described in the following table.  These signals can
 be sent using the kill command.

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 91357c763a..359b4d73ac 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,30 +48,30 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Creating a Keyset

-
Signing the Child's Keyset

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Creating a Keyset

+
Signing the Child's Keyset

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
@@ -150,7 +150,7 @@ of the server statement.

 
 

 

-Split DNS

+Split DNS

 
Setting up different views, or visibility, of DNS space to
 internal and external resolvers is usually referred to as a Split
 DNS setup. There are several reasons an organization
@@ -352,13 +352,13 @@ for TSIG.

     -y command line options.

 

 

-Generate Shared Keys for Each Pair of Hosts

+Generate Shared Keys for Each Pair of Hosts

 
A shared secret is generated to be shared between host1 and host2.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.

 

 

-Automatic Generation

+Automatic Generation

 
The following command will generate a 128 bit (16 byte) HMAC-MD5
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is 512 bits;
@@ -375,7 +375,7 @@ be used as the shared secret.

 
 

 

-Manual Generation

+Manual Generation

 
The shared secret is simply a random sequence of bits, encoded
 in base-64. Most ASCII strings are valid base-64 strings (assuming
 the length is a multiple of 4 and only valid characters are used),
@@ -386,13 +386,13 @@ a similar program to generate base-64 encoded data.

 
 

 

-Copying the Shared Secret to Both Machines

+Copying the Shared Secret to Both Machines

 
This is beyond the scope of DNS. A secure transport mechanism
 should be used. This could be secure FTP, ssh, telephone, etc.

 
 

 

-Informing the Servers of the Key's Existence

+Informing the Servers of the Key's Existence

 
Imagine host1 and host 2 are
 both servers. The following is added to each server's named.conf file:

 
@@ -413,7 +413,7 @@ the same key.

 
 

 

-Instructing the Server to Use the Key

+Instructing the Server to Use the Key

 
Since keys are shared between two hosts only, the server must
 be told when keys are to be used. The following is added to the named.conf file
 for host1, if the IP address of host2 is
@@ -436,7 +436,7 @@ sign request messages to host1.

 
 

 

-TSIG Key Based Access Control

+TSIG Key Based Access Control

 
BIND allows IP addresses and ranges to be specified in ACL
 definitions and
 allow-{ query | transfer | update } directives.
@@ -454,7 +454,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Errors

+Errors

 
The processing of TSIG signed messages can result in
       several errors. If a signed message is sent to a non-TSIG aware
       server, a FORMERR will be returned, since the server will not
@@ -476,7 +476,7 @@ allow-update { key host1-host2. ;};
 
 

 

-TKEY

+TKEY

 
TKEY is a mechanism for automatically
     generating a shared secret between two hosts.  There are several
     "modes" of TKEY that specify how the key is
@@ -502,7 +502,7 @@ allow-update { key host1-host2. ;};
 
 

 

-SIG(0)

+SIG(0)

 
BIND 9 partially supports DNSSEC SIG(0) transaction
     signatures as specified in RFC 2535.  SIG(0) uses public/private
     keys to authenticate messages.  Access control is performed in the
@@ -541,7 +541,7 @@ allow-update { key host1-host2. ;};
     zone key of another zone above this one in the DNS tree.

 

 

-Generating Keys

+Generating Keys

 
The dnssec-keygen program is used to
       generate keys.

 
A secure zone must contain one or more zone keys.  The
@@ -574,7 +574,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Creating a Keyset

+Creating a Keyset

 
The dnssec-makekeyset program is used
       to create a key set from one or more keys.

 
Once the zone keys have been generated, a key set must be
@@ -602,7 +602,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Child's Keyset

+Signing the Child's Keyset

 
The dnssec-signkey program is used to
       sign one child's keyset.

 
If the child.example zone has any
@@ -622,7 +622,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Zone

+Signing the Zone

 
The dnssec-signzone program is used to
       sign a zone.

 
Any signedkey files corresponding to
@@ -645,7 +645,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Configuring Servers

+Configuring Servers

 
Unlike in BIND 8, 
 data is not verified on load in BIND 9,
 so zone keys for authoritative zones do not need to be specified
@@ -657,7 +657,7 @@ statement, as described later in this document. 

 
 

 

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

 
BIND 9 fully supports all currently
     defined forms of IPv6 name to address and address to name
     lookups.  It will also use IPv6 addresses to make queries when
@@ -679,7 +679,7 @@ statement, as described later in this document. 

     see the section called “IPv6 addresses (A6)”.

 

 

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

 
The AAAA record is a parallel to the IPv4 A record.  It
       specifies the entire address in a single record.  For
       example,

@@ -690,7 +690,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 

 

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

 
When looking up an address in nibble format, the address
       components are simply reversed, just as in IPv4, and
       IP6.ARPA. is appended to the resulting name.
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index e72e2c28ac..0b20c91dd8 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,13 +45,13 @@
 

 
Table of Contents

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 

 

 

-The Lightweight Resolver Library

+The Lightweight Resolver Library

 
Traditionally applications have been linked with a stub resolver
 library that sends recursive DNS queries to a local caching name
 server.

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 566262719d..1601accf87 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,44 +48,44 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
 Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and Usage

-
include Statement Grammar

-
include Statement Definition and Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
options Statement Grammar

-
options Statement Definition and Usage

+
include Statement Grammar

+
include Statement Definition and Usage

+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and Usage

+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
options Statement Grammar

+
options Statement Definition and Usage

 
server Statement Grammar

 
server Statement Definition and Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
 and Usage

-
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Grammar

+
view Statement Definition and Usage

 
zone
 Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 

 
 
@@ -224,7 +224,7 @@ are restricted to slave and stub zones.

 Address Match Lists
 

 

-Syntax

+Syntax

 
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -233,7 +233,7 @@ are restricted to slave and stub zones.

 
 

 

-Definition and Usage

+Definition and Usage

 
Address match lists are primarily used to determine access
 control for various server operations. They are also used to define
 priorities for querying other nameservers and to set the addresses
@@ -288,14 +288,14 @@ other 1.2.3.* hosts fall through.

 
 

 

-Comment Syntax

+Comment Syntax

 
The BIND 9 comment syntax allows for comments to appear
       anywhere that white space may appear in a BIND configuration
       file. To appeal to programmers of all kinds, they can be written
       in C, C++, or shell/perl constructs.

 

 

-Syntax

+Syntax

 
/* This is a BIND comment as in C */

 

 

@@ -308,7 +308,7 @@ other 1.2.3.* hosts fall through.

 
 

 

-Definition and Usage

+Definition and Usage

 
Comments may appear anywhere that whitespace may appear in
 a BIND configuration file.

 
C-style comments start with the two characters /* (slash,
@@ -417,7 +417,7 @@ a per-server basis.

     configuration.

 

 

-acl Statement Grammar

+acl Statement Grammar

 
acl acl-name { 
     address_match_list 
 };
@@ -470,7 +470,7 @@ complete set of local IPv6 addresses for a host.
 
 

 

-controls Statement Grammar

+controls Statement Grammar

 
controls {
    inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys {  key_list  };
@@ -568,12 +568,12 @@ statement: controls { };.
 
 

 

-include Statement Grammar

+include Statement Grammar

 
include filename;

 
 

 

-include Statement Definition and Usage

+include Statement Definition and Usage

 
The include statement inserts the
       specified file at the point that the include
       statement is encountered. The include
@@ -584,7 +584,7 @@ statement: controls { };.
 
 

 

-key Statement Grammar

+key Statement Grammar

 
key key_id {
     algorithm string;
     secret string;
@@ -593,7 +593,7 @@ statement: controls { };.
 
 

 

-key Statement Definition and Usage

+key Statement Definition and Usage

 
The key statement defines a shared
 secret key for use with TSIG, see the section called “TSIG”.

 

@@ -621,7 +621,7 @@ string.

 
 

 

-logging Statement Grammar

+logging Statement Grammar

 
logging {
    [ channel channel_name {
      ( file path name
@@ -645,7 +645,7 @@ string.

 
 

 

-logging Statement Definition and Usage

+logging Statement Definition and Usage

 
The logging statement configures a wide
 variety of logging options for the nameserver. Its channel phrase
 associates output methods, format options and severity levels with
@@ -668,7 +668,7 @@ channels, or to standard error if the "-g" option
 was specified.

 

 

-The channel Phrase

+The channel Phrase

 
All log output goes to one or more channels;
 you can make as many of them as you want.

 
Every channel definition must include a destination clause that
@@ -963,7 +963,7 @@ a delegation-only in a hint or stu
 
 

 

-lwres Statement Grammar

+lwres Statement Grammar

 
 This is the grammar of the lwres
 statement in the named.conf file:

 
lwres {
@@ -976,7 +976,7 @@ statement in the named.conf file:

 
 

 

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

 
The lwres statement configures the name
 server to also act as a lightweight resolver server, see
 the section called “Running a Resolver Daemon”.  There may be be multiple
@@ -1004,7 +1004,7 @@ exact match lookup before search path elements are appended.

 
 

 

-options Statement Grammar

+options Statement Grammar

 
This is the grammar of the options
 statement in the named.conf file:

 
options {
@@ -1102,7 +1102,7 @@ statement in the named.conf file:

 
 

 

-options Statement Definition and Usage

+options Statement Definition and Usage

 
The options statement sets up global options
 to be used by BIND. This statement may appear only
 once in a configuration file. If more than one occurrence is found,
@@ -1453,7 +1453,7 @@ The use of this option for any other purpose is discouraged.
 
 

 

-Forwarding

+Forwarding

 
The forwarding facility can be used to create a large site-wide
 cache on a few servers, reducing traffic over links to external
 nameservers. It can also be used to allow queries by servers that
@@ -1530,7 +1530,7 @@ from these addresses will not be responded to. The default is 
 

-Interfaces

+Interfaces
 
The interfaces and ports that the server will answer queries
 from may be specified using the listen-on option. listen-on takes
 an optional port, and an address_match_list.
@@ -1572,7 +1572,7 @@ the server will not listen on any IPv6 address.

 
 

 

-Query Address

+Query Address

 
If the server doesn't know the answer to a question, it will
 query other nameservers. query-source specifies
 the address and port used for such queries. For queries sent over
@@ -1734,7 +1734,7 @@ but applies to notify messages sent to IPv6 addresses.

 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 
The server's usage of many system resources can be limited.
 Scaled values are allowed when specifying resource limits.  For
 example, 1G can be used instead of
@@ -1778,7 +1778,7 @@ may use. The default is default.

 
 

 

-Server  Resource Limits

+Server  Resource Limits

 
The following options set limits on the server's
 resource consumption that are enforced internally by the
 server rather than the operating system.

@@ -1811,7 +1811,7 @@ records are purged from the cache only when their TTLs expire.
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 
The server will remove expired resource records
@@ -2267,7 +2267,7 @@ supported.

 

 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -2276,7 +2276,7 @@ supported.

 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
 and Usage

 
The trusted-keys statement defines DNSSEC
 security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the public key for a non-authoritative
@@ -2292,7 +2292,7 @@ key data.

 

 

 

-view Statement Grammar

+view Statement Grammar

 
view view_name [class] {
       match-clients { address_match_list } ;
       match-destinations { address_match_list } ;
@@ -2305,7 +2305,7 @@ key data.

 
 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 
The view statement is a powerful new feature
 of BIND 9 that lets a name server answer a DNS query differently
 depending on who is asking. It is particularly useful for implementing
@@ -2488,10 +2488,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 
@@ -2602,7 +2602,7 @@ from forwarders.

 
 

 

-Class

+Class

 
The zone's name may optionally be followed by a class. If
 a class is not specified, class IN (for Internet),
 is assumed. This is correct for the vast majority of cases.

@@ -2617,7 +2617,7 @@ in the mid-1970s. Zone data for it can be specified with the 
 

-Zone Options

+Zone Options
 

 
allow-notify

 
See the description of
@@ -2833,7 +2833,7 @@ SIG, NS, SOA, and NXT. Types may be specified by name, including
 

 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -2843,7 +2843,7 @@ Since the publication of RFC 1034, several new RRs have been identified
 and implemented in the DNS. These are also included.

 

 

-Resource Records

+Resource Records

 
A domain name identifies a node.  Each node has a set of
         resource information, which may be empty.  The set of resource
         information associated with a particular name is composed of
@@ -3118,7 +3118,7 @@ used as "pointers" to other data in the DNS.

 
 

 

-Textual expression of RRs

+Textual expression of RRs

 
RRs are represented in binary form in the packets of the DNS
 protocol, and are usually represented in highly encoded form when
 stored in a nameserver or resolver.  In the examples provided in
@@ -3208,7 +3208,7 @@ each of a different class.

 
 

 

-Discussion of MX Records

+Discussion of MX Records

 
As described above, domain servers store information as a
 series of resource records, each of which contains a particular
 piece of information about a given domain name (which is usually,
@@ -3325,7 +3325,7 @@ can be explicitly specified, for example, 1h30m. 
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 
Reverse name resolution (that is, translation from IP address
 to name) is achieved by means of the in-addr.arpa domain
 and PTR records. Entries in the in-addr.arpa domain are made in
@@ -3363,7 +3363,7 @@ that the example is relative to the listed origin.

 
 

 

-Other Zone File Directives

+Other Zone File Directives

 
The Master File Format was initially defined in RFC 1035 and
 has subsequently been extended. While the Master File Format itself
 is class independent all records in a Master File must be of the same
@@ -3372,7 +3372,7 @@ class.

 and $TTL.

 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 
Syntax: $ORIGIN
 domain-name [ comment]

 
$ORIGIN sets the domain name that will
@@ -3387,7 +3387,7 @@ WWW     CNAME   MAIN-SERVER
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 
Syntax: $INCLUDE
 filename [
 origin ] [ comment ]

@@ -3411,7 +3411,7 @@ This could be construed as a deviation from RFC 1035, a feature, or both.
 
 

 

-The $TTL Directive

+The $TTL Directive

 
Syntax: $TTL
 default-ttl [
 comment ]

@@ -3422,7 +3422,7 @@ with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.

 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 
Syntax: $GENERATE range lhs type rhs [ comment ]

 
$GENERATE is used to create a series of
 resource records that only differ from each other by an iterator. $GENERATE can
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index a758b9aab9..511bc04dad 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,11 +46,11 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid (for
+
chroot and setuid (for
 UNIX servers)

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -100,7 +100,7 @@ see the AUSCERT advisory at
 
 

 

-chroot and setuid (for
+chroot and setuid (for
 UNIX servers)

 
On UNIX servers, it is possible to run BIND in a chrooted environment
 (chroot()) by specifying the "-t"
@@ -115,7 +115,7 @@ user 202:

 
/usr/local/bin/named -u 202 -t /var/named

 

 

-The chroot Environment

+The chroot Environment

 
In order for a chroot() environment to
 work properly in a particular directory
 (for example, /var/named),
@@ -140,7 +140,7 @@ to set up things like
 
 

 

-Using the setuid Function

+Using the setuid Function

 
Prior to running the named daemon, use
 the touch utility (to change file access and
 modification times) or the chown utility (to
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index b9364d7263..25fd419a12 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 
The best solution to solving installation and
       configuration issues is to take preventative measures by setting
       up logging files beforehand. The log files provide a
@@ -66,7 +66,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 
Zone serial numbers are just numbers-they aren't date
     related.  A lot of people set them to a number that represents a
     date, usually of the form YYYYMMDDRR. A number of people have been
@@ -87,7 +87,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 
The Internet Software Consortium (ISC) offers a wide range
     of support and service agreements for BIND and DHCP servers. Four
     levels of premium support are available and each level includes
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 2acd53e28e..e1d81f2a78 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -43,26 +43,26 @@
 

 
Table of Contents

 

-
Acknowledgements

-
A Brief History of the DNS and BIND

+
Acknowledgements

+
A Brief History of the DNS and BIND

 
Historical DNS Information

 
Classes of Resource Records

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (A6)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgements

+Acknowledgements

 

 

-A Brief History of the DNS and BIND

+A Brief History of the DNS and BIND

 
Although the "official" beginning of the Domain Name
       System occurred in 1984 with the publication of RFC 920, the
       core of the new system was described in 1983 in RFCs 882 and
@@ -122,7 +122,7 @@ individuals.

 Classes of Resource Records
 

 

-HS = hesiod

+HS = hesiod

 
The [hesiod] class is an information service
 developed by MIT's Project Athena. It is used to share information
 about various systems databases, such as users, groups, printers
@@ -131,7 +131,7 @@ hesiod.

 
 

 

-CH = chaos

+CH = chaos

 
The chaos class is used to specify zone
 data for the MIT-developed CHAOSnet, a LAN protocol created in the
 mid-1970s.

@@ -140,7 +140,7 @@ mid-1970s.

 
 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (A6)

@@ -320,7 +320,7 @@ the number of the RFC). RFCs are also available via the Web at
 

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -420,11 +420,11 @@ after which they are deleted unless updated by their authors.
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 86a30cd5b5..3d4f4bda75 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,40 +51,40 @@
 

 
1. Introduction 

 

-
Scope of Document

-
Organization of This Document

-
Conventions Used in This Document

-
The Domain Name System (DNS)

+
Scope of Document

+
Organization of This Document

+
Conventions Used in This Document

+
The Domain Name System (DNS)

 

-
DNS Fundamentals

-
Domains and Domain Names

-
Zones

-
Authoritative Name Servers

-
Caching Name Servers

-
Name Servers in Multiple Roles

+
DNS Fundamentals

+
Domains and Domain Names

+
Zones

+
Authoritative Name Servers

+
Caching Name Servers

+
Name Servers in Multiple Roles

 

 

 
2. BIND Resource Requirements

 

-
Hardware requirements

-
CPU Requirements

-
Memory Requirements

-
Nameserver Intensive Environment Issues

-
Supported Operating Systems

+
Hardware requirements

+
CPU Requirements

+
Memory Requirements

+
Nameserver Intensive Environment Issues

+
Supported Operating Systems

 

 
3. Nameserver Configuration

 

 
Sample Configurations

 

-
A Caching-only Nameserver

-
An Authoritative-only Nameserver

+
A Caching-only Nameserver

+
An Authoritative-only Nameserver

 

-
Load Balancing

+
Load Balancing

 
Notify

-
Nameserver Operations

+
Nameserver Operations

 

-
Tools for Use With the Nameserver Daemon

-
Signals

+
Tools for Use With the Nameserver Daemon

+
Signals

 

 

 
4. Advanced Concepts

@@ -92,35 +92,35 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Creating a Keyset

-
Signing the Child's Keyset

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Creating a Keyset

+
Signing the Child's Keyset

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 

 
5. The BIND 9 Lightweight Resolver

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 
6. BIND 9 Configuration Reference

@@ -128,77 +128,77 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
 Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and Usage

-
include Statement Grammar

-
include Statement Definition and Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
options Statement Grammar

-
options Statement Definition and Usage

+
include Statement Grammar

+
include Statement Definition and Usage

+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and Usage

+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
options Statement Grammar

+
options Statement Definition and Usage

 
server Statement Grammar

 
server Statement Definition and Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
 and Usage

-
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Grammar

+
view Statement Definition and Usage

 
zone
 Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid (for
+
chroot and setuid (for
 UNIX servers)

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgements

-
A Brief History of the DNS and BIND

+
Acknowledgements

+
A Brief History of the DNS and BIND

 
Historical DNS Information

 
Classes of Resource Records

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (A6)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

From b15d6bddeb80c985f42986dba362c2aaf8803462 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 8 May 2006 15:46:27 +0000
Subject: [PATCH 171/465] regen

---
 bin/named/named.conf.html        |   4 +-
 doc/arm/Bv9ARM.ch01.html         |  50 +++++------
 doc/arm/Bv9ARM.ch02.html         |  22 ++---
 doc/arm/Bv9ARM.ch03.html         |  26 +++---
 doc/arm/Bv9ARM.ch04.html         |  66 +++++++-------
 doc/arm/Bv9ARM.ch05.html         |   6 +-
 doc/arm/Bv9ARM.ch06.html         | 136 ++++++++++++++---------------
 doc/arm/Bv9ARM.ch07.html         |  14 +--
 doc/arm/Bv9ARM.ch08.html         |  18 ++--
 doc/arm/Bv9ARM.ch09.html         |  18 ++--
 doc/arm/Bv9ARM.html              | 144 +++++++++++++++----------------
 doc/arm/man.dig.html             |  20 ++---
 doc/arm/man.dnssec-keygen.html   |  14 +--
 doc/arm/man.dnssec-signzone.html |  12 +--
 doc/arm/man.host.html            |  10 +--
 doc/arm/man.named-checkconf.html |  12 +--
 doc/arm/man.named-checkzone.html |  12 +--
 doc/arm/man.named.html           |  16 ++--
 doc/arm/man.rndc-confgen.html    |  12 +--
 doc/arm/man.rndc.conf.html       |  12 +--
 doc/arm/man.rndc.html            |  12 +--
 21 files changed, 318 insertions(+), 318 deletions(-)

diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index d07e1e7740..3399b15a19 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -451,7 +451,7 @@ view
 

 
 

-
ZONE

+
ZONE

 


 zone string optional_class {

 	type ( master | slave | stub | hint |

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 02589fec3a..e0ef79e32a 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,17 +45,17 @@
 

 
Table of Contents

 

-
Scope of Document

-
Organization of This Document

-
Conventions Used in This Document

-
The Domain Name System (DNS)

+
Scope of Document

+
Organization of This Document

+
Conventions Used in This Document

+
The Domain Name System (DNS)

 

-
DNS Fundamentals

-
Domains and Domain Names

-
Zones

-
Authoritative Name Servers

-
Caching Name Servers

-
Name Servers in Multiple Roles

+
DNS Fundamentals

+
Domains and Domain Names

+
Zones

+
Authoritative Name Servers

+
Caching Name Servers

+
Name Servers in Multiple Roles

 

 

 

@@ -71,7 +71,7 @@
     

 

 

-Scope of Document

+Scope of Document

 

         The Berkeley Internet Name Domain
         (BIND) implements an
@@ -87,7 +87,7 @@
 
 

 

-Organization of This Document

+Organization of This Document

 

         In this document, Section 1 introduces
         the basic DNS and BIND concepts. Section 2
@@ -116,7 +116,7 @@
 
 

 

-Conventions Used in This Document

+Conventions Used in This Document

 

         In this document, we use the following general typographic
         conventions:
@@ -243,7 +243,7 @@
 
 

 

-The Domain Name System (DNS)

+The Domain Name System (DNS)

 

         The purpose of this document is to explain the installation
         and upkeep of the BIND software
@@ -253,7 +253,7 @@
       

 

 

-DNS Fundamentals

+DNS Fundamentals

 

           The Domain Name System (DNS) is a hierarchical, distributed
           database.  It stores information for mapping Internet host names to
@@ -273,7 +273,7 @@
 
 

 

-Domains and Domain Names

+Domains and Domain Names

 

           The data stored in the DNS is identified by domain names that are organized as a tree according to
           organizational or administrative boundaries. Each node of the tree,
@@ -319,7 +319,7 @@
 
 

 

-Zones

+Zones

 

           To properly operate a name server, it is important to understand
           the difference between a zone
@@ -372,7 +372,7 @@
 
 

 

-Authoritative Name Servers

+Authoritative Name Servers

 

           Each zone is served by at least
           one authoritative name server,
@@ -389,7 +389,7 @@
         

 

 

-The Primary Master

+The Primary Master

 

             The authoritative server where the master copy of the zone
             data is maintained is called the
@@ -409,7 +409,7 @@
 
 

 

-Slave Servers

+Slave Servers

 

             The other authoritative servers, the slave
             servers (also known as secondary servers)
@@ -425,7 +425,7 @@
 
 

 

-Stealth Servers

+Stealth Servers

 

             Usually all of the zone's authoritative servers are listed in
             NS records in the parent zone.  These NS records constitute
@@ -460,7 +460,7 @@
 
 

 

-Caching Name Servers

+Caching Name Servers

 

           The resolver libraries provided by most operating systems are
           stub resolvers, meaning that they are not
@@ -487,7 +487,7 @@
         

 

 

-Forwarding

+Forwarding

 

             Even a caching name server does not necessarily perform
             the complete recursive lookup itself.  Instead, it can
@@ -514,7 +514,7 @@
 
 

 

-Name Servers in Multiple Roles

+Name Servers in Multiple Roles

 

           The BIND name server can
           simultaneously act as
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index fba60c0112..2ec2e32996 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,16 +45,16 @@
 

 
Table of Contents

 

-
Hardware requirements

-
CPU Requirements

-
Memory Requirements

-
Name Server Intensive Environment Issues

-
Supported Operating Systems

+
Hardware requirements

+
CPU Requirements

+
Memory Requirements

+
Name Server Intensive Environment Issues

+
Supported Operating Systems

 

 

 

 

-Hardware requirements

+Hardware requirements

 

         DNS hardware requirements have
         traditionally been quite modest.
@@ -73,7 +73,7 @@
 
 

 

-CPU Requirements

+CPU Requirements

 

         CPU requirements for BIND 9 range from
         i486-class machines
@@ -84,7 +84,7 @@
 
 

 

-Memory Requirements

+Memory Requirements

 

         The memory of the server has to be large enough to fit the
         cache and zones loaded off disk.  The max-cache-size
@@ -107,7 +107,7 @@
 
 

 

-Name Server Intensive Environment Issues

+Name Server Intensive Environment Issues

 

         For name server intensive environments, there are two alternative
         configurations that may be used. The first is where clients and
@@ -124,7 +124,7 @@
 
 

 

-Supported Operating Systems

+Supported Operating Systems

 

         ISC BIND 9 compiles and runs on a large
         number
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 5f86862896..d993fa56e3 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,14 +47,14 @@
 

 
Sample Configurations

 

-
A Caching-only Name Server

-
An Authoritative-only Name Server

+
A Caching-only Name Server

+
An Authoritative-only Name Server

 

-
Load Balancing

-
Name Server Operations

+
Load Balancing

+
Name Server Operations

 

-
Tools for Use With the Name Server Daemon

-
Signals

+
Tools for Use With the Name Server Daemon

+
Signals

 

 

 
@@ -68,7 +68,7 @@
 Sample Configurations
 

 

-A Caching-only Name Server

+A Caching-only Name Server

 

           The following sample configuration is appropriate for a caching-only
           name server for use by clients internal to a corporation.  All
@@ -95,7 +95,7 @@ zone "0.0.127.in-addr.arpa" {
 
 

 

-An Authoritative-only Name Server

+An Authoritative-only Name Server

 

           This sample configuration is for an authoritative-only server
           that is the master server for "example.com"
@@ -137,7 +137,7 @@ zone "eng.example.com" {
 
 

 

-Load Balancing

+Load Balancing

 

         A primitive form of load balancing can be achieved in
         the DNS by using multiple A records for
@@ -280,10 +280,10 @@ zone "eng.example.com" {
 
 

 

-Name Server Operations

+Name Server Operations

 

 

-Tools for Use With the Name Server Daemon

+Tools for Use With the Name Server Daemon

 

           This section describes several indispensable diagnostic,
           administrative and monitoring tools available to the system
@@ -741,7 +741,7 @@ controls {
 
 

 

-Signals

+Signals

 

           Certain UNIX signals cause the name server to take specific
           actions, as described in the following table.  These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 5b0c992a72..e07692fc08 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -49,28 +49,28 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
@@ -204,7 +204,7 @@
 
 

 

-Split DNS

+Split DNS

 

         Setting up different views, or visibility, of the DNS space to
         internal and external resolvers is usually referred to as a
@@ -479,7 +479,7 @@ nameserver 172.16.72.4
       

 

 

-Generate Shared Keys for Each Pair of Hosts

+Generate Shared Keys for Each Pair of Hosts

 

           A shared secret is generated to be shared between host1 and host2.
           An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -487,7 +487,7 @@ nameserver 172.16.72.4
         

 

 

-Automatic Generation

+Automatic Generation

 

             The following command will generate a 128 bit (16 byte) HMAC-MD5
             key as described above. Longer keys are better, but shorter keys
@@ -512,7 +512,7 @@ nameserver 172.16.72.4
 
 

 

-Manual Generation

+Manual Generation

 

             The shared secret is simply a random sequence of bits, encoded
             in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -527,7 +527,7 @@ nameserver 172.16.72.4
 
 

 

-Copying the Shared Secret to Both Machines

+Copying the Shared Secret to Both Machines

 

           This is beyond the scope of DNS. A secure transport mechanism
           should be used. This could be secure FTP, ssh, telephone, etc.
@@ -535,7 +535,7 @@ nameserver 172.16.72.4
 
 

 

-Informing the Servers of the Key's Existence

+Informing the Servers of the Key's Existence

 

           Imagine host1 and host 2
           are
@@ -564,7 +564,7 @@ key host1-host2. {
 
 

 

-Instructing the Server to Use the Key

+Instructing the Server to Use the Key

 

           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the named.conf file
@@ -596,7 +596,7 @@ server 10.1.2.3 {
 
 

 

-TSIG Key Based Access Control

+TSIG Key Based Access Control

 

           BIND allows IP addresses and ranges
           to be specified in ACL
@@ -624,7 +624,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Errors

+Errors

 

           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
@@ -650,7 +650,7 @@ allow-update { key host1-host2. ;};
 
 

 

-TKEY

+TKEY

 
TKEY
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
@@ -686,7 +686,7 @@ allow-update { key host1-host2. ;};
 
 

 

-SIG(0)

+SIG(0)

 

         BIND 9 partially supports DNSSEC SIG(0)
             transaction signatures as specified in RFC 2535 and RFC2931.
@@ -747,7 +747,7 @@ allow-update { key host1-host2. ;};
       

 

 

-Generating Keys

+Generating Keys

 

           The dnssec-keygen program is used to
           generate keys.
@@ -798,7 +798,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Zone

+Signing the Zone

 

           The dnssec-signzone program is used
           to
@@ -842,7 +842,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Configuring Servers

+Configuring Servers

 

           To enable named to respond appropriately
           to DNS requests from DNSSEC aware clients
@@ -930,7 +930,7 @@ options {
 
 

 

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

 

         BIND 9 fully supports all currently
         defined forms of IPv6
@@ -969,7 +969,7 @@ options {
       

 

 

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

 

           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -988,7 +988,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 

 

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

 

           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 2a6a7dbe0a..330444d47a 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,13 +45,13 @@
 

 
Table of Contents

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 

 

 

-The Lightweight Resolver Library

+The Lightweight Resolver Library

 

         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 683e623883..30e859950d 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,52 +48,52 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
@@ -428,7 +428,7 @@
 Address Match Lists
 

 

-Syntax

+Syntax

 
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -437,7 +437,7 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -515,7 +515,7 @@
 
 

 

-Comment Syntax

+Comment Syntax

 

           The BIND 9 comment syntax allows for
           comments to appear
@@ -525,7 +525,7 @@
         

 

 

-Syntax

+Syntax

 

             

 
/* This is a BIND comment as in C */

@@ -540,7 +540,7 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

             Comments may appear anywhere that whitespace may appear in
             a BIND configuration file.
@@ -774,7 +774,7 @@
       

 

 

-acl Statement Grammar

+acl Statement Grammar

 
acl acl-name {
     address_match_list
 };
@@ -857,7 +857,7 @@
 
 

 

-controls Statement Grammar

+controls Statement Grammar

 
controls {
    [ inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys { key_list }; ]
@@ -979,12 +979,12 @@
 
 

 

-include Statement Grammar

+include Statement Grammar

 
include filename;

 
 

 

-include Statement Definition and
+include Statement Definition and
           Usage

 

           The include statement inserts the
@@ -999,7 +999,7 @@
 

 

 

-key Statement Grammar

+key Statement Grammar

 
key key_id {
     algorithm string;
     secret string;
@@ -1008,7 +1008,7 @@
 
 

 

-key Statement Definition and Usage

+key Statement Definition and Usage

 

           The key statement defines a shared
           secret key for use with TSIG (see the section called “TSIG”)
@@ -1055,7 +1055,7 @@
 
 

 

-logging Statement Grammar

+logging Statement Grammar

 
logging {
    [ channel channel_name {
      ( file path name
@@ -1079,7 +1079,7 @@
 
 

 

-logging Statement Definition and
+logging Statement Definition and
           Usage

 

           The logging statement configures a
@@ -1113,7 +1113,7 @@
         

 

 

-The channel Phrase

+The channel Phrase

 

             All log output goes to one or more channels;
             you can make as many of them as you want.
@@ -1632,7 +1632,7 @@ category notify { null; };
 
 

 

-lwres Statement Grammar

+lwres Statement Grammar

 

            This is the grammar of the lwres
           statement in the named.conf file:
@@ -1647,7 +1647,7 @@ category notify { null; };
 
 

 

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

 

           The lwres statement configures the
           name
@@ -1698,14 +1698,14 @@ category notify { null; };
 
 

 

-masters Statement Grammar

+masters Statement Grammar

 
 masters name [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] };
 

 
 

 

-masters Statement Definition and
+masters Statement Definition and
           Usage

 
masters
           lists allow for a common set of masters to be easily used by
@@ -1714,7 +1714,7 @@ category notify { null; };
 

 

 

-options Statement Grammar

+options Statement Grammar

 

           This is the grammar of the options
           statement in the named.conf file:
@@ -2763,7 +2763,7 @@ options {
 
 

 

-Forwarding

+Forwarding

 

             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2807,7 +2807,7 @@ options {
 
 

 

-Dual-stack Servers

+Dual-stack Servers

 

             Dual-stack servers are used as servers of last resort to work
             around
@@ -2967,7 +2967,7 @@ options {
 
 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3047,7 +3047,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 

 

-Query Address

+Query Address

 

             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3327,7 +3327,7 @@ query-source-v6 address * port *;
 
 

 

-Bad UDP Port Lists

+Bad UDP Port Lists

 
avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3341,7 +3341,7 @@ query-source-v6 address * port *;
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3401,7 +3401,7 @@ query-source-v6 address * port *;
 
 

 

-Server  Resource Limits

+Server  Resource Limits

 

             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3479,7 +3479,7 @@ query-source-v6 address * port *;
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -4514,7 +4514,7 @@ query-source-v6 address * port *;
 

 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4523,7 +4523,7 @@ query-source-v6 address * port *;
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -4566,7 +4566,7 @@ query-source-v6 address * port *;
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -4817,10 +4817,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 

@@ -5029,7 +5029,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5051,7 +5051,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
journal

 

@@ -5534,7 +5534,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -5547,7 +5547,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6198,7 +6198,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6401,7 +6401,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6659,7 +6659,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6720,7 +6720,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6735,7 +6735,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -6763,7 +6763,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -6799,7 +6799,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -6818,7 +6818,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index c4dfa215a6..1b9870af86 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -116,7 +116,7 @@ zone "example.com" {
 
 

 

-chroot and setuid

+chroot and setuid

 

           On UNIX servers, it is possible to run BIND in a chrooted environment
           (chroot()) by specifying the "-t"
@@ -139,7 +139,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot() environment
             to
@@ -167,7 +167,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 4ee655c709..3be206d2b7 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 59693f1caa..e7a061ab3c 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND

@@ -145,7 +145,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -232,7 +232,7 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -417,11 +417,11 @@
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 72ed763a3a..172935810f 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -40,7 +40,7 @@
 

 

 

-BIND 9 Administrator Reference Manual

+BIND 9 Administrator Reference Manual

 
Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC")

 
Copyright © 2000-2003 Internet Software Consortium.

 

@@ -51,39 +51,39 @@
 

 
1. Introduction

 

-
Scope of Document

-
Organization of This Document

-
Conventions Used in This Document

-
The Domain Name System (DNS)

+
Scope of Document

+
Organization of This Document

+
Conventions Used in This Document

+
The Domain Name System (DNS)

 

-
DNS Fundamentals

-
Domains and Domain Names

-
Zones

-
Authoritative Name Servers

-
Caching Name Servers

-
Name Servers in Multiple Roles

+
DNS Fundamentals

+
Domains and Domain Names

+
Zones

+
Authoritative Name Servers

+
Caching Name Servers

+
Name Servers in Multiple Roles

 

 

 
2. BIND Resource Requirements

 

-
Hardware requirements

-
CPU Requirements

-
Memory Requirements

-
Name Server Intensive Environment Issues

-
Supported Operating Systems

+
Hardware requirements

+
CPU Requirements

+
Memory Requirements

+
Name Server Intensive Environment Issues

+
Supported Operating Systems

 

 
3. Name Server Configuration

 

 
Sample Configurations

 

-
A Caching-only Name Server

-
An Authoritative-only Name Server

+
A Caching-only Name Server

+
An Authoritative-only Name Server

 

-
Load Balancing

-
Name Server Operations

+
Load Balancing

+
Name Server Operations

 

-
Tools for Use With the Name Server Daemon

-
Signals

+
Tools for Use With the Name Server Daemon

+
Signals

 

 

 
4. Advanced DNS Features

@@ -92,33 +92,33 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 

 
5. The BIND 9 Lightweight Resolver

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 
6. BIND 9 Configuration Reference

@@ -126,83 +126,83 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index ec92cbd5a5..793bcbc4c4 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -137,7 +137,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index b84385b6e7..e063393286 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -166,7 +166,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index b0326dbd10..09c8854dfe 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -257,7 +257,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -283,14 +283,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 93a0e0c041..ff83ad3339 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index a589dcb668..2f49dd6491 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-v] [-j] [-t directory] {filename} [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -88,20 +88,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 47522c1792..3ce08b0ed0 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -251,21 +251,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index ed38ebe451..782f08057c 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -198,7 +198,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -241,7 +241,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -252,7 +252,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 3f59da5e76..01b805eb60 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -171,7 +171,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 87cf96ac3e..883879fe76 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index bd1e293760..dcc448fb58 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 


From daf193f2f4f12b10699af0c4fd03e6443d7680d9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sat, 13 May 2006 23:17:49 +0000
Subject: [PATCH 172/465] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index a4d179f5d8..ee702e7b7b 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -14,6 +14,8 @@ custom_WFB_v9_3_2		new
 gssapi3-skan			new	
 gsstsig2			open	sra	// old (circa 9.3.0) gss-tsig, finally worked with hacked heimdal spnego
 gsstsig3			new	
+gsstsig4			new	
+gsstsig4_win32			new	
 jinmei-mmapzone-test		new		// mmap based zone file. very experimental, just for reference purposes
 jinmei_libdnsng			new	
 libbind_clean			open	jinmei

From a24742821b690ca638ad7ca136f9fccd4c5a4b44 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 15 May 2006 06:10:58 +0000
Subject: [PATCH 173/465] recusion -> recursion

---
 bin/dig/dig.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 1274034948..ac35558212 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.211 2006/01/27 02:35:14 marka Exp $ */
+/* $Id: dig.c,v 1.212 2006/05/15 06:10:58 marka Exp $ */
 
 /*! \file */
 
@@ -495,7 +495,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 			if (msg != query->lookup->sendmsg &&
 			    (msg->flags & DNS_MESSAGEFLAG_RD) != 0 &&
 			    (msg->flags & DNS_MESSAGEFLAG_RA) == 0)
-				printf(";; WARNING: recusion requested "
+				printf(";; WARNING: recursion requested "
 				       "but not available\n");
 		}
 		if (msg != query->lookup->sendmsg && extrabytes != 0U)

From c4d83bd905d6021eb5215c609d6151192e7068d7 Mon Sep 17 00:00:00 2001
From: Rob Austein 
Date: Mon, 15 May 2006 19:10:59 +0000
Subject: [PATCH 174/465] update gss-tsig-related branches

---
 doc/private/branches | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/private/branches b/doc/private/branches
index ee702e7b7b..90340841b8 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -10,12 +10,12 @@ Branch				Status	Whom	// Comments
 				closed		finished with
 
 custom_WFB_v9_3_1		private	
-custom_WFB_v9_3_2		new	
-gssapi3-skan			new	
-gsstsig2			open	sra	// old (circa 9.3.0) gss-tsig, finally worked with hacked heimdal spnego
-gsstsig3			new	
-gsstsig4			new	
-gsstsig4_win32			new	
+custom_WFB_v9_3_2		private
+gssapi3-skan			closed	graff
+gsstsig2			closed	sra	// old (circa 9.3.0) gss-tsig, finally worked with hacked heimdal spnego
+gsstsig3			closed	sra
+gsstsig4			open	sra	// head + gsstsig as of 12 may 2006
+gsstsig4_win32			open	danny	// sub-branch off gsstsig4 for windows development
 jinmei-mmapzone-test		new		// mmap based zone file. very experimental, just for reference purposes
 jinmei_libdnsng			new	
 libbind_clean			open	jinmei

From 9ab0b4f90e5a472352b62f55c21f08a0ccae115d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 15 May 2006 23:16:59 +0000
Subject: [PATCH 175/465] auto update

---
 doc/private/branches | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/doc/private/branches b/doc/private/branches
index 90340841b8..3e9c316eaa 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -10,10 +10,7 @@ Branch				Status	Whom	// Comments
 				closed		finished with
 
 custom_WFB_v9_3_1		private	
-custom_WFB_v9_3_2		private
-gssapi3-skan			closed	graff
-gsstsig2			closed	sra	// old (circa 9.3.0) gss-tsig, finally worked with hacked heimdal spnego
-gsstsig3			closed	sra
+custom_WFB_v9_3_2		private	
 gsstsig4			open	sra	// head + gsstsig as of 12 may 2006
 gsstsig4_win32			open	danny	// sub-branch off gsstsig4 for windows development
 jinmei-mmapzone-test		new		// mmap based zone file. very experimental, just for reference purposes
@@ -78,6 +75,7 @@ rt15958				new
 rt15960				new	
 rt15970				new	
 rt15976				new	
+rt16034				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	
@@ -117,6 +115,9 @@ ds13				closed
 ds_12				closed
 edns1				closed
 edns_size			closed
+gssapi3-skan			closed
+gsstsig2			closed		// old (circa 9.3.0) gss-tsig, finally worked with hacked heimdal spnego
+gsstsig3			closed
 ifiter_getifaddrs		closed
 ipl				closed
 ipv6-improvements		closed

From 82ecc9cd96239649dfeb0a16e31c3b978d0d266a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 03:10:23 +0000
Subject: [PATCH 176/465] 2016.   [bug]           Return a partial answer if
 recursion is not                         allowed but requested and we had the
 answer                         to the original qname. [RT #15945]

---
 CHANGES           | 14 +++++++++-----
 bin/named/query.c |  9 +++++----
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index f150696946..499a754055 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2016.	[bug]		Return a partial answer if recursion is not
+			allowed but requested and we had the answer
+			to the original qname. [RT #15945]
+
 2015.	[cleanup]	use-additional-cache is now acache-enable for
 			consistancy.  Default acache-enable off in BIND 9.4
 			as it requires memory usage to be configured.
@@ -156,7 +160,7 @@
 			Jason Vas Dias .
 
 1971.	[port]		linux: make detection of missing IF_NAMESIZE more
-                        robust. [RT #15443]
+			robust. [RT #15443]
 
 1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
 			unsigned SOA query. [RT #15775]
@@ -739,14 +743,14 @@
 
 1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
 
-1778.   [port]   	HUX 11.11: fix broken IN6ADDR_ANY_INIT and
+1778.	[port]		HUX 11.11: fix broken IN6ADDR_ANY_INIT and
 			IN6ADDR_LOOPBACK_INIT macros.
 
-1777.   [port]   	OSF 5.1: fix broken IN6ADDR_ANY_INIT and
+1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
 			IN6ADDR_LOOPBACK_INIT macros.
 
-1776.   [port]   	Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
-                        IN6ADDR_LOOPBACK_INIT macros.
+1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
+			IN6ADDR_LOOPBACK_INIT macros.
 
 1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
 
diff --git a/bin/named/query.c b/bin/named/query.c
index 4744655834..b3afcb0396 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.284 2006/03/09 23:39:00 marka Exp $ */
+/* $Id: query.c,v 1.285 2006/05/16 03:10:23 marka Exp $ */
 
 /*! \file */
 
@@ -3486,9 +3486,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		}
 	}
 	if (result != ISC_R_SUCCESS) {
-		if (result == DNS_R_REFUSED)
-			QUERY_ERROR(DNS_R_REFUSED);
-		else
+		if (result == DNS_R_REFUSED) {
+			if (!PARTIALANSWER(client))
+				QUERY_ERROR(DNS_R_REFUSED);
+		} else
 			QUERY_ERROR(DNS_R_SERVFAIL);
 		goto cleanup;
 	}

From 495ba4ad19cbd8ffc563b8578f6b74a667769f64 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 03:31:09 +0000
Subject: [PATCH 177/465] 2016.   [bug]           Return a partial answer if
 recursion is not                         allowed but requested and we had the
 answer                         to the original qname. [RT #15945]

---
 CHANGES           | 14 +++++++++-----
 bin/named/query.c |  9 +++++----
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 960659e079..1fe8a8b7e7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2016.	[bug]		Return a partial answer if recursion is not
+			allowed but requested and we had the answer
+			to the original qname. [RT #15945]
+
 2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
 			responses more gracefully. [RT #15941]
 
@@ -55,7 +59,7 @@
 			Jason Vas Dias .
 
 1971.	[port]		linux: make detection of missing IF_NAMESIZE more
-                        robust. [RT #15443]
+			robust. [RT #15443]
 
 1969.	[bug]		win32: the socket code was freeing the socket
 			structure too early. [RT #15776]
@@ -331,14 +335,14 @@
 
 1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
 
-1778.   [port]   	HUX 11.11: fix broken IN6ADDR_ANY_INIT and
+1778.	[port]		HUX 11.11: fix broken IN6ADDR_ANY_INIT and
 			IN6ADDR_LOOPBACK_INIT macros.
 
-1777.   [port]   	OSF 5.1: fix broken IN6ADDR_ANY_INIT and
+1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
 			IN6ADDR_LOOPBACK_INIT macros.
 
-1776.   [port]   	Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
-                        IN6ADDR_LOOPBACK_INIT macros.
+1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
+			IN6ADDR_LOOPBACK_INIT macros.
 
 1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
 
diff --git a/bin/named/query.c b/bin/named/query.c
index 8fc512c926..329d7ca87e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.198.2.25 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: query.c,v 1.198.2.26 2006/05/16 03:31:09 marka Exp $ */
 
 #include 
 
@@ -2507,9 +2507,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	result = query_getdb(client, client->query.qname, options, &zone, &db,
 			     &version, &is_zone);
 	if (result != ISC_R_SUCCESS) {
-		if (result == DNS_R_REFUSED)
-			QUERY_ERROR(DNS_R_REFUSED);
-		else
+		if (result == DNS_R_REFUSED) {
+			if (!PARTIALANSWER(client))
+				QUERY_ERROR(DNS_R_REFUSED);
+		} else
 			QUERY_ERROR(DNS_R_SERVFAIL);
 		goto cleanup;
 	}

From 7b68fa6229f1edadac44c7ec459c9ed77a8368c8 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 03:35:56 +0000
Subject: [PATCH 178/465] 2017.   [bug]           allow-query default was net
 correct. [RT #15946]

---
 CHANGES              | 2 ++
 bin/named/zoneconf.c | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 499a754055..2d333abdc5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2017.	[bug]		allow-query default was net correct. [RT #15946]
+
 2016.	[bug]		Return a partial answer if recursion is not
 			allowed but requested and we had the answer
 			to the original qname. [RT #15945]
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index d7cb752f74..4866374a83 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.132 2006/03/06 01:27:52 marka Exp $ */
+/* $Id: zoneconf.c,v 1.133 2006/05/16 03:35:56 marka Exp $ */
 
 /*% */
 
@@ -65,7 +65,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 		   void (*clearzacl)(dns_zone_t *))
 {
 	isc_result_t result;
-	const cfg_obj_t *maps[4];
+	const cfg_obj_t *maps[5];
 	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 	dns_acl_t *dacl = NULL;
@@ -80,6 +80,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 		if (options != NULL)
 			maps[i++] = options;
 	}
+	maps[i++] = ns_g_defaults;
 	maps[i] = NULL;
 
 	result = ns_config_get(maps, aclname, &aclobj);

From dc1f18f211a91735faf2771acc8438f0fbc70d4b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 03:44:54 +0000
Subject: [PATCH 179/465] 2018.   [bug]           Checking if the HMAC MD5
 private file was broken.                         [RT #15960]

---
 CHANGES             |  5 ++++-
 lib/dns/dst_parse.c | 23 +++++++++++++++--------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2d333abdc5..44461ac4a9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,7 @@
-2017.	[bug]		allow-query default was net correct. [RT #15946]
+2018.	[bug]		Checking if the HMAC MD5 private file was broken.
+			[RT #15960]
+
+2017.	[bug]		allow-query default was not correct. [RT #15946]
 
 2016.	[bug]		Return a partial answer if recursion is not
 			allowed but requested and we had the answer
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 6e84a533d4..9851ad11b7 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -18,7 +18,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.5 2006/01/27 23:57:46 marka Exp $
+ * $Id: dst_parse.c,v 1.6 2006/05/16 03:44:54 marka Exp $
  */
 
 #include 
@@ -161,15 +161,22 @@ static int
 check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
 	int i, j;
 
-	if (!((priv->nelements == HMACMD5_NTAGS) ||
-	      (old && (priv->nelements == OLD_HMACMD5_NTAGS))))
+	if (priv->nelements != HMACMD5_NTAGS) {
+		/*
+		 * If this a good old format and we are accepting
+		 * the old format return success.
+		 */
+		if (old && priv->nelements == OLD_HMACMD5_NTAGS &&
+		    priv->elements[0].tag == TAG_HMACMD5_KEY)
+			return (0);
 		return (-1);
-	if (priv->nelements == OLD_HMACMD5_NTAGS &&
-	    priv->elements[0].tag != TAG_HMACMD5_KEY)
-		return (-1);
-	for (i = 0; i < DSA_NTAGS; i++) {
+	}
+	/*
+	 * We must be new format at this point.
+	 */
+	for (i = 0; i < HMACMD5_NTAGS; i++) {
 		for (j = 0; j < priv->nelements; j++)
-			if (priv->elements[j].tag == TAG(DST_ALG_DSA, i))
+			if (priv->elements[j].tag == TAG(DST_ALG_HMACMD5, i))
 				break;
 		if (j == priv->nelements)
 			return (-1);

From b66ca17f2990433a3e277b50cc3c15f19cdd0771 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 03:54:35 +0000
Subject: [PATCH 180/465] 2019.   [tuning]        Reduce the amount of work
 performed per quantum                         when cleaning the cache. [RT
 #15986]

---
 CHANGES         | 3 +++
 lib/dns/cache.c | 9 +++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 44461ac4a9..525a6c4498 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2019.	[tuning]	Reduce the amount of work performed per quantum
+			when cleaning the cache. [RT #15986]
+
 2018.	[bug]		Checking if the HMAC MD5 private file was broken.
 			[RT #15960]
 
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 8f1fb11a1e..2019aeaae6 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.69 2006/05/04 02:24:06 marka Exp $ */
+/* $Id: cache.c,v 1.70 2006/05/16 03:54:35 marka Exp $ */
 
 /*! \file */
 
@@ -212,15 +212,16 @@ adjust_increment(cache_cleaner_t *cleaner, unsigned int remaining,
 	}
 
 	new = (names * interval);
-	new /= usecs;
+	new /= (usecs * 2);
 	if (new == 0)
 		new = 1;
-	else if (new > DNS_CACHE_CLEANERINCREMENT)
-		new = DNS_CACHE_CLEANERINCREMENT;
 
 	/* Smooth */
 	new = (new + cleaner->increment * 7) / 8;
 
+	if (new > DNS_CACHE_CLEANERINCREMENT)
+		new = DNS_CACHE_CLEANERINCREMENT;
+
 	cleaner->increment = (unsigned int)new;
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,

From 9900a6d0f818c514be740961df64e4ee433ae8b4 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 04:00:01 +0000
Subject: [PATCH 181/465] fix comment

---
 lib/dns/dst_parse.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 9851ad11b7..c427522c13 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -18,7 +18,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.6 2006/05/16 03:44:54 marka Exp $
+ * $Id: dst_parse.c,v 1.7 2006/05/16 04:00:01 marka Exp $
  */
 
 #include 
@@ -163,7 +163,7 @@ check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
 
 	if (priv->nelements != HMACMD5_NTAGS) {
 		/*
-		 * If this a good old format and we are accepting
+		 * If this is a good old format and we are accepting
 		 * the old format return success.
 		 */
 		if (old && priv->nelements == OLD_HMACMD5_NTAGS &&

From 5c45d30402af6860e1f66f5aa7d78dff58373b27 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 04:06:55 +0000
Subject: [PATCH 182/465] 2020.   [bug]           rdataset_setadditional()
 could leak memory. [RT #16034]

---
 CHANGES         |  2 ++
 lib/dns/rbtdb.c | 12 ++++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 525a6c4498..75f8a448e7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
+
 2019.	[tuning]	Reduce the amount of work performed per quantum
 			when cleaning the cache. [RT #15986]
 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index d8f3ac4be5..13fbffa3bf 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.232 2006/05/02 13:04:54 shane Exp $ */
+/* $Id: rbtdb.c,v 1.233 2006/05/16 04:06:55 marka Exp $ */
 
 /*! \file */
 
@@ -6626,11 +6626,15 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 	return (ISC_R_SUCCESS);
 
   fail:
-	if (newentry != NULL) {
-		if (newcbarg != NULL)
+	if (newcbarg != NULL) {
+		if (newentry != NULL) {
 			acache_cancelentry(rbtdb->common.mctx, newentry,
 					   &newcbarg);
-		dns_acache_detachentry(&newentry);
+			dns_acache_detachentry(&newentry);
+		}
+		dns_db_detachnode((dns_db_t *)rbtdb, &newcbarg->node);
+		dns_db_detach(&newcbarg->db);
+		isc_mem_put(rbtdb->common.mctx, newcbarg, sizeof(*newcbarg));
 	}
 
 	return (result);

From ffcc1bdb3635ef9c6992b9c24d7c85ebab2c393b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 06:07:09 +0000
Subject: [PATCH 183/465] make query-source{-v6} clearer

---
 bin/named/named.conf.docbook | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 1ba25acf88..3fc54dac7e 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Aug 13, 2004
@@ -232,8 +232,8 @@ options {
 	rfc2308-type1 boolean; // not yet implemented
 	additional-from-auth boolean;
 	additional-from-cache boolean;
-	query-source querysource4;
-	query-source-v6 querysource6;
+	query-source ( ( ipv4_address | * ) |  address ( ipv4_address | * )  )  port ( integer | * ) ;
+	query-source-v6 ( ( ipv6_address | * ) |  address ( ipv6_address | * )  )  port ( integer | * ) ;
 	cleaning-interval integer;
 	min-roots integer; // not implemented
 	lame-ttl integer;
@@ -380,8 +380,8 @@ view string optional_class
 	rfc2308-type1 boolean; // not yet implemented
 	additional-from-auth boolean;
 	additional-from-cache boolean;
-	query-source querysource4;
-	query-source-v6 querysource6;
+	query-source ( ( ipv4_address | * ) |  address ( ipv4_address | * )  )  port ( integer | * ) ;
+	query-source-v6 ( ( ipv6_address | * ) |  address ( ipv6_address | * )  )  port ( integer | * ) ;
 	cleaning-interval integer;
 	min-roots integer; // not implemented
 	lame-ttl integer;

From 842609ab8f3d3b59da7ffff89051b2cc81faf244 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 06:14:24 +0000
Subject: [PATCH 184/465] make query-source{-v6} clearer

---
 bin/named/named.conf.docbook | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 46fceb0183..95e781a1af 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
   
@@ -213,8 +213,8 @@ options {
 	rfc2308-type1 boolean; // not yet implemented
 	additional-from-auth boolean;
 	additional-from-cache boolean;
-	query-source querysource4;
-	query-source-v6 querysource6;
+	query-source  address ( ipv4_address | * )   port ( integer | * ) ;
+	query-source-v6  address ( ipv6_address | * )   port ( integer | * ) ;
 	cleaning-interval integer;
 	min-roots integer; // not implemented
 	lame-ttl integer;
@@ -318,8 +318,8 @@ view string optional_class
 	rfc2308-type1 boolean; // not yet implemented
 	additional-from-auth boolean;
 	additional-from-cache boolean;
-	query-source querysource4;
-	query-source-v6 querysource6;
+	query-source  address ( ipv4_address | * )   port ( integer | * ) ;
+	query-source-v6  address ( ipv6_address | * )   port ( integer | * ) ;
 	cleaning-interval integer;
 	min-roots integer; // not implemented
 	lame-ttl integer;

From 43dbc3935e243d92dc1d0fde0ef8464f266020bf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 06:42:09 +0000
Subject: [PATCH 185/465] grammer, spelling and clarity

---
 doc/arm/Bv9ARM-book.xml | 62 ++++++++++++++++++++---------------------
 1 file changed, 31 insertions(+), 31 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 80cfd85331..550e24249c 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -1097,7 +1097,7 @@ zone "eng.example.com" {
                   command
                   command
                 
-                command
+                The command
 		  is one of the following:
                 
 
@@ -1263,7 +1263,7 @@ zone "eng.example.com" {
                         made through dynamic update or IXFR are first saved to
                         the master files of the updated zones.
 			If -p is specified named's process id is returned.
-			This allows a external process to determine when named
+			This allows an external process to determine when named
 			had completed stopping.
                       
                     
@@ -1278,7 +1278,7 @@ zone "eng.example.com" {
                         the master files, but will be rolled forward from the
 			journal files when the server is restarted.
 			If -p is specified named's process id is returned.
-			This allows a external process to determine when named
+			This allows an external process to determine when named
 			had completed halting.
                       
                     
@@ -1599,7 +1599,7 @@ controls {
       
 
       
-	As slave zone can also be a master to other slaves, named,
+	As a slave zone can also be a master to other slaves, named,
         by default, sends NOTIFY messages for every zone
 	it loads.  Specifying notify master-only; will
 	cause named to only send NOTIFY for master
@@ -1880,7 +1880,7 @@ controls {
       
         Here is an example configuration for the setup we just
         described above. Note that this is only configuration information;
-        for information on how to configure your zone files, see 
+        for information on how to configure your zone files, see .
       
 
       
@@ -2170,7 +2170,7 @@ allow-update { key host1-host2. ;};
         
           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
-          server, a FORMERR will be returned, since the server will not
+          server, a FORMERR (format error) will be returned, since the server will not
           understand the record. This is a result of misconfiguration,
           since the server must be explicitly configured to send a TSIG
           signed message to a specific server.
@@ -2187,7 +2187,7 @@ allow-update { key host1-host2. ;};
           the TSIG extended error code set to BADTIME, and the time values
           will be adjusted so that the response can be successfully
           verified. In any of these cases, the message's rcode is set to
-          NOTAUTH.
+          NOTAUTH (not authoritative).
         
 
       
@@ -2287,7 +2287,7 @@ allow-update { key host1-host2. ;};
         There must also be communication with the administrators of
         the parent and/or child zone to transmit keys.  A zone's security
         status must be indicated by the parent zone for a DNSSEC capable
-        resolver to trust its data.  This is done through the presense
+        resolver to trust its data.  This is done through the presence
         or absence of a DS record at the
         delegation
         point.
@@ -2421,13 +2421,13 @@ allow-update { key host1-host2. ;};
 	  To enable named to validate answers from
 	  other servers both dnssec-enable and
 	  dnssec-validate must be set and some
-	  some trusted-keys must be configured
+	  trusted-keys must be configured
 	  into named.conf.
         
 	  
 	
 	  trusted-keys are copies of DNSKEY RRs
-	  for zones that are used to form the first link the the
+	  for zones that are used to form the first link in the
 	  cryptographic chain of trust.  All keys listed in
 	  trusted-keys (and corresponding zones)
 	  are deemed to exist and only the listed keys will be used
@@ -2497,7 +2497,7 @@ options {
 
 
 	
-	  None of the keys listed in this example are valid.  In particular
+	  None of the keys listed in this example are valid.  In particular,
 	  the root key is not valid.
 	
 
@@ -3125,7 +3125,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
         
           Definition and Usage
           
-            Comments may appear anywhere that whitespace may appear in
+            Comments may appear anywhere that white space may appear in
             a BIND configuration file.
           
           
@@ -3278,7 +3278,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
               
                 
                   configures named to
-                  also act as a light weight resolver daemon (lwresd).
+                  also act as a light-weight resolver daemon (lwresd).
                 
               
             
@@ -3474,7 +3474,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
           An inet control channel is a TCP socket
 	  listening at the specified ip_port on the
 	  specified ip_addr, which can be an IPv4 or IPv6
-	  address.  An ip_addr of * is
+	  address.  An ip_addr of * (asterisk) is
 	  interpreted as the IPv4 wildcard address; connections will be
 	  accepted on any of the system's IPv4 addresses.
 	  To listen on the IPv6 wildcard address,
@@ -3485,7 +3485,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
         
 
         
-          If no port is specified, port 953 is used.
+          If no port is specified, port 953 is used. The asterisk
 	  "*" cannot be used for ip_port.
         
 
@@ -3501,7 +3501,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
         
 
 	
-	  An unix control channel is a UNIX domain
+	  A unix control channel is a UNIX domain
 	  socket listening at the specified path in the file system.
 	  Access to the socket is specified by the perm,
 	  owner and group clauses.
@@ -3870,7 +3870,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
             with the  flag followed by a positive integer,
             or by running rndc trace.
             The global debug level
-            can be set to zero, and debugging mode turned off, by running ndc
+            can be set to zero, and debugging mode turned off, by running rndc
 notrace. All debugging messages in the server have a debug
             level, and higher debug levels give more detailed output. Channels
             that specify a specific debug severity, for example:
@@ -4189,7 +4189,7 @@ category notify { null; };
                       Specify where queries should be logged to.
                     
                     
-                      At startup, specifing the category queries will also
+                      At startup, specifying the category queries will also
                       enable query logging unless querylog option has been
                       specified.
                     
@@ -4287,8 +4287,8 @@ category notify { null; };
         
           The lwres statement configures the
           name
-          server to also act as a lightweight resolver server, see
-          .  There may be be multiple
+          server to also act as a lightweight resolver server. (See
+          .)  There may be be multiple
           lwres statements configuring
           lightweight resolver servers with different properties.
         
@@ -4721,7 +4721,7 @@ digits" + "tkey-domain". In most cases,
             root-delegation-only
             
               
-                Turn on enforcement of delegation-only in TLDs and root zones
+                Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
                 with an optional
                 exclude list.
               
@@ -5086,7 +5086,7 @@ options {
               
                 
                   When the nameserver exits due receiving SIGTERM,
-                  flush / do not flush any pending zone writes.  The default
+                  flush or do not flush any pending zone writes.  The default
                   is
                   flush-zones-on-shutdown no.
                 
@@ -5542,7 +5542,7 @@ options {
                   the default is ignore.
                 
                 
-                  The rules for legal hostnames / mail domains are derived
+                  The rules for legal hostnames or mail domains are derived
                   from RFC 952 and RFC 821 as modified by RFC 1123.
                 
                 check-names
@@ -5741,7 +5741,7 @@ options {
               dual-stack-servers
               
                 
-                  Specifies host names / addresses of machines with access to
+                  Specifies host names or addresses of machines with access to
                   both IPv4 and IPv6 transports. If a hostname is used the
                   server must be able
                   to resolve the name using only the transport it has.  If the
@@ -6358,7 +6358,7 @@ query-source-v6 address * port *;
                   server's masters zone clause or
                   in an allow-notify clause.  This
                   statement sets the notify-source
-                  for all zones, but can be overridden on a per-zone /
+                  for all zones, but can be overridden on a per-zone or
                   per-view basis by including a
                   notify-source statement within
                   the zone or
@@ -6515,7 +6515,7 @@ query-source-v6 address * port *;
               
                 
                   Sets a maximum size for each journal file
-                  ().  When the journal file
+                  (see ).  When the journal file
                   approaches
                   the specified size, some of the oldest transactions in the
                   journal
@@ -7101,7 +7101,7 @@ query-source-v6 address * port *;
 		  specified in the named configuration
 		  file.  This statement sets the
 		  masterfile-format for all zones,
-		  but can be overridden on a per-zone / per-view basis
+		  but can be overridden on a per-zone or per-view basis
 		  by including a masterfile-format
 		  statement within the zone or
 		  view block in the configuration
@@ -7236,7 +7236,7 @@ query-source-v6 address * port *;
 	    These are for zones that should normally be answered locally
 	    and which queries should not be sent to the Internet's root
 	    servers.  The offical servers which cover these namespaces
-	    return NXDOMAIN responses to these queries.  In particular
+	    return NXDOMAIN responses to these queries.  In particular,
 	    these cover the reverse namespace for addresses from RFC 1918 and
 	    RFC 3330.  They also include the reverse namespace for IPv6 local
 	    address (locally assigned), IPv6 link local addresses, the IPv6
@@ -8167,7 +8167,7 @@ zone zone_name classzone_name class
                     
                       
-                        Identifies a mail exchange for the domain.
+                        Identifies a mail exchange for the domain with
                         a 16 bit preference value (lower is better)
                         followed by the host name of the mail exchange.
                         Described in RFC 974, RFC 1035.

From c89a5efe78604a1dce37e0dfd00f3d489493fa3d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 22:39:53 +0000
Subject: [PATCH 186/465] grammer, spelling and clarity

---
 doc/arm/Bv9ARM-book.xml | 42 +++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 1eee8489e9..f8cb6838ec 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 BIND 9 Administrator Reference Manual
@@ -754,7 +754,7 @@ of a server.
                 command
                 command
               
-              command is one of the following:
+              The command is one of the following:
 
 
 
@@ -1148,7 +1148,7 @@ internal clients will now be able to:
     Here is an example configuration for the setup we just
     described above. Note that this is only configuration information;
     for information on how to configure your zone files, see 
+    linkend="sample_configuration"/>.
 
 Internal DNS server config:
 
@@ -1353,11 +1353,12 @@ allow-update { key host1-host2. ;};
       Errors
 
       The processing of TSIG signed messages can result in
-      several errors. If a signed message is sent to a non-TSIG aware
-      server, a FORMERR will be returned, since the server will not
-      understand the record. This is a result of misconfiguration,
-      since the server must be explicitly configured to send a TSIG
-      signed message to a specific server.
+      several errors. If a signed message is sent to a non-TSIG
+      aware server, a FORMERR (format error) will be returned, since
+      the server will not understand the record. This is a result
+      of misconfiguration, since the server must be explicitly
+      configured to send a TSIG signed message to a specific
+      server.
 
       If a TSIG aware server receives a message signed by an
       unknown key, the response will be unsigned with the TSIG
@@ -1369,7 +1370,7 @@ allow-update { key host1-host2. ;};
       the TSIG extended error code set to BADTIME, and the time values
       will be adjusted so that the response can be successfully
       verified. In any of these cases, the message's rcode is set to
-      NOTAUTH.
+      NOTAUTH (not authorised).
 
     
   
@@ -1667,7 +1668,7 @@ that is distinct from and simpler than the full DNS protocol.
 Running a Resolver Daemon
 To use the lightweight resolver interface, the system must
 run the resolver daemon lwresd.
-By default, applications using the lightweight resolver library will make
+By default, applications using the light-weight resolver library will make
 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.  The
 address can be overridden by lwserver lines in
 /etc/resolv.conf.
@@ -1898,7 +1899,7 @@ other 1.2.3.* hosts fall through.
       
       
         Definition and Usage
-Comments may appear anywhere that whitespace may appear in
+Comments may appear anywhere that white space may appear in
 a BIND configuration file.
 C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
@@ -2089,7 +2090,7 @@ complete set of local IPv6 addresses for a host.
       ip_port on the specified
       ip_addr, which can be an IPv4 or IPv6
       address.  An ip_addr
-      of * is interpreted as the IPv4 wildcard
+      of * (asterisk) is interpreted as the IPv4 wildcard
       address; connections will be accepted on any of the system's
       IPv4 addresses.  To listen on the IPv6 wildcard address,
       use an ip_addr of ::.
@@ -2160,8 +2161,9 @@ installed.
       that contains the users who should have access.
 
       The UNIX control channel type of BIND 8 is not supported
-      in BIND 9, and is not expected to be added in future
-      releases.  If it is present in the controls statement from a
+      in BIND 9.0, BIND 9.1,
+      BIND 9.2 and BIND 9.3.
+      If it is present in the controls statement from a
       BIND 8 configuration file, it is ignored
       and a warning is logged.
 
@@ -2381,7 +2383,7 @@ level is set either by starting the named server
 with the  flag followed by a positive integer,
 or by running rndc trace.
 The global debug level
-can be set to zero, and debugging mode turned off, by running ndc
+can be set to zero, and debugging mode turned off, by running rndc
 notrace. All debugging messages in the server have a debug
 level, and higher debug levels give more detailed output. Channels
 that specify a specific debug severity, for example:
@@ -2609,8 +2611,8 @@ statement in the named.conf file:
 <command>lwres</command> Statement Definition and Usage
 
 The lwres statement configures the name
-server to also act as a lightweight resolver server, see
-.  There may be be multiple
+server to also act as a light-weight resolver daemon. (See
+.)  There may be be multiple
 lwres statements configuring
 lightweight resolver servers with different properties.
 
@@ -3269,7 +3271,7 @@ the server will not listen on any IPv6 address.
 query other nameservers. query-source specifies
 the address and port used for such queries. For queries sent over
 IPv6, there is a separate query-source-v6 option.
-If address is * or is omitted,
+If address is * (asterisk) or is omitted,
 a wildcard IP address (INADDR_ANY) will be used.
 If port is * or is omitted,
 a random unprivileged port will be used. The defaults are
@@ -3432,7 +3434,7 @@ send NOTIFY messages.
 This address must appear in the slave server's masters
 zone clause or in an allow-notify clause.
 This statement sets the notify-source for all zones,
-but can be overridden on a per-zone / per-view basis by including a
+but can be overridden on a per-zone or per-view basis by including a
 notify-source statement within the zone
 or view block in the configuration file.
                
@@ -4281,7 +4283,7 @@ Authentication to the master can also be done with per-server TSIG keys.
 If a file is specified, then the
 replica will be written to this file whenever the zone is changed,
 and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server start-up and eliminates
+recommended, since it often speeds server startup and eliminates
 a needless waste of bandwidth. Note that for large numbers (in the
 tens or hundreds of thousands) of zones per server, it is best to
 use a two level naming scheme for zone file names. For example,

From e1356e58e6f6eaa6e06320a888eb906cc2120b3a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 23:17:48 +0000
Subject: [PATCH 187/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 3e9c316eaa..6218179665 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -76,6 +76,7 @@ rt15960				new
 rt15970				new	
 rt15976				new	
 rt16034				new	
+rt16037				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	

From 1c101a8a72a8a251302cdcb42979c20ee59a3cc1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 16 May 2006 23:30:03 +0000
Subject: [PATCH 188/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 2ab52e11b5..1f4bc7b504 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -138,7 +138,7 @@
 ./bin/named/main.c				C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/named.8				MAN	DOCBOOK
 ./bin/named/named.conf.5			MAN	DOCBOOK
-./bin/named/named.conf.docbook			SGML	2004,2005
+./bin/named/named.conf.docbook			SGML	2004,2005,2006
 ./bin/named/named.conf.html			HTML	DOCBOOK
 ./bin/named/named.docbook			SGML	2000,2001,2004,2005,2006
 ./bin/named/named.html				HTML	DOCBOOK

From aa9012f2b134cffd3b6b37a1eb9e1d291b9b8cea Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 17 May 2006 00:34:34 +0000
Subject: [PATCH 189/465] update copyright notice

---
 bin/named/named.conf.docbook | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 95e781a1af..39360adeca 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
 	       []>
 
 
-
+
 
 
   
@@ -34,6 +34,7 @@
     
       2004
       2005
+      2006
       Internet Systems Consortium, Inc. ("ISC")
     
   

From 1d49f4d5ec051b56f119eb8b55e4a04d50d2d9c2 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 17 May 2006 01:31:50 +0000
Subject: [PATCH 190/465] grammer, spelling and clarity

---
 doc/arm/Bv9ARM-book.xml | 138 +++++++++++++++++++++++-----------------
 1 file changed, 79 insertions(+), 59 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 550e24249c..a09b8d340b 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -2187,7 +2187,7 @@ allow-update { key host1-host2. ;};
           the TSIG extended error code set to BADTIME, and the time values
           will be adjusted so that the response can be successfully
           verified. In any of these cases, the message's rcode is set to
-          NOTAUTH (not authoritative).
+          NOTAUTH (not authenticated).
         
 
       
@@ -3954,7 +3954,7 @@ channel null {
             special
             property that it only produces output when the server's debug
             level is
-            nonzero.  It normally writes to a file named.run
+            nonzero.  It normally writes to a file called named.run
             in the server's working directory.
           
 
@@ -4661,7 +4661,7 @@ digits" + "tkey-domain". In most cases,
                 If not specified, the default is named.stats in the
                 server's current directory.  The format of the file is
                 described
-                in 
+                in .
               
             
           
@@ -5289,7 +5289,7 @@ options {
                 
                   See the description of
                   provide-ixfr in
-                  
+                  .
                 
               
             
@@ -5300,7 +5300,7 @@ options {
                 
                   See the description of
                   request-ixfr in
-                  
+                  .
                 
               
             
@@ -5639,7 +5639,8 @@ options {
 	        
 		  When returning authoritative negative responses to
 		  SOA queries set the TTL of the SOA recored returned in
-		  the authority section to zero.  Default yes.
+		  the authority section to zero.
+		  The default is yes.
 	        
 	      
 	    
@@ -5649,7 +5650,8 @@ options {
 	      
 	        
 		  When caching a negative response to a SOA query
-		  set the TTL to zero.  Default no.
+		  set the TTL to zero.
+		  The default is no.
 	        
 	      
 	    
@@ -5663,7 +5665,8 @@ options {
 		  the DNSKEY RR to determine if this key should be
 		  used to generate the RRSIG.  This flag is ignored
 		  if there are not DNSKEY RRs both with and without
-		  a KSK.  Default yes.
+		  a KSK.
+		  The default is yes.
 		
 	      
 	    
@@ -6204,7 +6207,7 @@ query-source-v6 address * port *;
 		  only supported by relatively new slave servers,
                   such as BIND 9, BIND
 		  8.x and BIND 4.9.5 onwards.
-	          The many-answers format also supported by
+	          The many-answers format is also supported by
 		  recent Microsoft Windows nameservers.
 		  The default is many-answers.
 		  transfer-format may be overridden on a
@@ -6417,7 +6420,7 @@ query-source-v6 address * port *;
             uses the limit
             that was in force when the server was started. See the description
             of
-            size_spec in .
+             issize_spec in .
           
 
           
@@ -6978,8 +6981,8 @@ query-source-v6 address * port *;
             
               max-cache-ttl
               
-                max-cache-ttl
-		  sets the maximum time for which the server will
+                
+		  Sets the maximum time for which the server will
                   cache ordinary (positive) answers. The default is
                   one week (7 days).
                 
@@ -6997,7 +7000,7 @@ query-source-v6 address * port *;
                 
                 
                   
-                    Not implemented in BIND9.
+                    Not implemented in BIND 9.
                   
                 
               
@@ -7083,7 +7086,7 @@ query-source-v6 address * port *;
 	    
 	      masterfile-format
 	      
-	        masterfile-format specifies
+	        Specifies
 		  the file format of zone files (see
 	          ).
 	          The default value is text, which is the
@@ -7114,8 +7117,7 @@ query-source-v6 address * port *;
 	      clients-per-query
 	      max-clients-per-query
               
-		clients-per-query
-		  and max-clients-per-query set the
+		These set the
 		  initial value (minimum) and maximum number of recursive
 		  simultanious clients for any given query
 		  (<qname,qtype,qclass>) that the server will accept
@@ -7141,7 +7143,7 @@ query-source-v6 address * port *;
 		
 		  If max-clients-per-query is set to zero
 		  then there is no upper bound other than imposed by
-		  recurive-clients.
+		  recursive-clients.
 		
               
 	    
@@ -7198,7 +7200,7 @@ query-source-v6 address * port *;
                   with type TXT, class CHAOS.
                   This defaults to the hostname of the machine hosting the
                   name server as
-                  found by gethostname().  The primary purpose of such queries
+                  found by the gethostname() function.  The primary purpose of such queries
                   is to
                   identify which of a group of anycast servers is actually
                   answering your queries.  Specifying hostname none;
@@ -7219,7 +7221,7 @@ query-source-v6 address * port *;
                   answering your queries.  Specifying server-id none;
                   disables processing of the queries.
                   Specifying server-id hostname; will cause named to
-                  use the hostname as found by gethostname().
+                  use the hostname as found by the gethostname() function.
                   The default server-id is none.
                 
               
@@ -7285,8 +7287,10 @@ query-source-v6 address * port *;
 	    views of class IN.  Disabled empty zones are only inherited
 	    from options if there are no disabled empty zones specified
 	    at the view level.  To override the options list of disabled
-	    zones you can disable the root zone at the view level
-	    (disable-empty-zone ".";).
+	    zones you can disable the root zone at the view level, for example:
+
+	    disable-empty-zone ".";
+
 	  
 	  
 	    If you are using the address ranges covered here you should
@@ -7357,8 +7361,13 @@ query-source-v6 address * port *;
             generated by BIND 8.
           
           
-            The statistics dump begins with the line +++ Statistics Dump
-+++ (973798949), where the number in parentheses is a standard
+            The statistics dump begins with a line, like:
+	  
+          
+	    +++ Statistics Dump +++ (973798949)
+	  
+	  
+	    The number in parentheses is a standard
             Unix-style timestamp, measured as seconds since January 1, 1970.
             Following
             that line are a series of lines containing a counter type, the
@@ -7368,9 +7377,14 @@ query-source-v6 address * port *;
             the entire server.
             Lines with a zone and view name for the given view and zone (the
             view name is
-            omitted for the default view).  The statistics dump ends
-            with the line --- Statistics Dump --- (973798949), where the
-            number is identical to the number in the beginning line.
+            omitted for the default view).
+	  
+	  
+	    The statistics dump ends with the line where the
+            number is identical to the number in the beginning line; for example:
+          
+          
+	    --- Statistics Dump --- (973798949)
           
           
             The following statistics counters are maintained:
@@ -8353,23 +8367,12 @@ zone zone_name class
 
-              
-                journal
-                
-                  
-                    Allow the default journal's file name to be overridden.
-                    The default is the zone's file with ".jnl" appended.
-                    This is applicable to master and slave zones.
-                  
-                
-              
-
               
                 allow-notify
                 
                   
                     See the description of
-                    allow-notify in 
+                    allow-notify in .
                   
                 
               
@@ -8379,7 +8382,7 @@ zone zone_name class
                   
                     See the description of
-                    allow-query in 
+                    allow-query in .
                   
                 
               
@@ -8626,6 +8629,17 @@ zone zone_name class
               
 
+              
+                journal
+                
+                  
+                    Allow the default journal's file name to be overridden.
+                    The default is the zone's file with ".jnl" appended.
+                    This is applicable to master and slave zones.
+                  
+                
+              
+
               
                 max-transfer-time-in
                 
@@ -8718,7 +8732,7 @@ zone zone_name class
                   
                     See the description of
-                    transfer-source in 
+                    transfer-source in .
                   
                 
               
@@ -8728,7 +8742,7 @@ zone zone_name class
                   
                     See the description of
-                    transfer-source-v6 in 
+                    transfer-source-v6 in .
                   
                 
               
@@ -8738,7 +8752,7 @@ zone zone_name class
                   
                     See the description of
-                    alt-transfer-source in 
+                    alt-transfer-source in .
                   
                 
               
@@ -8748,7 +8762,7 @@ zone zone_name class
                   
                     See the description of
-                    alt-transfer-source-v6 in 
+                    alt-transfer-source-v6 in .
                   
                 
               
@@ -8758,7 +8772,7 @@ zone zone_name class
                   
                     See the description of
-                    use-alt-transfer-source in 
+                    use-alt-transfer-source in .
                   
                 
               
@@ -8769,7 +8783,7 @@ zone zone_name class
                   
                     See the description of
-                    notify-source in 
+                    notify-source in .
                   
                 
               
@@ -8811,7 +8825,7 @@ zone zone_name class
                   
                     See the description of
-                    key-directory in 
+                    key-directory in .
                   
                 
               
@@ -10400,10 +10414,10 @@ $GENERATE 1-127 $ CNAME $.0
                       { immediately following the
                       $ as
                       ${offset[,width[,base]]}.
-                      e.g. ${-20,3,d} which
+                      For example, ${-20,3,d}
                       subtracts 20 from the current value, prints the
                       result as a decimal in a zero padded field of
-                      with 3.
+                      width 3.
 
 		      Available output forms are decimal
                       (d), octal
@@ -10417,7 +10431,7 @@ $GENERATE 1-127 $ CNAME $.0
                     
                     
                       For compatibility with earlier versions $$ is still
-                      recognized a indicating a literal $ in the output.
+                      recognized as indicating a literal $ in the output.
                     
                   
                 
@@ -10426,8 +10440,8 @@ $GENERATE 1-127 $ CNAME $.0
                     ttl
                   
                   
-                    ttl
-		      specifies the ttl of the generated records. If
+                    
+		      Specifies the time-to-live of the generated records. If
                       not specified this will be inherited using the
                       normal ttl inheritance rules.
                     
@@ -10442,8 +10456,8 @@ $GENERATE 1-127 $ CNAME $.0
                     class
                   
                   
-                    class
-		      specifies the class of the generated records.
+                    
+		      Specifies the class of the generated records.
                       This must match the zone class if it is
                       specified.
                     
@@ -10470,7 +10484,7 @@ $GENERATE 1-127 $ CNAME $.0
                   
                   
                     
-                      rhs is a domain name. It is processed
+                      A domain name. It is processed
                       similarly to lhs.
                     
                   
@@ -10563,6 +10577,7 @@ acl bogusnets {
 	0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
 	10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
 };
+
 // Set up an ACL called our-nets. Replace this with the real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
 options {
@@ -10574,6 +10589,7 @@ options {
   blackhole { bogusnets; };
   ...
 };
+
 zone "example.com" {
   type master;
   file "m/example.com";
@@ -10621,7 +10637,7 @@ zone "example.com" {
           The <command>chroot</command> Environment
 
           
-            In order for a chroot() environment
+            In order for a chroot environment
             to
             work properly in a particular directory
             (for example, /var/named),
@@ -10641,7 +10657,7 @@ zone "example.com" {
             to set up things like
             /dev/zero,
             /dev/random,
-            /dev/log, and/or
+            /dev/log, and
             /etc/localtime.
           
         
@@ -10827,7 +10843,10 @@ zone "example.com" {
             under
             a grant from the US Defense Advanced Research Projects
             Administration
-            (DARPA). Versions of BIND through
+            (DARPA).
+          
+          
+	    Versions of BIND through
             4.8.3 were maintained by the Computer
             Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
             Painter, David Riggle and Songnian Zhou made up the initial BIND
@@ -11059,13 +11078,13 @@ zone "example.com" {
               
 	      
                 RFC2671
-                Extension Mechanisms for DNS (EDNS0)
                 
                   
                     P.
                     Vixie
                   
                 
+                Extension Mechanisms for DNS (EDNS0)
                 August 1997
 	      
 	      
@@ -12206,6 +12225,7 @@ zone "example.com" {
       
       
       
+      
       
       
       

From 9ea39822241d443154001c04127e733ab66654a0 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 17 May 2006 01:58:26 +0000
Subject: [PATCH 191/465] grammer, spelling and clarity

---
 doc/arm/Bv9ARM-book.xml | 71 +++++++++++++++++++++++++----------------
 1 file changed, 43 insertions(+), 28 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index f8cb6838ec..071d1f6d90 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 BIND 9 Administrator Reference Manual
@@ -1370,7 +1370,7 @@ allow-update { key host1-host2. ;};
       the TSIG extended error code set to BADTIME, and the time values
       will be adjusted so that the response can be successfully
       verified. In any of these cases, the message's rcode is set to
-      NOTAUTH (not authorised).
+      NOTAUTH (not authenticated).
 
     
   
@@ -2446,7 +2446,7 @@ channel "null" {
 
 The default_debug channel has the special
 property that it only produces output when the server's debug level is
-nonzero.  It normally writes to a file named.run
+nonzero.  It normally writes to a file called named.run
 in the server's working directory.
 
 For security reasons, when the ""
@@ -2823,7 +2823,7 @@ nameserver.
 to when instructed to do so using rndc stats.
 If not specified, the default is named.stats in the
 server's current directory.  The format of the file is described
-in 
+in .
 
 
 port
@@ -3030,7 +3030,7 @@ in . See also
 
 See the description of
 provide-ixfr in
-
+.
 
 
 request-ixfr
@@ -3038,7 +3038,7 @@ See the description of
 
 See the description of
 request-ixfr in
-
+.
 
 
 treat-cr-as-space
@@ -3374,7 +3374,8 @@ resource record transferred.
 possible into a message. many-answers is more
 efficient, but is only supported by relatively new slave servers,
 such as BIND 9, BIND 8.x and patched
-versions of BIND 4.9.5. The default is
+versions of BIND 4.9.5. The many-answers
+format is also supported by recent Microsoft Windows nameservers. The default is
 many-answers. transfer-format
 may be overridden on a per-server basis by using the
 server statement.
@@ -3463,8 +3464,8 @@ example, 1G can be used instead of
 1073741824 to specify a limit of one
 gigabyte. unlimited requests unlimited use, or the
 maximum available amount. default uses the limit
-that was in force when the server was started. See the description of
-size_spec in size_spec in .
 
 The following options set operating system resource limits for
@@ -3830,7 +3831,7 @@ Not implemented in BIND 9.
 
 
 max-cache-ttl
-max-cache-ttl sets
+Sets
 the maximum time for which the server will cache ordinary (positive)
 answers. The default is one week (7 days).
 
@@ -3881,16 +3882,25 @@ and clamp the SOA refresh and retry times to the specified values.
 is similar, but not identical, to that
 generated by BIND 8.
 
-The statistics dump begins with the line +++ Statistics Dump
-+++ (973798949), where the number in parentheses is a standard
+The statistics dump begins with a line, like:
+ 
+ +++ Statistics Dump +++ (973798949)
+ 
+ The numberr in parentheses is a standard
 Unix-style timestamp, measured as seconds since January 1, 1970.  Following
 that line are a series of lines containing a counter type, the value of the
 counter, optionally a zone name, and optionally a view name.
 The lines without view and zone listed are global statistics for the entire server.
 Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view).  The statistics dump ends
-with the line --- Statistics Dump --- (973798949), where the
-number is identical to the number in the beginning line.
+omitted for the default view).
+
+
+The statistics dump ends with the line where the
+number is identical to the number in the beginning line; for example:
+
+
+--- Statistics Dump --- (973798949)
+
 The following statistics counters are maintained:
 CHAOSallow-notify
 See the description of
-allow-notify in 
+allow-notify in .
 
 
 allow-query
 See the description of
-allow-query in 
+allow-query in .
 
 
 allow-transfer
@@ -4543,19 +4553,19 @@ information for this zone, which can be dumped to the
 
 transfer-source
 See the description of
-transfer-source in 
+transfer-source in .
 
 
 
 transfer-source-v6
 See the description of
-transfer-source-v6 in 
+transfer-source-v6 in .
 
 
 
 notify-source
 See the description of
-notify-source in 
+notify-source in .
 
 
 
@@ -5200,7 +5210,7 @@ This could be construed as a deviation from RFC 1035, a feature, or both.
 Set the default Time To Live (TTL) for subsequent records
 with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.
 $TTL is defined in RFC 2308.
-<acronym>BIND</acronym> Master File Extension: the  <command>$GENERATE</command> Directive
+<acronym>BIND</acronym> Master File Extension: the  <command>$GENERATE</command> Directive.
         Syntax: $GENERATE range lhs type rhs  comment 
 $GENERATE is used to create a series of
 resource records that only differ from each other by an iterator. $GENERATE can
@@ -5241,8 +5251,8 @@ e.g. \$. The $ may optionally be followed
 by modifiers which change the offset from the interator, field width and base. 
 Modifiers are introduced by a { immediately following the
 $ as ${offset[,width[,base]]}.
-e.g. ${-20,3,d} which subtracts 20 from the current value,
-prints the result as a decimal in a zero padded field of with 3.  Available
+For example, ${-20,3,d} which subtracts 20 from the current value,
+prints the result as a decimal in a zero padded field of width 3.  Available
 output forms are decimal (d), octal (o)
 and hexadecimal (x or X for uppercase).
 The default modifier is ${0,0,d}.
@@ -5250,7 +5260,7 @@ If the lhs is not
 absolute, the current $ORIGIN is appended to
 the name.
 For compatibility with earlier versions $$ is still
-recognised a indicating a literal $ in the output.
+recognised as indicating a literal $ in the output.
         
         
           type
@@ -5259,7 +5269,7 @@ PTR, CNAME, DNAME, A, AAAA and NS.
         
         
           rhs
-          rhs is a domain name. It is processed
+          A domain name. It is processed
 similarly to lhs.
         
       
@@ -5288,6 +5298,7 @@ your server.
 // Set up an ACL named "bogusnets" that will block RFC1918 space,
 // which is commonly used in spoofing attacks.
 acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+
 // Set up an ACL called our-nets. Replace this with the real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; }; 
 options {
@@ -5299,6 +5310,7 @@ options {
   blackhole { bogusnets; };
   ...
 };
+
 zone "example.com" {
   type master;
   file "m/example.com";
@@ -5326,7 +5338,7 @@ user 202:
 
 The <command>chroot</command> Environment
 
-In order for a chroot() environment to
+In order for a chroot environment to
 work properly in a particular directory
 (for example, /var/named),
 you will need to set up an environment that includes everything
@@ -5344,7 +5356,7 @@ However, depending on your operating system, you may need
 to set up things like
 /dev/zero,
 /dev/random,
-/dev/log, and/or
+/dev/log, and
 /etc/localtime.
 
 
@@ -5481,7 +5493,10 @@ Center (SRI-NIC). A DNS server for Unix machines, the Berkele
 Name Domain (BIND) package, was written soon after by a group of
 graduate students at the University of California at Berkeley under
 a grant from the US Defense Advanced Research Projects Administration
-(DARPA). Versions of BIND through 4.8.3 were maintained by the Computer
+(DARPA).
+
+
+Versions of BIND through 4.8.3 were maintained by the Computer
 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
 Painter, David Riggle and Songnian Zhou made up the initial BIND
 project team. After that, additional work on the software package

From bf4538f2c77911cbe9c4f3224074abe6a628e184 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 17 May 2006 02:00:15 +0000
Subject: [PATCH 192/465] grammer, spelling and clarity

---
 doc/arm/Bv9ARM-book.xml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index a09b8d340b..5bd6c312f1 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -6419,8 +6419,7 @@ query-source-v6 address * port *;
             maximum available amount. default
             uses the limit
             that was in force when the server was started. See the description
-            of
-             issize_spec in .
+            of size_spec in .
           
 
           

From f9b370ebbdebc14b0a7e6e70f6f940d1cb9096e1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 17 May 2006 02:37:47 +0000
Subject: [PATCH 193/465] regen

---
 bin/named/named.conf.5    |  12 +--
 bin/named/named.conf.html |  38 +++----
 doc/arm/Bv9ARM.ch03.html  |   8 +-
 doc/arm/Bv9ARM.ch04.html  |  89 ++++++++--------
 doc/arm/Bv9ARM.ch05.html  |   8 +-
 doc/arm/Bv9ARM.ch06.html  | 209 ++++++++++++++++++++------------------
 doc/arm/Bv9ARM.ch07.html  |  20 ++--
 doc/arm/Bv9ARM.ch08.html  |  18 ++--
 doc/arm/Bv9ARM.ch09.html  |  31 +++---
 doc/arm/Bv9ARM.html       | 108 ++++++++++----------
 10 files changed, 279 insertions(+), 262 deletions(-)

diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 9f31bd929b..8d3e2be7ef 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.1.6.7 2005/10/13 02:23:30 marka Exp $
+.\" $Id: named.conf.5,v 1.1.6.8 2006/05/17 02:37:45 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -169,8 +169,8 @@ options {
 	rfc2308\-type1 \fIboolean\fR; // not yet implemented
 	additional\-from\-auth \fIboolean\fR;
 	additional\-from\-cache \fIboolean\fR;
-	query\-source \fIquerysource4\fR;
-	query\-source\-v6 \fIquerysource6\fR;
+	query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
+	query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
@@ -259,8 +259,8 @@ view \fIstring\fR \fIoptional_class\fR {
 	rfc2308\-type1 \fIboolean\fR; // not yet implemented
 	additional\-from\-auth \fIboolean\fR;
 	additional\-from\-cache \fIboolean\fR;
-	query\-source \fIquerysource4\fR;
-	query\-source\-v6 \fIquerysource6\fR;
+	query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
+	query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 95d4c23fe3..de2f81a8c9 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -1,5 +1,5 @@
 
-
+
 
 
 
@@ -31,7 +31,7 @@
 
named.conf 

 

 

-
DESCRIPTION

+
DESCRIPTION

 

 	named.conf is the configuration file for
 	named.  Statements are enclosed
@@ -50,14 +50,14 @@
     

 

 

-
ACL

+
ACL

 


 acl string { address_match_element; ... };

 

 

 

 

-
KEY

+
KEY

 


 key domain_name {

 	algorithm string;

@@ -66,7 +66,7 @@ key
 

 

 

-
SERVER

+
SERVER

 


 server ( ipv4_address | ipv6_address ) {

 	bogus boolean;

@@ -86,7 +86,7 @@ server
 

 

 

-
TRUSTED-KEYS

+
TRUSTED-KEYS

 


 trusted-keys {

 	domain_name flags protocol algorithm key; ... 

@@ -94,7 +94,7 @@ trusted-keys
 

 

 

-
CONTROLS

+
CONTROLS

 


 controls {

 	inet ( ipv4_address | ipv6_address | * )

@@ -106,7 +106,7 @@ controls
 

 

 

-
LOGGING

+
LOGGING

 


 logging {

 	channel string {

@@ -124,7 +124,7 @@ logging
 

 

 

-
LWRES

+
LWRES

 


 lwres {

 	listen-on [ port integer ] {

@@ -137,7 +137,7 @@ lwres
 

 

 

-
OPTIONS

+
OPTIONS

 


 options {

 	blackhole { address_match_element; ... };

@@ -186,8 +186,8 @@ options
 	rfc2308-type1 boolean; // not yet implemented

 	additional-from-auth boolean;

 	additional-from-cache boolean;

-	query-source querysource4;

-	query-source-v6 querysource6;

+	query-source [ address ( ipv4_address | * ) ] [ port ( integer | * ) ];

+	query-source-v6 [ address ( ipv6_address | * ) ] [ port ( integer | * ) ];

 	cleaning-interval integer;

 	min-roots integer; // not implemented

 	lame-ttl integer;

@@ -251,7 +251,7 @@ options
 

 

 

-
VIEW

+
VIEW

 


 view string optional_class {

 	match-clients { address_match_element; ... };

@@ -290,8 +290,8 @@ view
 	rfc2308-type1 boolean; // not yet implemented

 	additional-from-auth boolean;

 	additional-from-cache boolean;

-	query-source querysource4;

-	query-source-v6 querysource6;

+	query-source [ address ( ipv4_address | * ) ] [ port ( integer | * ) ];

+	query-source-v6 [ address ( ipv6_address | * ) ] [ port ( integer | * ) ];

 	cleaning-interval integer;

 	min-roots integer; // not implemented

 	lame-ttl integer;

@@ -348,7 +348,7 @@ view
 

 

 

-
ZONE

+
ZONE

 


 zone string optional_class {

 	type ( master | slave | stub | hint |

@@ -413,13 +413,13 @@ zone
 

 

 

-
FILES

+
FILES

 

 /etc/named.conf
 

 

 

-
SEE ALSO

+
SEE ALSO

 

 named(8),
 rndc(8),
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 28837c403f..a03faf05a7 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -55,7 +55,7 @@
 
Nameserver Operations

 

 
Tools for Use With the Nameserver Daemon

-
Signals

+
Signals

 

 
 

@@ -299,7 +299,7 @@ of a server.

               If you run rndc without any options
               it will display a usage message as follows:

 
rndc  [-c config] [-s server] [-p port] [-y key]  command  [command...]

-
command is one of the following:

+
The command is one of the following:

 

 
reload

 
Reload configuration file and zones.

@@ -451,7 +451,7 @@ a rndc.key file and not modify
 

 

 

-Signals

+Signals

 
Certain UNIX signals cause the name server to take specific
 actions, as described in the following table.  These signals can
 be sent using the kill command.

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 359b4d73ac..62758efc30 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,30 +48,30 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Creating a Keyset

-
Signing the Child's Keyset

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Creating a Keyset

+
Signing the Child's Keyset

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
@@ -150,7 +150,7 @@ of the server statement.

 
 

 

-Split DNS

+Split DNS

 
Setting up different views, or visibility, of DNS space to
 internal and external resolvers is usually referred to as a Split
 DNS setup. There are several reasons an organization
@@ -235,7 +235,7 @@ internal clients will now be able to:

 
 
Here is an example configuration for the setup we just
     described above. Note that this is only configuration information;
-    for information on how to configure your zone files, see the section called “Sample Configurations”

+    for information on how to configure your zone files, see the section called “Sample Configurations”.

 
Internal DNS server config:

 
 
@@ -352,13 +352,13 @@ for TSIG.

     -y command line options.

 

 

-Generate Shared Keys for Each Pair of Hosts

+Generate Shared Keys for Each Pair of Hosts

 
A shared secret is generated to be shared between host1 and host2.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.

 

 

-Automatic Generation

+Automatic Generation

 
The following command will generate a 128 bit (16 byte) HMAC-MD5
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is 512 bits;
@@ -375,7 +375,7 @@ be used as the shared secret.

 
 

 

-Manual Generation

+Manual Generation

 
The shared secret is simply a random sequence of bits, encoded
 in base-64. Most ASCII strings are valid base-64 strings (assuming
 the length is a multiple of 4 and only valid characters are used),
@@ -386,13 +386,13 @@ a similar program to generate base-64 encoded data.

 
 

 

-Copying the Shared Secret to Both Machines

+Copying the Shared Secret to Both Machines

 
This is beyond the scope of DNS. A secure transport mechanism
 should be used. This could be secure FTP, ssh, telephone, etc.

 
 

 

-Informing the Servers of the Key's Existence

+Informing the Servers of the Key's Existence

 
Imagine host1 and host 2 are
 both servers. The following is added to each server's named.conf file:

 
@@ -413,7 +413,7 @@ the same key.

 
 

 

-Instructing the Server to Use the Key

+Instructing the Server to Use the Key

 
Since keys are shared between two hosts only, the server must
 be told when keys are to be used. The following is added to the named.conf file
 for host1, if the IP address of host2 is
@@ -436,7 +436,7 @@ sign request messages to host1.

 
 

 

-TSIG Key Based Access Control

+TSIG Key Based Access Control

 
BIND allows IP addresses and ranges to be specified in ACL
 definitions and
 allow-{ query | transfer | update } directives.
@@ -454,13 +454,14 @@ allow-update { key host1-host2. ;};
 
 

 

-Errors

+Errors

 
The processing of TSIG signed messages can result in
-      several errors. If a signed message is sent to a non-TSIG aware
-      server, a FORMERR will be returned, since the server will not
-      understand the record. This is a result of misconfiguration,
-      since the server must be explicitly configured to send a TSIG
-      signed message to a specific server.

+      several errors. If a signed message is sent to a non-TSIG
+      aware server, a FORMERR (format error) will be returned, since
+      the server will not understand the record. This is a result
+      of misconfiguration, since the server must be explicitly
+      configured to send a TSIG signed message to a specific
+      server.

 
If a TSIG aware server receives a message signed by an
       unknown key, the response will be unsigned with the TSIG
       extended error code set to BADKEY. If a TSIG aware server
@@ -471,12 +472,12 @@ allow-update { key host1-host2. ;};
       the TSIG extended error code set to BADTIME, and the time values
       will be adjusted so that the response can be successfully
       verified. In any of these cases, the message's rcode is set to
-      NOTAUTH.

+      NOTAUTH (not authenticated).

 
 
 

 

-TKEY

+TKEY

 
TKEY is a mechanism for automatically
     generating a shared secret between two hosts.  There are several
     "modes" of TKEY that specify how the key is
@@ -502,7 +503,7 @@ allow-update { key host1-host2. ;};
 
 

 

-SIG(0)

+SIG(0)

 
BIND 9 partially supports DNSSEC SIG(0) transaction
     signatures as specified in RFC 2535.  SIG(0) uses public/private
     keys to authenticate messages.  Access control is performed in the
@@ -541,7 +542,7 @@ allow-update { key host1-host2. ;};
     zone key of another zone above this one in the DNS tree.

 

 

-Generating Keys

+Generating Keys

 
The dnssec-keygen program is used to
       generate keys.

 
A secure zone must contain one or more zone keys.  The
@@ -574,7 +575,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Creating a Keyset

+Creating a Keyset

 
The dnssec-makekeyset program is used
       to create a key set from one or more keys.

 
Once the zone keys have been generated, a key set must be
@@ -602,7 +603,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Child's Keyset

+Signing the Child's Keyset

 
The dnssec-signkey program is used to
       sign one child's keyset.

 
If the child.example zone has any
@@ -622,7 +623,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Zone

+Signing the Zone

 
The dnssec-signzone program is used to
       sign a zone.

 
Any signedkey files corresponding to
@@ -645,7 +646,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Configuring Servers

+Configuring Servers

 
Unlike in BIND 8, 
 data is not verified on load in BIND 9,
 so zone keys for authoritative zones do not need to be specified
@@ -657,7 +658,7 @@ statement, as described later in this document. 

 
 

 

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

 
BIND 9 fully supports all currently
     defined forms of IPv6 name to address and address to name
     lookups.  It will also use IPv6 addresses to make queries when
@@ -679,7 +680,7 @@ statement, as described later in this document. 

     see the section called “IPv6 addresses (A6)”.

 

 

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

 
The AAAA record is a parallel to the IPv4 A record.  It
       specifies the entire address in a single record.  For
       example,

@@ -690,7 +691,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 

 

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

 
When looking up an address in nibble format, the address
       components are simply reversed, just as in IPv4, and
       IP6.ARPA. is appended to the resulting name.
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 0b20c91dd8..bb83157f47 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,13 +45,13 @@
 

 
Table of Contents

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 

 

 

-The Lightweight Resolver Library

+The Lightweight Resolver Library

 
Traditionally applications have been linked with a stub resolver
 library that sends recursive DNS queries to a local caching name
 server.

@@ -70,7 +70,7 @@ that is distinct from and simpler than the full DNS protocol.

 Running a Resolver Daemon
 
To use the lightweight resolver interface, the system must
 run the resolver daemon lwresd.

-
By default, applications using the lightweight resolver library will make
+
By default, applications using the light-weight resolver library will make
 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.  The
 address can be overridden by lwserver lines in
 /etc/resolv.conf.
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 1601accf87..6f9d2676b7 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,44 +48,44 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
 Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and Usage

-
include Statement Grammar

-
include Statement Definition and Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
options Statement Grammar

-
options Statement Definition and Usage

+
include Statement Grammar

+
include Statement Definition and Usage

+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and Usage

+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
options Statement Grammar

+
options Statement Definition and Usage

 
server Statement Grammar

 
server Statement Definition and Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
 and Usage

-
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Grammar

+
view Statement Definition and Usage

 
zone
 Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 

 
 
@@ -224,7 +224,7 @@ are restricted to slave and stub zones.

 Address Match Lists
 

 

-Syntax

+Syntax

 
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -233,7 +233,7 @@ are restricted to slave and stub zones.

 
 

 

-Definition and Usage

+Definition and Usage

 
Address match lists are primarily used to determine access
 control for various server operations. They are also used to define
 priorities for querying other nameservers and to set the addresses
@@ -288,14 +288,14 @@ other 1.2.3.* hosts fall through.

 
 

 

-Comment Syntax

+Comment Syntax

 
The BIND 9 comment syntax allows for comments to appear
       anywhere that white space may appear in a BIND configuration
       file. To appeal to programmers of all kinds, they can be written
       in C, C++, or shell/perl constructs.

 

 

-Syntax

+Syntax

 
/* This is a BIND comment as in C */

 

 

@@ -308,8 +308,8 @@ other 1.2.3.* hosts fall through.

 
 

 

-Definition and Usage

-
Comments may appear anywhere that whitespace may appear in
+Definition and Usage

+
Comments may appear anywhere that white space may appear in
 a BIND configuration file.

 
C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
@@ -417,7 +417,7 @@ a per-server basis.

     configuration.

 

 

-acl Statement Grammar

+acl Statement Grammar

 
acl acl-name { 
     address_match_list 
 };
@@ -470,7 +470,7 @@ complete set of local IPv6 addresses for a host.
 
 

 

-controls Statement Grammar

+controls Statement Grammar

 
controls {
    inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys {  key_list  };
@@ -491,7 +491,7 @@ complete set of local IPv6 addresses for a host.
       ip_port on the specified
       ip_addr, which can be an IPv4 or IPv6
       address.  An ip_addr
-      of * is interpreted as the IPv4 wildcard
+      of * (asterisk) is interpreted as the IPv4 wildcard
       address; connections will be accepted on any of the system's
       IPv4 addresses.  To listen on the IPv6 wildcard address,
       use an ip_addr of ::.
@@ -557,8 +557,9 @@ installed.
       rndc.conf and make it group readable by a group
       that contains the users who should have access.

 
The UNIX control channel type of BIND 8 is not supported
-      in BIND 9, and is not expected to be added in future
-      releases.  If it is present in the controls statement from a
+      in BIND 9.0, BIND 9.1,
+      BIND 9.2 and BIND 9.3.
+      If it is present in the controls statement from a
       BIND 8 configuration file, it is ignored
       and a warning is logged.

 

@@ -568,12 +569,12 @@ statement: controls { };.
 
 

 

-include Statement Grammar

+include Statement Grammar

 
include filename;

 
 

 

-include Statement Definition and Usage

+include Statement Definition and Usage

 
The include statement inserts the
       specified file at the point that the include
       statement is encountered. The include
@@ -584,7 +585,7 @@ statement: controls { };.
 
 

 

-key Statement Grammar

+key Statement Grammar

 
key key_id {
     algorithm string;
     secret string;
@@ -593,7 +594,7 @@ statement: controls { };.
 
 

 

-key Statement Definition and Usage

+key Statement Definition and Usage

 
The key statement defines a shared
 secret key for use with TSIG, see the section called “TSIG”.

 

@@ -621,7 +622,7 @@ string.

 
 

 

-logging Statement Grammar

+logging Statement Grammar

 
logging {
    [ channel channel_name {
      ( file path name
@@ -645,7 +646,7 @@ string.

 
 

 

-logging Statement Definition and Usage

+logging Statement Definition and Usage

 
The logging statement configures a wide
 variety of logging options for the nameserver. Its channel phrase
 associates output methods, format options and severity levels with
@@ -668,7 +669,7 @@ channels, or to standard error if the "-g" option
 was specified.

 

 

-The channel Phrase

+The channel Phrase

 
All log output goes to one or more channels;
 you can make as many of them as you want.

 
Every channel definition must include a destination clause that
@@ -759,7 +760,7 @@ level is set either by starting the named
 with the -d flag followed by a positive integer,
 or by running rndc trace.
 The global debug level
-can be set to zero, and debugging mode turned off, by running ndc
+can be set to zero, and debugging mode turned off, by running rndc
 notrace. All debugging messages in the server have a debug
 level, and higher debug levels give more detailed output. Channels
 that specify a specific debug severity, for example:

@@ -818,7 +819,7 @@ channel "null" {
 

 
The default_debug channel has the special
 property that it only produces output when the server's debug level is
-nonzero.  It normally writes to a file named.run
+nonzero.  It normally writes to a file called named.run
 in the server's working directory.

 
For security reasons, when the "-u"
 command line option is used, the named.run file
@@ -963,7 +964,7 @@ a delegation-only in a hint or stu
 
 

 

-lwres Statement Grammar

+lwres Statement Grammar

 
 This is the grammar of the lwres
 statement in the named.conf file:

 
lwres {
@@ -976,10 +977,10 @@ statement in the named.conf file:

 
 

 

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

 
The lwres statement configures the name
-server to also act as a lightweight resolver server, see
-the section called “Running a Resolver Daemon”.  There may be be multiple
+server to also act as a light-weight resolver daemon. (See
+the section called “Running a Resolver Daemon”.)  There may be be multiple
 lwres statements configuring
 lightweight resolver servers with different properties.

 
The listen-on statement specifies a list of
@@ -1004,7 +1005,7 @@ exact match lookup before search path elements are appended.

 
 

 

-options Statement Grammar

+options Statement Grammar

 
This is the grammar of the options
 statement in the named.conf file:

 
options {
@@ -1102,7 +1103,7 @@ statement in the named.conf file:

 
 

 

-options Statement Definition and Usage

+options Statement Definition and Usage

 
The options statement sets up global options
 to be used by BIND. This statement may appear only
 once in a configuration file. If more than one occurrence is found,
@@ -1172,7 +1173,7 @@ nameserver.

 to when instructed to do so using rndc stats.
 If not specified, the default is named.stats in the
 server's current directory.  The format of the file is described
-in the section called “The Statistics File”

+in the section called “The Statistics File”.

 
port

 

 The UDP/TCP port number the server uses for 
@@ -1367,13 +1368,13 @@ in provide-ixfr in
-the section called “server Statement Definition and Usage”
+the section called “server Statement Definition and Usage”.
 

 
request-ixfr

 

 See the description of
 request-ixfr in
-the section called “server Statement Definition and Usage”
+the section called “server Statement Definition and Usage”.
 

 
treat-cr-as-space

 
This option was used in BIND 8 to make
@@ -1453,7 +1454,7 @@ The use of this option for any other purpose is discouraged.
 
 

 

-Forwarding

+Forwarding

 
The forwarding facility can be used to create a large site-wide
 cache on a few servers, reducing traffic over links to external
 nameservers. It can also be used to allow queries by servers that
@@ -1530,7 +1531,7 @@ from these addresses will not be responded to. The default is 
 

-Interfaces

+Interfaces
 
The interfaces and ports that the server will answer queries
 from may be specified using the listen-on option. listen-on takes
 an optional port, and an address_match_list.
@@ -1572,12 +1573,12 @@ the server will not listen on any IPv6 address.

 
 

 

-Query Address

+Query Address

 
If the server doesn't know the answer to a question, it will
 query other nameservers. query-source specifies
 the address and port used for such queries. For queries sent over
 IPv6, there is a separate query-source-v6 option.
-If address is * or is omitted,
+If address is * (asterisk) or is omitted,
 a wildcard IP address (INADDR_ANY) will be used.
 If port is * or is omitted,
 a random unprivileged port will be used. The defaults are

@@ -1668,7 +1669,8 @@ resource record transferred.
 possible into a message. many-answers is more
 efficient, but is only supported by relatively new slave servers,
 such as BIND 9, BIND 8.x and patched
-versions of BIND 4.9.5. The default is
+versions of BIND 4.9.5. The many-answers
+format is also supported by recent Microsoft Windows nameservers. The default is
 many-answers. transfer-format
 may be overridden on a per-server basis by using the
 server statement.
@@ -1716,7 +1718,7 @@ send NOTIFY messages.
 This address must appear in the slave server's masters
 zone clause or in an allow-notify clause.
 This statement sets the notify-source for all zones,
-but can be overridden on a per-zone / per-view basis by including a
+but can be overridden on a per-zone or per-view basis by including a
 notify-source statement within the zone
 or view block in the configuration file.

 

@@ -1734,15 +1736,15 @@ but applies to notify messages sent to IPv6 addresses.

 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 
The server's usage of many system resources can be limited.
 Scaled values are allowed when specifying resource limits.  For
 example, 1G can be used instead of
 1073741824 to specify a limit of one
 gigabyte. unlimited requests unlimited use, or the
 maximum available amount. default uses the limit
-that was in force when the server was started. See the description of
-size_spec in the section called “Configuration File Elements”.

+that was in force when the server was started. See the description
+of size_spec in the section called “Configuration File Elements”.

 
The following options set operating system resource limits for
 the name server process.  Some operating systems don't support some or
 any of the limits. On such systems, a warning will be issued if the
@@ -1778,7 +1780,7 @@ may use. The default is default.

 
 

 

-Server  Resource Limits

+Server  Resource Limits

 
The following options set limits on the server's
 resource consumption that are enforced internally by the
 server rather than the operating system.

@@ -1811,7 +1813,7 @@ records are purged from the cache only when their TTLs expire.
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 
The server will remove expired resource records
@@ -2074,7 +2076,7 @@ entries to be kept.
 Not implemented in BIND 9.
 

 
max-cache-ttl

-
max-cache-ttl sets
+
Sets
 the maximum time for which the server will cache ordinary (positive)
 answers. The default is one week (7 days).

 
min-roots

@@ -2121,16 +2123,25 @@ and clamp the SOA refresh and retry times to the specified values.
 is similar, but not identical, to that
 generated by BIND 8.
 

-
The statistics dump begins with the line +++ Statistics Dump
-+++ (973798949), where the number in parentheses is a standard
+
The statistics dump begins with a line, like:

+

+ +++ Statistics Dump +++ (973798949)
+ 

+
The numberr in parentheses is a standard
 Unix-style timestamp, measured as seconds since January 1, 1970.  Following
 that line are a series of lines containing a counter type, the value of the
 counter, optionally a zone name, and optionally a view name.
 The lines without view and zone listed are global statistics for the entire server.
 Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view).  The statistics dump ends
-with the line --- Statistics Dump --- (973798949), where the
-number is identical to the number in the beginning line.

+omitted for the default view).
+

+

+The statistics dump ends with the line where the
+number is identical to the number in the beginning line; for example:
+

+

+--- Statistics Dump --- (973798949)
+

 
The following statistics counters are maintained:

 

 
 

@@ -2267,7 +2278,7 @@ supported.

 
 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -2276,7 +2287,7 @@ supported.

 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
 and Usage

 
The trusted-keys statement defines DNSSEC
 security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the public key for a non-authoritative
@@ -2292,7 +2303,7 @@ key data.

 

 

 

-view Statement Grammar

+view Statement Grammar

 
view view_name [class] {
       match-clients { address_match_list } ;
       match-destinations { address_match_list } ;
@@ -2305,7 +2316,7 @@ key data.

 
 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 
The view statement is a powerful new feature
 of BIND 9 that lets a name server answer a DNS query differently
 depending on who is asking. It is particularly useful for implementing
@@ -2488,10 +2499,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 

@@ -2516,7 +2527,7 @@ Authentication to the master can also be done with per-server TSIG keys.
 If a file is specified, then the
 replica will be written to this file whenever the zone is changed,
 and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server start-up and eliminates
+recommended, since it often speeds server startup and eliminates
 a needless waste of bandwidth. Note that for large numbers (in the
 tens or hundreds of thousands) of zones per server, it is best to
 use a two level naming scheme for zone file names. For example,
@@ -2602,7 +2613,7 @@ from forwarders.

 
 

 

-Class

+Class

 
The zone's name may optionally be followed by a class. If
 a class is not specified, class IN (for Internet),
 is assumed. This is correct for the vast majority of cases.

@@ -2617,14 +2628,14 @@ in the mid-1970s. Zone data for it can be specified with the 
 

-Zone Options

+Zone Options
 

 
allow-notify

 
See the description of
-allow-notify in the section called “Access Control”

+allow-notify in the section called “Access Control”.

 
allow-query

 
See the description of
-allow-query in the section called “Access Control”

+allow-query in the section called “Access Control”.

 
allow-transfer

 
See the description of allow-transfer
 in the section called “Access Control”.

@@ -2739,15 +2750,15 @@ information for this zone, which can be dumped to the
 sig-validity-interval in the section called “Tuning”.

 
transfer-source

 
See the description of
-transfer-source in the section called “Zone Transfers”
+transfer-source in the section called “Zone Transfers”.
 

 
transfer-source-v6

 
See the description of
-transfer-source-v6 in the section called “Zone Transfers”
+transfer-source-v6 in the section called “Zone Transfers”.
 

 
notify-source

 
See the description of
-notify-source in the section called “Zone Transfers”
+notify-source in the section called “Zone Transfers”.
 

 
notify-source-v6

 
See the description of
@@ -2833,7 +2844,7 @@ SIG, NS, SOA, and NXT. Types may be specified by name, including
 

 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -2843,7 +2854,7 @@ Since the publication of RFC 1034, several new RRs have been identified
 and implemented in the DNS. These are also included.

 

 

-Resource Records

+Resource Records

 
A domain name identifies a node.  Each node has a set of
         resource information, which may be empty.  The set of resource
         information associated with a particular name is composed of
@@ -3118,7 +3129,7 @@ used as "pointers" to other data in the DNS.

 
 

 

-Textual expression of RRs

+Textual expression of RRs

 
RRs are represented in binary form in the packets of the DNS
 protocol, and are usually represented in highly encoded form when
 stored in a nameserver or resolver.  In the examples provided in
@@ -3208,7 +3219,7 @@ each of a different class.

 
 

 

-Discussion of MX Records

+Discussion of MX Records

 
As described above, domain servers store information as a
 series of resource records, each of which contains a particular
 piece of information about a given domain name (which is usually,
@@ -3325,7 +3336,7 @@ can be explicitly specified, for example, 1h30m. 
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 
Reverse name resolution (that is, translation from IP address
 to name) is achieved by means of the in-addr.arpa domain
 and PTR records. Entries in the in-addr.arpa domain are made in
@@ -3363,7 +3374,7 @@ that the example is relative to the listed origin.

 
 

 

-Other Zone File Directives

+Other Zone File Directives

 
The Master File Format was initially defined in RFC 1035 and
 has subsequently been extended. While the Master File Format itself
 is class independent all records in a Master File must be of the same
@@ -3372,7 +3383,7 @@ class.

 and $TTL.

 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 
Syntax: $ORIGIN
 domain-name [ comment]

 
$ORIGIN sets the domain name that will
@@ -3387,7 +3398,7 @@ WWW     CNAME   MAIN-SERVER
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 
Syntax: $INCLUDE
 filename [
 origin ] [ comment ]

@@ -3411,7 +3422,7 @@ This could be construed as a deviation from RFC 1035, a feature, or both.
 
 

 

-The $TTL Directive

+The $TTL Directive

 
Syntax: $TTL
 default-ttl [
 comment ]

@@ -3422,8 +3433,8 @@ with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.

 
 

 

-BIND Master File Extension: the  $GENERATE Directive

-
Syntax: $GENERATE range lhs type rhs [ comment ]

+BIND Master File Extension: the  $GENERATE Directive
.
+        
Syntax: $GENERATE range lhs type rhs [ comment ]

 
$GENERATE is used to create a series of
 resource records that only differ from each other by an iterator. $GENERATE can
 be used to easily generate the sets of records required to support
@@ -3465,8 +3476,8 @@ e.g. \$. The { immediately following the
 $ as ${offset[,width[,base]]}.
-e.g. ${-20,3,d} which subtracts 20 from the current value,
-prints the result as a decimal in a zero padded field of with 3.  Available
+For example, ${-20,3,d} which subtracts 20 from the current value,
+prints the result as a decimal in a zero padded field of width 3.  Available
 output forms are decimal (d), octal (o)
 and hexadecimal (x or X for uppercase).
 The default modifier is ${0,0,d}.
@@ -3474,7 +3485,7 @@ If the lhs is not
 absolute, the current $ORIGIN is appended to
 the name.

 
For compatibility with earlier versions $$ is still
-recognised a indicating a literal $ in the output.

+recognised as indicating a literal $ in the output.

 
 
 
@@ -3484,7 +3495,7 @@ PTR, CNAME, DNAME, A, AAAA and NS.

 
-
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 511bc04dad..f8d8fb0f2d 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,11 +46,11 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid (for
+
chroot and setuid (for
 UNIX servers)

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -75,6 +75,7 @@ your server.

 // Set up an ACL named "bogusnets" that will block RFC1918 space,
 // which is commonly used in spoofing attacks.
 acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+
 // Set up an ACL called our-nets. Replace this with the real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; }; 
 options {
@@ -86,6 +87,7 @@ options {
   blackhole { bogusnets; };
   ...
 };
+
 zone "example.com" {
   type master;
   file "m/example.com";
@@ -100,7 +102,7 @@ see the AUSCERT advisory at
 
 

 

-chroot and setuid (for
+chroot and setuid (for
 UNIX servers)

 
On UNIX servers, it is possible to run BIND in a chrooted environment
 (chroot()) by specifying the "-t"
@@ -115,8 +117,8 @@ user 202:

 
/usr/local/bin/named -u 202 -t /var/named

 

 

-The chroot Environment

-
In order for a chroot() environment to
+The chroot Environment

+
In order for a chroot environment to
 work properly in a particular directory
 (for example, /var/named),
 you will need to set up an environment that includes everything
@@ -134,13 +136,13 @@ However, depending on your operating system, you may need
 to set up things like
 /dev/zero,
 /dev/random,
-/dev/log, and/or
+/dev/log, and
 /etc/localtime.
 

 
 

 

-Using the setuid Function

+Using the setuid Function

 
Prior to running the named daemon, use
 the touch utility (to change file access and
 modification times) or the chown utility (to
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 25fd419a12..47402d8056 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 
The best solution to solving installation and
       configuration issues is to take preventative measures by setting
       up logging files beforehand. The log files provide a
@@ -66,7 +66,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 
Zone serial numbers are just numbers-they aren't date
     related.  A lot of people set them to a number that represents a
     date, usually of the form YYYYMMDDRR. A number of people have been
@@ -87,7 +87,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 
The Internet Software Consortium (ISC) offers a wide range
     of support and service agreements for BIND and DHCP servers. Four
     levels of premium support are available and each level includes
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index e1d81f2a78..c320d641b1 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -43,26 +43,26 @@
 

 
Table of Contents

 

-
Acknowledgements

-
A Brief History of the DNS and BIND

+
Acknowledgements

+
A Brief History of the DNS and BIND

 
Historical DNS Information

 
Classes of Resource Records

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (A6)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgements

+Acknowledgements

 

 

-A Brief History of the DNS and BIND

+A Brief History of the DNS and BIND

 
Although the "official" beginning of the Domain Name
       System occurred in 1984 with the publication of RFC 920, the
       core of the new system was described in 1983 in RFCs 882 and
@@ -85,7 +85,10 @@ Center (SRI-NIC). A DNS server for Unix machines, t
 Name Domain (BIND) package, was written soon after by a group of
 graduate students at the University of California at Berkeley under
 a grant from the US Defense Advanced Research Projects Administration
-(DARPA). Versions of BIND through 4.8.3 were maintained by the Computer
+(DARPA).
+

+

+Versions of BIND through 4.8.3 were maintained by the Computer
 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
 Painter, David Riggle and Songnian Zhou made up the initial BIND
 project team. After that, additional work on the software package
@@ -122,7 +125,7 @@ individuals.

 Classes of Resource Records
 

 

-HS = hesiod

+HS = hesiod

 
The [hesiod] class is an information service
 developed by MIT's Project Athena. It is used to share information
 about various systems databases, such as users, groups, printers
@@ -131,7 +134,7 @@ hesiod.

 
 

 

-CH = chaos

+CH = chaos

 
The chaos class is used to specify zone
 data for the MIT-developed CHAOSnet, a LAN protocol created in the
 mid-1970s.

@@ -140,7 +143,7 @@ mid-1970s.

 
 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (A6)

@@ -320,7 +323,7 @@ the number of the RFC). RFCs are also available via the Web at
 

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -420,11 +423,11 @@ after which they are deleted unless updated by their authors.
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 3d4f4bda75..c27310f05a 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -84,7 +84,7 @@
 
Nameserver Operations

 

 
Tools for Use With the Nameserver Daemon

-
Signals

+
Signals

 

 
 
4. Advanced Concepts

@@ -92,35 +92,35 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Creating a Keyset

-
Signing the Child's Keyset

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Creating a Keyset

+
Signing the Child's Keyset

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
5. The BIND 9 Lightweight Resolver

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 
6. BIND 9 Configuration Reference

@@ -128,77 +128,77 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
 Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and Usage

-
include Statement Grammar

-
include Statement Definition and Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
options Statement Grammar

-
options Statement Definition and Usage

+
include Statement Grammar

+
include Statement Definition and Usage

+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and Usage

+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
options Statement Grammar

+
options Statement Definition and Usage

 
server Statement Grammar

 
server Statement Definition and Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
 and Usage

-
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Grammar

+
view Statement Definition and Usage

 
zone
 Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid (for
+
chroot and setuid (for
 UNIX servers)

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgements

-
A Brief History of the DNS and BIND

+
Acknowledgements

+
A Brief History of the DNS and BIND

 
Historical DNS Information

 
Classes of Resource Records

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (A6)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

From 47012ae6dbf18a2503d7b33c1c9583dc38625cb7 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 17 May 2006 02:39:16 +0000
Subject: [PATCH 194/465] regen

---
 bin/named/named.conf.5           |  10 +-
 bin/named/named.conf.html        |  18 +-
 doc/arm/Bv9ARM.ch03.html         |  12 +-
 doc/arm/Bv9ARM.ch04.html         |  82 ++++-----
 doc/arm/Bv9ARM.ch05.html         |   6 +-
 doc/arm/Bv9ARM.ch06.html         | 287 ++++++++++++++++---------------
 doc/arm/Bv9ARM.ch07.html         |  20 ++-
 doc/arm/Bv9ARM.ch08.html         |  18 +-
 doc/arm/Bv9ARM.ch09.html         |  25 +--
 doc/arm/Bv9ARM.html              | 102 +++++------
 doc/arm/man.dig.html             |  20 +--
 doc/arm/man.dnssec-keygen.html   |  14 +-
 doc/arm/man.dnssec-signzone.html |  12 +-
 doc/arm/man.host.html            |  10 +-
 doc/arm/man.named-checkconf.html |  12 +-
 doc/arm/man.named-checkzone.html |  12 +-
 doc/arm/man.named.html           |  16 +-
 doc/arm/man.rndc-confgen.html    |  12 +-
 doc/arm/man.rndc.conf.html       |  12 +-
 doc/arm/man.rndc.html            |  12 +-
 20 files changed, 366 insertions(+), 346 deletions(-)

diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index ad840d9c9d..2b2244910b 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.18 2006/03/11 02:07:52 marka Exp $
+.\" $Id: named.conf.5,v 1.19 2006/05/17 02:39:15 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -186,8 +186,8 @@ options {
 	rfc2308\-type1 \fIboolean\fR; // not yet implemented
 	additional\-from\-auth \fIboolean\fR;
 	additional\-from\-cache \fIboolean\fR;
-	query\-source \fIquerysource4\fR;
-	query\-source\-v6 \fIquerysource6\fR;
+	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
@@ -317,8 +317,8 @@ view \fIstring\fR \fIoptional_class\fR {
 	rfc2308\-type1 \fIboolean\fR; // not yet implemented
 	additional\-from\-auth \fIboolean\fR;
 	additional\-from\-cache \fIboolean\fR;
-	query\-source \fIquerysource4\fR;
-	query\-source\-v6 \fIquerysource6\fR;
+	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 3399b15a19..d2a4e797e4 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -204,8 +204,8 @@ options
 	rfc2308-type1 boolean; // not yet implemented

 	additional-from-auth boolean;

 	additional-from-cache boolean;

-	query-source querysource4;

-	query-source-v6 querysource6;

+	query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];

+	query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];

 	cleaning-interval integer;

 	min-roots integer; // not implemented

 	lame-ttl integer;

@@ -312,7 +312,7 @@ options
 

 
 

-
VIEW

+
VIEW

 


 view string optional_class {

 	match-clients { address_match_element; ... };

@@ -351,8 +351,8 @@ view
 	rfc2308-type1 boolean; // not yet implemented

 	additional-from-auth boolean;

 	additional-from-cache boolean;

-	query-source querysource4;

-	query-source-v6 querysource6;

+	query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];

+	query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];

 	cleaning-interval integer;

 	min-roots integer; // not implemented

 	lame-ttl integer;

@@ -451,7 +451,7 @@ view
 

 

 

-
ZONE

+
ZONE

 


 zone string optional_class {

 	type ( master | slave | stub | hint |

@@ -535,12 +535,12 @@ zone
 

 

 

-
FILES

+
FILES

 
/etc/named.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       rndc(8),
       BIND 9 Administrator Reference Manual.
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index d993fa56e3..edd9b03c0c 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -54,7 +54,7 @@
 
Name Server Operations

 

 
Tools for Use With the Name Server Daemon

-
Signals

+
Signals

 

 
 

@@ -430,7 +430,7 @@ zone "eng.example.com" {
                   it will display a usage message as follows:
                 

 
rndc  [-c config] [-s server] [-p port] [-y key]  command  [command...]

-
command
+
The command
                   is one of the following:
                 

 

@@ -536,7 +536,7 @@ zone "eng.example.com" {
                         made through dynamic update or IXFR are first saved to
                         the master files of the updated zones.
                         If -p is specified named's process id is returned.
-                        This allows a external process to determine when named
+                        This allows an external process to determine when named
                         had completed stopping.
                       

 
halt [-p]

@@ -546,7 +546,7 @@ zone "eng.example.com" {
                         the master files, but will be rolled forward from the
                         journal files when the server is restarted.
                         If -p is specified named's process id is returned.
-                        This allows a external process to determine when named
+                        This allows an external process to determine when named
                         had completed halting.
                       

 
trace

@@ -741,7 +741,7 @@ controls {
 

 

 

-Signals

+Signals

 

           Certain UNIX signals cause the name server to take specific
           actions, as described in the following table.  These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index e07692fc08..9fd2c47684 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -49,28 +49,28 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
@@ -94,7 +94,7 @@
       

 

 
Note

-        As slave zone can also be a master to other slaves, named,
+        As a slave zone can also be a master to other slaves, named,
         by default, sends NOTIFY messages for every zone
         it loads.  Specifying notify master-only; will
         cause named to only send NOTIFY for master
@@ -204,7 +204,7 @@
 

 

 

-Split DNS

+Split DNS

 

         Setting up different views, or visibility, of the DNS space to
         internal and external resolvers is usually referred to as a
@@ -347,7 +347,7 @@
 

         Here is an example configuration for the setup we just
         described above. Note that this is only configuration information;
-        for information on how to configure your zone files, see the section called “Sample Configurations”
+        for information on how to configure your zone files, see the section called “Sample Configurations”.
       

 

         Internal DNS server config:
@@ -479,7 +479,7 @@ nameserver 172.16.72.4
       

 

 

-Generate Shared Keys for Each Pair of Hosts

+Generate Shared Keys for Each Pair of Hosts

 

           A shared secret is generated to be shared between host1 and host2.
           An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -487,7 +487,7 @@ nameserver 172.16.72.4
         

 

 

-Automatic Generation

+Automatic Generation

 

             The following command will generate a 128 bit (16 byte) HMAC-MD5
             key as described above. Longer keys are better, but shorter keys
@@ -512,7 +512,7 @@ nameserver 172.16.72.4
 
 

 

-Manual Generation

+Manual Generation

 

             The shared secret is simply a random sequence of bits, encoded
             in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -527,7 +527,7 @@ nameserver 172.16.72.4
 
 

 

-Copying the Shared Secret to Both Machines

+Copying the Shared Secret to Both Machines

 

           This is beyond the scope of DNS. A secure transport mechanism
           should be used. This could be secure FTP, ssh, telephone, etc.
@@ -535,7 +535,7 @@ nameserver 172.16.72.4
 
 

 

-Informing the Servers of the Key's Existence

+Informing the Servers of the Key's Existence

 

           Imagine host1 and host 2
           are
@@ -564,7 +564,7 @@ key host1-host2. {
 
 

 

-Instructing the Server to Use the Key

+Instructing the Server to Use the Key

 

           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the named.conf file
@@ -596,7 +596,7 @@ server 10.1.2.3 {
 
 

 

-TSIG Key Based Access Control

+TSIG Key Based Access Control

 

           BIND allows IP addresses and ranges
           to be specified in ACL
@@ -624,11 +624,11 @@ allow-update { key host1-host2. ;};
 
 

 

-Errors

+Errors

 

           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
-          server, a FORMERR will be returned, since the server will not
+          server, a FORMERR (format error) will be returned, since the server will not
           understand the record. This is a result of misconfiguration,
           since the server must be explicitly configured to send a TSIG
           signed message to a specific server.
@@ -644,13 +644,13 @@ allow-update { key host1-host2. ;};
           the TSIG extended error code set to BADTIME, and the time values
           will be adjusted so that the response can be successfully
           verified. In any of these cases, the message's rcode is set to
-          NOTAUTH.
+          NOTAUTH (not authenticated).
         

 
 
 

 

-TKEY

+TKEY

 
TKEY
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
@@ -686,7 +686,7 @@ allow-update { key host1-host2. ;};
 
 

 

-SIG(0)

+SIG(0)

 

         BIND 9 partially supports DNSSEC SIG(0)
             transaction signatures as specified in RFC 2535 and RFC2931.
@@ -735,7 +735,7 @@ allow-update { key host1-host2. ;};
         There must also be communication with the administrators of
         the parent and/or child zone to transmit keys.  A zone's security
         status must be indicated by the parent zone for a DNSSEC capable
-        resolver to trust its data.  This is done through the presense
+        resolver to trust its data.  This is done through the presence
         or absence of a DS record at the
         delegation
         point.
@@ -747,7 +747,7 @@ allow-update { key host1-host2. ;};
       

 

 

-Generating Keys

+Generating Keys

 

           The dnssec-keygen program is used to
           generate keys.
@@ -798,7 +798,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Zone

+Signing the Zone

 

           The dnssec-signzone program is used
           to
@@ -842,7 +842,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Configuring Servers

+Configuring Servers

 

           To enable named to respond appropriately
           to DNS requests from DNSSEC aware clients
@@ -852,12 +852,12 @@ allow-update { key host1-host2. ;};
           To enable named to validate answers from
           other servers both dnssec-enable and
           dnssec-validate must be set and some
-          some trusted-keys must be configured
+          trusted-keys must be configured
           into named.conf.
         

 

           trusted-keys are copies of DNSKEY RRs
-          for zones that are used to form the first link the the
+          for zones that are used to form the first link in the
           cryptographic chain of trust.  All keys listed in
           trusted-keys (and corresponding zones)
           are deemed to exist and only the listed keys will be used
@@ -923,14 +923,14 @@ options {
 
 

 
Note

-          None of the keys listed in this example are valid.  In particular
+          None of the keys listed in this example are valid.  In particular,
           the root key is not valid.
         

 
 
 

 

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

 

         BIND 9 fully supports all currently
         defined forms of IPv6
@@ -969,7 +969,7 @@ options {
       

 

 

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

 

           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -988,7 +988,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 

 

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

 

           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 330444d47a..5fd5d74e00 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,13 +45,13 @@
 

 
Table of Contents

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 

 

 

-The Lightweight Resolver Library

+The Lightweight Resolver Library

 

         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 30e859950d..64102846c2 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,52 +48,52 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
@@ -428,7 +428,7 @@
 Address Match Lists
 

 

-Syntax

+Syntax

 
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -437,7 +437,7 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -515,7 +515,7 @@
 
 

 

-Comment Syntax

+Comment Syntax

 

           The BIND 9 comment syntax allows for
           comments to appear
@@ -525,7 +525,7 @@
         

 

 

-Syntax

+Syntax

 

             

 
/* This is a BIND comment as in C */

@@ -540,9 +540,9 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

-            Comments may appear anywhere that whitespace may appear in
+            Comments may appear anywhere that white space may appear in
             a BIND configuration file.
           

 

@@ -697,7 +697,7 @@
 

@@ -774,7 +774,7 @@
       

 

 

-acl Statement Grammar

+acl Statement Grammar

 
acl acl-name {
     address_match_list
 };
@@ -857,7 +857,7 @@
 
 

 

-controls Statement Grammar

+controls Statement Grammar

 
controls {
    [ inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys { key_list }; ]
@@ -882,7 +882,7 @@
           An inet control channel is a TCP socket
           listening at the specified ip_port on the
           specified ip_addr, which can be an IPv4 or IPv6
-          address.  An ip_addr of * is
+          address.  An ip_addr of * (asterisk) is
           interpreted as the IPv4 wildcard address; connections will be
           accepted on any of the system's IPv4 addresses.
           To listen on the IPv6 wildcard address,
@@ -892,7 +892,7 @@
           or ::1) is recommended for maximum security.
         

 

-          If no port is specified, port 953 is used.
+          If no port is specified, port 953 is used. The asterisk
           "*" cannot be used for ip_port.
         

 

@@ -906,7 +906,7 @@
           are ignored.
         

 

-          An unix control channel is a UNIX domain
+          A unix control channel is a UNIX domain
           socket listening at the specified path in the file system.
           Access to the socket is specified by the perm,
           owner and group clauses.
@@ -979,12 +979,12 @@
 
 

 

-include Statement Grammar

+include Statement Grammar

 
include filename;

 
 

 

-include Statement Definition and
+include Statement Definition and
           Usage

 

           The include statement inserts the
@@ -999,7 +999,7 @@
 

 

 

-key Statement Grammar

+key Statement Grammar

 
key key_id {
     algorithm string;
     secret string;
@@ -1008,7 +1008,7 @@
 
 

 

-key Statement Definition and Usage

+key Statement Definition and Usage

 

           The key statement defines a shared
           secret key for use with TSIG (see the section called “TSIG”)
@@ -1055,7 +1055,7 @@
 
 

 

-logging Statement Grammar

+logging Statement Grammar

 
logging {
    [ channel channel_name {
      ( file path name
@@ -1079,7 +1079,7 @@
 
 

 

-logging Statement Definition and
+logging Statement Definition and
           Usage

 

           The logging statement configures a
@@ -1113,7 +1113,7 @@
         

 

 

-The channel Phrase

+The channel Phrase

 

             All log output goes to one or more channels;
             you can make as many of them as you want.
@@ -1252,7 +1252,7 @@
             with the -d flag followed by a positive integer,
             or by running rndc trace.
             The global debug level
-            can be set to zero, and debugging mode turned off, by running ndc
+            can be set to zero, and debugging mode turned off, by running rndc
 notrace. All debugging messages in the server have a debug
             level, and higher debug levels give more detailed output. Channels
             that specify a specific debug severity, for example:
@@ -1330,7 +1330,7 @@ channel null {
             special
             property that it only produces output when the server's debug
             level is
-            nonzero.  It normally writes to a file named.run
+            nonzero.  It normally writes to a file called named.run
             in the server's working directory.
           

 

@@ -1557,7 +1557,7 @@ category notify { null; };
                       Specify where queries should be logged to.
                     

                     

-                      At startup, specifing the category queries will also
+                      At startup, specifying the category queries will also
                       enable query logging unless querylog option has been
                       specified.
                     

@@ -1632,7 +1632,7 @@ category notify { null; };
 
 

 

-lwres Statement Grammar

+lwres Statement Grammar

 

            This is the grammar of the lwres
           statement in the named.conf file:
@@ -1647,12 +1647,12 @@ category notify { null; };
 
 

 

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

 

           The lwres statement configures the
           name
-          server to also act as a lightweight resolver server, see
-          the section called “Running a Resolver Daemon”.  There may be be multiple
+          server to also act as a lightweight resolver server. (See
+          the section called “Running a Resolver Daemon”.)  There may be be multiple
           lwres statements configuring
           lightweight resolver servers with different properties.
         

@@ -1698,14 +1698,14 @@ category notify { null; };
 
 

 

-masters Statement Grammar

+masters Statement Grammar

 
 masters name [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] };
 

 
 

 

-masters Statement Definition and
+masters Statement Definition and
           Usage

 
masters
           lists allow for a common set of masters to be easily used by
@@ -1714,7 +1714,7 @@ category notify { null; };
 

 

 

-options Statement Grammar

+options Statement Grammar

 

           This is the grammar of the options
           statement in the named.conf file:
@@ -1972,7 +1972,7 @@ digits" + "tkey-domain". In most cases,
                 If not specified, the default is named.stats in the
                 server's current directory.  The format of the file is
                 described
-                in the section called “The Statistics File”
+                in the section called “The Statistics File”.
               

 
port

 

@@ -2013,7 +2013,7 @@ digits" + "tkey-domain". In most cases,
 
root-delegation-only

 

 

-                Turn on enforcement of delegation-only in TLDs and root zones
+                Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
                 with an optional
                 exclude list.
               

@@ -2329,7 +2329,7 @@ options {
 
flush-zones-on-shutdown

 

                   When the nameserver exits due receiving SIGTERM,
-                  flush / do not flush any pending zone writes.  The default
+                  flush or do not flush any pending zone writes.  The default
                   is
                   flush-zones-on-shutdown no.
                 

@@ -2481,7 +2481,7 @@ options {
                   provide-ixfr in
                   the section called “server Statement Definition and
-            Usage”
+            Usage”.
                 

 
request-ixfr

 

@@ -2489,7 +2489,7 @@ options {
                   request-ixfr in
                   the section called “server Statement Definition and
-            Usage”
+            Usage”.
                 

 
treat-cr-as-space

 

@@ -2680,7 +2680,7 @@ options {
                   the default is ignore.
                 

 

-                  The rules for legal hostnames / mail domains are derived
+                  The rules for legal hostnames or mail domains are derived
                   from RFC 952 and RFC 821 as modified by RFC 1123.
                 

 
check-names
@@ -2743,12 +2743,14 @@ options {
 

                   When returning authoritative negative responses to
                   SOA queries set the TTL of the SOA recored returned in
-                  the authority section to zero.  Default yes.
+                  the authority section to zero.
+                  The default is yes.
                 

 
zero-no-soa-ttl-cache

 

                   When caching a negative response to a SOA query
-                  set the TTL to zero.  Default no.
+                  set the TTL to zero.
+                  The default is no.
                 

 
update-check-ksk

 

@@ -2757,13 +2759,14 @@ options {
                   the DNSKEY RR to determine if this key should be
                   used to generate the RRSIG.  This flag is ignored
                   if there are not DNSKEY RRs both with and without
-                  a KSK.  Default yes.
+                  a KSK.
+                  The default is yes.
                 

 
 
 

 

-Forwarding

+Forwarding

 

             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2807,7 +2810,7 @@ options {
 
 

 

-Dual-stack Servers

+Dual-stack Servers

 

             Dual-stack servers are used as servers of last resort to work
             around
@@ -2818,7 +2821,7 @@ options {
 

 
dual-stack-servers

 

-                  Specifies host names / addresses of machines with access to
+                  Specifies host names or addresses of machines with access to
                   both IPv4 and IPv6 transports. If a hostname is used the
                   server must be able
                   to resolve the name using only the transport it has.  If the
@@ -2967,7 +2970,7 @@ options {
 

 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3047,7 +3050,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 

 

-Query Address

+Query Address

 

             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3188,7 +3191,7 @@ query-source-v6 address * port *;
                   only supported by relatively new slave servers,
                   such as BIND 9, BIND
                   8.x and BIND 4.9.5 onwards.
-                  The many-answers format also supported by
+                  The many-answers format is also supported by
                   recent Microsoft Windows nameservers.
                   The default is many-answers.
                   transfer-format may be overridden on a
@@ -3303,7 +3306,7 @@ query-source-v6 address * port *;
                   server's masters zone clause or
                   in an allow-notify clause.  This
                   statement sets the notify-source
-                  for all zones, but can be overridden on a per-zone /
+                  for all zones, but can be overridden on a per-zone or
                   per-view basis by including a
                   notify-source statement within
                   the zone or
@@ -3327,7 +3330,7 @@ query-source-v6 address * port *;
 
 

 

-Bad UDP Port Lists

+Bad UDP Port Lists

 
avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3341,7 +3344,7 @@ query-source-v6 address * port *;
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3353,8 +3356,7 @@ query-source-v6 address * port *;
             maximum available amount. default
             uses the limit
             that was in force when the server was started. See the description
-            of
-            size_spec in the section called “Configuration File Elements”.
+            of size_spec in the section called “Configuration File Elements”.
           

 

             The following options set operating system resource limits for
@@ -3401,7 +3403,7 @@ query-source-v6 address * port *;
 
 

 

-Server  Resource Limits

+Server  Resource Limits

 

             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3418,7 +3420,7 @@ query-source-v6 address * port *;
 
max-journal-size

 

                   Sets a maximum size for each journal file
-                  (the section called “The journal file”).  When the journal file
+                  (see the section called “The journal file”).  When the journal file
                   approaches
                   the specified size, some of the oldest transactions in the
                   journal
@@ -3479,7 +3481,7 @@ query-source-v6 address * port *;
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -3805,8 +3807,8 @@ query-source-v6 address * port *;
                   be silently truncated to 7 days if set to a greater value.
                 

 
max-cache-ttl

-
max-cache-ttl
-                  sets the maximum time for which the server will
+

+                  Sets the maximum time for which the server will
                   cache ordinary (positive) answers. The default is
                   one week (7 days).
                 

@@ -3821,7 +3823,7 @@ query-source-v6 address * port *;
 

 
Note

 

-                    Not implemented in BIND9.
+                    Not implemented in BIND 9.
                   

 

 

@@ -3884,7 +3886,7 @@ query-source-v6 address * port *;
                   that are greater than 512 bytes.
                 

 
masterfile-format

-
masterfile-format specifies
+
Specifies
                   the file format of zone files (see
                   the section called “Additional File Formats”).
                   The default value is text, which is the
@@ -3902,7 +3904,7 @@ query-source-v6 address * port *;
                   specified in the named configuration
                   file.  This statement sets the
                   masterfile-format for all zones,
-                  but can be overridden on a per-zone / per-view basis
+                  but can be overridden on a per-zone or per-view basis
                   by including a masterfile-format
                   statement within the zone or
                   view block in the configuration
@@ -3912,8 +3914,7 @@ query-source-v6 address * port *;
 clients-per-query, max-clients-per-query
 
 

-
clients-per-query
-                  and max-clients-per-query set the
+
These set the
                   initial value (minimum) and maximum number of recursive
                   simultanious clients for any given query
                   (<qname,qtype,qclass>) that the server will accept
@@ -3939,7 +3940,7 @@ query-source-v6 address * port *;
 

                   If max-clients-per-query is set to zero
                   then there is no upper bound other than imposed by
-                  recurive-clients.
+                  recursive-clients.
                 

 

 
@@ -3984,7 +3985,7 @@ query-source-v6 address * port *;
                   with type TXT, class CHAOS.
                   This defaults to the hostname of the machine hosting the
                   name server as
-                  found by gethostname().  The primary purpose of such queries
+                  found by the gethostname() function.  The primary purpose of such queries
                   is to
                   identify which of a group of anycast servers is actually
                   answering your queries.  Specifying hostname none;
@@ -4000,7 +4001,7 @@ query-source-v6 address * port *;
                   answering your queries.  Specifying server-id none;
                   disables processing of the queries.
                   Specifying server-id hostname; will cause named to
-                  use the hostname as found by gethostname().
+                  use the hostname as found by the gethostname() function.
                   The default server-id is none.
                 

 
@@ -4013,7 +4014,7 @@ query-source-v6 address * port *;
             These are for zones that should normally be answered locally
             and which queries should not be sent to the Internet's root
             servers.  The offical servers which cover these namespaces
-            return NXDOMAIN responses to these queries.  In particular
+            return NXDOMAIN responses to these queries.  In particular,
             these cover the reverse namespace for addresses from RFC 1918 and
             RFC 3330.  They also include the reverse namespace for IPv6 local
             address (locally assigned), IPv6 link local addresses, the IPv6
@@ -4064,8 +4065,12 @@ query-source-v6 address * port *;
             views of class IN.  Disabled empty zones are only inherited
             from options if there are no disabled empty zones specified
             at the view level.  To override the options list of disabled
-            zones you can disable the root zone at the view level
-            (disable-empty-zone ".";).
+            zones you can disable the root zone at the view level, for example:
+

+
+            disable-empty-zone ".";
+

+

           

 

             If you are using the address ranges covered here you should
@@ -4117,8 +4122,13 @@ query-source-v6 address * port *;
             generated by BIND 8.
           

 

-            The statistics dump begins with the line +++ Statistics Dump
-+++ (973798949), where the number in parentheses is a standard
+            The statistics dump begins with a line, like:
+          

+

+            +++ Statistics Dump +++ (973798949)
+          

+

+            The number in parentheses is a standard
             Unix-style timestamp, measured as seconds since January 1, 1970.
             Following
             that line are a series of lines containing a counter type, the
@@ -4128,9 +4138,14 @@ query-source-v6 address * port *;
             the entire server.
             Lines with a zone and view name for the given view and zone (the
             view name is
-            omitted for the default view).  The statistics dump ends
-            with the line --- Statistics Dump --- (973798949), where the
-            number is identical to the number in the beginning line.
+            omitted for the default view).
+          

+

+            The statistics dump ends with the line where the
+            number is identical to the number in the beginning line; for example:
+          

+

+            --- Statistics Dump --- (973798949)
           

 

             The following statistics counters are maintained:
@@ -4514,7 +4529,7 @@ query-source-v6 address * port *;
 
 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4523,7 +4538,7 @@ query-source-v6 address * port *;
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -4566,7 +4581,7 @@ query-source-v6 address * port *;
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -4817,10 +4832,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 


 

 
rhs
rhs is a domain name. It is processed
+
A domain name. It is processed
 similarly to lhs.

 

 

                 

                   configures named to
-                  also act as a light weight resolver daemon (lwresd).
+                  also act as a light-weight resolver daemon (lwresd).
                 

               		
 
@@ -4870,7 +4885,7 @@ zone zone_name [zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5051,23 +5066,17 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

-
journal

-

-                    Allow the default journal's file name to be overridden.
-                    The default is the zone's file with ".jnl" appended.
-                    This is applicable to master and slave zones.
-                  

 
allow-notify

 

                     See the description of
-                    allow-notify in the section called “Access Control”
+                    allow-notify in the section called “Access Control”.
                   

 
allow-query

 

                     See the description of
-                    allow-query in the section called “Access Control”
+                    allow-query in the section called “Access Control”.
                   

 
allow-transfer

 

@@ -5218,6 +5227,12 @@ zone zone_name [BIND 8.
                     Ignored in BIND 9.
                   

+
journal

+

+                    Allow the default journal's file name to be overridden.
+                    The default is the zone's file with ".jnl" appended.
+                    This is applicable to master and slave zones.
+                  

 
max-transfer-time-in

 

                     See the description of
@@ -5268,32 +5283,32 @@ zone zone_name [transfer-source
 

                     See the description of
-                    transfer-source in the section called “Zone Transfers”
+                    transfer-source in the section called “Zone Transfers”.
                   

 
transfer-source-v6

 

                     See the description of
-                    transfer-source-v6 in the section called “Zone Transfers”
+                    transfer-source-v6 in the section called “Zone Transfers”.
                   

 
alt-transfer-source

 

                     See the description of
-                    alt-transfer-source in the section called “Zone Transfers”
+                    alt-transfer-source in the section called “Zone Transfers”.
                   

 
alt-transfer-source-v6

 

                     See the description of
-                    alt-transfer-source-v6 in the section called “Zone Transfers”
+                    alt-transfer-source-v6 in the section called “Zone Transfers”.
                   

 
use-alt-transfer-source

 

                     See the description of
-                    use-alt-transfer-source in the section called “Zone Transfers”
+                    use-alt-transfer-source in the section called “Zone Transfers”.
                   

 
notify-source

 

                     See the description of
-                    notify-source in the section called “Zone Transfers”
+                    notify-source in the section called “Zone Transfers”.
                   

 
notify-source-v6

 

@@ -5316,7 +5331,7 @@ zone zone_name [key-directory in the section called “options Statement Definition and
-          Usage”
+          Usage”.
                   

 
multi-master

 

@@ -5534,7 +5549,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -5547,7 +5562,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -5870,7 +5885,7 @@ zone zone_name [
 

@@ -6918,8 +6933,8 @@ $GENERATE 1-127 $ CNAME $.0
                     
ttl

                   
 
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 1b9870af86..1321894ef8 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -85,6 +85,7 @@ acl bogusnets {
         0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
         10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
 };
+
 // Set up an ACL called our-nets. Replace this with the real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
 options {
@@ -96,6 +97,7 @@ options {
   blackhole { bogusnets; };
   ...
 };
+
 zone "example.com" {
   type master;
   file "m/example.com";
@@ -116,7 +118,7 @@ zone "example.com" {
 
 

 

-chroot and setuid

+chroot and setuid

 

           On UNIX servers, it is possible to run BIND in a chrooted environment
           (chroot()) by specifying the "-t"
@@ -139,9 +141,9 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

-            In order for a chroot() environment
+            In order for a chroot environment
             to
             work properly in a particular directory
             (for example, /var/named),
@@ -161,13 +163,13 @@ zone "example.com" {
             to set up things like
             /dev/zero,
             /dev/random,
-            /dev/log, and/or
+            /dev/log, and
             /etc/localtime.
           

 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 3be206d2b7..19fefb16ee 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index e7a061ab3c..88538201a3 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND

@@ -94,7 +94,10 @@
             under
             a grant from the US Defense Advanced Research Projects
             Administration
-            (DARPA). Versions of BIND through
+            (DARPA).
+          

+

+            Versions of BIND through
             4.8.3 were maintained by the Computer
             Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
             Painter, David Riggle and Songnian Zhou made up the initial BIND
@@ -145,7 +148,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -232,7 +235,7 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -250,7 +253,7 @@
 
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

 
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

 
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

-
[RFC2671] Extension Mechanisms for DNS (EDNS0). P. Vixie. August 1997. 

+
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

 
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

 
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

 
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

@@ -417,11 +420,11 @@
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 172935810f..8bebaa5916 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -83,7 +83,7 @@
 
Name Server Operations

 

 
Tools for Use With the Name Server Daemon

-
Signals

+
Signals

 

 
 
4. Advanced DNS Features

@@ -92,33 +92,33 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

+
Split DNS

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Signing the Zone

+
Configuring Servers

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
5. The BIND 9 Lightweight Resolver

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 
6. BIND 9 Configuration Reference

@@ -126,83 +126,83 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 793bcbc4c4..2486c9c43e 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -137,7 +137,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index e063393286..9530152baa 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -166,7 +166,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 09c8854dfe..48fd2f5c20 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -257,7 +257,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -283,14 +283,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index ff83ad3339..764e84ead2 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 2f49dd6491..e8cb15657f 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-v] [-j] [-t directory] {filename} [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -88,20 +88,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 3ce08b0ed0..ee6be9393c 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -251,21 +251,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 782f08057c..544c813d18 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -198,7 +198,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -241,7 +241,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -252,7 +252,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 01b805eb60..3dd8418942 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -171,7 +171,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 883879fe76..9580fa8234 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index dcc448fb58..6a43989e98 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 


From eadf7666822b8b755fe83fe43fd6475b5dd99601 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 17 May 2006 23:17:54 +0000
Subject: [PATCH 195/465] auto update

---
 doc/private/branches | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index 6218179665..45bb83c82b 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -75,6 +75,10 @@ rt15958				new
 rt15960				new	
 rt15970				new	
 rt15976				new	
+rt15992				new	
+rt16020				new	
+rt16026				new	
+rt16027				new	
 rt16034				new	
 rt16037				new	
 rt1727				open		// ixfr-from-differences workfile

From 21b76ee598c937c6736cbc7ab69684bb3332428a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 00:51:02 +0000
Subject: [PATCH 196/465] 2022.   [bug]           If dnssec validation is
 disabled only assert CD if                         CD was requested. [RT
 #16037]

2021.   [bug]           dnssec-enable no; triggered a REQUIRE. [RT #16037]
---
 CHANGES            | 5 +++++
 lib/dns/resolver.c | 9 +++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 75f8a448e7..d38b343d82 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+2022.	[bug]		If dnssec validation is disabled only assert CD if
+			CD was requested. [RT #16037]
+
+2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
+
 2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
 
 2019.	[tuning]	Reduce the amount of work performed per quantum
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 191552b4f2..d8075a57db 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.330 2006/03/09 23:21:54 marka Exp $ */
+/* $Id: resolver.c,v 1.331 2006/05/18 00:51:02 marka Exp $ */
 
 /*! \file */
 
@@ -1284,7 +1284,9 @@ resquery_send(resquery_t *query) {
 	 * Set CD if the client says don't validate or the question is
 	 * under a secure entry point.
 	 */
-	if ((query->options & DNS_FETCHOPT_NOVALIDATE) == 0) {
+	if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
+		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	} else if (res->view->enablevalidation) {
 		result = dns_keytable_issecuredomain(res->view->secroots,
 						     &fctx->name,
 						     &secure_domain);
@@ -1294,8 +1296,7 @@ resquery_send(resquery_t *query) {
 			secure_domain = ISC_TRUE;
 		if (secure_domain)
 			fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-	} else
-		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	}
 
 	/*
 	 * We don't have to set opcode because it defaults to query.

From 7d7f929274e48808b4771162d6302a99e69865d8 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 00:59:40 +0000
Subject: [PATCH 197/465] 2023.   [bug]           "make install" should create
 ${localstatedir}/run and                         ${sysconfdir} if they do not
 exist. [RT #16033]

---
 CHANGES     | 3 +++
 Makefile.in | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index d38b343d82..938acd50c2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2023.	[bug]		"make install" should create ${localstatedir}/run and
+			${sysconfdir} if they do not exist. [RT #16033]
+
 2022.	[bug]		If dnssec validation is disabled only assert CD if
 			CD was requested. [RT #16037]
 
diff --git a/Makefile.in b/Makefile.in
index 30e15bc69f..00dd56e48c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.45 2005/09/06 03:51:34 marka Exp $
+# $Id: Makefile.in,v 1.46 2006/05/18 00:59:40 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -44,7 +44,8 @@ maintainer-clean::
 	rm -f configure
 
 installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
+	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
 
 install:: isc-config.sh installdirs
 	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}

From 05eeb368564d1584c17e50b5daaa70ef555f1716 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 01:21:07 +0000
Subject: [PATCH 198/465] 2023.   [bug]           "make install" should create
 ${localstatedir}/run and                         ${sysconfdir} if they do not
 exist. [RT #16033]

---
 CHANGES     | 3 +++
 Makefile.in | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1fe8a8b7e7..2e481c609d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2023.	[bug]		"make install" should create ${localstatedir}/run and
+			${sysconfdir} if they do not exist. [RT #16033]
+
 2016.	[bug]		Return a partial answer if recursion is not
 			allowed but requested and we had the answer
 			to the original qname. [RT #15945]
diff --git a/Makefile.in b/Makefile.in
index b2a8dda70a..41b992525d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.41.2.3 2004/03/09 06:09:07 marka Exp $
+# $Id: Makefile.in,v 1.41.2.4 2006/05/18 01:21:07 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -44,7 +44,8 @@ maintainer-clean::
 	rm -f configure
 
 installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
+	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
 
 install:: isc-config.sh installdirs
 	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}

From bda34793bb9f407390fd54cef8e5846c357e55c6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 01:51:21 +0000
Subject: [PATCH 199/465] 4408:   Sender Policy Framework (SPF) for Authorizing
 Use of Domains          in E-Mail, Version 1

---
 doc/rfc/index                                 |    2 +
 .../rfc4408.txt}                              | 2281 +++++++----------
 2 files changed, 920 insertions(+), 1363 deletions(-)
 rename doc/{draft/draft-schlitt-spf-classic-02.txt => rfc/rfc4408.txt} (59%)

diff --git a/doc/rfc/index b/doc/rfc/index
index 6d8e3d255a..2a7ebaf04d 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -107,3 +107,5 @@
 4367:	What's in a Name: False Assumptions about DNS Names
 4398:	Storing Certificates in the Domain Name System (DNS)
 4431:	The DNSSEC Lookaside Validation (DLV) DNS Resource Record
+4408:	Sender Policy Framework (SPF) for Authorizing Use of Domains
+	 in E-Mail, Version 1
diff --git a/doc/draft/draft-schlitt-spf-classic-02.txt b/doc/rfc/rfc4408.txt
similarity index 59%
rename from doc/draft/draft-schlitt-spf-classic-02.txt
rename to doc/rfc/rfc4408.txt
index 3bd9594c6d..bc1b3f539c 100644
--- a/doc/draft/draft-schlitt-spf-classic-02.txt
+++ b/doc/rfc/rfc4408.txt
@@ -1,43 +1,77 @@
 
 
 
+
+
+
 Network Working Group                                            M. Wong
-Internet-Draft                                                W. Schlitt
-Expires: December 8, 2005                                   June 6, 2005
+Request for Comments: 4408                                    W. Schlitt
+Category: Experimental                                        April 2006
 
 
-Sender Policy Framework (SPF) for Authorizing Use of Domains in E-MAIL,
-                               version 1
-                      draft-schlitt-spf-classic-02
+                   Sender Policy Framework (SPF) for
+            Authorizing Use of Domains in E-Mail, Version 1
 
-Status of this Memo
+Status of This Memo
 
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on December 8, 2005.
+   This memo defines an Experimental Protocol for the Internet
+   community.  It does not specify an Internet standard of any kind.
+   Discussion and suggestions for improvement are requested.
+   Distribution of this memo is unlimited.
 
 Copyright Notice
 
-   Copyright (C) The Internet Society (2005).
+   Copyright (C) The Internet Society (2006).
+
+IESG Note
+
+   The following documents  (RFC 4405, RFC 4406, RFC 4407, and RFC 4408)
+   are published simultaneously as Experimental RFCs, although there is
+   no general technical consensus and efforts to reconcile the two
+   approaches have failed.  As such, these documents have not received
+   full IETF review and are published "AS-IS" to document the different
+   approaches as they were considered in the MARID working group.
+
+   The IESG takes no position about which approach is to be preferred
+   and cautions the reader that there are serious open issues for each
+   approach and concerns about using them in tandem.  The IESG believes
+   that documenting the different approaches does less harm than not
+   documenting them.
+
+   Note that the Sender ID experiment may use DNS records that may have
+   been created for the current SPF experiment or earlier versions in
+   this set of experiments.  Depending on the content of the record,
+   this may mean that Sender-ID heuristics would be applied incorrectly
+   to a message.  Depending on the actions associated by the recipient
+   with those heuristics, the message may not be delivered or may be
+   discarded on receipt.
+
+   Participants relying on Sender ID experiment DNS records are warned
+   that they may lose valid messages in this set of circumstances.
+   aParticipants publishing SPF experiment DNS records should consider
+   the advice given in section 3.4 of RFC 4406 and may wish to publish
+   both v=spf1 and spf2.0 records to avoid the conflict.
+
+
+
+
+Wong & Schlitt                Experimental                      [Page 1]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   Participants in the Sender-ID experiment need to be aware that the
+   way Resent-* header fields are used will result in failure to receive
+   legitimate email when interacting with standards-compliant systems
+   (specifically automatic forwarders which comply with the standards by
+   not adding Resent-* headers, and systems which comply with RFC 822
+   but have not yet implemented RFC 2822 Resent-* semantics).  It would
+   be inappropriate to advance Sender-ID on the standards track without
+   resolving this interoperability problem.
+
+   The community is invited to observe the success or failure of the two
+   approaches during the two years following publication, in order that
+   a community consensus can be reached in the future.
 
 Abstract
 
@@ -45,149 +79,125 @@ Abstract
    particular, existing protocols place no restriction on what a sending
    host can use as the reverse-path of a message or the domain given on
    the SMTP HELO/EHLO commands.  This document describes version 1 of
-   the SPF protocol, whereby a domain may explicitly authorize the hosts
-   that are allowed to use its domain name, and a receiving host may
-   check such authorization.
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005                [Page 1]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+   the Sender Policy Framework (SPF) protocol, whereby a domain may
+   explicitly authorize the hosts that are allowed to use its domain
+   name, and a receiving host may check such authorization.
 
 Table of Contents
 
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.1.  State of this draft  . . . . . . . . . . . . . . . . . . .  4
-     1.2.  Protocol Status  . . . . . . . . . . . . . . . . . . . . .  5
-     1.3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  5
-   2.  Operation  . . . . . . . . . . . . . . . . . . . . . . . . . .  6
-     2.1.  The HELO Identity  . . . . . . . . . . . . . . . . . . . .  6
-     2.2.  The MAIL FROM Identity . . . . . . . . . . . . . . . . . .  6
-     2.3.  Publishing Authorization . . . . . . . . . . . . . . . . .  6
-     2.4.  Checking Authorization . . . . . . . . . . . . . . . . . .  7
-     2.5.  Interpreting the Result  . . . . . . . . . . . . . . . . .  8
-       2.5.1.  None . . . . . . . . . . . . . . . . . . . . . . . . .  8
-       2.5.2.  Neutral  . . . . . . . . . . . . . . . . . . . . . . .  9
-       2.5.3.  Pass . . . . . . . . . . . . . . . . . . . . . . . . .  9
-       2.5.4.  Fail . . . . . . . . . . . . . . . . . . . . . . . . .  9
-       2.5.5.  SoftFail . . . . . . . . . . . . . . . . . . . . . . .  9
-       2.5.6.  TempError  . . . . . . . . . . . . . . . . . . . . . . 10
-       2.5.7.  PermError  . . . . . . . . . . . . . . . . . . . . . . 10
-   3.  SPF Records  . . . . . . . . . . . . . . . . . . . . . . . . . 11
-     3.1.  Publishing . . . . . . . . . . . . . . . . . . . . . . . . 11
-       3.1.1.  DNS Resource Record Types  . . . . . . . . . . . . . . 11
-       3.1.2.  Multiple DNS Records . . . . . . . . . . . . . . . . . 12
-       3.1.3.  Multiple Strings in a Single DNS record  . . . . . . . 12
-       3.1.4.  Record Size  . . . . . . . . . . . . . . . . . . . . . 12
-       3.1.5.  Wildcard Records . . . . . . . . . . . . . . . . . . . 13
-   4.  The check_host() Function  . . . . . . . . . . . . . . . . . . 14
-     4.1.  Arguments  . . . . . . . . . . . . . . . . . . . . . . . . 14
-     4.2.  Results  . . . . . . . . . . . . . . . . . . . . . . . . . 14
-     4.3.  Initial Processing . . . . . . . . . . . . . . . . . . . . 14
-     4.4.  Record Lookup  . . . . . . . . . . . . . . . . . . . . . . 15
-     4.5.  Selecting Records  . . . . . . . . . . . . . . . . . . . . 15
-     4.6.  Record Evaluation  . . . . . . . . . . . . . . . . . . . . 15
-       4.6.1.  Term Evaluation  . . . . . . . . . . . . . . . . . . . 16
-       4.6.2.  Mechanisms . . . . . . . . . . . . . . . . . . . . . . 16
-       4.6.3.  Modifiers  . . . . . . . . . . . . . . . . . . . . . . 17
-     4.7.  Default Result . . . . . . . . . . . . . . . . . . . . . . 17
-     4.8.  Domain Specification . . . . . . . . . . . . . . . . . . . 17
-   5.  Mechanism Definitions  . . . . . . . . . . . . . . . . . . . . 19
-     5.1.  "all"  . . . . . . . . . . . . . . . . . . . . . . . . . . 19
-     5.2.  "include"  . . . . . . . . . . . . . . . . . . . . . . . . 20
-     5.3.  "a"  . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
-     5.4.  "mx" . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
-     5.5.  "ptr"  . . . . . . . . . . . . . . . . . . . . . . . . . . 22
-     5.6.  "ip4" and "ip6"  . . . . . . . . . . . . . . . . . . . . . 23
-     5.7.  "exists" . . . . . . . . . . . . . . . . . . . . . . . . . 24
-   6.  Modifier Definitions . . . . . . . . . . . . . . . . . . . . . 25
-     6.1.  redirect: Redirected Query . . . . . . . . . . . . . . . . 25
+   1. Introduction ....................................................4
+      1.1. Protocol Status ............................................4
+      1.2. Terminology ................................................5
+   2. Operation .......................................................5
+      2.1. The HELO Identity ..........................................5
+      2.2. The MAIL FROM Identity .....................................5
+      2.3. Publishing Authorization ...................................6
+      2.4. Checking Authorization .....................................6
+      2.5. Interpreting the Result ....................................7
+           2.5.1. None ................................................8
+           2.5.2. Neutral .............................................8
+           2.5.3. Pass ................................................8
+           2.5.4. Fail ................................................8
+           2.5.5. SoftFail ............................................9
+           2.5.6. TempError ...........................................9
+           2.5.7. PermError ...........................................9
+   3. SPF Records .....................................................9
+      3.1. Publishing ................................................10
+           3.1.1. DNS Resource Record Types ..........................10
+           3.1.2. Multiple DNS Records ...............................11
+           3.1.3. Multiple Strings in a Single DNS record ............11
+           3.1.4. Record Size ........................................11
+           3.1.5. Wildcard Records ...................................11
 
 
 
-Wong & Schlitt          Expires December 8, 2005                [Page 2]
+Wong & Schlitt                Experimental                      [Page 2]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
-     6.2.  exp: Explanation . . . . . . . . . . . . . . . . . . . . . 26
-   7.  The Received-SPF header field  . . . . . . . . . . . . . . . . 28
-   8.  Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
-     8.1.  Macro definitions  . . . . . . . . . . . . . . . . . . . . 30
-     8.2.  Expansion Examples . . . . . . . . . . . . . . . . . . . . 33
-   9.  Implications . . . . . . . . . . . . . . . . . . . . . . . . . 34
-     9.1.  Sending Domains  . . . . . . . . . . . . . . . . . . . . . 34
-     9.2.  Mailing Lists  . . . . . . . . . . . . . . . . . . . . . . 34
-     9.3.  Forwarding Services and Aliases  . . . . . . . . . . . . . 34
-     9.4.  Mail Services  . . . . . . . . . . . . . . . . . . . . . . 36
-     9.5.  MTA Relays . . . . . . . . . . . . . . . . . . . . . . . . 37
-   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 38
-     10.1. Processing Limits  . . . . . . . . . . . . . . . . . . . . 38
-     10.2. SPF-Authorized E-Mail May Be UBE . . . . . . . . . . . . . 39
-     10.3. Spoofed DNS and IP Data  . . . . . . . . . . . . . . . . . 40
-     10.4. Cross-User Forgery . . . . . . . . . . . . . . . . . . . . 40
-     10.5. Untrusted Information Sources  . . . . . . . . . . . . . . 40
-     10.6. Privacy Exposure . . . . . . . . . . . . . . . . . . . . . 41
-   11. Contributors and Acknowledgements  . . . . . . . . . . . . . . 42
-   12. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 43
-     12.1. The SPF DNS Record Type  . . . . . . . . . . . . . . . . . 43
-     12.2. The Received-SPF mail header . . . . . . . . . . . . . . . 43
-   13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 44
-     13.1. Normative References . . . . . . . . . . . . . . . . . . . 44
-     13.2. Informative References . . . . . . . . . . . . . . . . . . 44
-   Appendix A.  Collected ABNF  . . . . . . . . . . . . . . . . . . . 46
-   Appendix B.  Extended Examples . . . . . . . . . . . . . . . . . . 48
-     B.1.  Simple Examples  . . . . . . . . . . . . . . . . . . . . . 48
-     B.2.  Multiple Domain Example  . . . . . . . . . . . . . . . . . 49
-     B.3.  DNSBL Style Example  . . . . . . . . . . . . . . . . . . . 50
-     B.4.  Multiple Requirements Example  . . . . . . . . . . . . . . 50
-   Appendix C.  Change Log  . . . . . . . . . . . . . . . . . . . . . 51
-     C.1.  Changes in Version -02 . . . . . . . . . . . . . . . . . . 51
-     C.2.  Changes in Version -01 . . . . . . . . . . . . . . . . . . 52
-   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 55
-   Intellectual Property and Copyright Statements . . . . . . . . . . 56
+   4. The check_host() Function ......................................12
+      4.1. Arguments .................................................12
+      4.2. Results ...................................................13
+      4.3. Initial Processing ........................................13
+      4.4. Record Lookup .............................................13
+      4.5. Selecting Records .........................................13
+      4.6. Record Evaluation .........................................14
+           4.6.1. Term Evaluation ....................................14
+           4.6.2. Mechanisms .........................................15
+           4.6.3. Modifiers ..........................................15
+      4.7. Default Result ............................................16
+      4.8. Domain Specification ......................................16
+   5. Mechanism Definitions ..........................................16
+      5.1. "all" .....................................................17
+      5.2. "include" .................................................18
+      5.3. "a" .......................................................19
+      5.4. "mx" ......................................................20
+      5.5. "ptr" .....................................................20
+      5.6. "ip4" and "ip6" ...........................................21
+      5.7. "exists" ..................................................22
+   6. Modifier Definitions ...........................................22
+      6.1. redirect: Redirected Query ................................23
+      6.2. exp: Explanation ..........................................23
+   7. The Received-SPF Header Field ..................................25
+   8. Macros .........................................................27
+      8.1. Macro Definitions .........................................27
+      8.2. Expansion Examples ........................................30
+   9. Implications ...................................................31
+      9.1. Sending Domains ...........................................31
+      9.2. Mailing Lists .............................................32
+      9.3. Forwarding Services and Aliases ...........................32
+      9.4. Mail Services .............................................34
+      9.5. MTA Relays ................................................34
+   10. Security Considerations .......................................35
+      10.1. Processing Limits ........................................35
+      10.2. SPF-Authorized E-Mail May Contain Other False
+            Identities ...............................................37
+      10.3. Spoofed DNS and IP Data ..................................37
+      10.4. Cross-User Forgery .......................................37
+      10.5. Untrusted Information Sources ............................38
+      10.6. Privacy Exposure .........................................38
+   11. Contributors and Acknowledgements .............................38
+   12. IANA Considerations ...........................................39
+      12.1. The SPF DNS Record Type ..................................39
+      12.2. The Received-SPF Mail Header Field .......................39
+   13. References ....................................................39
+      13.1. Normative References .....................................39
+      13.2. Informative References ...................................40
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005                [Page 3]
+Wong & Schlitt                Experimental                      [Page 3]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
+   Appendix A.  Collected ABNF .......................................42
+   Appendix B.  Extended Examples ....................................44
+      B.1.  Simple Examples ..........................................44
+      B.2.  Multiple Domain Example ..................................45
+      B.3.  DNSBL Style Example ......................................46
+      B.4.  Multiple Requirements Example ............................46
+
 1.  Introduction
 
-   The current e-mail infrastructure has the property that any host
+   The current E-Mail infrastructure has the property that any host
    injecting mail into the mail system can identify itself as any domain
    name it wants.  Hosts can do this at a variety of levels: in
-   particular, the session, the envelope, and the mail headers.  While
-   this feature is desirable in some circumstances, it is a major
-   obstacle to reducing Unsolicited Bulk E-mail (UBE, aka "spam").
+   particular, the session, the envelope, and the mail headers.
+   Although this feature is desirable in some circumstances, it is a
+   major obstacle to reducing Unsolicited Bulk E-Mail (UBE, aka spam).
    Furthermore, many domain name holders are understandably concerned
    about the ease with which other entities may make use of their domain
    names, often with malicious intent.
 
    This document defines a protocol by which domain owners may authorize
    hosts to use their domain name in the "MAIL FROM" or "HELO" identity.
-   Compliant domain holders publish SPF records specifying which hosts
-   are permitted to use their names, and compliant mail receivers use
-   the published SPF records to test the authorization of sending MTAs
-   using a given "HELO" or "MAIL FROM" identity during a mail
-   transaction.
+   Compliant domain holders publish Sender Policy Framework (SPF)
+   records specifying which hosts are permitted to use their names, and
+   compliant mail receivers use the published SPF records to test the
+   authorization of sending Mail Transfer Agents (MTAs) using a given
+   "HELO" or "MAIL FROM" identity during a mail transaction.
 
    An additional benefit to mail receivers is that after the use of an
    identity is verified, local policy decisions about the mail can be
@@ -195,40 +205,12 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    This is advantageous because reputation of domain names is likely to
    be more accurate than reputation of host IP addresses.  Furthermore,
    if a claimed identity fails verification, local policy can take
-   stronger action against such e-mail, such as rejecting it.
+   stronger action against such E-Mail, such as rejecting it.
 
-1.1.  State of this draft
+1.1.  Protocol Status
 
-   This draft version attempts to resolve all known issues and address
-   all comments received from the IESG review of 2005/02/17, as well
-   reviews from the namedroppers, ietf-smtp, ietf-822 and spf-discuss
-   mailing lists both in January and in May.
-
-   Please check the Change log in Appendix C before proposing changes,
-   as it is possible that your idea has already been discussed.  Please
-   post comments on the spf-discuss@v2.listbox.com mailing list or
-   e-mail them directly to the author.
-
-   I am sorry for the length of this I-D; I have not had time to make it
-   shorter.
-
-   RFC Editor Note: Please remove this section for the final publication
-   of the document.  It has been inspired by
-   draft-ietf-tools-draft-submission-09.txt.
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005                [Page 4]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
-1.2.  Protocol Status
-
-   SPF has been in development since the Summer of 2003, and has seen
-   deployment beyond the developers beginning in December, 2003.  The
+   SPF has been in development since the summer of 2003 and has seen
+   deployment beyond the developers beginning in December 2003.  The
    design of SPF slowly evolved until the spring of 2004 and has since
    stabilized.  There have been quite a number of forms of SPF, some
    written up as documents, some submitted as Internet Drafts, and many
@@ -238,11 +220,19 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    by earlier draft specifications of SPF as used in existing
    implementations.  This conception of SPF is sometimes called "SPF
    Classic".  It is understood that particular implementations and
+
+
+
+Wong & Schlitt                Experimental                      [Page 4]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    deployments may differ from, and build upon, this work.  It is hoped
    that we have nonetheless captured the common understanding of SPF
    version 1.
 
-1.3.  Terminology
+1.2.  Terminology
 
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
@@ -251,35 +241,10 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    This document is concerned with the portion of a mail message
    commonly called "envelope sender", "return path", "reverse path",
    "bounce address", "2821 FROM", or "MAIL FROM".  Since these terms are
-   either not well defined, or often used casually, this document
-   defines the "MAIL FROM" identity in Section 2.2.  Note that other
-   terms that may superficially look like the common terms, such as
-   "reverse-path", are used only with the defined meanings from
-   normative documents.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005                [Page 5]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+   either not well defined or often used casually, this document defines
+   the "MAIL FROM" identity in Section 2.2.  Note that other terms that
+   may superficially look like the common terms, such as "reverse-path",
+   are used only with the defined meanings from normative documents.
 
 2.  Operation
 
@@ -291,10 +256,10 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    presented in the EHLO or HELO command are not always clear to the
    sending party, and SPF clients must be prepared for the "HELO"
    identity to be malformed or an IP address literal.  At the time of
-   this writing, many legitimate e-mails are delivered with invalid HELO
+   this writing, many legitimate E-Mails are delivered with invalid HELO
    domains.
 
-   It is RECOMMENDED that SPF clients check not only the "MAIL FROM"
+   It is RECOMMENDED that SPF clients not only check the "MAIL FROM"
    identity, but also separately check the "HELO" identity by applying
    the check_host() function (Section 4) to the "HELO" identity as the
    .
@@ -307,13 +272,21 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    which notification messages are to be sent if there are problems
    delivering the message.
 
-   [RFC2821] allows the reverse-path to be null (see Section 4.5.5).  In
-   this case, there is no explicit sender mailbox, and such a message
-   can be assumed to be a notification message from the mail system
-   itself.  When the reverse-path is null, this document defines the
-   "MAIL FROM" identity to be the mailbox composed of the localpart
-   "postmaster" and the "HELO" identity (which may or may not have been
-   checked separately before).
+   [RFC2821] allows the reverse-path to be null (see Section 4.5.5 in
+   RFC 2821).  In this case, there is no explicit sender mailbox, and
+   such a message can be assumed to be a notification message from the
+   mail system itself.  When the reverse-path is null, this document
+
+
+
+Wong & Schlitt                Experimental                      [Page 5]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   defines the "MAIL FROM" identity to be the mailbox composed of the
+   localpart "postmaster" and the "HELO" identity (which may or may not
+   have been checked separately before).
 
    SPF clients MUST check the "MAIL FROM" identity.  SPF clients check
    the "MAIL FROM" identity by applying the check_host() function to the
@@ -329,20 +302,12 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    that they end in "-all", or redirect to other records that do, so
    that a definitive determination of authorization can be made.
 
-
-
-
-Wong & Schlitt          Expires December 8, 2005                [Page 6]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    Domain holders may publish SPF records that explicitly authorize no
    hosts if mail should never originate using that domain.
 
    When changing SPF records, care must be taken to ensure that there is
    a transition period so that the old policy remains valid until all
-   legitimate e-mail has been checked.
+   legitimate E-Mail has been checked.
 
 2.4.  Checking Authorization
 
@@ -359,39 +324,37 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    there are cases that are known to give incorrect results.  For
    example, almost all mailing lists rewrite the "MAIL FROM" identity
    (see Section 9.2), but some do not change any other identities in the
-   message.  The scenario described in Section 9.3.1.2 is another
-   example.  Documents that define other identities should define the
-   method for explicit approval.
+   message.  The scenario described in Section 9.3, sub-section 1.2, is
+   another example.  Documents that define other identities should
+   define the method for explicit approval.
 
    It is possible that mail receivers will use the SPF check as part of
    a larger set of tests on incoming mail.  The results of other tests
    may influence whether or not a particular SPF check is performed.
    For example, finding the sending host's IP address on a local white
+
+
+
+Wong & Schlitt                Experimental                      [Page 6]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    list may cause all other tests to be skipped and all mail from that
    host to be accepted.
 
    When a mail receiver decides to perform an SPF check, it MUST use a
    correctly-implemented check_host() function (Section 4) evaluated
-   with the correct parameters.  While the test as a whole is optional,
-   once it has been decided to perform a test it must be performed as
-   specified so that the correct semantics are preserved between
-   publisher and receiver.
+   with the correct parameters.  Although the test as a whole is
+   optional, once it has been decided to perform a test it must be
+   performed as specified so that the correct semantics are preserved
+   between publisher and receiver.
 
    To make the test, the mail receiver MUST evaluate the check_host()
    function with the arguments set as follows:
 
         - the IP address of the SMTP client that is emitting the
-            mail, either IPv4 or IPv6.
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005                [Page 7]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+              mail, either IPv4 or IPv6.
 
     - the domain portion of the "MAIL FROM" or "HELO" identity.
 
@@ -403,18 +366,18 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    cases, check_host() is defined in Section 4.3 to return a "None"
    result.
 
-   While invalid, malformed, or non-existent domains cause SPF checks to
-   return "None" because no SPF record can be found, it has long been
-   the policy of many MTAs to reject e-mail from such domains,
+   Although invalid, malformed, or non-existent domains cause SPF checks
+   to return "None" because no SPF record can be found, it has long been
+   the policy of many MTAs to reject E-Mail from such domains,
    especially in the case of invalid "MAIL FROM".  In order to prevent
-   the circumvention of SPF records, rejecting e-mail from invalid
+   the circumvention of SPF records, rejecting E-Mail from invalid
    domains should be considered.
 
    Implementations must take care to correctly extract the  from
    the data given with the SMTP MAIL FROM command as many MTAs will
-   still accept such things as source routes (see [RFC2821] appendix C),
-   the %-hack (see [RFC1123]), and bang paths (see [RFC1983]).  These
-   archaic features have been maliciously used to bypass security
+   still accept such things as source routes (see [RFC2821], Appendix
+   C), the %-hack (see [RFC1123]), and bang paths (see [RFC1983]).
+   These archaic features have been maliciously used to bypass security
    systems.
 
 2.5.  Interpreting the Result
@@ -423,13 +386,21 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    should interpret the results of the check_host() function.  The
    authorization check SHOULD be performed during the processing of the
    SMTP transaction that sends the mail.  This allows errors to be
-   returned directly to the sending server by way of SMTP replies.
+   returned directly to the sending MTA by way of SMTP replies.
+
+
+
+
+Wong & Schlitt                Experimental                      [Page 7]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
 
    Performing the authorization after the SMTP transaction has finished
-   may cause problems, such as: 1) It may be difficult to accurately
-   extract the required information from potentially deceptive headers.
-   2) Legitimate e-mail may fail because the sender's policy may have
-   since changed.
+   may cause problems, such as the following: (1) It may be difficult to
+   accurately extract the required information from potentially
+   deceptive headers; (2) legitimate E-Mail may fail because the
+   sender's policy may have since changed.
 
    Generating non-delivery notifications to forged identities that have
    failed the authorization check is generally abusive and against the
@@ -437,26 +408,19 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
 2.5.1.  None
 
-   A result of "None" means that no records were published by the
-   domain, or that no checkable sender domain could be determined from
-   the given identity.  The checking software cannot ascertain whether
-   the client host is authorized or not.
-
-
-
-Wong & Schlitt          Expires December 8, 2005                [Page 8]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+   A result of "None" means that no records were published by the domain
+   or that no checkable sender domain could be determined from the given
+   identity.  The checking software cannot ascertain whether or not the
+   client host is authorized.
 
 2.5.2.  Neutral
 
-   The domain owner has explicitly stated that they cannot or do not
-   want to assert whether the IP address is authorized or not.  A
+   The domain owner has explicitly stated that he cannot or does not
+   want to assert whether or not the IP address is authorized.  A
    "Neutral" result MUST be treated exactly like the "None" result; the
    distinction exists only for informational purposes.  Treating
-   "Neutral" more harshly than "None" will discourage domain owners from
-   testing the use of SPF records (see Section 9.1).
+   "Neutral" more harshly than "None" would discourage domain owners
+   from testing the use of SPF records (see Section 9.1).
 
 2.5.3.  Pass
 
@@ -470,7 +434,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    A "Fail" result is an explicit statement that the client is not
    authorized to use the domain in the given identity.  The checking
-   software can choose to mark the mail based on this, or to reject the
+   software can choose to mark the mail based on this or to reject the
    mail outright.
 
    If the checking software chooses to reject the mail during the SMTP
@@ -478,10 +442,18 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    [RFC2821]) and, if supported, the 5.7.1 Delivery Status Notification
    (DSN) code (see [RFC3464]), in addition to an appropriate reply text.
    The check_host() function may return either a default explanation
-   string, or one from the domain that published the SPF records (see
-   Section 6.2).  If the information doesn't originate with the checking
-   software, it should be made clear that the text is provided by the
-   sender's domain.  For example:
+   string or one from the domain that published the SPF records (see
+   Section 6.2).  If the information does not originate with the
+
+
+
+Wong & Schlitt                Experimental                      [Page 8]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   checking software, it should be made clear that the text is provided
+   by the sender's domain.  For example:
 
        550-5.7.1 SPF MAIL FROM check failed:
        550-5.7.1 The domain example.com explains:
@@ -490,26 +462,18 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 2.5.5.  SoftFail
 
    A "SoftFail" result should be treated as somewhere between a "Fail"
-   and a "Neutral".  The domain believes the host isn't authorized but
-   isn't willing to make that strong of a statement.  Receiving software
-   SHOULD NOT reject the message based solely on this result, but MAY
-   subject the message to closer scrutiny than normal.
+   and a "Neutral".  The domain believes the host is not authorized but
+   is not willing to make that strong of a statement.  Receiving
+   software SHOULD NOT reject the message based solely on this result,
+   but MAY subject the message to closer scrutiny than normal.
 
-   The domain owner wants to discourage the use of this host and so they
-   desire limited feedback when a "SoftFail" result occurs.  For
-
-
-
-Wong & Schlitt          Expires December 8, 2005                [Page 9]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
-   example, the recipient's MUA could highlight the "SoftFail" status,
-   or the receiving MTA could give the sender a message using a
-   technique called "greylisting" whereby the MTA can issue an SMTP
-   reply code of 451 (4.3.0 DSN code) with a note the first time the
-   message is received, but accept it the second time.
+   The domain owner wants to discourage the use of this host and thus
+   desires limited feedback when a "SoftFail" result occurs.  For
+   example, the recipient's Mail User Agent (MUA) could highlight the
+   "SoftFail" status, or the receiving MTA could give the sender a
+   message using a technique called "greylisting" whereby the MTA can
+   issue an SMTP reply code of 451 (4.3.0 DSN code) with a note the
+   first time the message is received, but accept it the second time.
 
 2.5.6.  TempError
 
@@ -522,54 +486,30 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
 2.5.7.  PermError
 
-   A "PermError" result means that the domain's published records
-   couldn't be correctly interpreted.  This signals an error condition
-   that requires manual intervention to be resolved, as opposed to the
+   A "PermError" result means that the domain's published records could
+   not be correctly interpreted.  This signals an error condition that
+   requires manual intervention to be resolved, as opposed to the
    TempError result.  Be aware that if the domain owner uses macros
    (Section 8), it is possible that this result is due to the checked
    identities having an unexpected format.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 10]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
 3.  SPF Records
 
    An SPF record is a DNS Resource Record (RR) that declares which hosts
    are, and are not, authorized to use a domain name for the "HELO" and
    "MAIL FROM" identities.  Loosely, the record partitions all hosts
-   into permitted and not-permitted sets.  (Though some hosts might fall
-   into neither category.)
+   into permitted and not-permitted sets (though some hosts might fall
+   into neither category).
 
-   The SPF record is a single string of text.  An example record is:
+
+
+Wong & Schlitt                Experimental                      [Page 9]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   The SPF record is a single string of text.  An example record is the
+   following:
 
       v=spf1 +mx a:colo.example.com/28 -all
 
@@ -582,10 +522,11 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    for the hosts that are used in the "MAIL FROM" and "HELO" identities.
    The SPF records are placed in the DNS tree at the host name it
    pertains to, not a subdomain under it, such as is done with SRV
-   records.  This is the same whether the TXT or SPF RR type is used.
+   records.  This is the same whether the TXT or SPF RR type (see
+   Section 3.1.1) is used.
 
-   The example above in Section 3 might be published via this lines in a
-   domain zone file:
+   The example above in Section 3 might be published via these lines in
+   a domain zone file:
 
       example.com.          TXT "v=spf1 +mx a:colo.example.com/28 -all"
       smtp-out.example.com. TXT "v=spf1 a -all"
@@ -596,13 +537,9 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
 3.1.1.  DNS Resource Record Types
 
-   This document defines a new DNS RR of type SPF, type code to be
-   determined.  The format of this type is identical to the TXT RR
-   [RFC1035].  For either type, the character content of the record is
-   encoded as [US-ASCII].
-
-   RFC Editor Note: Please add the DNS RR type code once it has been
-   allocated by the IANA.
+   This document defines a new DNS RR of type SPF, code 99.  The format
+   of this type is identical to the TXT RR [RFC1035].  For either type,
+   the character content of the record is encoded as [US-ASCII].
 
    It is recognized that the current practice (using a TXT record) is
    not optimal, but it is necessary because there are a number of DNS
@@ -610,24 +547,26 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    the new RR type.  The two-record-type scheme provides a forward path
    to the better solution of using an RR type reserved for this purpose.
 
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 11]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    An SPF-compliant domain name SHOULD have SPF records of both RR
    types.  A compliant domain name MUST have a record of at least one
    type.  If a domain has records of both types, they MUST have
-   identical content.  For example, instead of just publishing one
+   identical content.  For example, instead of publishing just one
    record as in Section 3.1 above, it is better to publish:
 
       example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
       example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"
 
-   Example RRs in this document are shown with the TXT record type,
-   however they could be published with the SPF type or with both types.
+
+
+
+Wong & Schlitt                Experimental                     [Page 10]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   Example RRs in this document are shown with the TXT record type;
+   however, they could be published with the SPF type or with both
+   types.
 
 3.1.2.  Multiple DNS Records
 
@@ -638,7 +577,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 3.1.3.  Multiple Strings in a Single DNS record
 
    As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
-   record (either TXT and SPF RR types) can be composed of more than one
+   record (either TXT or SPF RR types) can be composed of more than one
    string.  If a published record contains multiple strings, then the
    record MUST be treated as if those strings are concatenated together
    without adding spaces.  For example:
@@ -649,9 +588,9 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
       IN TXT "v=spf1 .... firstsecond string..."
 
-   SPF or TXT records containing multiple strings are useful in order to
-   construct records which would exceed the 255 byte maximum length of a
-   string within a single TXT or SPF RR record.
+   SPF or TXT records containing multiple strings are useful in
+   constructing records that would exceed the 255-byte maximum length of
+   a string within a single TXT or SPF RR record.
 
 3.1.4.  Record Size
 
@@ -665,14 +604,6 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    DNS answers should fit in UDP packets.  Note that when computing the
    sizes for queries of the TXT format, one must take into account any
    other TXT records published at the domain name.  Records that are too
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 12]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    long to fit in a single UDP packet MAY be silently ignored by SPF
    clients.
 
@@ -681,10 +612,18 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    Use of wildcard records for publishing is not recommended.  Care must
    be taken if wildcard records are used.  If a domain publishes
    wildcard MX records, it may want to publish wildcard declarations,
+
+
+
+Wong & Schlitt                Experimental                     [Page 11]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    subject to the same requirements and problems.  In particular, the
    declaration must be repeated for any host that has any RR records at
    all, and for subdomains thereof.  For example, the example given in
-   [RFC1034], Section 4.3.3, could be extended with:
+   [RFC1034], Section 4.3.3, could be extended with the following:
 
        X.COM.          MX      10      A.X.COM
        X.COM.          TXT     "v=spf1 a:A.X.COM -all"
@@ -707,28 +646,6 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    under the domain to exist and queries against arbitrary names will
    never return RCODE 3 (Name Error).
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 13]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
 4.  The check_host() Function
 
    The check_host() function fetches SPF records, parses them, and
@@ -743,14 +660,21 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
 4.1.  Arguments
 
-   The function check_host() takes these arguments:
+   The check_host() function takes these arguments:
 
         - the IP address of the SMTP client that is emitting the
-            mail, either IPv4 or IPv6.
+              mail, either IPv4 or IPv6.
 
     - the domain that provides the sought-after authorization
-            information; initially the domain portion of the "MAIL FROM"
-            or "HELO" identity.
+              information; initially, the domain portion of the "MAIL
+              FROM" or "HELO" identity.
+
+
+
+Wong & Schlitt                Experimental                     [Page 12]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
 
     - the "MAIL FROM" or "HELO" identity.
 
@@ -770,31 +694,24 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
 4.3.  Initial Processing
 
-   If the  is malformed (label longer than 63 characters, zero
-   length label not at the end, etc.), is not a fully qualified domain
+   If the  is malformed (label longer than 63 characters, zero-
+   length label not at the end, etc.) or is not a fully qualified domain
    name, or if the DNS lookup returns "domain does not exist" (RCODE 3),
    check_host() immediately returns the result "None".
 
    If the  has no localpart, substitute the string "postmaster"
    for the localpart.
 
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 14]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
 4.4.  Record Lookup
 
-   In accordance with how the records are published, see Section 3.1
-   above, a DNS query needs to be made for the  name, querying
+   In accordance with how the records are published (see Section 3.1
+   above), a DNS query needs to be made for the  name, querying
    for either RR type TXT, SPF, or both.  If both SPF and TXT RRs are
    looked up, the queries MAY be done in parallel.
 
-   If the DNS lookup returns a server failure (RCODE 2), or other error
-   (RCODE other than 0 or 3), or the query times out, check_host() exits
-   immediately with the result "TempError".
+   If all DNS lookups that are made return a server failure (RCODE 2),
+   or other error (RCODE other than 0 or 3), or time out, then
+   check_host() exits immediately with the result "TempError".
 
 4.5.  Selecting Records
 
@@ -804,19 +721,25 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    version          = "v=spf1"
 
    Starting with the set of records that were returned by the lookup,
-   record selection proceeds in three steps:
+   record selection proceeds in two steps:
 
-   1.  Records that do not begin with a version section of exactly
-       "v=spf1" are discarded.  Note that the version section is
-       terminated either by a SP character or the end of the record.  A
-       record with a version section of "v=spf10" does not match and
-       must be discarded.
 
-   2.  If there are both SPF and TXT records in the set and if they are
-       not all identical, return a "PermError".
 
-   3.  If any records of type SPF are in the set, then all records of
-       type TXT are discarded.
+
+
+Wong & Schlitt                Experimental                     [Page 13]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   1. Records that do not begin with a version section of exactly
+      "v=spf1" are discarded.  Note that the version section is
+      terminated either by an SP character or the end of the record.  A
+      record with a version section of "v=spf10" does not match and must
+      be discarded.
+
+   2. If any records of type SPF are in the set, then all records of
+      type TXT are discarded.
 
    After the above steps, there should be exactly one record remaining
    and evaluation can proceed.  If there are two or more records
@@ -834,13 +757,6 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    there are any syntax errors, check_host() returns immediately with
    the result "PermError".
 
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 15]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    Implementations MAY choose to parse the entire record first and
    return "PermError" if the record is not syntactically well formed.
    However, in all cases, any syntax errors anywhere in the record MUST
@@ -849,7 +765,8 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 4.6.1.  Term Evaluation
 
    There are two types of terms: mechanisms and modifiers.  A record
-   contains an ordered list of these as specified in the following ABNF.
+   contains an ordered list of these as specified in the following
+   Augmented Backus-Naur Form (ABNF).
 
    terms            = *( 1*SP ( directive / modifier ) )
 
@@ -864,15 +781,22 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    Most mechanisms allow a ":" or "/" character after the name.
 
+
+
+Wong & Schlitt                Experimental                     [Page 14]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    Modifiers always contain an equals ('=') character immediately after
    the name, and before any ":" or "/" characters that may be part of
    the macro-string.
 
-   Terms that do not contain any of "=", ":" or "/" are mechanisms, as
+   Terms that do not contain any of "=", ":", or "/" are mechanisms, as
    defined in Section 5.
 
-   As per the definition of the ABNF notation in [I-D.crocker-abnf-
-   rfc2234bis], mechanism and modifier names are case-insensitive.
+   As per the definition of the ABNF notation in [RFC4234], mechanism
+   and modifier names are case-insensitive.
 
 4.6.2.  Mechanisms
 
@@ -880,22 +804,14 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    are no more mechanisms, the result is specified in Section 4.7.
 
    When a mechanism is evaluated, one of three things can happen: it can
-   match, it can not match, or it can throw an exception.
+   match, not match, or throw an exception.
 
    If it matches, processing ends and the qualifier value is returned as
    the result of that record.  If it does not match, processing
    continues with the next mechanism.  If it throws an exception,
    mechanism processing ends and the exception value is returned.
 
-   The possible qualifiers, and the results they return are:
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 16]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+   The possible qualifiers, and the results they return are as follows:
 
       "+" Pass
       "-" Fail
@@ -913,9 +829,20 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 4.6.3.  Modifiers
 
    Modifiers are not mechanisms: they do not return match or not-match.
-   Instead they provide additional information.  While modifiers do not
-   directly affect the evaluation of the record, the "redirect" modifier
-   has an effect after all the mechanisms have been evaluated.
+   Instead they provide additional information.  Although modifiers do
+   not directly affect the evaluation of the record, the "redirect"
+   modifier has an effect after all the mechanisms have been evaluated.
+
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 15]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
 
 4.7.  Default Result
 
@@ -924,7 +851,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    "?all" were specified as the last directive.  If there is a
    "redirect" modifier, check_host() proceeds as defined in Section 6.1.
 
-   Note that records SHOULD always either use a "redirect" modifier or
+   Note that records SHOULD always use either a "redirect" modifier or
    an "all" mechanism to explicitly terminate processing.
 
    For example:
@@ -943,72 +870,13 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    Note: The result of the macro expansion is not subject to any further
    escaping.  Hence, this facility cannot produce all characters that
-   are legal in a DNS label (e.g. the control characters).  However,
-   this facility is powerful enough to express legal host names, and
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 17]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
+   are legal in a DNS label (e.g., the control characters).  However,
+   this facility is powerful enough to express legal host names and
    common utility labels (such as "_spf") that are used in DNS.
 
    For several mechanisms, the  is optional.  If it is not
    provided, the  is used as the .
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 18]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
 5.  Mechanism Definitions
 
    This section defines two types of mechanisms.
@@ -1023,6 +891,15 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    addresses as being permitted or not permitted to use the  for
    sending mail.
 
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 16]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
       a
       mx
       ptr
@@ -1034,7 +911,8 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    comparison between  and an IP address at any point:
 
    If no CIDR-length is given in the directive, then  and the IP
-   address are compared for equality.
+   address are compared for equality. (Here, CIDR is Classless Inter-
+   Domain Routing.)
 
    If a CIDR-length is specified, then only the specified number of
    high-order bits of  and the IP address are compared for equality.
@@ -1042,7 +920,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    When any mechanism fetches host addresses to compare with , when
     is an IPv4 address, A records are fetched, when  is an IPv6
    address, AAAA records are fetched.  Even if the SMTP connection is
-   via IPv6, an IPv4-mapped IPv6 IP address (see [RFC3513] section
+   via IPv6, an IPv4-mapped IPv6 IP address (see [RFC3513], Section
    2.5.5) MUST still be considered an IPv4 address.
 
    Several mechanisms rely on information fetched from DNS.  For these
@@ -1057,14 +935,6 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    all              = "all"
 
    The "all" mechanism is a test that always matches.  It is used as the
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 19]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    rightmost mechanism in a record to provide an explicit default.
 
    For example:
@@ -1074,9 +944,21 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    Mechanisms after "all" will never be tested.  Any "redirect" modifier
    (Section 6.1) has no effect when there is an "all" mechanism.
 
+
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 17]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
 5.2.  "include"
 
-   include          = "include"  ":" domain-spec
+      include          = "include"  ":" domain-spec
 
    The "include" mechanism triggers a recursive evaluation of
    check_host().  The domain-spec is expanded as per Section 8.  Then
@@ -1106,8 +988,6 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    were not permitted for either of those domains would the result be
    "Fail".
 
-   Whether this mechanism matches, does not match, or throws an error,
-   depends on the result of the recursive evaluation of check_host():
 
 
 
@@ -1116,11 +996,26 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
 
 
-Wong & Schlitt          Expires December 8, 2005               [Page 20]
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 18]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
+   Whether this mechanism matches, does not match, or throws an
+   exception depends on the result of the recursive evaluation of
+   check_host():
+
    +---------------------------------+---------------------------------+
    | A recursive check_host() result | Causes the "include" mechanism  |
    | of:                             | to:                             |
@@ -1141,12 +1036,12 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    +---------------------------------+---------------------------------+
 
    The "include" mechanism is intended for crossing administrative
-   boundaries.  While it is possible to use includes to consolidate
+   boundaries.  Although it is possible to use includes to consolidate
    multiple domains that share the same set of designated hosts, domains
    are encouraged to use redirects where possible, and to minimize the
    number of includes within a single administrative domain.  For
    example, if example.com and example.org were managed by the same
-   entity, and if the permitted set of hosts for both domains were
+   entity, and if the permitted set of hosts for both domains was
    "mx:example.com", it would be possible for example.org to specify
    "include:example.com", but it would be preferable to specify
    "redirect=example.com" or even "mx:example.com".
@@ -1162,6 +1057,17 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    to the returned address(es).  If any address matches, the mechanism
    matches.
 
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 19]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
 5.4.  "mx"
 
    This mechanism matches if  is one of the MX hosts for a domain
@@ -1169,36 +1075,28 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    MX               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]
 
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 21]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    check_host() first performs an MX lookup on the .  Then
    it performs an address lookup on each MX name returned.  The  is
-   compared to each returned IP address.  To prevent DoS attacks, more
-   than 10 MX names MUST NOT be looked up during the evaluation of an
-   "mx" mechanism (see Section 10).  If any address matches, the
-   mechanism matches.
+   compared to each returned IP address.  To prevent Denial of Service
+   (DoS) attacks, more than 10 MX names MUST NOT be looked up during the
+   evaluation of an "mx" mechanism (see Section 10).  If any address
+   matches, the mechanism matches.
 
-   Note regarding implicit MXes: If the  has no MX records,
+   Note regarding implicit MXs: If the  has no MX records,
    check_host() MUST NOT pretend the target is its single MX, and MUST
    NOT default to an A lookup on the  directly.  This
-   behavior breaks with the legacy "implicit MX" rule.  See [RFC2821]
+   behavior breaks with the legacy "implicit MX" rule.  See [RFC2821],
    Section 5.  If such behavior is desired, the publisher should specify
    an "a" directive.
 
 5.5.  "ptr"
 
-   This mechanism tests whether the DNS reverse mapping for  exists
+   This mechanism tests whether the DNS reverse-mapping for  exists
    and correctly points to a domain name within a particular domain.
 
    PTR              = "ptr"    [ ":" domain-spec ]
 
-   First the 's name is looked up using this procedure: perform a
+   First, the 's name is looked up using this procedure: perform a
    DNS reverse-mapping for , looking up the corresponding PTR record
    in "in-addr.arpa." if the address is an IPv4 one and in "ip6.arpa."
    if it is an IPv6 address.  For each record returned, validate the
@@ -1207,32 +1105,30 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    a "ptr" mechanism (see Section 10).  If  is among the returned IP
    addresses, then that domain name is validated.  In pseudocode:
 
-   sending-domain_names := ptr_lookup(sending-host_IP);
-   if more than 10 sending-domain_names are found, use at most 10.
-   for each name in (sending-domain_names) {
+   sending-domain_names := ptr_lookup(sending-host_IP); if more than 10
+   sending-domain_names are found, use at most 10.  for each name in
+   (sending-domain_names) {
      IP_addresses := a_lookup(name);
      if the sending-domain_IP is one of the IP_addresses {
        validated-sending-domain_names += name;
-     }
-   }
+     } }
 
    Check all validated domain names to see if they end in the
     domain.  If any do, this mechanism matches.  If no
    validated domain name can be found, or if none of the validated
+
+
+
+Wong & Schlitt                Experimental                     [Page 20]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    domain names end in the , this mechanism fails to match.
    If a DNS error occurs while doing the PTR RR lookup, then this
    mechanism fails to match.  If a DNS error occurs while doing an A RR
    lookup, then that domain name is skipped and the search continues.
 
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 22]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    Pseudocode:
 
    for each name in (validated-sending-domain_names) {
@@ -1242,15 +1138,15 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    return no-match.
 
    This mechanism matches if the  is either an ancestor of
-   a validated domain name, or if the  and a validated
+   a validated domain name or if the  and a validated
    domain name are the same.  For example: "mail.example.com" is within
    the domain "example.com", but "mail.bad-example.com" is not.
 
-   Note: Use of this mechanism is discouraged because it is slow, is not
-   as reliable as other mechanisms in cases of DNS errors and it places
-   a large burden on the arpa name servers.  If used, proper PTR records
-   must be in place for the domain's hosts and the "ptr" mechanism
-   should be one of the last mechanisms checked.
+   Note: Use of this mechanism is discouraged because it is slow, it is
+   not as reliable as other mechanisms in cases of DNS errors, and it
+   places a large burden on the arpa name servers.  If used, proper PTR
+   records must be in place for the domain's hosts and the "ptr"
+   mechanism should be one of the last mechanisms checked.
 
 5.6.  "ip4" and "ip6"
 
@@ -1270,25 +1166,25 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
                       / "1" 2DIGIT          ; 100-199
                       / "2" %x30-34 DIGIT   ; 200-249
                       / "25" %x30-35        ; 250-255
-             ; as per conventional dotted quad notation.  e.g. 192.0.2.0
+            ; as per conventional dotted quad notation.  e.g., 192.0.2.0
    ip6-network      = 
-             ; e.g. 2001:DB8::CD30
+            ; e.g., 2001:DB8::CD30
 
    The  is compared to the given network.  If CIDR-length high-order
    bits match, the mechanism matches.
 
-   If ip4-cidr-length is omitted it is taken to be "/32".  If
-   ip6-cidr-length is omitted it is taken to be "/128".  It is not
+
+
+Wong & Schlitt                Experimental                     [Page 21]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   If ip4-cidr-length is omitted, it is taken to be "/32".  If
+   ip6-cidr-length is omitted, it is taken to be "/128".  It is not
    permitted to omit parts of the IP address instead of using CIDR
    notations.  That is, use 192.0.2.0/24 instead of 192.0.2.
 
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 23]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
 5.7.  "exists"
 
    This mechanism is used to construct an arbitrary domain name that is
@@ -1300,7 +1196,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    The domain-spec is expanded as per Section 8.  The resulting domain
    name is used for a DNS A RR lookup.  If any A record is returned,
-   this mechanism matches.  The lookup type is 'A' even when the
+   this mechanism matches.  The lookup type is A even when the
    connection type is IPv6.
 
    Domains can use this mechanism to specify arbitrarily complex
@@ -1315,36 +1211,6 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    This mechanism enables queries that mimic the style of tests that
    existing anti-spam DNS blacklists (DNSBL) use.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 24]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
 6.  Modifier Definitions
 
    Modifiers are name/value pairs that provide additional information.
@@ -1361,6 +1227,15 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    gracefully handle records with modifiers that are defined in other
    specifications.
 
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 22]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
 6.1.  redirect: Redirected Query
 
    If all mechanisms fail to match, and a "redirect" modifier is
@@ -1393,21 +1268,13 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    the same record.  This can be an administrative advantage.
 
    Note: In general, the domain "A" cannot reliably use a redirect to
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 25]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    another domain "B" not under the same administrative control.  Since
    the  stays the same, there is no guarantee that the record at
    domain "B" will correctly work for mailboxes in domain "A",
    especially if domain "B" uses mechanisms involving localparts.  An
    "include" directive may be more appropriate.
 
-   For clarity it is RECOMMENDED that any "redirect" modifier appear as
+   For clarity, it is RECOMMENDED that any "redirect" modifier appear as
    the very last term in a record.
 
 6.2.  exp: Explanation
@@ -1417,6 +1284,14 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    If check_host() results in a "Fail" due to a mechanism match (such as
    "-all"), and the "exp" modifier is present, then the explanation
    string returned is computed as described below.  If no "exp" modifier
+
+
+
+Wong & Schlitt                Experimental                     [Page 23]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    is present, then either a default explanation string or an empty
    explanation string may be returned.
 
@@ -1429,41 +1304,34 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    explanation string, then proceed as if no exp modifier was given.
 
    The fetched TXT record's strings are concatenated with no spaces, and
-   then treated as an  which is macro-expanded.  This
+   then treated as an , which is macro-expanded.  This
    final result is the explanation string.  Implementations MAY limit
    the length of the resulting explanation string to allow for other
    protocol constraints and/or reasonable processing limits.  Since the
    explanation string is intended for an SMTP response and [RFC2821]
-   section 2.4 says that responses are in [US-ASCII], the explanation
+   Section 2.4 says that responses are in [US-ASCII], the explanation
    string is also limited to US-ASCII.
 
    Software evaluating check_host() can use this string to communicate
    information from the publishing domain in the form of a short message
    or URL.  Software SHOULD make it clear that the explanation string
    comes from a third party.  For example, it can prepend the macro
-   string "%{o} explains: " to the explanation, such as shown in
-   Section 2.5.4.
+   string "%{o} explains: " to the explanation, such as shown in Section
+   2.5.4.
 
    Suppose example.com has this record:
 
       v=spf1 mx -all exp=explain._spf.%{d}
 
    Here are some examples of possible explanation TXT records at
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 26]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    explain._spf.example.com:
+
       "Mail from example.com should only be sent by its own servers."
          -- a simple, constant message
 
       "%{i} is not one of %{d}'s designated mail servers."
-         -- a message with a little more info, including the IP address
-            that failed the check
+         -- a message with a little more information, including the IP
+            address that failed the check
 
       "See http://%{d}/why.html?s=%{S}&i=%{I}"
          -- a complicated example that constructs a URL with the
@@ -1472,63 +1340,33 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    Note: During recursion into an "include" mechanism, an exp= modifier
    from the  MUST NOT be used.  In contrast, when executing
+
+
+
+Wong & Schlitt                Experimental                     [Page 24]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    a "redirect" modifier, an exp= modifier from the original domain MUST
    NOT be used.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 27]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
-7.  The Received-SPF header field
+7.  The Received-SPF Header Field
 
    It is RECOMMENDED that SMTP receivers record the result of SPF
-   processing in the message headers.  If an SMTP receiver chooses to do
-   so, it SHOULD use the "Received-SPF" header defined here for each
-   identity that was checked.  This information is intended for the
+   processing in the message header.  If an SMTP receiver chooses to do
+   so, it SHOULD use the "Received-SPF" header field defined here for
+   each identity that was checked.  This information is intended for the
    recipient.  (Information intended for the sender is described in
    Section 6.2, Explanation.)
 
-   The Received-SPF header is a trace field (see [RFC2822] section
-   3.6.7) and SHOULD be prepended to existing headers, above the
-   Received: header that is generated by the SMTP receiver.  It MUST
-   appear above any other Received-SPF headers in the message.  The
-   header has the format:
+   The Received-SPF header field is a trace field (see [RFC2822] Section
+   3.6.7) and SHOULD be prepended to the existing header, above the
+   Received: field that is generated by the SMTP receiver.  It MUST
+   appear above all other Received-SPF fields in the message.  The
+   header field has the following format:
 
-   header           = "Received-SPF:" [CFWS] result FWS [comment FWS]
+   header-field     = "Received-SPF:" [CFWS] result FWS [comment FWS]
                       [ key-value-list ] CRLF
 
    result           = "Pass" / "Fail" / "SoftFail" / "Neutral" /
@@ -1554,22 +1392,22 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    FWS              = 
    CRLF             = 
 
-   The header SHOULD include a "(...)" style  after the result,
-   conveying supporting information for the result, such as ,
-    and .
+   The header field SHOULD include a "(...)" style  after the
+   result, conveying supporting information for the result, such as
+   , , and .
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 25]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
 
    The following key-value pairs are designed for later machine parsing.
    SPF clients SHOULD give enough information so that the SPF results
-   can be verified.  That is, at least the "client-ip", "helo", and, if
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 28]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
-   the "MAIL FROM" identity was checked, the "envelope-from".
+   can be verified.  That is, at least "client-ip", "helo", and, if the
+   "MAIL FROM" identity was checked, "envelope-from".
 
    client-ip      the IP address of the SMTP client
 
@@ -1578,30 +1416,30 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    helo           the host name given in the HELO or EHLO command
 
    mechanism      the mechanism that matched (if no mechanisms matched,
-                  substitute the word "default".)
+                  substitute the word "default")
 
    problem        if an error was returned, details about the error
 
    receiver       the host name of the SPF client
 
-   identity       the identity that was checked, see the  ABNF
-                  rule.
+   identity       the identity that was checked; see the  ABNF
+                  rule
 
    Other keys may be defined by SPF clients.  Until a new key name
    becomes widely accepted, new key names should start with "x-".
 
-   SPF clients MUST make sure that the Received-SPF header does not
-   contain invalid characters, is not excessively long, and does not
+   SPF clients MUST make sure that the Received-SPF header field does
+   not contain invalid characters, is not excessively long, and does not
    contain malicious data that has been provided by the sender.
 
-   Examples of various header styles that could be generated:
+   Examples of various header styles that could be generated are the
+   following:
 
    Received-SPF: Pass (mybox.example.org: domain of
     myname@example.com designates 192.0.2.1 as permitted sender)
        receiver=mybox.example.org; client-ip=192.0.2.1;
        envelope-from=; helo=foo.example.com;
 
-
    Received-SPF: Fail (mybox.example.org: domain of
                      myname@example.com does not designate
                      192.0.2.1 as permitted sender)
@@ -1617,26 +1455,25 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
 
 
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 29]
+Wong & Schlitt                Experimental                     [Page 26]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
 8.  Macros
 
-8.1.  Macro definitions
+8.1.  Macro Definitions
 
    Many mechanisms and modifiers perform macro expansion on part of the
    term.
 
    domain-spec      = macro-string domain-end
-   domain-end       = ( "." toplabel ) / macro-expand
+   domain-end       = ( "." toplabel [ "." ] ) / macro-expand
 
-   toplabel         = ALPHA / ALPHA *[ alphanum / "-" ] alphanum
-                      ; LDH rule (See [RFC3696])
+   toplabel         = ( *alphanum ALPHA *alphanum ) /
+                      ( 1*alphanum "-" *( alphanum / "-" ) alphanum )
+                      ; LDH rule plus additional TLD restrictions
+                      ; (see [RFC3696], Section 2)
    alphanum         = ALPHA / DIGIT
 
    explain-string   = *( macro-string / SP )
@@ -1654,7 +1491,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    A literal "%" is expressed by "%%".
 
       "%_" expands to a single " " space.
-      "%-" expands to a URL-encoded space, viz. "%20".
+      "%-" expands to a URL-encoded space, viz., "%20".
 
    The following macro letters are expanded in term arguments:
 
@@ -1667,22 +1504,26 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
       v = the string "in-addr" if  is ipv4, or "ip6" if  is ipv6
       h = HELO/EHLO domain
 
-   The following macro letters are only allowed in "exp" text:
+
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 27]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   The following macro letters are allowed only in "exp" text:
 
       c = SMTP client IP (easily readable format)
       r = domain name of host performing the check
       t = current timestamp
 
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 30]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    A '%' character not followed by a '{', '%', '-', or '_' character is
-   a syntax error.  So,
+   a syntax error.  So
 
       -exists:%(ir).sbl.spamhaus.example.org
 
@@ -1691,7 +1532,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
       -exists:%{ir}.sbl.spamhaus.example.org
 
-   Optional transformers are:
+   Optional transformers are the following:
 
       *DIGIT = zero or more digits
       'r'    = reverse value, splitting on dots by default
@@ -1702,9 +1543,12 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    using "." and not the original splitting characters.
 
    By default, strings are split on "." (dots).  Note that no special
-   treatment is given to leading, trailing or consecutive delimiters,
-   and so the list of parts may contain empty strings.  Macros may
-   specify delimiter characters which are used instead of ".".
+   treatment is given to leading, trailing, or consecutive delimiters,
+   and so the list of parts may contain empty strings.  Older
+   implementations of SPF prohibit trailing dots in domain names, so
+   trailing dots should not be published by domain owners, although they
+   must be accepted by implementations conforming to this document.
+   Macros may specify delimiter characters that are used instead of ".".
 
    The 'r' transformer indicates a reversal operation: if the client IP
    address were 192.0.2.1, the macro %{i} would expand to "192.0.2.1"
@@ -1719,48 +1563,49 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    support at least a value of 128, as that is the maximum number of
    labels in a domain name.
 
-   The "s" macro expands to the  argument.  It is an e-mail
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 28]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   The "s" macro expands to the  argument.  It is an E-Mail
    address with a localpart, an "@" character, and a domain.  The "l"
    macro expands to just the localpart.  The "o" macro expands to just
    the domain part.  Note that these values remain the same during
    recursive and chained evaluations due to "include" and/or "redirect".
    Note also that if the original  had no localpart, the
-   localpart was set to "postmaster" in initial processing (see
-   Section 4.3).
+   localpart was set to "postmaster" in initial processing (see Section
+   4.3).
 
    For IPv4 addresses, both the "i" and "c" macros expand to the
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 31]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    standard dotted-quad format.
 
    For IPv6 addresses, the "i" macro expands to a dot-format address; it
    is intended for use in %{ir}.  The "c" macro may expand to any of the
-   hexadecimal colon-format addresses specified in [RFC3513] section
+   hexadecimal colon-format addresses specified in [RFC3513], Section
    2.2.  It is intended for humans to read.
 
    The "p" macro expands to the validated domain name of .  The
-   procedure for finding the validated domain name is defined in
-   Section 5.5.  If the  is present in the list of validated
-   domains, it SHOULD be used.  Otherwise, if a subdomain of the
-    is present, it SHOULD be used.  Otherwise, any name from the
-   list may be used.  If there are no validated domain names or if a DNS
-   error occurs, the string "unknown" is used.
+   procedure for finding the validated domain name is defined in Section
+   5.5.  If the  is present in the list of validated domains, it
+   SHOULD be used.  Otherwise, if a subdomain of the  is
+   present, it SHOULD be used.  Otherwise, any name from the list may be
+   used.  If there are no validated domain names or if a DNS error
+   occurs, the string "unknown" is used.
 
    The "r" macro expands to the name of the receiving MTA.  This SHOULD
    be a fully qualified domain name, but if one does not exist (as when
    the checking is done by a MUA) or if policy restrictions dictate
    otherwise, the word "unknown" SHOULD be substituted.  The domain name
-   may be different than the name found in the MX record that the client
+   may be different from the name found in the MX record that the client
    MTA used to locate the receiving MTA.
 
    The "t" macro expands to the decimal representation of the
-   approximate number of seconds since the Epoch (Midnight, January 1st,
+   approximate number of seconds since the Epoch (Midnight, January 1,
    1970, UTC).  This is the same value as is returned by the POSIX
    time() function in most standards-compliant libraries.
 
@@ -1770,34 +1615,35 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    successive domain labels until the total length does not exceed 253
    characters.
 
-   Uppercased macros expand exactly as their lower case equivalents, and
+   Uppercased macros expand exactly as their lowercased equivalents, and
    are then URL escaped.  URL escaping must be performed for characters
    not in the "uric" set, which is defined in [RFC3986].
 
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 29]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    Note: Care must be taken so that macro expansion for legitimate
-   e-mail does not exceed the 63 character limit on DNS labels.  The
-   localpart of e-mail addresses, in particular, can have more than 63
+   E-Mail does not exceed the 63-character limit on DNS labels.  The
+   localpart of E-Mail addresses, in particular, can have more than 63
    characters between dots.
 
    Note: Domains should avoid using the "s", "l", "o", or "h" macros in
-   conjunction with any mechanism directive.  While these macros are
+   conjunction with any mechanism directive.  Although these macros are
    powerful and allow per-user records to be published, they severely
    limit the ability of implementations to cache results of check_host()
    and they reduce the effectiveness of DNS caches.
 
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 32]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    Implementations should be aware that if no directive processed during
-   the evaluation of check_host() contains an "s", "l", "o" or "h"
+   the evaluation of check_host() contains an "s", "l", "o", or "h"
    macro, then the results of the evaluation can be cached on the basis
-   of  and  alone for as long as the shortest TTL of all the
-   DNS records involved.
+   of  and  alone for as long as the shortest Time To Live
+   (TTL) of all the DNS records involved.
 
 8.2.  Expansion Examples
 
@@ -1806,7 +1652,6 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
       The IPv6 SMTP client IP is 2001:DB8::CB01.
       The PTR domain name of the client IP is mx.example.org.
 
-
    macro                       expansion
    -------  ----------------------------
    %{s}     strong-bad@email.example.com
@@ -1824,6 +1669,21 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    %{lr-}                     bad.strong
    %{l1r-}                        strong
 
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 30]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    macro-string                                               expansion
    --------------------------------------------------------------------
    %{ir}.%{v}._spf.%{d2}             3.2.0.192.in-addr._spf.example.com
@@ -1842,21 +1702,14 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    %{ir}.%{v}._spf.%{d2}                               1.0.B.C.0.0.0.0.
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6._spf.example.com
 
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 33]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
 9.  Implications
 
    This section outlines the major implications that adoption of this
-   document will have on various entities involved in Internet e-mail.
+   document will have on various entities involved in Internet E-Mail.
    It is intended to make clear to the reader where this document
    knowingly affects the operation of such entities.  This section is
-   not a "how-to" manual, nor a "best practices" document, and is not a
-   comprehensive list of what such entities should do in light of this
+   not a "how-to" manual, or a "best practices" document, and it is not
+   a comprehensive list of what such entities should do in light of this
    document.
 
    This section is non-normative.
@@ -1876,15 +1729,26 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
       v=spf1 exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d} ?all
 
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 31]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
 9.2.  Mailing Lists
 
    Mailing lists must be aware of how they re-inject mail that is sent
    to the list.  Mailing lists MUST comply with the requirements in
-   [RFC2821] Section 3.10 and [RFC1123] Section 5.3.6 that say that the
-   reverse-path MUST be changed to be the mailbox of a person or other
-   entity who administers the list.  While the reasons for changing the
-   reverse-path are many and long standing, SPF adds enforcement to this
-   requirement.
+   [RFC2821], Section 3.10, and [RFC1123], Section 5.3.6, that say that
+   the reverse-path MUST be changed to be the mailbox of a person or
+   other entity who administers the list.  Whereas the reasons for
+   changing the reverse-path are many and long-standing, SPF adds
+   enforcement to this requirement.
 
    In practice, almost all mailing list software in use already complies
    with this requirement.  Mailing lists that do not comply may or may
@@ -1897,129 +1761,125 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    Forwarding services take mail that is received at a mailbox and
    direct it to some external mailbox.  At the time of this writing, the
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 34]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    near-universal practice of such services is to use the original "MAIL
    FROM" of a message when re-injecting it for delivery to the external
    mailbox.  [RFC1123] and [RFC2821] describe this action as an "alias"
-   rather than a "mail list".  This means the external mailbox's MTA
-   sees all such mail in a connection from a host of the forwarding
+   rather than a "mail list".  This means that the external mailbox's
+   MTA sees all such mail in a connection from a host of the forwarding
    service, and so the "MAIL FROM" identity will not, in general, pass
    authorization.
 
    There are three places that techniques can be used to ameliorate this
    problem.
 
-   1.  The beginning, when e-mail is first sent.
+   1. The beginning, when E-Mail is first sent.
 
-       1.  "Neutral" results could be given for IP addresses that may be
-           forwarders, instead of "Fail" results.  For example:
+       1. "Neutral" results could be given for IP addresses that may be
+          forwarders, instead of "Fail" results.  For example:
 
-              "v=spf1 mx -exists:%{ir}.sbl.spamhaus.example.org ?all"
+             "v=spf1 mx -exists:%{ir}.sbl.spamhaus.example.org ?all"
 
-           This would cause a lookup on an anti-spam DNS blocklist
-           (DNSBL) and cause a result of "Fail" only for e-mail coming
-           from listed sources.  All other e-mail, including e-mail sent
-           through forwarders, would receive a "Neutral" result.  By
-           checking the DNSBL after the known good sources, problems
-           with incorrect listing on the DNSBL are greatly reduced.
-
-       2.  The "MAIL FROM" identity could have additional information in
-           the localpart that cryptographically identifies the mail as
-           coming from an authorized source.  In this case, such an SPF
-           record could be used:
-
-              "v=spf1 mx exists:%{l}._spf_verify.%{d} -all"
-
-           Then, a specialized DNS server can be set up to serve the
-           _spf_verify subdomain which validates the localpart.  While
-           this requires an extra DNS lookup, this only happens when the
-           e-mail would otherwise be rejected as not coming from a known
-           good source.
-
-           Note that due to the 63 character limit for domain labels,
-           this approach only works reliably if the localpart signature
-           scheme is guaranteed either to only produce localparts with a
-           maximum of 63 characters or to gracefully handle truncated
-           localparts.
-
-       3.  Similarly, a specialized DNS server could be set up that will
-           rate-limit the e-mail coming from unexpected IP addresses.
+          This would cause a lookup on an anti-spam DNS blacklist
+          (DNSBL) and cause a result of "Fail" only for E-Mail coming
+          from listed sources.  All other E-Mail, including E-Mail sent
+          through forwarders, would receive a "Neutral" result.  By
+          checking the DNSBL after the known good sources, problems with
+          incorrect listing on the DNSBL are greatly reduced.
 
 
 
 
 
-Wong & Schlitt          Expires December 8, 2005               [Page 35]
+
+Wong & Schlitt                Experimental                     [Page 32]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
-              "v=spf1 mx exists:%{ir}._spf_rate.%{d} -all"
+       2. The "MAIL FROM" identity could have additional information in
+          the localpart that cryptographically identifies the mail as
+          coming from an authorized source.  In this case, such an SPF
+          record could be used:
 
-       4.  SPF allows the creation of per-user policies for special
-           cases.  For example, the following SPF record and appropriate
-           wildcard DNS records can be used:
+             "v=spf1 mx exists:%{l}._spf_verify.%{d} -all"
 
-              "v=spf1 mx redirect=%{l1r+}._at_.%{o}._spf.%{d}"
+          Then, a specialized DNS server can be set up to serve the
+          _spf_verify subdomain that validates the localpart.  Although
+          this requires an extra DNS lookup, this happens only when the
+          E-Mail would otherwise be rejected as not coming from a known
+          good source.
 
-   2.  The middle, when e-mail is forwarded.
+          Note that due to the 63-character limit for domain labels,
+          this approach only works reliably if the localpart signature
+          scheme is guaranteed either to only produce localparts with a
+          maximum of 63 characters or to gracefully handle truncated
+          localparts.
 
-       1.  Forwarding services can solve the problem by rewriting the
-           "MAIL FROM" to be in their own domain.  This means that mail
-           bounced from the external mailbox will have to be re-bounced
-           by the forwarding service.  Various schemes to do this exist
-           though they vary widely in complexity and resource
-           requirements on the part of the forwarding service.
+       3. Similarly, a specialized DNS server could be set up that will
+          rate-limit the E-Mail coming from unexpected IP addresses.
 
-       2.  Several popular MTAs can be forced from "alias" semantics to
-           "mailing list" semantics by configuring an additional alias
-           with "owner-" prepended to the original alias name (e.g. an
-           alias of "friends: george@example.com, fred@example.org"
-           would need another alias of the form "owner-friends:
-           localowner").
+             "v=spf1 mx exists:%{ir}._spf_rate.%{d} -all"
 
-   3.  The end, when e-mail is received.
+       4. SPF allows the creation of per-user policies for special
+          cases.  For example, the following SPF record and appropriate
+          wildcard DNS records can be used:
 
-       1.  If the owner of the external mailbox wishes to trust the
-           forwarding service, they can direct the external mailbox's
-           MTA to skip SPF tests when the client host belongs to the
-           forwarding service.
+                 "v=spf1 mx redirect=%{l1r+}._at_.%{o}._spf.%{d}"
 
-       2.  Tests against other identities, such as the "HELO" identity,
-           may be used to override a failed test against the "MAIL FROM"
-           identity.
+   2.  The middle, when E-Mail is forwarded.
 
-       3.  For larger domains, it may not be possible to have a complete
-           or accurate list of forwarding services used by the owners of
-           the domain's mailboxes.  In such cases, whitelists of
-           generally-recognized forwarding services could be employed.
+       1. Forwarding services can solve the problem by rewriting the
+          "MAIL FROM" to be in their own domain.  This means that mail
+          bounced from the external mailbox will have to be re-bounced
+          by the forwarding service.  Various schemes to do this exist
+          though they vary widely in complexity and resource
+          requirements on the part of the forwarding service.
+
+       2. Several popular MTAs can be forced from "alias" semantics to
+          "mailing list" semantics by configuring an additional alias
+          with "owner-" prepended to the original alias name (e.g., an
+          alias of "friends: george@example.com, fred@example.org" would
+          need another alias of the form "owner-friends:  localowner").
+
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 33]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+   3. The end, when E-Mail is received.
+
+       1. If the owner of the external mailbox wishes to trust the
+          forwarding service, he can direct the external mailbox's MTA
+          to skip SPF tests when the client host belongs to the
+          forwarding service.
+
+       2. Tests against other identities, such as the "HELO" identity,
+          may be used to override a failed test against the "MAIL FROM"
+          identity.
+
+       3. For larger domains, it may not be possible to have a complete
+          or accurate list of forwarding services used by the owners of
+          the domain's mailboxes.  In such cases, whitelists of
+          generally-recognized forwarding services could be employed.
 
 9.4.  Mail Services
 
    Service providers that offer mail services to third-party domains,
-   such as sending of bulk mail, may have to adjust their setup in light
+   such as sending of bulk mail, may want to adjust their setup in light
    of the authorization check described in this document.  If the "MAIL
-   FROM" identity used for such e-mail uses the domain of the service
-   provider, then the provider needs only to ensure that their sending
-   host is authorized by their own SPF record, if any.
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 36]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+   FROM" identity used for such E-Mail uses the domain of the service
+   provider, then the provider needs only to ensure that its sending
+   host is authorized by its own SPF record, if any.
 
    If the "MAIL FROM" identity does not use the mail service provider's
    domain, then extra care must be taken.  The SPF record format has
-   several options for the third party domain to authorize the service
+   several options for the third-party domain to authorize the service
    provider's MTAs to send mail on its behalf.  For mail service
    providers, such as ISPs, that have a wide variety of customers using
    the same MTA, steps should be taken to prevent cross-customer forgery
@@ -2028,7 +1888,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 9.5.  MTA Relays
 
    The authorization check generally precludes the use of arbitrary MTA
-   relays between sender and receiver of an e-mail message.
+   relays between sender and receiver of an E-Mail message.
 
    Within an organization, MTA relays can be effectively deployed.
    However, for purposes of this document, such relays are effectively
@@ -2040,57 +1900,41 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    these are just the border MTAs as internal MTAs simply forward mail
    to these MTAs for delivery.
 
+
+
+
+Wong & Schlitt                Experimental                     [Page 34]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    Mail receivers will generally want to perform the authorization check
-   at the border MTAs, specifically including all secondary MXes.  This
+   at the border MTAs, specifically including all secondary MXs.  This
    allows mail that fails to be rejected during the SMTP session rather
    than bounced.  Internal MTAs then do not perform the authorization
    test.  To perform the authorization test other than at the border,
    the host that first transferred the message to the organization must
-   be determined, which can be difficult to extract from headers.
-   Testing other than at the border is not recommended.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 37]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+   be determined, which can be difficult to extract from the message
+   header.  Testing other than at the border is not recommended.
 
 10.  Security Considerations
 
 10.1.  Processing Limits
 
-   As with most aspects of e-mail, there are a number of ways that
-   malicious parties could use the protocol as an avenue for a Denial-
-   of-Service (DoS) attack.  The processing limits outlined here are
-   designed to prevent attacks such as:
+   As with most aspects of E-Mail, there are a number of ways that
+   malicious parties could use the protocol as an avenue for a
+   Denial-of-Service (DoS) attack.  The processing limits outlined here
+   are designed to prevent attacks such as the following:
 
    o  A malicious party could create an SPF record with many references
-      to a victim's domain and send many e-mails to different SPF
+      to a victim's domain and send many E-Mails to different SPF
       clients; those SPF clients would then create a DoS attack.  In
       effect, the SPF clients are being used to amplify the attacker's
       bandwidth by using fewer bytes in the SMTP session than are used
       by the DNS queries.  Using SPF clients also allows the attacker to
       hide the true source of the attack.
 
-   o  While implementations of check_host() are supposed to limit the
+   o  Whereas implementations of check_host() are supposed to limit the
       number of DNS lookups, malicious domains could publish records
       that exceed these limits in an attempt to waste computation effort
       at their targets when they send them mail.  Malicious domains
@@ -2107,28 +1951,28 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    the easiest for a DoS attack to effectively exploit.  As a result,
    limits that may seem reasonable for an individual mail server can
    still allow an unreasonable amount of bandwidth amplification.
-   Therefore the processing limits need to be quite low.
+   Therefore, the processing limits need to be quite low.
 
    SPF implementations MUST limit the number of mechanisms and modifiers
    that do DNS lookups to at most 10 per SPF check, including any
    lookups caused by the use of the "include" mechanism or the
+
+
+
+Wong & Schlitt                Experimental                     [Page 35]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    "redirect" modifier.  If this number is exceeded during a check, a
    PermError MUST be returned.  The "include", "a", "mx", "ptr", and
    "exists" mechanisms as well as the "redirect" modifier do count
-   against this limit.  The "all", "ip4" and "ip6" mechanisms do not
+   against this limit.  The "all", "ip4", and "ip6" mechanisms do not
    require DNS lookups and therefore do not count against this limit.
    The "exp" modifier does not count against this limit because the DNS
    lookup to fetch the explanation string occurs after the SPF record
    has been evaluated.
 
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 38]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro,
    there MUST be a limit of no more than 10 MX or PTR RRs looked up and
    checked.
@@ -2136,8 +1980,8 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    SPF implementations SHOULD limit the total amount of data obtained
    from the DNS queries.  For example, when DNS over TCP or EDNS0 are
    available, there may need to be an explicit limit to how much data
-   will be accepted to prevent excessive bandwidth usage or memory
-   usage, and DoS attacks.
+   will be accepted to prevent excessive bandwidth usage or memory usage
+   and DoS attacks.
 
    MTAs or other processors MAY also impose a limit on the maximum
    amount of elapsed time to evaluate check_host().  Such a limit SHOULD
@@ -2151,7 +1995,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    that require less DNS information and placing lower-cost mechanisms
    earlier in the SPF record.
 
-   For example, consider a domain set up as:
+   For example, consider a domain set up as follows:
 
    example.com.      IN MX   10 mx.example.com.
    mx.example.com.   IN A    192.0.2.1
@@ -2161,32 +2005,32 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    Evaluating check_host() for the domain "a.example.com" requires the
    MX records for "example.com", and then the A records for the listed
-   hosts.  Evaluating for "b.example.com" only requires the A records.
+   hosts.  Evaluating for "b.example.com" requires only the A records.
    Evaluating for "c.example.com" requires none.
 
    However, there may be administrative considerations: using "a" over
    "ip4" allows hosts to be renumbered easily.  Using "mx" over "a"
    allows the set of mail hosts to be changed easily.
 
-10.2.  SPF-Authorized E-Mail May Be UBE
+
+
+
+Wong & Schlitt                Experimental                     [Page 36]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
+10.2.  SPF-Authorized E-Mail May Contain Other False Identities
 
    The "MAIL FROM" and "HELO" identity authorizations must not be
    construed to provide more assurance than they do.  It is entirely
-   possible for a malicious sender to inject a message using their own
+   possible for a malicious sender to inject a message using his own
    domain in the identities used by SPF, to have that domain's SPF
-   record authorize the sending host, and yet the message content can
-   easily claim other identities in the headers.  Unless the user or the
-   MUA takes care to note that the authorized identity does not match
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 39]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
-   the other more commonly-presented identities (such as the From:
-   header), the user may be lulled into a false sense of security.
+   record authorize the sending host, and yet the message can easily
+   list other identities in its header.  Unless the user or the MUA
+   takes care to note that the authorized identity does not match the
+   other more commonly-presented identities (such as the From:  header
+   field), the user may be lulled into a false sense of security.
 
 10.3.  Spoofed DNS and IP Data
 
@@ -2198,7 +2042,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
       check_host() to see spoofed DNS data, and then return incorrect
       results.  This could include returning "Pass" for an  value
       where the actual domain's record would evaluate to "Fail".  See
-      [RFC3833] for a description of the DNS weaknesses.
+      [RFC3833] for a description of DNS weaknesses.
 
    o  The client IP address, , is assumed to be correct.  A
       malicious attacker could spoof TCP sequence numbers to make mail
@@ -2208,39 +2052,42 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 10.4.  Cross-User Forgery
 
    By definition, SPF policies just map domain names to sets of
-   authorized MTAs, not whole e-mail addresses to sets of authorized
+   authorized MTAs, not whole E-Mail addresses to sets of authorized
    users.  Although the "l" macro (Section 8) provides a limited way to
-   define individual sets of authorized MTAs for specific e-mail
+   define individual sets of authorized MTAs for specific E-Mail
    addresses, it is generally impossible to verify, through SPF, the use
-   of specific e-mail addresses by individual users of the same MTA.
+   of specific E-Mail addresses by individual users of the same MTA.
+
+   It is up to mail services and their MTAs to directly prevent
+   cross-user forgery: based on SMTP AUTH ([RFC2554]), users should be
+   restricted to using only those E-Mail addresses that are actually
+   under their control (see [RFC4409], Section 6.1).  Another means to
+   verify the identity of individual users is message cryptography such
+   as PGP ([RFC2440]) or S/MIME ([RFC3851]).
+
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 37]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
-   It is up to mail services and their MTAs to directly prevent cross-
-   user forgery: based on SMTP AUTH ([RFC2554]), users should be
-   restricted to using only those e-mail addresses that are actually
-   under their control (see [I-D.gellens-submit-bis] section 6.1).
-   Another means to verify the identity of individual users is message
-   cryptography such as PGP ([RFC2440]) or S/MIME ([RFC3851]).
 
 10.5.  Untrusted Information Sources
 
    SPF uses information supplied by third parties, such as the "HELO"
    domain name, the "MAIL FROM" address, and SPF records.  This
-   information is then passed to the receiver in the Received-SPF: mail
-   headers and possibly returned to the client MTA in the form of an
-   SMTP rejection message.  This information must be checked for invalid
+   information is then passed to the receiver in the Received-SPF: trace
+   fields and possibly returned to the client MTA in the form of an SMTP
+   rejection message.  This information must be checked for invalid
    characters and excessively long lines.
 
    When the authorization check fails, an explanation string may be
    included in the reject response.  Both the sender and the rejecting
    receiver need to be aware that the explanation was determined by the
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 40]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
    publisher of the SPF record checked and, in general, not the
    receiver.  The explanation may contain malicious URLs, or it may be
    offensive or misleading.
@@ -2252,62 +2099,39 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
    someone other than the actual sender, the only people who see
    malicious explanation strings are people whose messages claim to be
    from domains that publish such strings in their SPF records.  In
-   practice DSNs can be misdirected, such as when an MTA accepts an
-   e-mail and then later generates a DSN to a forged address, or when an
-   e-mail forwarder does not direct the DSN back to the original sender.
+   practice, DSNs can be misdirected, such as when an MTA accepts an
+   E-Mail and then later generates a DSN to a forged address, or when an
+   E-Mail forwarder does not direct the DSN back to the original sender.
 
 10.6.  Privacy Exposure
 
    Checking SPF records causes DNS queries to be sent to the domain
    owner.  These DNS queries, especially if they are caused by the
    "exists" mechanism, can contain information about who is sending
-   e-mail and likely to which MTA the e-mail is being sent to.  This can
+   E-Mail and likely to which MTA the E-Mail is being sent.  This can
    introduce some privacy concerns, which may be more or less of an
    issue depending on local laws and the relationship between the domain
-   owner and the person sending the e-mail.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 41]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+   owner and the person sending the E-Mail.
 
 11.  Contributors and Acknowledgements
 
    This document is largely based on the work of Meng Weng Wong and Mark
-   Lentczner.  While, as this section acknowledges, many people have
+   Lentczner.  Although, as this section acknowledges, many people have
    contributed to this document, a very large portion of the writing and
    editing are due to Meng and Mark.
 
    This design owes a debt of parentage to [RMX] by Hadmut Danisch and
    to [DMP] by Gordon Fecyk.  The idea of using a DNS record to check
-   the legitimacy of an e-mail address traces its ancestry farther back
+   the legitimacy of an E-Mail address traces its ancestry further back
    through messages on the namedroppers mailing list by Paul Vixie
+
+
+
+Wong & Schlitt                Experimental                     [Page 38]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    [Vixie] (based on suggestion by Jim Miller) and by David Green
    [Green].
 
@@ -2317,7 +2141,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    The authors would also like to thank the literally hundreds of
    individuals who have participated in the development of this design.
-   They are far too numerous to name, but they include:
+   They are far too numerous to name, but they include the following:
 
       The folks on the spf-discuss mailing list.
       The folks on the SPAM-L mailing list.
@@ -2325,42 +2149,14 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
       The folks on the IETF MARID mailing list.
       The folks on #perl.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 42]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
 12.  IANA Considerations
 
 12.1.  The SPF DNS Record Type
 
-   The IANA needs to assign a new Resource Record Type and Qtype from
-   the DNS Parameters Registry for the SPF RR type.
+   The IANA has assigned a new Resource Record Type and Qtype from the
+   DNS Parameters Registry for the SPF RR type with code 99.
 
-12.2.  The Received-SPF mail header
+12.2.  The Received-SPF Mail Header Field
 
    Per [RFC3864], the "Received-SPF:" header field is added to the IANA
    Permanent Message Header Field Registry.  The following is the
@@ -2368,74 +2164,45 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
       Header field name: Received-SPF
       Applicable protocol: mail ([RFC2822])
-      Status: standard
-      (Note to RFC Editor: Replace the status with the final
-      determination by the IESG)
+      Status: Experimental
       Author/Change controller: IETF
-      Specification document(s): this Internet Draft
-      (Note to RFC Editor: Replace this with RFC YYYY (RFC number of
-      this spec))
+      Specification document(s): RFC 4408
       Related information:
       Requesting SPF Council review of any proposed changes and
-      additions to this field is recommended.  For information about SPF
-      Council see http://spf.mehnle.net/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 43]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+      additions to this field are recommended.  For information about
+      the SPF Council see http://www.openspf.org/Council
 
 13.  References
 
-13.1  Normative References
+13.1.  Normative References
 
    [RFC1035]  Mockapetris, P., "Domain names - implementation and
               specification", STD 13, RFC 1035, November 1987.
 
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 39]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
+
    [RFC1123]  Braden, R., "Requirements for Internet Hosts - Application
               and Support", STD 3, RFC 1123, October 1989.
 
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.
 
-   [I-D.crocker-abnf-rfc2234bis]
-              Crocker, D. and P. Overell, "Augmented BNF for Syntax
-              Specifications: ABNF", draft-crocker-abnf-rfc2234bis-00
-              (work in progress), March 2005.
-
    [RFC2821]  Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
               April 2001.
 
-   [RFC2822]  Resnick, P., "Internet Message Format", RFC 2822,
-              April 2001.
+   [RFC2822]  Resnick, P., "Internet Message Format", RFC 2822, April
+              2001.
 
    [RFC3464]  Moore, K. and G. Vaudreuil, "An Extensible Message Format
-              for Delivery Status Notifications", RFC 3464,
-              January 2003.
+              for Delivery Status Notifications", RFC 3464, January
+              2003.
 
    [RFC3513]  Hinden, R. and S. Deering, "Internet Protocol Version 6
               (IPv6) Addressing Architecture", RFC 3513, April 2003.
@@ -2445,41 +2212,37 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
               September 2004.
 
    [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
-              Resource Identifier (URI): Generic Syntax", STD 66,
-              RFC 3986, January 2005.
+              Resource Identifier (URI): Generic Syntax", STD 66, RFC
+              3986, January 2005.
 
-   [US-ASCII]
-              American National Standards Institute (formerly United
+   [RFC4234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
+              Specifications: ABNF", RFC 4234, October 2005.
+
+   [US-ASCII] American National Standards Institute (formerly United
               States of America Standards Institute), "USA Code for
               Information Interchange, X3.4", 1968.
 
-              ANSI X3.4-1968 has been replaced by newer versions with
-              slight modifications, but the 1968 version remains
-              definitive for the Internet.
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 44]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
+   ANSI X3.4-1968 has been replaced by newer versions with slight
+              modifications, but the 1968 version remains definitive for
+              the Internet.
 
 13.2  Informative References
 
    [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
               STD 13, RFC 1034, November 1987.
 
-   [RFC1983]  Malkin, G., "Internet Users' Glossary", RFC 1983,
-              August 1996.
+   [RFC1983]  Malkin, G., "Internet Users' Glossary", RFC 1983, August
+              1996.
 
    [RFC2440]  Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
               "OpenPGP Message Format", RFC 2440, November 1998.
 
-   [I-D.gellens-submit-bis]
-              Gellens, R. and J. Klensin, "Message Submission for Mail",
-              draft-gellens-submit-bis-02 (work in progress),
-              April 2005.
+
+
+Wong & Schlitt                Experimental                     [Page 40]
+
+RFC 4408             Sender Policy Framework (SPF)            April 2006
+
 
    [RFC2554]  Myers, J., "SMTP Service Extension for Authentication",
               RFC 2554, March 1999.
@@ -2494,14 +2257,13 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
               Extensions (S/MIME) Version 3.1 Message Specification",
               RFC 3851, July 2004.
 
+   [RFC4409]  Gellens, R. and J. Klensin, "Message Submission for Mail",
+              RFC 4409, April 2006.
+
    [RMX]      Danish, H., "The RMX DNS RR Type for light weight sender
-              authentication", October 2003.
+              authentication", Work In Progress
 
-              Work In Progress
-
-   [DMP]      Fecyk, G., "Designated Mailers Protocol", December 2003.
-
-              Work In Progress
+   [DMP]      Fecyk, G., "Designated Mailers Protocol", Work In Progress
 
    [Vixie]    Vixie, P., "Repudiating MAIL FROM", 2002.
 
@@ -2516,9 +2278,26 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
 
 
-Wong & Schlitt          Expires December 8, 2005               [Page 45]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wong & Schlitt                Experimental                     [Page 41]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
 Appendix A.  Collected ABNF
@@ -2527,10 +2306,9 @@ Appendix A.  Collected ABNF
    fragments in the preceding text are to be resolved in favor of this
    grammar.
 
-   See [I-D.crocker-abnf-rfc2234bis] for ABNF notation.  Please note
-   that as per this ABNF definition, literal text strings (those in
-   quotes) are case-insensitive.  Hence, "mx" matches "mx", "MX", "mX"
-   and "Mx".
+   See [RFC4234] for ABNF notation.  Please note that as per this ABNF
+   definition, literal text strings (those in quotes) are case-
+   insensitive.  Hence, "mx" matches "mx", "MX", "mX", and "Mx".
 
    record           = version terms *SP
    version          = "v=spf1"
@@ -2566,21 +2344,25 @@ Appendix A.  Collected ABNF
                       / "1" 2DIGIT          ; 100-199
                       / "2" %x30-34 DIGIT   ; 200-249
                       / "25" %x30-35        ; 250-255
-             ; conventional dotted quad notation.  e.g. 192.0.2.0
+             ; conventional dotted quad notation.  e.g., 192.0.2.0
    ip6-network      = 
-             ; e.g. 2001:DB8::CD30
+             ; e.g., 2001:DB8::CD30
 
 
 
-Wong & Schlitt          Expires December 8, 2005               [Page 46]
+
+Wong & Schlitt                Experimental                     [Page 42]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
    domain-spec      = macro-string domain-end
-   domain-end       = ( "." toplabel ) / macro-expand
-   toplabel         = ALPHA / ALPHA *[ alphanum / "-" ] alphanum
-                      ; LDH rule (See [RFC3696])
+   domain-end       = ( "." toplabel [ "." ] ) / macro-expand
+   toplabel         = ( *alphanum ALPHA *alphanum ) /
+                      ( 1*alphanum "-" *( alphanum / "-" ) alphanum )
+                      ; LDH rule plus additional TLD restrictions
+                      ; (see [RFC3696], Section 2)
+
    alphanum         = ALPHA / DIGIT
 
    explain-string   = *( macro-string / SP )
@@ -2597,7 +2379,7 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
    name             = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
 
-   header           = "Received-SPF:" [CFWS] result FWS [comment FWS]
+   header-field     = "Received-SPF:" [CFWS] result FWS [comment FWS]
                       [ key-value-list ] CRLF
 
    result           = "Pass" / "Fail" / "SoftFail" / "Neutral" /
@@ -2625,12 +2407,9 @@ Internet-Draft        Sender Policy Framework (SPF)            June 2005
 
 
 
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 47]
+Wong & Schlitt                Experimental                     [Page 43]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
 Appendix B.  Extended Examples
@@ -2684,9 +2463,9 @@ B.1.  Simple Examples
 
 
 
-Wong & Schlitt          Expires December 8, 2005               [Page 48]
+Wong & Schlitt                Experimental                     [Page 44]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
    v=spf1 a:example.org -all
@@ -2740,9 +2519,9 @@ B.2.  Multiple Domain Example
 
 
 
-Wong & Schlitt          Expires December 8, 2005               [Page 49]
+Wong & Schlitt                Experimental                     [Page 45]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
 B.3.  DNSBL Style Example
@@ -2750,9 +2529,8 @@ B.3.  DNSBL Style Example
    Imagine that, in addition to the domain records listed above, there
    are these:
 
-   $ORIGIN _spf.example.com.
-   mary.mobile-users                   A 127.0.0.2
-   fred.mobile-users                   A 127.0.0.2
+   $ORIGIN _spf.example.com.  mary.mobile-users                   A
+   127.0.0.2 fred.mobile-users                   A 127.0.0.2
    15.15.168.192.joel.remote-users     A 127.0.0.2
    16.15.168.192.joel.remote-users     A 127.0.0.2
 
@@ -2776,9 +2554,9 @@ B.3.  DNSBL Style Example
 
 B.4.  Multiple Requirements Example
 
-   Say that your sender policy requires that both the IP address is
+   Say that your sender policy requires both that the IP address is
    within a certain range and that the reverse DNS for the IP matches.
-   This can be done several ways, including:
+   This can be done several ways, including the following:
 
    example.com.           SPF  ( "v=spf1 "
                                  "-include:ip4._spf.%{d} "
@@ -2788,241 +2566,18 @@ B.4.  Multiple Requirements Example
    ptr._spf.example.com.  SPF  "v=spf1 -ptr +all"
 
    This example shows how the "-include" mechanism can be useful, how an
-   SPF record that ends in "+all" can be very restrictive and the use of
-   De Morgan's Law.
+   SPF record that ends in "+all" can be very restrictive, and the use
+   of De Morgan's Law.
 
 
 
 
 
 
-Wong & Schlitt          Expires December 8, 2005               [Page 50]
+
+Wong & Schlitt                Experimental                     [Page 46]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
-Appendix C.  Change Log
-
-   RFC Editor Note: This section is to be removed during the final
-   publication of the document.
-
-C.1.  Changes in Version -02
-
-   o  The abstract notes that SPF-classic covers both the HELO and MAIL
-      FROM identities. (ietf-822 review)
-
-   o  In section 2.3 "Publishing Authorization", it now makes it clear
-      that publishing is optional. (ietf-smtp review)
-
-   o  The definition of the "SoftFail" result have been recast from
-      Receiver Policy to Sender Policy.
-
-   o  The definitions of Neutral, Pass and PermError have been updated/
-      clarified to more correctly reflect the semantics of
-      draft-mengwong-spf-01.
-
-   o  A note to the RFC editor was made indicating that the SPF DNS RR
-      type number should be added to the draft once the IANA has made an
-      allocation.
-
-   o  The ip4-network ABNF has been fixed to give the ABNF of the
-      dotted-quad format, rather than just using words to explain it.
-
-   o  The ABNF for the Received-SPF header now shows that it ends with a
-      CRLF. (ietf-822 review)
-
-   o  The new, optional, "scope" keyword-value pair has been renamed to
-      "identity".
-
-   o  The "exp=" modifier no longer counts toward the DoS DNS lookup
-      limits.
-
-   o  In section 10.5 "Untrusted Information Sources", the explanation
-      about explanation strings going to only the sender has been fixed
-      to note that, in some cases, it can go to other people. (ietf-822
-      review)
-
-   o  Sections 3.1.2 and 3.1.3 were updated to make the distinction
-      between "multiple TXT RRs" and "multiple strings within a TXT"
-      clearer. (ietf-822 review)
-
-   o  A normative reference to US-ASCII has been added.
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 51]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
-   o  Text describing how to lookup and process the SPF records has been
-      removed from section 3.1.1 "DNS Resource Record Types" and merged
-      into similar text in sections 4.4 "Record Lookup" and 4.5
-      "Selecting Records"
-
-   o  Section 4.5 "Selecting Records" has been updated to give an
-      algorithm that says to return a PermError when it discovers that
-      SPF and TXT records don't match.
-
-   o  In section 6.1 "redirect: Redirected Query", the semantics have
-      been changed to specify a result of PermError instead of None in
-      cases where the target domain does not have any SPF records.  It
-      makes no sense to return None, that is "no SPF records found",
-      when SPF records were found.
-
-   o  In section 6.2 "exp: Explanation", it is explained that the record
-      must be in US-ASCII due to requirements of RFC2821.
-
-   o  In section 6.2 "exp: Explanation", the duplicate warning about
-      source being from a third party was deleted.
-
-   o  A note has been added to section 9.3.1.2 warning about domain
-      labels being over 63 characters.
-
-   o  The "prefix" ABNF rule was renamed to "qualifier" to reflect the
-      semantics of the rule, rather than the syntax.
-
-C.2.  Changes in Version -01
-
-   o  IETF boilerplate was updated to BCP 79.
-
-   o  A version number was added to the title.  (IESG review)
-
-   o  Many grammatical, typographical and spelling errors were
-      corrected, along with rephrasing sentences to make the intent and
-      meaning clearer.
-
-   o  Sections have been re-ordered in so that they conform to the
-      instructions2authors.txt document.  All required sections and
-      arrangements are included, and only the "Security Considerations"
-      section is not in the suggested order.  Since the Security
-      Considerations is such an important part of the spec, it has been
-      moved before the Acknowledgement section.
-
-   o  The HELO identity checking has been changed from "MAY" to
-      "RECOMMENDED".
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 52]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
-   o  The e-mail receiver policy definition on how to handle HELO
-      checking was removed.  It was copied incorrectly from
-      draft-mengwong-spf-01, changing its meaning.
-
-   o  A note was added that when changing SPF records, there needs to be
-      a transitional period to prevent incorrect results.
-
-   o  The RECOMMENDATION not to use other identities with version 1 SPF
-      records has been clarified.  Example cases where checking other
-      identities will cause incorrect results have been cited.  (IESG
-      review)
-
-   o  The "zone cut" method of determining if there is an SPF record at
-      the top of the zone has been removed.  It wasn't implemented very
-      often and could not always be easily done.  (IESG/namedroppers'
-      review)
-
-   o  A note was added that receivers should consider rejecting e-mail
-      for non-existent domains in order to prevent circumvention of SPF
-      policies.  This is due to the remove of "zone cuts".
-      (namedroppers' review)
-
-   o  The RECOMMENDATION to perform SPF checks during the SMTP session
-      has been clarified and strengthened.
-
-   o  Note added about the consequences of treating "Neutral" results
-      worse than "None".
-
-   o  The suggested e-mail receiver policy when a "PermError" is
-      encountered has been changed to be, effectively, the same
-      semantics as were in draft-mengwong-spf-01.  (MAAWG review)
-
-   o  ABNF cleaned up to pass Bill Fenner's checker and not just the one
-      at http://www.apps.ietf.org/abnf.html
-
-   o  A few host names/IP addresses were fixed to use appropriate ones
-      for I-Ds.
-
-   o  A definition of what to should be done if there are syntax errors
-      in the explanation string was added.  (E.g. use the default.)
-
-   o  Section 10 "Security Considerations" has been broken up into
-      subsections and reorganized.
-
-   o  Section 7.1 "Process Limits" has been merged into the similar
-      language in the "Security Considerations" section.
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 53]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
-
-
-   o  The ABNF for the Received-SPF e-mail header has been made to be
-      more compatible with draft-mengwong-spf-01.  It was fixed to
-      require whitespace when needed and to show where the suggested
-      comment should be added to the header.
-
-   o  The IANA Considerations section now has the required information
-      to document the Received-SPF header.
-
-   o  A new, optional, "scope" keyword has added to the Received-SPF
-      header.
-
-   o  The non-normative Section 9.3 "Forwarding Services and Aliases"
-      has been expanded to more thoroughly cover the subject.
-
-   o  New Security Considerations sections on "Privacy Exposure" and
-      "Cross-User Forgery" have been added.
-
-   o  A new example of an SPF policy with a non-obvious implementation
-      has been added.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt          Expires December 8, 2005               [Page 54]
-
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
 Authors' Addresses
@@ -3030,8 +2585,7 @@ Authors' Addresses
    Meng Weng Wong
    Singapore
 
-   Email: mengwong+spf@pobox.com
-   URI:   http://spf.pobox.com/
+   EMail: mengwong+spf@pobox.com
 
 
    Wayne Schlitt
@@ -3039,7 +2593,7 @@ Authors' Addresses
    Lincoln Nebraska, NE  68506
    United States of America
 
-   Email: wayne@schlitt.net
+   EMail: wayne@schlitt.net
    URI:   http://www.schlitt.net/spf/
 
 
@@ -3076,12 +2630,29 @@ Authors' Addresses
 
 
 
-Wong & Schlitt          Expires December 8, 2005               [Page 55]
+
+Wong & Schlitt                Experimental                     [Page 47]
 
-Internet-Draft        Sender Policy Framework (SPF)            June 2005
+RFC 4408             Sender Policy Framework (SPF)            April 2006
 
 
-Intellectual Property Statement
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
 
    The IETF takes no position regarding the validity or scope of any
    Intellectual Property Rights or other rights that might be claimed to
@@ -3105,32 +2676,16 @@ Intellectual Property Statement
    this standard.  Please address the information to the IETF at
    ietf-ipr@ietf.org.
 
+Acknowledgement
 
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
 
 
 
 
-Wong & Schlitt          Expires December 8, 2005               [Page 56]
+
+
+
+Wong & Schlitt                Experimental                     [Page 48]
 

From a9365554b6c9f1294de1623f787843befa0000be Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 02:00:11 +0000
Subject: [PATCH 200/465] 2022.   [bug]           If dnssec validation is
 disabled only assert CD if                         CD was requested. [RT
 #16037]

2021.   [bug]           dnssec-enable no; triggered a REQUIRE. [RT #16037]
---
 bin/named/server.c | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/bin/named/server.c b/bin/named/server.c
index 9cab092b88..c3fbe7fb38 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.463 2006/05/03 01:54:53 marka Exp $ */
+/* $Id: server.c,v 1.464 2006/05/18 02:00:11 marka Exp $ */
 
 /*! \file */
 
@@ -1545,19 +1545,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 * For now, there is only one kind of trusted keys, the
 	 * "security roots".
 	 */
-	if (view->enablednssec) {
-		CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
-						&view->secroots));
-		dns_resolver_resetmustbesecure(view->resolver);
-		obj = NULL;
-		result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
-		if (result == ISC_R_SUCCESS)
-			CHECK(mustbesecure(obj, view->resolver));
-	} else {
-		if (view->secroots != NULL)
-			dns_keytable_detach(&view->secroots);
-		dns_resolver_resetmustbesecure(view->resolver);
-	}
+	CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
+					&view->secroots));
+	dns_resolver_resetmustbesecure(view->resolver);
+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
+	if (result == ISC_R_SUCCESS)
+		CHECK(mustbesecure(obj, view->resolver));
 
 	obj = NULL;
 	result = ns_config_get(maps, "max-cache-ttl", &obj);

From f04809663f4ba3df0e2ef1247d67bdd6ce0157d6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 02:03:37 +0000
Subject: [PATCH 201/465] 2024.   [bug]           named emited spurious "zone
 serial unchanged"                         messages on reload. [RT #16027]

---
 CHANGES        |  3 +++
 lib/dns/zone.c | 14 ++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 938acd50c2..f4a25f01fd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2024.	[bug]		named emited spurious "zone serial unchanged"
+			messages on reload. [RT #16027]
+
 2023.	[bug]		"make install" should create ${localstatedir}/run and
 			${sysconfdir} if they do not exist. [RT #16033]
 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 4a9e53294e..e6d0082eb8 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.453 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: zone.c,v 1.454 2006/05/18 02:03:37 marka Exp $ */
 
 /*! \file */
 
@@ -1138,7 +1138,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 		result = isc_file_getmodtime(zone->masterfile, &filetime);
 		if (result == ISC_R_SUCCESS) {
 			if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE) &&
-			    isc_time_compare(&filetime, &zone->loadtime) < 0) {
+			    isc_time_compare(&filetime, &zone->loadtime) <= 0) {
 				dns_zone_log(zone, ISC_LOG_DEBUG(1),
 					     "skipping load: master file "
 					     "older than last load");
@@ -1151,6 +1151,16 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 
 	INSIST(zone->db_argc >= 1);
 
+	/*
+	 * Built in zones don't need to be reloaded.
+	 */
+	if (zone->type == dns_zone_master &&
+	    strcmp(zone->db_argv[0], "_builtin") == 0 &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
 	if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub) &&
 	    (strcmp(zone->db_argv[0], "rbt") == 0 ||
 	     strcmp(zone->db_argv[0], "rbt64") == 0)) {

From 6227cb415da553a7490dd6289622f52b0b0ccbe9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 02:30:20 +0000
Subject: [PATCH 202/465] 2024.   [bug]           named emited spurious "zone
 serial unchanged"                         messages on reload. [RT #16027]

---
 CHANGES        |  3 +++
 lib/dns/zone.c | 14 ++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2e481c609d..813e552cce 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2024.	[bug]		named emited spurious "zone serial unchanged"
+			messages on reload. [RT #16027]
+
 2023.	[bug]		"make install" should create ${localstatedir}/run and
 			${sysconfdir} if they do not exist. [RT #16033]
 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index ce09bbcbca..cee46e1525 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.333.2.43 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: zone.c,v 1.333.2.44 2006/05/18 02:30:20 marka Exp $ */
 
 #include 
 
@@ -945,7 +945,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 			result = isc_file_getmodtime(zone->masterfile,
 						     &filetime);
 			if (result == ISC_R_SUCCESS &&
-			    isc_time_compare(&filetime, &zone->loadtime) < 0) {
+			    isc_time_compare(&filetime, &zone->loadtime) <= 0) {
 				dns_zone_log(zone, ISC_LOG_DEBUG(1),
 					     "skipping load: master file older "
 					     "than last load");
@@ -957,6 +957,16 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 
 	INSIST(zone->db_argc >= 1);
 
+	/*
+	 * Built in zones don't need to be reloaded.
+	 */
+	if (zone->type == dns_zone_master &&
+	    strcmp(zone->db_argv[0], "_builtin") == 0 &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
 	if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub) &&
 	    (strcmp(zone->db_argv[0], "rbt") == 0 ||
 	     strcmp(zone->db_argv[0], "rbt64") == 0)) {

From cd6d8d61b076eea02826596334a105b918393627 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 02:35:26 +0000
Subject: [PATCH 203/465] 2025.   [func]          Update "zone serial
 unchanged" message. [RT #16026]

---
 CHANGES        | 2 ++
 lib/dns/zone.c | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index f4a25f01fd..3bb0ed08b7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
+
 2024.	[bug]		named emited spurious "zone serial unchanged"
 			messages on reload. [RT #16027]
 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index e6d0082eb8..22b483777a 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.454 2006/05/18 02:03:37 marka Exp $ */
+/* $Id: zone.c,v 1.455 2006/05/18 02:35:26 marka Exp $ */
 
 /*! \file */
 
@@ -1964,7 +1964,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 					     "zone serial has gone backwards");
 			else if (serial == zone->serial && !hasinclude) 
 				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone serial unchanged");
+					     "zone serial unchanged. "
+					     "zone may fail to transfer "
+					     "to slaves.");
 		}
 		zone->serial = serial;
 		zone->refresh = RANGE(refresh,

From 444bbadb54d4a676aa4b20685d3178d7988534b3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 03:12:36 +0000
Subject: [PATCH 204/465] 2026.   [bug]           Rate limit the two recursive
 client exceeded messages.                         [RT #16044]

---
 CHANGES           |  3 +++
 bin/named/query.c | 32 +++++++++++++++++++++++---------
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 3bb0ed08b7..b1e5dd63fe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2026.	[bug]		Rate limit the two recursive client exceeded messages.
+			[RT #16044]
+
 2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
 
 2024.	[bug]		named emited spurious "zone serial unchanged"
diff --git a/bin/named/query.c b/bin/named/query.c
index b3afcb0396..f8d83225b0 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.285 2006/05/16 03:10:23 marka Exp $ */
+/* $Id: query.c,v 1.286 2006/05/18 03:12:36 marka Exp $ */
 
 /*! \file */
 
@@ -2958,17 +2958,31 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 		result = isc_quota_attach(&ns_g_server->recursionquota,
 					  &client->recursionquota);
 		if  (result == ISC_R_SOFTQUOTA) {
-			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
-				      "recursive-clients soft limit exceeded, "
-				      "aborting oldest query");
+			static isc_stdtime_t last = 0;
+			isc_stdtime_t now;
+			isc_stdtime_get(&now);
+			if (now != last) {
+				last = now;
+				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_WARNING,
+					      "recursive-clients soft limit "
+					      "exceeded, aborting oldest query");
+			}
 			ns_client_killoldestquery(client);
 			result = ISC_R_SUCCESS;
 		} else if (result == ISC_R_QUOTA) {
-			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
-				      "no more recursive clients: %s",
-				      isc_result_totext(result));
+			static isc_stdtime_t last = 0;
+			isc_stdtime_t now;
+			isc_stdtime_get(&now);
+			if (now != last) {
+				last = now;
+				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_WARNING,
+					      "no more recursive clients: %s",
+					      isc_result_totext(result));
+			}
 			ns_client_killoldestquery(client);
 		}
 		if (result == ISC_R_SUCCESS && !client->mortal &&

From 1e9b309b45338e8d00034592c3b8c055f6d2a94c Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 03:19:09 +0000
Subject: [PATCH 205/465] 2026.   [bug]           Rate limit the recursive
 client exceeded message.                         [RT #16044]

---
 CHANGES           |  3 +++
 bin/named/query.c | 17 ++++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 813e552cce..0e780773dd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2026.	[bug]		Rate limit the recursive client exceeded message.
+			[RT #16044]
+
 2024.	[bug]		named emited spurious "zone serial unchanged"
 			messages on reload. [RT #16027]
 
diff --git a/bin/named/query.c b/bin/named/query.c
index 329d7ca87e..3927d8a5e7 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.198.2.26 2006/05/16 03:31:09 marka Exp $ */
+/* $Id: query.c,v 1.198.2.27 2006/05/18 03:19:09 marka Exp $ */
 
 #include 
 
@@ -2117,10 +2117,17 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 		    (client->attributes & NS_CLIENTATTR_TCP) == 0)
 			result = ns_client_replace(client);
 		if (result != ISC_R_SUCCESS) {
-			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
-				      "no more recursive clients: %s",
-				      isc_result_totext(result));
+			static isc_stdtime_t last = 0;
+			isc_stdtime_t now;
+			isc_stdtime_get(&now);
+			if (now != last) {
+				last = now;
+				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_WARNING,
+					      "no more recursive clients: %s",
+					      isc_result_totext(result));
+			}
 			return (result);
 		}
 	}

From 8aafde566c67e74a8a5e65986c207b901a6b7af1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 23:17:00 +0000
Subject: [PATCH 206/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 45bb83c82b..bcc3a9f7c7 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -79,6 +79,7 @@ rt15992				new
 rt16020				new	
 rt16026				new	
 rt16027				new	
+rt16030				new	
 rt16034				new	
 rt16037				new	
 rt1727				open		// ixfr-from-differences workfile

From 92d126ef947e593a576dd863dab97f222c6aeade Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 23:30:04 +0000
Subject: [PATCH 207/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 1f4bc7b504..994451d616 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -4,7 +4,7 @@
 ./EXCLUDED					X	2001,2002,2003
 ./FAQ						X	2000,2001,2002,2003,2004,2005,2006
 ./FAQ.xml					SGML	2000,2001,2002,2003,2004,2005,2006
-./Makefile.in					MAKE	1998,1999,2000,2001,2003,2004
+./Makefile.in					MAKE	1998,1999,2000,2001,2003,2004,2006
 ./README					X	1999,2000,2001,2005,2006
 ./acconfig.h					C	1999,2000,2001,2003,2004
 ./aclocal.m4					X	1999,2000,2001

From 2a40fdc2d34adb8a5c72a748449699666032d461 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 18 May 2006 23:30:30 +0000
Subject: [PATCH 208/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 5207e19958..abe2f39192 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -3,7 +3,7 @@
 ./COPYRIGHT					TXT	1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./FAQ						X	2000,2001,2002,2003,2004,2005,2006
 ./FAQ.xml					SGML	2000,2001,2002,2003,2004,2005,2006
-./Makefile.in					MAKE	1998,1999,2000,2001,2002,2004,2005
+./Makefile.in					MAKE	1998,1999,2000,2001,2002,2004,2005,2006
 ./README					X	1999,2000,2001,2005,2006
 ./README.idnkit					X	2005
 ./acconfig.h					C	1999,2000,2001,2002,2003,2004,2005

From da61fde0a62140ed2f23a5d7531c4d0802be9ded Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 00:03:59 +0000
Subject: [PATCH 209/465] update copyright notice

---
 Makefile.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile.in b/Makefile.in
index 41b992525d..8f7945cb23 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.41.2.4 2006/05/18 01:21:07 marka Exp $
+# $Id: Makefile.in,v 1.41.2.5 2006/05/19 00:03:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@

From fb60765e69976e9df4bd2e9432d7af8f4297888b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 00:04:02 +0000
Subject: [PATCH 210/465] update copyright notice

---
 Makefile.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile.in b/Makefile.in
index 00dd56e48c..4f3b62a098 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.46 2006/05/18 00:59:40 marka Exp $
+# $Id: Makefile.in,v 1.47 2006/05/19 00:04:02 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@

From 11e43ff752bab2983d9328b6624bbcef613a93e1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 02:33:40 +0000
Subject: [PATCH 211/465] 2027.   [port]          libbind: solaris x68 suport.
 [RT #16020]

---
 CHANGES                                | 2 ++
 lib/bind/include/arpa/nameser_compat.h | 7 ++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index b1e5dd63fe..6cf3d2ca21 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2027.	[port]		libbind: Solaris x68 suport. [RT #16020]
+
 2026.	[bug]		Rate limit the two recursive client exceeded messages.
 			[RT #16044]
 
diff --git a/lib/bind/include/arpa/nameser_compat.h b/lib/bind/include/arpa/nameser_compat.h
index 8778bf9ad4..5c6988288b 100644
--- a/lib/bind/include/arpa/nameser_compat.h
+++ b/lib/bind/include/arpa/nameser_compat.h
@@ -32,7 +32,7 @@
 
 /*%
  *      from nameser.h	8.1 (Berkeley) 6/2/93
- *	$Id: nameser_compat.h,v 1.7 2005/04/27 04:56:16 sra Exp $
+ *	$Id: nameser_compat.h,v 1.8 2006/05/19 02:33:40 marka Exp $
  */
 
 #ifndef _ARPA_NAMESER_COMPAT_
@@ -50,8 +50,9 @@
 #define	BIG_ENDIAN	4321	/*%< most-significant byte first (IBM, net) */
 #define	PDP_ENDIAN	3412	/*%< LSB first in word, MSW first in long (pdp) */
 #if defined(vax) || defined(ns32000) || defined(sun386) || defined(i386) || \
-    defined(MIPSEL) || defined(_MIPSEL) || defined(BIT_ZERO_ON_RIGHT) || \
-    defined(__alpha__) || defined(__alpha) || \
+    defined(__i386__) || defined(__i386) || defined(__amd64__) || \
+    defined(__x86_64__) || defined(MIPSEL) || defined(_MIPSEL) || \
+    defined(BIT_ZERO_ON_RIGHT) || defined(__alpha__) || defined(__alpha) || \
     (defined(__Lynx__) && defined(__x86__))
 #define BYTE_ORDER	LITTLE_ENDIAN
 #endif

From f12d48cf21a296771a0598bea62d92e2bafc84ac Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 02:38:58 +0000
Subject: [PATCH 212/465] 2027.   [port]          libbind: solaris x68 support.
 [RT #16020]

---
 CHANGES                                | 2 ++
 lib/bind/include/arpa/nameser_compat.h | 7 ++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0e780773dd..dcaaff5b74 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2027.	[port]		libbind: Solaris x68 support. [RT #16020]
+
 2026.	[bug]		Rate limit the recursive client exceeded message.
 			[RT #16044]
 
diff --git a/lib/bind/include/arpa/nameser_compat.h b/lib/bind/include/arpa/nameser_compat.h
index 9eabb16cce..0291c24347 100644
--- a/lib/bind/include/arpa/nameser_compat.h
+++ b/lib/bind/include/arpa/nameser_compat.h
@@ -32,7 +32,7 @@
 
 /*
  *      from nameser.h	8.1 (Berkeley) 6/2/93
- *	$Id: nameser_compat.h,v 1.1.2.5 2004/07/01 04:42:04 marka Exp $
+ *	$Id: nameser_compat.h,v 1.1.2.6 2006/05/19 02:38:58 marka Exp $
  */
 
 #ifndef _ARPA_NAMESER_COMPAT_
@@ -52,8 +52,9 @@
 #define	PDP_ENDIAN	3412	/* LSB first in word, MSW first in long (pdp)*/
 
 #if defined(vax) || defined(ns32000) || defined(sun386) || defined(i386) || \
-    defined(MIPSEL) || defined(_MIPSEL) || defined(BIT_ZERO_ON_RIGHT) || \
-    defined(__alpha__) || defined(__alpha) || \
+    defined(__i386__) || defined(__i386) || defined(__amd64__) || \
+    defined(__x86_64__) || defined(MIPSEL) || defined(_MIPSEL) || \
+    defined(BIT_ZERO_ON_RIGHT) || defined(__alpha__) || defined(__alpha) || \
     (defined(__Lynx__) && defined(__x86__))
 #define BYTE_ORDER	LITTLE_ENDIAN
 #endif

From c6a5d06a45854d076db701363e41b75c8045cc72 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 02:43:46 +0000
Subject: [PATCH 213/465] spelling

---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 6cf3d2ca21..9613358bd2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,4 @@
-2027.	[port]		libbind: Solaris x68 suport. [RT #16020]
+2027.	[port]		libbind: Solaris x68 support. [RT #16020]
 
 2026.	[bug]		Rate limit the two recursive client exceeded messages.
 			[RT #16044]

From 529035492ea0a427cc8d007cd743934d4494d9d3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 02:47:18 +0000
Subject: [PATCH 214/465] 2026.   [port]          linux: socket.c compatability
 for old systems.                         [RT #16015]

---
 CHANGES               | 3 +++
 lib/isc/unix/socket.c | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9613358bd2..a8143fb58d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2026.	[port]		linux: socket.c compatability for old systems.
+			[RT #16015]
+
 2027.	[port]		libbind: Solaris x68 support. [RT #16020]
 
 2026.	[bug]		Rate limit the two recursive client exceeded messages.
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 65bc00f0f4..e53d692fff 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.263 2006/02/03 23:51:39 marka Exp $ */
+/* $Id: socket.c,v 1.264 2006/05/19 02:47:18 marka Exp $ */
 
 /*! \file */
 
@@ -115,7 +115,7 @@ typedef isc_event_t intev_t;
  * to collect the destination address and interface so the client can
  * set them on outgoing packets.
  */
-#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
 #ifndef USE_CMSG
 #define USE_CMSG	1
 #endif

From 9c420baae0dce935d70df3852bc3abdfe5caf093 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 02:51:37 +0000
Subject: [PATCH 215/465] change number

---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index a8143fb58d..22af8fd5da 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,4 @@
-2026.	[port]		linux: socket.c compatability for old systems.
+2028.	[port]		linux: socket.c compatability for old systems.
 			[RT #16015]
 
 2027.	[port]		libbind: Solaris x68 support. [RT #16020]

From 6a28831cd5f80f78ee0a37baa2571551c0ceff54 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 02:54:38 +0000
Subject: [PATCH 216/465] 2028.   [port]          linux: socket.c compatability
 for old systems.                         [RT #16015]

---
 CHANGES               | 3 +++
 lib/isc/unix/socket.c | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index dcaaff5b74..16aaed0f61 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2028.	[port]		linux: socket.c compatability for old systems.
+			[RT #16015]
+
 2027.	[port]		libbind: Solaris x68 support. [RT #16020]
 
 2026.	[bug]		Rate limit the recursive client exceeded message.
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 66fd1cf7cb..eafcedd680 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.207.2.40 2006/02/03 23:51:36 marka Exp $ */
+/* $Id: socket.c,v 1.207.2.41 2006/05/19 02:54:38 marka Exp $ */
 
 #include 
 
@@ -109,7 +109,7 @@ typedef isc_event_t intev_t;
  * to collect the destination address and interface so the client can
  * set them on outgoing packets.
  */
-#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
 #ifndef USE_CMSG
 #define USE_CMSG	1
 #endif

From 60b6efc6cbcc933c85774228ef361a07ddab1634 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 04:43:09 +0000
Subject: [PATCH 217/465] s/x68/x86/

---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 16aaed0f61..81490aafed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,7 @@
 2028.	[port]		linux: socket.c compatability for old systems.
 			[RT #16015]
 
-2027.	[port]		libbind: Solaris x68 support. [RT #16020]
+2027.	[port]		libbind: Solaris x86 support. [RT #16020]
 
 2026.	[bug]		Rate limit the recursive client exceeded message.
 			[RT #16044]

From ff6bd86d5778de50cb1b4e93591e22354062ee17 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 04:43:12 +0000
Subject: [PATCH 218/465] s/x68/x86/

---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 22af8fd5da..769edd415c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,7 @@
 2028.	[port]		linux: socket.c compatability for old systems.
 			[RT #16015]
 
-2027.	[port]		libbind: Solaris x68 support. [RT #16020]
+2027.	[port]		libbind: Solaris x86 support. [RT #16020]
 
 2026.	[bug]		Rate limit the two recursive client exceeded messages.
 			[RT #16044]

From 9b99f469d6306216498675d4b38024f67a924cce Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 23:30:04 +0000
Subject: [PATCH 219/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 994451d616..ba7e305958 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1185,7 +1185,7 @@
 ./lib/bind/include/Makefile.in			MAKE	2001,2004
 ./lib/bind/include/arpa/inet.h			X	2001
 ./lib/bind/include/arpa/nameser.h		X	2001
-./lib/bind/include/arpa/nameser_compat.h	X	2001
+./lib/bind/include/arpa/nameser_compat.h	X	2001,2006
 ./lib/bind/include/fd_setsize.h			X	2001
 ./lib/bind/include/hesiod.h			X	2001
 ./lib/bind/include/irp.h			X	2001

From 58716626c97aa324433b76b8788eca7190f0a8e0 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 19 May 2006 23:30:27 +0000
Subject: [PATCH 220/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index abe2f39192..3c35f7f4a0 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1308,7 +1308,7 @@
 ./lib/bind/include/Makefile.in			MAKE	2001,2004
 ./lib/bind/include/arpa/inet.h			X	2001,2005
 ./lib/bind/include/arpa/nameser.h		X	2001,2005
-./lib/bind/include/arpa/nameser_compat.h	X	2001,2005
+./lib/bind/include/arpa/nameser_compat.h	X	2001,2005,2006
 ./lib/bind/include/fd_setsize.h			X	2001,2005
 ./lib/bind/include/hesiod.h			X	2001,2005
 ./lib/bind/include/irp.h			X	2001,2005

From e22bd3c4bc0de0b96531fab5c2c944251e02e975 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 23 May 2006 04:37:28 +0000
Subject: [PATCH 221/465] 2029.   [bug]           host printed out the server
 multiple times when                         specified on the command line.
 [RT #15992]

---
 CHANGES        | 3 +++
 bin/dig/host.c | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 769edd415c..0aca9be232 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2029.	[bug]		host printed out the server multiple times when
+			specified on the command line. [RT #15992]
+
 2028.	[port]		linux: socket.c compatability for old systems.
 			[RT #16015]
 
diff --git a/bin/dig/host.c b/bin/dig/host.c
index 1582f31ce8..821bd87716 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.108 2006/03/02 23:48:50 marka Exp $ */
+/* $Id: host.c,v 1.109 2006/05/23 04:37:28 marka Exp $ */
 
 /*! \file */
 
@@ -48,6 +48,7 @@ static isc_boolean_t default_lookups = ISC_TRUE;
 static int seen_error = -1;
 static isc_boolean_t list_addresses = ISC_TRUE;
 static dns_rdatatype_t list_type = dns_rdatatype_a;
+static printed_server = ISC_FALSE;
 
 static const char *opcodetext[] = {
 	"QUERY",
@@ -398,7 +399,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	 */
 	force_error = (seen_error == 1) ? 1 : 0;
 	seen_error = 1;
-	if (listed_server) {
+	if (listed_server && !printed_server) {
 		char sockstr[ISC_SOCKADDR_FORMATSIZE];
 
 		printf("Using domain server:\n");
@@ -407,6 +408,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 				    sizeof(sockstr));
 		printf("Address: %s\n", sockstr);
 		printf("Aliases: \n\n");
+		printed_server = ISC_TRUE;
 	}
 
 	if (msg->rcode != 0) {

From 8d18fc189ff99f37544b1a0763e8931a7305a7f8 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 23 May 2006 04:38:28 +0000
Subject: [PATCH 222/465] missing type

---
 bin/dig/host.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dig/host.c b/bin/dig/host.c
index 821bd87716..ce92eb5ca2 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.109 2006/05/23 04:37:28 marka Exp $ */
+/* $Id: host.c,v 1.110 2006/05/23 04:38:28 marka Exp $ */
 
 /*! \file */
 
@@ -48,7 +48,7 @@ static isc_boolean_t default_lookups = ISC_TRUE;
 static int seen_error = -1;
 static isc_boolean_t list_addresses = ISC_TRUE;
 static dns_rdatatype_t list_type = dns_rdatatype_a;
-static printed_server = ISC_FALSE;
+static isc_boolean_t printed_server = ISC_FALSE;
 
 static const char *opcodetext[] = {
 	"QUERY",

From 12b1bf8b14ac3b6ec4de9cae6fea10f389b5e5db Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 23 May 2006 04:49:19 +0000
Subject: [PATCH 223/465] 2030.   [bug]           We were being overly
 conservative when disabling                         openssl engine support.
 [RT #16030]

---
 CHANGES                | 3 +++
 lib/dns/openssl_link.c | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0aca9be232..898fb3cecf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2030.	[bug]		We were being overly conservative when disabling
+			openssl engine support. [RT #16030]
+
 2029.	[bug]		host printed out the server multiple times when
 			specified on the command line. [RT #15992]
 
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index a8fbd05261..7179e90a00 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.7 2005/09/01 02:24:59 marka Exp $
+ * $Id: openssl_link.c,v 1.8 2006/05/23 04:49:19 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -41,7 +41,7 @@
 #include 
 #include 
 
-#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER < 0x00907000L)
+#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER != 0x00907000L)
 #define USE_ENGINE 1
 #endif
 
@@ -167,7 +167,7 @@ dst__openssl_init() {
 		goto cleanup_rm;
 	}
 	ENGINE_set_RAND(e, rm);
-	RAND_set_rand_method(e);
+	RAND_set_rand_method(rm);
 #else
 	RAND_set_rand_method(rm);
 #endif

From 461830029ec7dbb19d183ea39ca136b09e0517d9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 23 May 2006 04:52:13 +0000
Subject: [PATCH 224/465] 2030.   [bug]           We were being overly
 conservative when disabling                         openssl engine support.
 [RT #16030]

---
 CHANGES                | 3 +++
 lib/dns/openssl_link.c | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 81490aafed..8146317e4e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2030.	[bug]		We were being overly conservative when disabling
+			openssl engine support. [RT #16030]
+
 2028.	[port]		linux: socket.c compatability for old systems.
 			[RT #16015]
 
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 5439c623b3..7a521db456 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.1.2.1 2004/12/09 03:18:18 marka Exp $
+ * $Id: openssl_link.c,v 1.1.2.2 2006/05/23 04:52:13 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -37,7 +37,7 @@
 #include 
 #include 
 
-#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER < 0x00907000L)
+#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER != 0x00907000L)
 #define USE_ENGINE 1
 #endif
 
@@ -130,7 +130,7 @@ dst__openssl_init() {
 		goto cleanup_rm;
 	}
 	ENGINE_set_RAND(e, rm);
-	RAND_set_rand_method(e);
+	RAND_set_rand_method(rm);
 #else
 	RAND_set_rand_method(rm);
 #endif

From 414947dd0af0147ecbefe5956d293f88c6ebe480 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 23 May 2006 23:16:52 +0000
Subject: [PATCH 225/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index bcc3a9f7c7..a43ad137b6 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -82,6 +82,7 @@ rt16027				new
 rt16030				new	
 rt16034				new	
 rt16037				new	
+rt16073				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	

From 1d9dca8416d314892900b014402481f1134db37f Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 23 May 2006 23:30:04 +0000
Subject: [PATCH 226/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index ba7e305958..04535ba574 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1680,7 +1680,7 @@
 ./lib/dns/name.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/ncache.c				C	1999,2000,2001,2002,2003,2004
 ./lib/dns/nxt.c					C	1999,2000,2001,2003,2004
-./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2003,2004
+./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2003,2004,2006
 ./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2004,2006
 ./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2004,2006
 ./lib/dns/opensslrsa_link.c			C	2000,2001,2003,2004,2006

From 412c80a1e63b34c589a36ee93800850ae9248659 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 23 May 2006 23:30:29 +0000
Subject: [PATCH 227/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 3c35f7f4a0..ce63b58487 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1833,7 +1833,7 @@
 ./lib/dns/name.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/ncache.c				C	1999,2000,2001,2002,2003,2004,2005
 ./lib/dns/nsec.c				C	1999,2000,2001,2003,2004,2005
-./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2002,2003,2004,2005
+./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006
 ./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006
 ./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006
 ./lib/dns/opensslrsa_link.c			C	2000,2001,2002,2003,2004,2005,2006

From 53f8a2b94bb7143fe6f38e04b76474a76df5af09 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 23 May 2006 23:51:02 +0000
Subject: [PATCH 228/465] update copyright notice

---
 lib/dns/openssl_link.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 7a521db456..0ca8ba9afd 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.1.2.2 2006/05/23 04:52:13 marka Exp $
+ * $Id: openssl_link.c,v 1.1.2.3 2006/05/23 23:51:02 marka Exp $
  */
 #ifdef OPENSSL
 

From 37e75a624c0dda1618e43072012b6d3bedc4609d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 23 May 2006 23:51:07 +0000
Subject: [PATCH 229/465] update copyright notice

---
 lib/dns/openssl_link.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 7179e90a00..c6d7658a27 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.8 2006/05/23 04:49:19 marka Exp $
+ * $Id: openssl_link.c,v 1.9 2006/05/23 23:51:05 marka Exp $
  */
 #ifdef OPENSSL
 

From c79e85f7d77317a9b5c34b4bb94eaf1779fc0b6e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 24 May 2006 04:23:15 +0000
Subject: [PATCH 230/465] 2031.   [bug]           Emit a error message when
 "rndc refresh" is called on                         a non slave/stub zone.
 [RT # 16073]

---
 CHANGES            |  3 +++
 bin/named/server.c | 25 +++++++++++++++++--------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index 898fb3cecf..fae5647d8a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2031.	[bug]		Emit a error message when "rndc refresh" is called on
+			a non slave/stub zone. [RT # 16073]
+
 2030.	[bug]		We were being overly conservative when disabling
 			openssl engine support. [RT #16030]
 
diff --git a/bin/named/server.c b/bin/named/server.c
index c3fbe7fb38..2f9ae8c5c0 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.464 2006/05/18 02:00:11 marka Exp $ */
+/* $Id: server.c,v 1.465 2006/05/24 04:23:15 marka Exp $ */
 
 /*! \file */
 
@@ -4021,20 +4021,29 @@ isc_result_t
 ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
-	const unsigned char msg[] = "zone refresh queued";
+	const unsigned char msg1[] = "zone refresh queued";
+	const unsigned char msg2[] = "not a slave or stub zone";
+	dns_zonetype_t type;
 
 	result = zone_from_args(server, args, &zone);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
 		return (ISC_R_UNEXPECTEDEND);
-	
-	dns_zone_refresh(zone);
-	dns_zone_detach(&zone);
-	if (sizeof(msg) <= isc_buffer_availablelength(text))
-		isc_buffer_putmem(text, msg, sizeof(msg));
 
-	return (ISC_R_SUCCESS);
+	type = dns_zone_gettype(zone);
+	if (type == dns_zone_slave || type == dns_zone_stub) {
+		dns_zone_refresh(zone);
+		dns_zone_detach(&zone);
+		if (sizeof(msg1) <= isc_buffer_availablelength(text))
+			isc_buffer_putmem(text, msg1, sizeof(msg1));
+		return (ISC_R_SUCCESS);
+	}
+		
+	dns_zone_detach(&zone);
+	if (sizeof(msg2) <= isc_buffer_availablelength(text))
+		isc_buffer_putmem(text, msg2, sizeof(msg2));
+	return (ISC_R_FAILURE);
 }	
 
 isc_result_t

From 10a1bc7d191e64a106137ea86681bb332c661f98 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 24 May 2006 23:18:00 +0000
Subject: [PATCH 231/465] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index a43ad137b6..8a7dd79eff 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -83,6 +83,8 @@ rt16030				new
 rt16034				new	
 rt16037				new	
 rt16073				new	
+rt16074				new	
+rt16075				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	

From d440718f8da90359dcf287c18050ae5f692ff154 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 25 May 2006 06:17:08 +0000
Subject: [PATCH 232/465] 9.2.7b1

---
 CHANGES | 3 +++
 version | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8146317e4e..3aca395b4c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+
+	--- 9.2.7b1 released ---
+
 2030.	[bug]		We were being overly conservative when disabling
 			openssl engine support. [RT #16030]
 
diff --git a/version b/version
index df461d3455..4e84990d04 100644
--- a/version
+++ b/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.26.2.42 2005/12/14 00:40:26 marka Exp $
+# $Id: version,v 1.26.2.43 2006/05/25 06:17:08 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 MAJORVER=9
 MINORVER=2
-PATCHVER=6
-RELEASETYPE=
-RELEASEVER=
+PATCHVER=7
+RELEASETYPE=b
+RELEASEVER=1

From c0f29a77f56b89ab53fdca92af10d6dd71b03659 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 25 May 2006 06:49:00 +0000
Subject: [PATCH 233/465] win32

---
 config.h.win32 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/config.h.win32 b/config.h.win32
index 318df49bd0..71c729e14c 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.win32,v 1.6.2.3 2004/04/19 06:56:23 marka Exp $ */
+/* $Id: config.h.win32,v 1.6.2.4 2006/05/25 06:49:00 marka Exp $ */
 
 /*
  * win32 configuration file
@@ -104,6 +104,9 @@
 /* Define if you have h_errno */
 #define HAVE_H_ERRNO
 
+/* Define if libcrypto has RSA_generate_key */
+#define HAVE_RSA_GENERATE_KEY
+
 #define S_IFMT   _S_IFMT         /* file type mask */
 #define S_IFDIR  _S_IFDIR        /* directory */
 #define S_IFCHR  _S_IFCHR        /* character special */

From 0614d8a35a32835ecec55d963e408a4c2eceb4c1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 25 May 2006 08:10:12 +0000
Subject: [PATCH 234/465] win32

---
 config.h.win32 | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/config.h.win32 b/config.h.win32
index 71c729e14c..4e7cb25cf8 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.win32,v 1.6.2.4 2006/05/25 06:49:00 marka Exp $ */
+/* $Id: config.h.win32,v 1.6.2.5 2006/05/25 08:10:12 marka Exp $ */
 
 /*
  * win32 configuration file
@@ -107,6 +107,12 @@
 /* Define if libcrypto has RSA_generate_key */
 #define HAVE_RSA_GENERATE_KEY
 
+/* Define if libcrypto has DSA_generate_parameters */
+#define HAVE_DSA_GENERATE_PARAMETERS
+
+/* Define if libcrypto has DH_generate_parameters */
+#define HAVE_DH_GENERATE_PARAMETERS
+
 #define S_IFMT   _S_IFMT         /* file type mask */
 #define S_IFDIR  _S_IFDIR        /* directory */
 #define S_IFCHR  _S_IFCHR        /* character special */

From eb7f66159a1d1ade07adcaab032ce3f4e6e46fe3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 25 May 2006 08:18:01 +0000
Subject: [PATCH 235/465] 9.2.7b1

---
 doc/arm/Bv9ARM.pdf | 5743 ++++++++++++++++++++++----------------------
 1 file changed, 2882 insertions(+), 2861 deletions(-)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index 0577d75646..175bc71fbf 100755
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
@@ -891,13 +891,11 @@ endobj
 << /S /GoTo /D [598 0 R  /FitH ] >>
 endobj
 600 0 obj <<
-/Length 221       
+/Length 220       
 /Filter /FlateDecode
 >>
 stream
-xÚOKAÅïû)rlÁ‰“Ý™£¥*
-ö s“Öv*…îÖêçw¶[‹ É!$ùñy¾A0ôê¨hžÖmåá­Üî+:3j‚¦"eøãê$
-•ŽC@³ÿÄ~ᤊµ„μa,â>OÕõ2PL¦¶@±f/páÒæe2X.¦ŽÍOâØn6í®Û½ûæxèÇÕsÞæ>wë<ŽOM÷Ñ짫ôX,ˆ0šñÉ‚%(¸ 8l'‡åá3·¯ù¬¥Wcgïm¨nÓå—ïðÄpˆçßÑ}ÂmR_endstream
+xÚ=O1†÷û[‰3þ¼$#©(êpj¯¨=¤£ü{r½R!Á€2$¶ûu^*‡!:’&ƒØa½¯^Jí®âc®è¦Z‚?ªµ&Åh¡–ѽ‘ŸØ/œÍ0hLP;9¦2|Ĺº¼5(ìyl	ƒÂ™Ë›çÙâþñz^‹Ó,M×Õf¿ëw=¼
Sê©ÛvCׯ»)\¶ýGû:_å‡"¡ÀŒÉ]Ž0P(«GÃ&Š%–íçÔ(~qz5cu“ÏùvNGoþíÛiÔP·endstream
 endobj
 598 0 obj <<
 /Type /Page
@@ -917,12 +915,11 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 612 0 obj <<
-/Length 302       
+/Length 308       
 /Filter /FlateDecode
 >>
 stream
-xÚµ’ÁNÃ0@ïýŠWiõ;N–+CãºÞ4º±ÃZÔ¡ý=	ekCì‚zˆ-?ÙÉ«µÂði%¬'¯œ7 ¨E­v	ªM¨Ý%ú‹1 †9$ª»)’„ÈÀ4tR?hÍÈìTæăeâˆßÉdfXyð–¬*ÖJ³ƒxŸUpËкC¿%!šqš‘`¥‹æU[6UÙvÙâ°oËݾKòºÚ×M»}Ûì
-ÒŒ5†y‚K"3_äñ©Žã“Ûâd&Šk­rF‡âåOŸt6Ä/kã|ßõ7ôŸ±÷¨ûú/Ú­×íûS“êé¨R/M/íUwëuûùÒäTŒªK‹áÒ¿ÓV[†´·ÿÞé/6¯žendstream
 endobj
 611 0 obj <<
 /Type /Page
@@ -1439,23 +1436,27 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 719 0 obj <<
-/Length 2595      
+/Length 2598      
 /Filter /FlateDecode
 >>
 stream
-xÚÅZK“Ûƾï¯à-dU8Á<1ðMq$g]ÉÖÒqªd°ÈE+Üýë݃yà5×µ©JñÀÁ ÑÝÓÏoÀ«~xʼnVaÄ0_%Ç›`u€{?Ü`C³µDÛ>Õßw7{'ð*B‘ bµÛ÷xIH‰W»ôÓš"†6À!X¿ó¯·wo?n8_ÿþ¶„ë?½ýøf²õîöÃû»Í6ä[ÿÏ7?í,]xúûïßÝþðKÇaóy÷ãÍÛÓ¼¿:P¥ö×›OŸƒU
-‹üñ&@4’|õÂQDVÇÆ)âŒR;SÜÜÝüìöî¶z­…D¨ s1â3 „:saD6[ÁúMzÌ˼nNq“?ezÑ»
Æx]UE­VÚ‹ø¢Gq©ÿó²É§¸0÷ãScçÍÆË1.ãCvÌJCPí
#ýWg§§ì¤Ü‚&>Á(ÄX¬Â€ ¶œ±¡&Úö©Lh©Ô¢Ëø˜¥Ûä!K¾$U¹ËÇT ˆ‚SpT
úÇ£9TafÒÎék‹#„E€5G¼%A!‰°¡Õ|";*%ñT¦ÉXhBñhY¨%ò5C¬úÕ@è®m{’¬Û”ËŽUc®[#Á¯Ó¦K=ùÓèä,ôÄo|ù+·!`—6Òˆ¨k À	kžÃô‡‰¸(ªçZkÓX…ëä±%èPZ›þ0ÕT37º`AÕ»­Ýt ‘Vê1SX¯]0ãÀ¬ÿ”UúÈlKƒh}kh.ÕYN¹>—>³p<'âŠY"f3ã9oªscÔ(/F¯G¥c­/rs÷9/
-=JóÚ@S«»XŸÛúÒÎÀ"º‹¸6öÐCEȬ=tÞW­ñ¿›+L\Á¼@¾­ôYÌ—JGuµVrÂ@ú´Òg1_+•sæBU„}”Uí
-ÐäO‚UÂàɶöp¤IÁ-ª4aéåH#cŽW9>V§ÆWq)„g0Ñðr•ß—̇ǰD°Wû€k'Õñ¨ú¹§€KµoÃ/mŒ„2»@„ÐgO*o)`–‡
->I$:å9Hjè.”»ˆÜ€™¶©öwn¢ó./“̳AÊB 	Gˑܧґ,=‘ì¨ÚHΊ*N'Hð0På:ª©à!–„"ǘ`CɵdÕ®;œ]9!=ê2¨Ñ¬™~JÃ+fêQ-˜ÉR
ÍQ&'áãÁ-rý|òpic•{0”œM°Y66äŸòìÙ§Ë0£'ЇP蔀ç—m騦ƶ7µá$Z³ïz—‡ü)+;'ÏûÃN6äâŠ{T>¶TÚÇûSV?øœ<@‹KNž€ÓY÷üŸ½ÌwDàªEk:ª©9G^†í³º;°çì%Ò³Íàß]ù;ÆêܬŒËd¼ûÓ±@%EP…Ør,ô©æcÁQéXèšö 0‚—	®HvTSÑÃÂHbêÄs ÛeÆ"0˜VH˜tƺB {¸„ÐhmÑü«Gëû^ÂdZªÊLè]A÷xö
P64¥ŽG_ª’4€¨‡f9ÀÕ™ö^­sÕê"©ÖqÑ3q{´
-sÉC\²€5ã6'mŸTÏÔúþÞîúa®yhÏ\a6Öû3Àßi§&Zè@w¯l,OaïÆ…%{~°ú‚žÚZ˜U)Ö—EÜÞlÁ4Ì–çã½VPªžÞÚƒ¦€	ëÖ:žï³$>×&Îss?Uy:>œ,³ÌÖÈJÿgßbØûdãÃå*Í•O’^ïlò£8A=eŒ+çó‹HèÜò
-ìèS-ä—¥jl7õu`Ä |,‹uTS¹ÃäøÏ´Ýà_Õ^î”7Ùàä]A'ñI=´zwZ<"˜9Ûµv!Q;ÿà
-éSÍÏQ©5|=g§KQͧEÉ]qšˆö§ìÝ&"°]?¨²Cq¨uQCȘ†r¡Þ@a²þyrC?¨DV³qQWzê>Ó3Ðîóí¤y8ûöXäIÞ=Ÿæ:A“Æ°”v—?í¾Ò¤ôÍmøCÆdwr_"Á"K©ŠZ™¾’Qȹ-9ýWDž2À:rï¬ý<>¦÷³“E¹ÝÆd"Ø¿1HþHg¾)P;þâbàÍ\¥H‹k5‚˜v±l¾Õ‚ù,•.°ÕãÄxG<€P]”ꨦbGõ5€ Åd(÷NÉ…'©1º34AˆøEÃ
-uóìú-\é#/˜×/LáZc…Z_ã4³2ôqßùð 'Òužè‹óc7†²…˜ðûŸw,#¸mÛí!•ÃR¡\wªM‡®¶¤3Þž¾ž˜k½Z£me±rkÀårdô©æ#ÃQ©e=ÄE3‹R»È˜ˆõGÆ@®ŽJ"mJ»´R“ùŠQÖ)ìÛš-gÀ°Eî‚@Ñë PÓƒ P·\¨Š²2²t¨™… 0ï%5:f.(×Sœó.`Ò@‹¶C‹¶Ýq-Ü›‡ÌAu¡¹2µzÖêØ	Mq4Bµ0¶þou>•q1fdhÛ׬;(T;ô£ÛžJi´95
-‹ÏE#HÒ^‰ÆÕB4Zª¶³žâ$›‚‹b; 8‘ë‚Á·eb^ƒ¸¯2FåÞ(ÍîÏ¿¨Ë67æƒû‹;Ø›5\$PFxÙn=¢y³Y¢ÕFGÃíêضêp’ÓEÅ,ÍD±¡]¹zŸÉè@³»¬©¯7Ïy›:¤UÚ-†úê).Îó¶QrÅÔͼ¥
Io€
-ÀžZéhÆ2G`! ²žÌÿ•	4÷„‰ú*Ë£uàà_ýñW÷œŠ&)g`	Á˜¥”0™¾5_‰MUÿ%$Ywendstream
+xÚÅZK“Ûƾï¯à-ܪp‚ybà›âHκ*’­¥ãTÉ:`,‰(Üýë݃yà5×µ©JñÀÁ ÑÝÓÏoÀ«~xʼnVaÄ0_%‡›`µƒ{?Ü`C³±D›>Õß·7{'ð*B‘ bµ}ìñ’(¯¶é§5E݇`ýþÍ¿ÞÞ¿ýxËùúßð·!¼¿¿Ý„ÚE|Ñ£¸ÔÿyÙd»S\˜ûñ©±óæá½árˆËx—²ÒT†‘þ«³ÓSvRnAŸ`b,Va@[ÎØPmúT&´TjÑe|ÈÒM²Ï’/IU>Žåc*PDÁ)‹
+8*}ƒc†Q„‰ª°3içôµÅÂ"Œ@ÀŒš#Þ’ DØÐO·X®+ðÎAÛ¸}´ù¥¾”Mümì“–7ûºÐ,¤}eÐŒ‚ "7¤¿)²©[!ˆ%WBR$9öZ+›¶Œ|&Á™XBÚôYL}.1âQÄ;AJ©_jˆÆY•BŒd¥ê*õX´*
ŒéT²T>ÿn$ô§M£
,Dßœƒ¦ÚÂi~Ê’¦:]<~ã	ÂmL|6\}àÚIu8¨~î)àRíÛðK[Á#¡Ì.!ôÙ“¤
+˜%Ä¡‚OÉàåÛ–ÜOè@”»ÐÜž¶ñöw#n«¢s3/w“ì´ÌBÀ
+GËÑÞ§ÒÑ.=Ñî¨ÚhÏŠ*N'h03P9å:ª©à!Þ„BȘ`CɵdçöÛ]É¡Aüz¨Ñ¬™l
+(
¯˜©Gµ`&K54D¢œ„˜ÛÈ9„ôÉÃ¥gîÁYr6	gÙØ´xʳgŸ.ìŸÀ#B¡›B”/ÛÒQM9lêP ’xh;ë]ìò§¬ìœ<ïc»Ý‹+>îQ-øØRi?ž²zïsòQ.9y`gÝóö2l«­é¨¦æy¶ØêîÀž÷°ßHÏ6ƒwå﫳µ2.“ñVïOÇ•Ab˱ЧšG¥c¡kìƒÂ^f$¸"ÙQME#eˆ©SÑl—T‹À`Z!aÒUHë
+	ƒîáB£´Eó¯j­Z
+“ie¨*3¡wÝãÙ7@âД:}©lÒ¢šä{gÚ{Q´ÎU«‹¤ZÇEÏìãöøæ’}\î²À7ã:nÛ'Õ3µ¾ÿhO`®Ù·ç²0ë‰Ç3@äi‡&Zè€y¯l,OaÇ…%{Þ[}AOm-̪ëË"no¶€fËóáA+(UOoíASà…ÁwëÏYŸkç¹93ŽŸª<`–Yfkd¥ÿ³o1ì²ñt•æÊ'I¯w6ùÁ
+œ ž2Æ•óùE$tnyvô©òËRµ ·‰›zŠ:0bP>–Å:ª©ÜarÁ	h»Á¿ªýÞ)o²Á鼃N*â“zhõîDyD0sþkíB¢‰(¸FúTóÆsTj
_ÏÙéRTóÅiQrWœ&¢ýÅi {{ØÒïTÙ¡8Ôº¨!dLC¹Po©0Yÿ<¹¡HT"«Ù¸¨+=õéè	…ŠùvÒ<œ};y’7ÅEϧ¹NФ1,¥=	•iRúæ6ü!c²;]¬>TûËÀvs
+±oS ‘`‘Û@¡*³ÂWr 
+9·%§ÿÉSÆXGî=ƒµŸ‡'l4DÔí“®T¾
Cœö’W°	HjAë|s¦àÈ•ܧZrKÕýŸÇôavc²(·Û˜Lû7&ÉÿÉãÌ7ejÇ_\ì¼™«©cq­FÓ.–Í×£Z0Ÿ¥Ò¶:NŒpÄÕE©Žj*vT_RL†rï•\x’cÀ ;gS„H€_4¬P7Ϯߕ>ƒÉqýR®5V¨õÅ!N3+C	žw{=‘^ ¨óD_œiÜÊbÂÿÝÞ}4²Œà¶mC¶‡TK…rÝ©6ºØ’Îx{ú
+c®õj^´•ÅÊ­—ˑѧšG¥–µ‹f62¥v‘1ëŒ\”DÚ”vi¥&ó£¬SØ7:Î$€aŠÜ¢×A ¦A n¹ P6eedé P3A`Þ]jtÌ\P®¦8ç]À¤	€m‡m»#] x0™ÃìBsejô¬Õ±šâ`„jalýßê|*ãb ÍÈÐ0¶¯Yw˜¨>ˆèG·=•ÒhsjŸ‹F"¤!½=ª…h´Tmg=ÅI6Åv@p"ׂïÊļ*q_nŒÊ½1Pš=œ
~Q—lnÌG!w°7k¸H  Œð²ÝzDóf³D«Ž†‡ZÕ±mÕá$§‹ŠYš‰bC»rõΓÑf÷YS_ožó6uH«´[
ÿôÕS\œçm-8¢äŠ©;šyK“þÞ%€<µ ÒÑŒeŽ ÀB@d=™ÿ+hî#0õå–GëÀÒ¿ú±î[9MRÎÀ‚$01J)`2}ik¾$›ªþ
¢b
+endstream
 endobj
 718 0 obj <<
 /Type /Page
@@ -1666,13 +1667,15 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 757 0 obj <<
-/Length 1919      
+/Length 1925      
 /Filter /FlateDecode
 >>
 stream
-xÚåYKsÛ6¾ëWhr©Ô	a€àŒOiâ4Τnk:Ir %ØRC‘ŠHYQ:ùï]¼H„('žjϘKp±Ïo“1†_2f!Â4	Æq “p<_ðø¾ý:"šÇ3LžÍõËltö""ã%‘g·–,†0cd<[¼Ÿ<{ùôÍìâÝÔóC<	ÐÔ#ÕŸÛ@9”ÐM.s5Vl§DˆÑ"nM€Ûe[–ðMQ9§Øðm6%“ƒD·ðÚ´×À#YxYd`TäF4o{«Š§Ž“¿Ž“ Uœ%ã$)a“xÞpõœùŒý»RÛáÚ‡ö´SM„¤†tÍK¾U6‹S’¨Û	kQ퉷;¾]q!Q-ù¶&Jmê£v>H—`$ÍË=oÜ_ê©lïIÔvC"üÃt=ëscŒoŒ¡u™5Æx.[i0AaûTÃGGü&RT±;ñ:’­@›Ä×l}8tb­ŒÀ±-Ô±xUŽ¨`i5‰4 %U¨§´ 6ãÓ5 }ŸÚ1Æy¶ây¥åèˆÐÓ’-c$&ôYs…27ÕÛÂÈêm”QD4Z,},òìàè€$A,½[5‹¥VY[,¢å˜"?˜#¯Ã8׸vA	žÌTôd©í2í4+;uÈó[•ˆ¹AÄý*5ÙÎø¼‚f¥^ET20T6W't;uVØå­Ö˜-q’–Æ ž½ˆ›~†û‘'°xÑ´¨ ^¨5è±’p™Ï]+Q"?ô}=å§ÒÕXà´;šèçvÓ›Œ›ºyrlù|‚€sxÿbsÉÕš–Ñ	ŒZ²„í0‰»J	`Rk­¹újÛ˜Å@Q[íë¢Ð]c·ÑaÈMá[MheD%ÏÞ"ØD™Š(W'Ž|Qј™âÒ!*A4ŒK’ooH\ՈŞ,‰ô”¯EÎUÇrfª’AYžÈ Å5AÃu:ƒCZ­vÕº3h«ý/3ˆì†Ö1†EˆÄ{@*i+•'Eš°(`S•Odó£h8‘6×ñDÖ\'9¨µIdO­3‘-µOd¯__ʘòêx¬"8ø,>+‹k V†ët¬†´Z±êªuÇÊV{ñe¾Ló;í¾Ú|«ö^-]kÀÓ+}ü³6_b]â…è*j¹öÁ¹h­v/›ÍðѨÛ¤=hA	)tczb=±˜ò¢™N§e@¥••ŽNwR,ÿ¿¥$$Ї)œ¡†“gq
dÏpNßV+]µîÚjOWd"ò ,†>‚]ü ,Fß½Šü`Çpè÷¡Ì“¤Sæú¸ÅÁDî·á™æê©•©—úX!.©>'Á¸ÚÆÇú.ØþÊJr¯‡þÚ••¢¼œoW7r¯.TÝ÷\lø™\7¢ÒÊPÆ(ó”'“¶Ežël_Û(SV®åÀyçða}j·»¥Ù'›Ódç\¥ÅNúZDž3xùØxÒaˆ”8t1æK¬ªÛ»±"ÞYà®ù={BÜ}¹"×âd¼¢ˆô¬‰ ï$mczõe˜NX`Š_°3øú¼l¯=³x;¶Oe€E»LIK発¶3+]©^ÿÖ—z1Ô_„à/>óƒs=˜ˆA†ˆ=øíÜÀÆ\ëµÄ›³-^_x«MéÝÞ’oùqj—Zl{-þ™l¡!äº92¬®AJª(ˆsWh.yàÖ.@ €8;S-1æ¶ßêÍœØö)΀¨}…‹ý›ÓÒ4ËŠ½WmÓ¼¼°žCY5†Yå@©û“ ]2>àç…	‡Wâ
-§šªnFlÝ5ÂÎ;°¢‘eÏ–—Õv5¯Ô›%P\—åqÝ[>ßmKY¥ú…¾˜Õ×q„øÀ¼*»Ù²KDu:¡ñ‘:-Y‹Ò£jÔ?’©5@ÆdHÊ:ŒÚömôaÓšã†ùÊ~´>ët>P@viÔcvF…!,¦ñ€%©¼V’U‹ëÜvYÒ׶
"™U«kxzZf⪒‚éQà9kÎ;i–1æû1â;1ò€¼—YzÏO¥½<ëëpú¬PtlÁ -w]_Ø¡î®ù×ÿ kvÐAŒ(¬µî¥–âÎ…IlŒþõwÏõÒú¦ÿX&ÿendstream
+xÚåYKsÛ6¾ëWhr©Ô	a€ H0>¥‰Ó8“ºI¬ét&É–`K
E*"eEéä¿wñ"A
+’œtzª=c.ÁÅ>¿]ÞÄÃøñj€M9ná#’¦áp9ˆE,¢ÔŽäƒëÁÛF óUMõ„QŽODXâ‹K‡‘Ÿ¥âTÚKPQ¦>\^ƒãÑoê'Áú)¾Ôb]d9AâK¶\åMË%’RÎ^DÔQX¡IPš&©{UnÇ¥lTϳÚRb§©l:+3ºÌ¹¦ÊB>£Ñ˜gù­3ϬØÕóEq§ßE#Ñhcõ[!êm¹þôÞXÜ2ÝdU½(ÍÔyYÕ•&·‹¼™(f*Nœ!(e,TÎÔ%|ÇéèS¡¼jn	ý‰f"_Ü‹µ4>5ŸS×@5”Ð".=V®ÇDŠ1"nKC€ÛUW–ôMS+5§\‰u>&£B·ô:ŒŒ×À£XDUæ`TV´èz«‹§‰“¿‰“$uœ$¥â¤(i“|Þýœ–ŌûVÛãZ•‡î²Sm„”†l)*±Ö6Ë[ŠhÛHkQ㉷±^)S#‡®&–*mú£q>(—`$+ª­hÝ‘_vú©mß“hì†D„)†éfÖçÖ˜ÐC›2k	|´vÒ`ƒ¶™‰øM6ý¤©rs(âM$;¶‰oØöáЋµn0Ç!´PÇòU;J ‚•Õ$6€VT©ŸÐ’ZŒ[L7€CêƧùBµ‘c"B˜¦#[ÅHNØfÃÅTnvº·±Øém”SD94Z¬|,‹|çé€$E<–½[7‹¹QÙX,£D˜¢0Š¸'¯Çqnpí‚<šèè©RÛä&ÛY^õêP·:S‹ˆûEf³‹i
ÍJ¿Ê¨ä`¨j®^˜vê­°Ë[£<°Zá$«¬A¢°z
WûÞ<Å‹F EõB¯Aµ„Ëbê[‰C!C3å§Ê×XZàt;šìçn³›\غyrhùC‚8€óøþÅåR«5‰£S 9udIÛ?`’ô•Á¤(9®µáÚWÛÅ,:Š»j_—¥é›•	C±kßiB$:yî„P†`e+¢ZÔ‚xòECDn‹K6J¨Q–DŽ¤ÐÝøªË=Y›)_ËBèŽåÍ T%‡²<‘A‡ëH-×éÓêd°¯ÖŸAWí™Aä6´ž1«!ONÄÊá:+Ëu:VÇ´:±ê«õÇÊU{ñe:ÏŠ;ã¾Þ|ëö^Ï}kÀÓ+süs6_r]¥ì*z¹Á¹è¬v/ÛÍðÁ¨Ú¤=hAaº1=±ž8LGòb˜N§åˆJ'+=þ¤8:ÿK	#Ї)œ¡Ž'Ïá:’=Ëu:}Ç´:ùë«õ'ÐU{ºª £‘e‘…vtɃ²÷*òƒY¡?„2OÓ^™›ãx”D#µß†gVè§Q¦_šc…<¸dæœãzŸ˜s¸$`û«*È­úkSÕšš‰jº^ܨ½ºTuSÞ¹áçdtUÖŠÊjKY£ìSLº¾³}c£JX¹Tç½Ã‡ó©ÛîævŸlO“½s•Ü•#èkuÎÕc{}HG„#Q>ŒàÐÅy¨°ª?®ï†šx瀻áÜ	ûàÞ—+q-Ï@Ö+ŠÈž51ô´kÌ^}Y¦SôeI,9FŒñÞBsÙY¯zõnàŸxjËè°¹>dfÓ\ßéÙe°Ò¯›¿Š3FðŸ…ѹLå GÄüvn1eïü:âírÚoî‚Ū
+îÊ`.Öâ€8½…-W’½‘á^[v ŒòÝ”Öw$3-UV˹¯<—: @œéŽY®ßúÍç[ã®)Þ€èM‡ý›×Ò,ÏËmP¯³¢º•p^@͵†Y‘ã@eš—¤}2>`†‹Ò†IÀ+ñ…SOÕ×&®îaç=H8Ñرg-ªz½˜ÖúÍ(ê°îµ˜nÖ•*á#ú¥¾„Ô×
+ñ„øÀ‚*ûÙrKD·A©ñ‘>J9+Ö£j4<©%@ÆfHÉ’:¬ÚîUõnÕ™ã‡ùÂ
+~´<Û7èüH¹¥Ñ Œ»•†°‚ØÆ–dêÎIUE"·%¼wædÈÜ鶈leÖ:là™©¯J~¦ç­9î”YÖ˜ïÇHèÅÈò^åÙ½8•öêl_‡×g¢Cí¸ëÛÃö=òŸ.pãÈ¿þïY»½ŽDa‰õ¯ÃÇphLk”ôokÝü›mßôf-dendstream
 endobj
 756 0 obj <<
 /Type /Page
@@ -1785,19 +1788,22 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 777 0 obj <<
-/Length 2381      
+/Length 2387      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ksÛÆñ»~'_LNÍî…G=ù ËŠ£4‰][íL'Í8RpI€@Ój&ÿ={·{ @ž$»Í÷ØÛÛÛ÷.ù$‚?>Ñ1‹3‘M’L1q=Yn/¢Éö^_p‚™{ ùêåíÅ·ßÇ|’±,ñäv5À•²(Mùä¶øuª˜b3ÀMoßß¼žÍ…”*^ýpùööúLu4õ—¯þ9ãœO/¹º~…[Wo`üööýì·Û/®o{’†dóHZz>^üú[4)€ú/"&³TO0‰Ï21Ù^(-™VRú•ÍÅû‹¿÷»îh
™¦ÅI½:Ùý›¹6ÓzJûן˶3ÕÒXæ	r Šh ,ÓØÝ}³Í×eE€:Ê(T)°pwuÛñ:¡Xgš òª`â“:‘LH¦á‹\x|ÍŒ§Szä¢îîpÔ"3@9$íñ\XÕ›M}èyW7ò¢01¬Æ¯É—#T³y¢¦ÏZ¢=Ò£9‹"íÙPå[S°e]­´Ç‚‰8ö¼øw‰ùkç\	ÎÒLâȈiž9øÿ˜ûÙ<p¬žÛÿ‚áÊïI¯Fó^Ÿ,‡6ëº)»»-ÝæËù¶Ð/܉hÛšec:üæ§üÛk}õáuöæ/uË?|Œrñ¡¸üî»oðèüä64Ù?^„5
-Ÿ0N2GÒž[9©ž6šZñX°ÎÃ×ÕæÞŽ8Œh©ÝïvuÓYñÙõÅ=.¿¼ùåÃ¥þ6û8§,nÐÜY›Ê49!2õ'ÃBüz_ZšËX‡/&²á›Û\kŸ•‰iÙ
áôw—õvk*§‡ˆ.'0ý(žÔŒóT~‘âI¦"™è‚h®êj~¨›
݉„äE¾ØG«œÖ'‡ŽXtÒਵ'â/JzMW~òFi4²?2ìtH® ¡x–wcëlö=îÅ}ˆU™ï›|	§Àí&IoÍ(õ¹q‘ÂcáÕ±D{¼t„Ä$z¡“é®.++f¡Sïzc4[;ðP^àëªü/Œ¨)nÇÓ­É+‚ô…³+¿BX½[²cBh€çt0÷¨Ú6_ûåºB.%ÎNƤ[*m}Òó’X¾Ì+ÀÕåêþ$ÆØònÔë½Y=DKûåÒ˜¢}~Š0í®®Z3ùñ)=exˆGþMŒä<
-´Ö)%Lžö!Võ!¶íš=èðAv¬ÅÿhÍy°},®ê‘ïˆRKg‹£>œÉ(›¶w4-psaºƒ1NºCè´ó(DÐ)é=[Ú+‹o÷m‡ø´ÛÕºápçÑ?@RW{Rð»o«T;?P/¹Ý	˜.粌Xþ¯áÕþ&”Àp&ž=•Àp¦“ÔC‘’–§z}ó¶éí1;¿9/#Å0uO¦NžuIr&˜&Rqk#®—¿ëþø#‰÷éFëH;^üÎÄç?ï7]¹sbJ2ºR$ ¥ù=.-hkG\5è`Aáû·0-°#”·²oZÚwŒƒ/)«Ìbïmò4b\Q:QÕBÂuyYáj^ÑuÇÐî|W
->¶Û¹O|Ô &–Õ(º 8(þ3Aº	iWÆ”LåÓy¹TÂçÑÀ×Â=c‡•@;’>ÁÈó-Ç)ûqoZ┳æщE8.©£˜FwÊÍGÚîݼÛu¹}â+,µ;³,-oLAaZ²$ôXO‚ÀˆQ*6¨Ê¾ª‚!2mð Ñ¢Nœ­vìà†Q‹^~±0çôð/ˆpP6€L3ÉOÒ4—¶Ü–›¼¡Ié-ä›N1&8£2ø˜.€ªê¶RÐX=éÇFôY‹Á¦¬ðÖ{HµËºÂÅÞi»±ŽÜës¸Xçö÷ônั¶Î”?í¦ï¯q²tü^W$!™Ö€xäÆ–R‰€aG(–_õì`ò”@œ€âæ<	Ò”QË…Ò7x™·^+/!eóî
-œcSožn%تÌ2‡CåI“‡ÀÈi׎rqL°KUƒ&¯3椪|ä€óª°qyõ
-c·«Òª!éûÀ—ABÑ3Þùæ‚¥rŽp\
9œB‘Ð'«¦<‘¢}qsÂ’AúÑ'X4Ò«° ]ùBp„G¦LðL=‚g®tdËšl¬‚û]n „Q1žx·¸6a1ïI…P×sÑÒGX¨oïr7P 0›]Ú‘ùÜQ­kœ@mÁlÙK¤|Xp¶~»­rE
»fKs<‚e¬ê½+%ݸWˆä¦r†³$ãÉyÌpª=Jy‚ú=ò´•ùv烷oÅùÒ	•ŠXïVE³ƒ‹	¡Dï$#älôŒ^<žŸQ«¦OؽÅZ‚ï!
/—8ÁKOC–tÄÌÏBYó™<ä”xù1èaãÀ”"	¡BYƒîmã	qjÛ™Õ>%²(û¸
-–«x,îÍ21­÷'¹Ý!¯º13|BGXÔûî„
ÛzXïêƒiVûMà=Âji_!ëç»zS.CglýGßöÆ|Ì=OãÂK–“€ÎD§¶E›Íz‚ƒwƒžv?Àž¶	ᯫ­¾×d1T$B0uJ’Òài­F$5×{¨'9Çöp€T
-} c
-×MS7íÓ…>6 ¥¢œª¶ÓÕÃvÍz)½Ã³+^ñíø˜Ø™ë¾Ø…I(p^Vˆ¤5Påå\4
^çºà:®c7r>¿‡°Ñu˜ûÙ‘«úáH*ðm÷ŽÜ5@ùáØ‘Oû.U¢\Ýœig°þý›w?_¿{‡ʨa´ cTUí ¶Ø.±»h6é 6B‚Eöb ¤$bpÎ7àÜ·vvÉñÉtê¿9~†¼·sçÞá»-[ŸÐÎø”rZK»â=íÒ/òØ’2ñé·Ä¾ŠýBi6]vÎqÊt+û†CV{\U1"Òÿ\Ö—P¢tÐ<ëÈö)Õrôˆ‘=ôkšÔÌþ0Ϩ·«ÿû—¶ã¯‰*a2MEØΡJd*$D”}®ˆÎ(÷?É“þ'mU§endstream
+xÚ¥YësÛ6ÿî¿BÓ/‘æ"”>šéÇqS÷•œíëÌM¯(’™“H…¤¢¸þï]`IÁÜgL<‹Åîb÷·ŸðÇ'*bQ*ÒIœ†L\M–Û³`²†¹·gœhæŽhÞ§z}{öõwŸ¤,D4¹]õx%,H>¹Í›†,d3àLoo®ÞÎæBÊ0™^|þþöòº*˜:‚ó7¿Î8çÓó_..ßàÔÅ;h¿¿½™ý~ûÃÙåm'R_lH#Ïdzß~&9HÿÃYÀdš¨É:ãi*&Û³PI¦B)ÝÈæìæìŸÃÞ¬]êU˜‘ðè!ÎYª”(B¥,’BvŠ³9‚`zU®ªz[”kª·­9V*¦EÛ§SSœ]VÛ­.­"»ŒÈ4(üÏãxR1Îù,Ç“,dJ¤’¹¬Êù¡ª7´'
+’åÙb£­¬rZÕNZb|ÐZ_@ VBŒÌŸtš¶øä.¥~ð’eøé‰aº}1p/Š‹hY;¼½`ƒÍ¾ã½¸÷©*•}ãçh
+Ânw·­>—á.8,œ:’xÏ­ ™^¨xº«ŠÒ˜Y¨Ä…Þ¯­i8*gðuYü‚€bE
+nŠÓÑt«³’(ÝaaíÊW–L›jÐ9-Ì«¦ÉÖnE±.QK±½'CÑ”&¾ôùyA*_f%6`ëbu?Ê1fƒ¬Ý£4z¯VÑÐ~¹Ô:o^ŽH‘¦ÙUe£‡&?% £ôwóbˉ‘‰Ö¥˜	Á“.ņ]ŠmÚz>ü@’zñ¿}šlË«j;‚ÄÈÙ`«Kg2H§Íusœ\èö u‰öPaäZmã#|JºÈ–tÎbÚÛ}Ó"ÿͶՆv8Ü9öˆÔVNüîëÀa¢lœõ¸ÎóSn{§=W—s(#’ÿkzu‰¿öÎdÌÓ§g*N9i1öë«÷ÝÁÈoPìt碌}è$ž„NNu€$9Lzƒ9‹”J‡×Ùßäu·üàÀÜhÑ°ãÕ_~, ž~ÞoÚbgͧ´¥ˆÁK³{ZÐÔŽ´ª1À‚Ã-ö-N!,0-´,7¶¯š·Šƒ/9«L#mrœ±€.¯4­(«©ÀáÚ¬(q4+i»cj·±+[
ï„O2a‚§á#|æ¡
+LY“]p¿Ë!ø8†ŒÇ.,®=†YÄ;Ñ)Ô¾¹(é2,Ô·w™m„`0ƒ.MKn©Ö5Ö ¦`6êÆ!r>,87ÝT–yH:fÌ”æ¸Ë,;T{[JÚq.×ÉuîÕgqÊãÓœa]{y¼þ=ˆ´¥KÙvç’·{Šs¥:©ÞŽxŠfw›|@o£†L{˜í‘7£Wã3zªé»»±Fà{€áÅ;¸é8ÕaIG@|æCÍ'Að=RâeǤ‡¦ ˆ$Dè»Ð©¹ÐÝÝxœʼÌ*‰Ë.¯ÂMŒÂhhîÏR1­ö#lwÈÊv¨èè‹jߎ԰­úõð®:èzµßxÎ#Œ—vŪ~¾«6ÅÒWqF&~tÏýœØsô0.!½¤)	HéLÄQbž¨q²^O°qÝ{Óîèçýø¦-Fóµõ¯ñ÷Š.E‰,‹*ˆ4±
+"<®wTOrÊíá t"Ôi‚Œ(A^ÖuU7Oú¬xL˜ª2‰ëa³ÑG.àÁHçøÐîAèáëwï=
”N8ažYª¡ÊË6ØÑ5ng_ÁEšàSG|ï߇¸5¸a?±Ž|\iÞë|¥>A@X>ßå¡KågÚêY¤–Œ÷îúçËëkì´g~Ù°eô;ù	¤ÁAoA]¸'Ëv_ÃQˆwƒï*fï×Q€¬î ±‡\Õ"¢
Zç9Ÿ{·³_[IÂEH¡¦î›õE##Á°µ4|·E3B¾FpWNpÕ¼é‚@:|¡›_´6¼Š>¢vÏF–Yåx•yOBJ²žrÕS§xßm;àµüRffýæ&3?”y.qÐݾÿû÷¸ãoŽaÌd’4€Z’…	0!¡ÌÑEp"¹ûáîTô¿„“_endstream
 endobj
 776 0 obj <<
 /Type /Page
@@ -1846,22 +1852,16 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 787 0 obj <<
-/Length 3093      
+/Length 3102      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZKsÜ6¾ëWèfªÊC“ÁGùdKr¬l­ãgwk+É3ƒÑpÍ!™!G²òë·_àKt”ª-4@£Ñ=
-/ø/3í*/Ó<öuêËíñ"¸¼‡±.BáY9¦Õ˜ëýúâ͇$¼Ìý<‰’Ëõ~´VæY^®w¿x×ß}^ßþ|µŠtàÅþÕJ'÷îæ_Wazï>]ßÞðÐõOÐþ¼þ½(Or`Õ¼þÛí®~[ÿxq»îE‹
-åùýâ—ß‚ËHÿãEà«<Ó—Ð	ü0Ï£ËãE¬•¯c¥¥¼ørñ~ÁÑ(M]RƒV™¯³(]ÐC¬–ô s?Q‘"=Üí¯V*Ê<ßõ—»°•zæÑœ®Â̳<ÐÚÓƒ=q›é[[<Øv4;õŽ¶mͽ›QÜWvÇíÍ“ðUü=W_«ú±âY_íiý5tãÌë–é¼MÛÔU+K>e)Z·lÚX…¡ŸkÑÑ‹î\*”%¡!ÇSg¿u¶Ú‘|@·'Ú¬>qw[ï,³µ¶“%jþ¾wƒ÷ŽòúL!
Â×ð·E8Ñ t{
B{¦A˜fx`Ð t†˜¥óáÉMwî÷8¨AyƒÔÛÕ´2ЪZH¦,v¦³¨ç(¥ÏôSDÏ0¶J¯g¢Š`´¡,"ÇÒH³@kE³0€šŠý’ôkÔ3¬ès‡T'¤$èÊ^Ыº½Š¡=Sñ0{P1tä$¸3uÅQ†ês×;×Ùó—Ï‹ìeY?Ò!aÒÉT÷¤VȱpYS%GJ‹’#•’‘âTÌ£(ŽÒ–Hâc#iP1ÒG*Æ.«ÙÈx‘„JÅ/(u}÷÷Û×Äã«UCº 	CP~ú*‰˜Ä5ÝQî+çÀLž ŠÑd£HÁ¹¶Sí‘©{2 ›sWMWl
+ÆîmeO@ªî……ÉíAÜhÇäÖn¹ßñøÆvÖV<Ø=ÖL=Ôm×¢‡XÖ9"I6tp5¸CS’zWî$-ÿ
-sŽp-6Ð¥b¼ÔçÊÒ±ŸeI(jøŽ®TàkÄÂ$Vl»-ö˜ˆb²?2UZQ"JÑòWtÅ>®8‚ٴ즈ÀºÞß}ºa†âØ”öh«Næ×U)›Õ•Š€K¬=u#g¾yî‘.0ž„‘‹°wSìQ©ä«¶,ä<À΢˜ÔÐî-zŠÎ¼÷5Åà «bžáj€ÎíßÏEýÈB¶Ž³Ìƒìm˜°,2ÈU,G½mM_Š68[¦ìõùž"†Ìâ
-ò#w–¦Á×RÙÀ4–‡9ÌeO3¯‘€wÂÓŠŠþ€‹iBŸsÓš#÷ÌæT˜úq®Ò?7:0k^™0ñÆ5F2Þé’E8·"Ü·`ñsPÚÔ+$^QSjÈQîYÈöÄí
ù¶ƒnH©e¨ì ?£¢3Ò˜¨æ\v2gÉߢXûi…/žⲞ§œCK>-Ù,´ä.M@‹sHDUÉqébRJI5ì<™š›Ó‡jI¡š1™¿p>€ËAœÄ//	3wÿ,%¬iÊVRÉ_‘w”,v¶´ŒNý^"®hZ…|FxÅŠúÜR(Zž|ÖH)?IÀtVaîÄg,Ûtø‘ÖÉ‹q4
t¼dÒJç&ñ[]!aR³5ª„ñ,t·eAÞ‡mŠ ðíQšc'Zµ£¬4š;xÈ\üÜ%þ’üJ˜~?Û“ì…>QTÛò,;	±{¢†·T’ä3„ÓÈñ›sŠ!¯EÏâáVøþLyä­Æ5LÝÙA`þCvÈѵ{ a°f‰iÏ£hô•mAœV`è$Ìá¾­«Î`äcñ!Èø°ßwƒÚ¢ÎgQ:ÈOBcd†”¹Þp²¢xM{ïöE±_}8 å’†½0''1˜Ø˜€™¢1”b‘•ŽÙJÒ	P‹
- Ÿºê1‰þì¡9mz:•dDF‹ù,pa¿÷×·ø~R§ýf¶7§ŸVoÀ²¥SS¾ÎÜanÕYèF¿hÔa âÊõ©÷ïƒ4pnÞ
‡É¦‰[,ÂDž3â’úsñâÈÑ1^/Ó™‰÷A{ò=ä~€æ€-= $;+ØÉd\8ÀxØÇDýQfAÆB–ÝÁâÁÊlŠ7@$«"=¤Ê"MÕ06µ?‡ùJ`~"0œs4ƒûŒ£Ty9~"ÞXð:PÛsÓÔ'2w¼ùôåËí5Lö!J¯Ð,± 3öI} e&#Kæg4‚ïÏ®™#Ò
-+]*Íö‚T×.á½æ¼)‹íp÷ã_ðC|˜€µv¼xÄ%nÜëo[ñ ÂðÅ^UJv”ÆžÐÏ]>¥h÷ÜÃkŽnuSUg0m·ÌFhiáÁ‡Ò¾uY·x(JÛã‰>õ»„ïÜþõÉåüªp´é!A]¹,?¨…Èé÷¢Pîf£—Všñj<¿‡IÅ ê8Àˆ9WAv¯LwÓg½{© ‘s=5]
ÕŠ­Ôw†(Á!mTêe¥jƒ¹PÒqÄTH§©á©¾)­«Gqa˜0.Kõ‹}±Ûó©è¤ð„º`Á)R<2xIŽûîUîÃóÝ=D§°¬ý&	8V±f‘šUlÕÂIèÑGÑÝ°š¹@¢44\”ÁÖΦ Š6h…v{*6¶½$K3p²ßòCfjÜ}â™Ù> ÛE{½«øM-‘€mÀ…H$sYç†	†»n#æÙŽjÛš6J×ã3.ËJ6
-W§â-Ò:ÛéÌìÀT~›#q#ëík.î"´JSWâ†|±nçVíëâ®æE¥nñ½q>™
-ÍOGä-*ÇXÈ”¦”ã÷§ÓUì·¦¤ÏK%ýRÇzÌx×}uΉÏ:i&·–bq{)@»ªªRý¯4ÕîÄMÒq©.ðã$w¯ÇÕaÁCœƒ¾È+Ö
Û$¶!sA-âgazXfBYÐÍEl¨ÄnNMÐ#’ÐÀü©î¬³Óøˆ³&¢Ü4gÅ%ÞµŸ„A~ºX%‘Gñ¬ÁH5p)ÎE„}K6I%Ž Ää”ÜU_íSÞc}úÊÏSèìD”mWŸ†ßÊÂdØËÙÕh…Þê™hc…ÕiÔ6 O?ð¿qsdQŠrË‚É»ò<Á³c1„Ãì$õ‘æÌ?PpŽ°Ðw¢Æ¸Š¬W5Óº/¶Èo%H:ÏÕtÿ“‰v?™à¼¼ìÀJ ÉÕ§–9¨˜3/!ØæP”;fûƒÊ¸4Sd!Ä},U$Ïš\à‚×1<™	Õ
->Hiœ‰ˆÐÁ4YM¢U.Ñ
-(®°ãîF&±äÓã¹­˜…~) ¹?ä²çžß˜þŠåuÙã2‡»àse,É9¹Ì"¶úÀEõÈ«¹œ©b÷3iËtþ50-Œ,¸ÓÉmâÐEK ¸,‘Ì|âaQ»Â)¶7 dËMÔ°ûûðè@w½?/̸ÿ=å™ì÷jñ§#g/#¨ïphïK<{—E)S>³©züê~?ZÌ_Œmøjð$üÒXú—…¿I¨¥0úHýÿ;Ãð/qê«,‹–ÿSò”ŸEyê„BuFá\òþÿž‹þ?‚‹ûƒendstream
+xÚ¥ZKsÛ8¾ûWøº*bH‚à£rJlg’ÙÚLv¢Ý­­É(	²°¡HF¤ìx~ýö|™OÕ–
 ÑèLJ–ÃËþÂËLûÊãË4}„úr{¼.ï`짋PxVŽi5æz»¾xõ.	/s?O¢är½­•ùA–…—ëÝoÞõû7ŸÖ·¿^­"x±µÒIཹù×U†Þ›×·7 ›mVŸ¸»­w†ÙZÓÉ5ß¾¹Á{Gy}¦á[ð·E8Ñ t{
B{¦A˜VðÀ Aè(–·'/ºs¿GÀA”7H½]M+­ª…t_”vWtõ¢”à‰žaŠèÆ6BéõLTŒ6”EäØ@iècÍ hP³“C±_’žcz†}îŠã„”]ÙZcC·W1´g*f*†Žœ—b¦Îe¨>w­Ý¹Îž¿|^d/Ëú	“NEuGj…—5Ur¤´(9R	))NÅ<Š‚á(m‰$>6’#}¤b첊‘ŒI¨Tü‚R×þ~û’‡‹JÜᑶrF½=táhÅî¿ç¶#i²Èkq¯L‰)"…—‡ÆL@Ùb@@îÚóv÷³?—å#SàBí— ˆÌŒ!ÃùPñ@Q=ò\¼ÙgX·5-3‡íåâ_´#iDY°Šm—Ì‘Uy€Tß¿¬¯ÒØ{óÏõ{&|	t@.†â»UÝ‚›í`$ôqQˆÃÑeû`*bØ#N|•ª˜ö€˜}µ
+ƒ`H)4aÜÀ¯B_%ó¸Æá=Ê}¥ã¸‘Éâ)£Í:Šœ}{(*Û™º'c:\˜cw¦2' UwÂÂäö ®¶crk¶Üïx|cºc*ìj¦ê¶kÑ‹¾㜕$:¸ÜsQÒ¬ÜI&7ñæá¶Zl ÛÅxñO•¥c?Ë’PÔð]©À×:ˆ…I¢&¬Ø6fk÷˜¬b²?0Uœ^Q¦"Šmù+ºâ8 8ʹhÙ•)€¾ýðñ†ì±)Í,Dæ×U)›Õ•ŠÀM¬=u5gâyî‘.0æ„‘‹Âwc÷¨Tò—Õ{S–Gr0`gÑL|h	w½IgÞÛšâpÐU1Ïp5@çö·³í¯YÈpVq/{LXä*–#㶦/E¤Œœª(»C}¾£(ˆaÕ^AåÎÒ2xø²/ª%¹q˜Ca&17ó	Jp'<ÍV{vˆÝzœr-ù,´d³Ð’»T-Îx T%Ç¥‹Ø)a$ÕÂódjnNc°%ÍjÆmþÂùRq?{¼$ÌÜý³”˜ÊVÒÉ_‘w”Pv¦4ŒNý^"®hZV¾‡BxÅïm}n)”­O>k$Œ”Ÿ$`:«0÷áÀY¶é(ð#­“gãhèxɤ•Î9Lâ·²•0©ÙU˜ºÛÒ’÷a›"(|{$ç؉Ví(+æ2?w	‚¿$¿¦ogs’½Ð'lµ-ϲ#o°'jxo%I>CA¿9áQ10§òZô,oÁ’)¼Õņ©;; ÌaÈ9¡v¦ ,žÂL  1íy̓¾ 2#­,ÀðJ˜æ}[W]‘Å[„ ãÃþØ
Bh‹:ŸDé Ì	(ŽÑRæzÃQÈVˆàÅí½ÙwÅ|Rà€–KböBÀ¥œÄ`bSœÌئ ‹¬œ pÌT’N€j+€@|êªÇ$ú“Çæ´xèéh+ɈŒ(óYàÂ~ﯯñ¥Nó½ØvÜœ~Z½Ë–NMù:sψ¹Ug9 ý¬Q‡vLˆ(ק޿FÐÀ¹ex7&›&n±tyÌ@ˆKêOÅ‹#?DÇxN¼Lgj$ÞKöÉøš¶ô€Lì¬`'qáã!`_õG™­,»ƒGƽ‘Ùo€HVEzH•D:šªaljó•ÀüD`þ8ç.(h÷=F©òrüD¼±àu ¶ç¦©Odî0xóñóçÛk™ìC”^ª-X¢%3öI
¡e¦B–"0ÌO/ hß_ß]3G¤VÃTš-ì©®]Â{ÍySÚí+p÷ûÂ%>¾à!-†“—¸Äbn+C¾Ø«JÉŽ2Иú¹Ë§tíž„˜`‹£[½¨*Š3˜¶[f#´´ð(Di_»¬kïmiz<ѧ~—ðï@ãÛ¿>¹œ_YGÛ=$¨+—åµp£9ý^ÊÝlTâÒJ3^ç÷0©*ÄCí1ÇãJÉénúôw/¤1rŽGsYn?©&Ä"ýh#©ù‘´•H÷–y®|€«?«,¾Ç1¾žéÉåEFt¥Áð*ï:slfù²L¤yåîÆUÉ®‚‹~·0S:JJç‹÷º$mḮçõ'™Ã6lŠc;µâþ âêÏS'ør1³ÚŠ&è†Õ4È¥¡á¢t¶vp6™P´A+´Û“ݘvfô’,‹“ý–2SãîÏÌ&ðÝ.Ú뇊ßÔ	Ø\¬D2—Þpn˜Pp×mÄ<ÛQý[ÓfCy{®b¾7% }^*é—:Öc&À»…í€sâ3…NšÉ­¥X_
+ЮòªTÿKN@µ;q“t\ªü8ÉÝëquXð§Ä ¯òŠuÃ6‰mÈÁ\P‹øY…Ö™PZº¹ˆ
•Ø‹dSôˆ$40¬;ãl¦èÆ?ŽDƒYQîš³âïÚOB€ ?o¬’È£xV„`¤¸‚ç"¾%›¤GPbrJö)ï¡>}åç)tv"ʶ«OÃïia2ìåìj´BouŠL´1ÂêŒ4ê
Чøß¹9²(E¹eÁä]	ŸàÙ±Âav’z†Hsæ1¸GXèQc\EÖ‰«šiÝ[ä÷?6çjHºÿYE»ŸUpÞ^v`%äêS˃ÔFLM1/!Øæ`˳ýAe\š)²â>ÚEɳ&8¤àµ;Åã` iO`fÂÅ_´ÂRg""t0MV“h•K´Š+츻‘Ilùôxn+f¡_
+HDî¹ì©ç7EÅr€ºìq™Ã]ð¹2–ä€\Å"¶zÇEõÈ«¹œ©b÷SjËtþÅ0-Œ,¸ÓÉmâÐEK ¸,‘Ì|äaQ»Â)¶7 dÃMÔ°ûûðè@w½;/̸ÿÍå™ì÷bñç%g/#¨ïphïK<{—E)S¾bSß÷øÕ%ü~ÔÎ_Œmøjð$üÒXú·…¿I¨¥BúHýÿËÃðoqê«,‹–ÿ›ò”ŸEyê„BuFá\òþ#žŠþ?}­Sendstream
 endobj
 786 0 obj <<
 /Type /Page
@@ -1874,7 +1874,7 @@ endobj
 /D [786 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 190 0 obj <<
-/D [786 0 R /XYZ 85.0394 667.1054 null]
+/D [786 0 R /XYZ 85.0394 665.1229 null]
 >> endobj
 789 0 obj <<
 /D [786 0 R /XYZ 85.0394 629.6667 null]
@@ -2047,20 +2047,16 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 819 0 obj <<
-/Length 1967      
+/Length 1954      
 /Filter /FlateDecode
 >>
 stream
-xÚXO“Û¶¿çSø¨‰‰ÔßÓ›äm_'6“i·§¦Z’לȢkJq÷Û @YòÊÍÏX€$þ*ÙÄðK6e&bU¥›¢JE'Ù¦>¾‰7Ï0ö㛄eÒL‰,U
-^VF·™*EVÊb³ùðôæÝÿR¹‘±Ès™mžöÓ\yQŠJ¥Õæ©ù#úïAŸ†öü°•Ye>ýDj©(Ê"Aµ¦ÈDQÅ¥Wx:´$üáã§G¢*zülžÃ¥ÅbüÚ:Û}ãÁj’
-•æ’­æJyLËÈDò°Mâ8¾Ú¿oŽ‡wg}~aÛjS‰*—9›–¥È‹JÑ‚ª8:ëÆÆöºë^`¢*ôéÔ™Z#Óç ¿µHÑ®m{âu¦ÿÚ6D_Ìp qM7Œ;¢ÎIMË#EZž—z`•¶oÜ\§ÏÎмyôøé7RøklϦu¸9ÜN’ˆ*ˤßÎ`iÿš­uGd­ëƒéŸé¥×Gö£kϸª"Äd¯€€ŒA{?ËA°("Ó~M¶k˜ÛóúöBDm§®ýÛ/“°%jðbrˆN%Þ‰,‚=÷8e¹±>Иæ9ö¶ëì…V¯ïy9õA›žEtßñøéý/?¬¹…½iý³ÁÉTœ³úÝÇnÐ}kG4Yeà8ûu<m÷ô_¤D±b܃¬¦áºÖ‰‡mšæ˜¬®åa¤—½±
{¦§9ž¬sf×±”÷ ,Πk·k»:¶='¿éa®	ÍQö¹ˆÔ"ïF½wC«tSžòQVi‚G¶o¦ÁD@Împ‘‡™eê »Q©‰¬º3°1’š‡íqgz}5ˆq˜ÆÁ’yH¢ Ö±ê¬püTª®Çu|0‘«é±<­Èit{¤EÈyÊñ2ûžW¯"T”ø‹«è`ݹ‘•eÈ
äÂFchÌɸ¦ÅVÚŠO	Ìá8úýñóv§]ë“©
-Ëlm;_ÂÁ±/R¦Ý6Qÿf·À™›@R&ÂqãèÙ7˜¾h|OZG#ŸAKeË`£_­êû±ã„õX‡Ä|5âN©Hc!sUr©\*~
Q™Œe‘x¤¸þ?5BF¬£ãµN‹în+ÑÒ¥t<¡ˆîuݾ½Ñu/pÐŽDG7À”º}mµ™/_Ζ¯ò\djgì—ß]έkV¶©bQ•*c1B‚­ª
-hÒ4 ¹õ»Ê£¦Ýk€J܇*oª$Žsê"I+WÙƒÔm=DÎt ñåb|€æQm‰i>×…
-èGB'¯óå§Ñ¬µ§íÚ	Úéú+ÖÒjŽÛÄøC“$Ã/—„ض§çÉž¢*™Ì}EMɪ±Z³ÚŽ%,lùlš¦
ü—µøÅ…¥oé(~\¤_G0M„,Ò<š¾å‰
çEVÌí*!3ˆ,I¿k‡úÝÙ‡!„¾LD™Hµ<µí÷+SK%ª$N§äŠWq{E+@¦¬¦x5øcËõíKËP„‡ «{wñ‰1œ}ä9ßÐÔÅC“×¼VÙbfo^š‰µ§¢›{D^ñTCO+epìÞZvQ*+‘«µkD9@¾â¨Le*8ê?©ƒ$³M {ÚÄüøcÇæ%-':êÌ	$¯BÑt~éa‹JOËËkÀ€†®“¬õöÃȲ} °3rD–‚@í·DíÆáŽÌ~Æi‡(À‚GÍÂ✠s&ÒYÒ¡ÎÔ'¥ÝZü ;ó,[¤z ,"ˆiàÖ’¼eY eôþôñ7¦À,çE|åÜק;Y'ßg)Ê"à“TT€ñ‰ùÜ&\ZbºxLþ–b†j÷‘b$ñt¸wÄ|âØìa‘àN:lhêÞY" çÍ×úî	é«bQÏéž5Ç™®BýâôÜ	€Ü²ئY}hkMé‚}ò@
-}Û6nŽŵ ‚˜å	Zí3(¾¿”“
àÁ5Ï=5WÞÜÝ»Å_£	Y­xÛ]•øæߦ7Gß*ìl{¾çñìK'v„°™ßûŽšJ¿Jx›
CG]ŒÃ6Ba[1ô¸†zÔtªq¤ˆóx=Ûdm­u¸©“uîŸ,ª„c·(>ª”wŠO.Ê*W+ÅçN©*H¨©¶i¶
àwáëì
-‘&)¡Ÿ™¥tç,Qµ>i¥‚âF7`6–l Éc¥¼½ÂøœN*	eà6©õ8ØÞá®è1±g¶}»âîÔÖãÙ67×­ò_pBÆ"+“ô»8‘"ò78¡ cõˆŠ{(lCT•¬åŒÒ'¯±À¤T"U2¦Fs/v9€lÉ‚nxñþ³7‰OLät˜Ò©,ÖS'N+.À9ßEódæ«»kƒÎ^í0‚eúZÄYEï‰É_Il>à=׿R­	ò,²Ð³ÈyíYõ@„òþº„„£M¯Ë¹zÕíã
-5ßk·¼å§Û‡ûÉtçVÓ
-Û€Jfó´Z+|œí"™BwÓÅ׆×A4(òé|ÿkvd•(Š¬œß;Þüð4}³_"U&ð»æÚWÍ ²½ÊÐ'Íåõ p;ÂÉdv;Ûôôõtÿˆ=µendstream
+xÚX[ܶ~ϯ˜G/QlI¾=I·=ÈAíöé¤[³#Ä—éÈÎtÿý!EÚkÏzÓ`€1MQER)'»~É®HE¬J½ËK-Ò8IwUû&Þ=ÂØÞ$,£S%R­¼lŒîSUˆ´ùn¿TòááÍ»ŸµÜÉXd™LwÇy­,/D©t¹{¨ÿýx2çÁ^îö2£ôÿÒ4-ò"OpZK¤"/ã"Lx8YþðñÓ=Q%=~q§ájñŸ¿[ß7_Aù¤5ÑBéL²ÖL‰<‹ÉŒT$wû$Žãgý¯«ãáÃÅ\žX·Ú•¢Ìdƪe!²¼Tdð]GS»Áõiš'X¨Ì"s>7®2ÈôÄ9™¯©<:XÛ¯qÝ[}uÉÆ
1ü0ˆºÜ%E4›Gɼ ?œÌÀSlWûåœj¼xGëfÑý§?hÂߣ½8ëqs¸$ešÊ°¡§ýz4}e"+S\÷H/iÙÞ^Ъ\GbÖ—C@Æ ¾¿}Í@0Ï#×
Á¦¾+X;ð:{%¢êÛscÿqÃÓ,Ü5„€1;aD§ïLAŸœBG~¬N4fxcß4ý•,‡×÷lNu2®cÓÕDÜzÿëO[naoöáYãb*Îxúݵc3˜Îö#ª,Sp\ÿe<Ýé	¾ÐDñÄtr²êšwè­w{­3LVoy˜éåDo¬£¿ÐÓµçÞ{whX*xŒsèÚýÖ®ZÛqò»nöá9¡9Ê!‘Zåâ«Qïü`MnÊ4e¥<Êøà°}u5&rnƒ‹<Ì,WM¸¥å”‘Ȫàñч#ix¸o®3Ï
+1ó8hrwI´ä‘›ÎšŽŸÒêùøáœLäz¬O+rjc[2B.Sv/¢±ëØz‘ ¢Ä_íXE§ÞiQL¹\Øh;vˆ6̘}6­¶’ÐVBJ`ÇÑŸ÷¿íÆÛLådÞÐW}ƒáKØû,¥n–°‰óovœ¥
+œB“	¤pÜyzÖή«?Ò¬–Æȧ@©¬tt› 5úql8aÖ!±´F¼R*t,d¦
+.’KÅïSTc]$î)®ßS#dÄÀ:z¶u6º¹­Dk—Òñ„"z4•}{3×?ÁAk‰nG?+À”º}©µ^š/æ«,©„Úó›ëÅúzc›*e¡R#$Ø«2‡6Aë	È­ð°€j{4•°-ó›*‰ãSêI ”ä ýœt¥¼Mº 3Hx¹:L¤Zó…•@ž/çB	ô¯ e¹`ês ~>˜êH©|‰ØÈ(¢Ï1´G21üxIH.hxžûË@‚¥Lðç’Ú‘
ePŸLG–èa¯W×–Õž¶"§µ(Ë$™#Çåùeì´YªfA×Y^ØqF¤ù*#Dœ$’¥ßÙ¡zGÑÖRžTß”ËQõÝqcéú½Té9möiOžÐÏ`©ÔHà!¶À
+ÁÆç8–$Ô•À4¿†ŒXò ŠBÈ9ÓP@Ó•@	çúºš²*Ê4vì/´ói«#@o¸â-ãXñŽ}/ì?
\Ônx¨(¡­V9ËÿÀ(š2."ñl}`ÏÝÁòÄc“æ{>ó܃àœeÆ!#¬R(Z.ì1^‘éuq§:+æH!
&iël‘Õw…Í'Ò±ü0) ~KÔa^‘9ŽÃ8ïX°5¼*®	s.DúžæP³‰j
2~#Fs&gŽc¨ýFìd)Š"Ÿ°“ûÓÇ?˜µ”“àç¾<Ö	ÜÁò8ùW<–¢È³	§ð$%Õ\|b"wƒ›î)1Ý5ææ~O1CuøH1„zºjÄ|ÔXíS‘Ã8NsXѲФ‰€67Ûjµç:Uæ«N-íÅpœéöÓM”%‚Š?È­‹ÿ^§IôÁV†Ò[ã&tÖÖž•ôôœk(ˆõ¼€5!ƒ€Âà‡K@1ëp¬zZ÷ØQ?Ô½zø{tϨ€•„~ß[×¹6t~
+›Ùïq¼„j‰ 	›ù³k¸`ĉ ³fe訫óØ9(ì$âhñvSÄq"Îã
´i³¶­ná¦HÔy­ê¤™PEšßTB¾ZuŠ2SËùíÊR–P:ã	†uø]ùÆ»ÂÖ#Ñ„6ae–2ÌÙ„[”*øÒ̺§Æ¤˜ú„BÞÞZ2K)ry›Ôfú®oáz0qdî;»âþl+‡ñ´õÍ
«øNÈX¤E¢ÿ'4"O~ƒÔ/qÅÞ*ôe²•_¡Õ¯aÆF“B	­ä\˜õ«]€lÁ‚~xj¸»I|b"§±ÜDn¦N%7Îõwt,ÉÂW¯ÚÍü\ŽÁ¢œZYÄYFï‰ÉF&ؼëmx¥ZäYd¡g‘óÒ³8€åÃ
		O†^×׆òEƒ¾ÊîyëÛßMW’ùš3l¦¶:¥L—iµUør8Ûy2‡®£«/ƒhgóùþfv¤¥Èó´X^5Þüô0¦œ>>ªTà§Ì­™“ÈþY†¾b®o49€Û“"\L¦·«ÍßD_.÷âG²endstream
 endobj
 818 0 obj <<
 /Type /Page
@@ -2221,25 +2217,22 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 846 0 obj <<
-/Length 2605      
+/Length 2608      
 /Filter /FlateDecode
 >>
 stream
-xÚ­YK“Û6¾Ï¯P*‡ÕxF Ersr&3ɤ²“][®Ýª$J‚$–)R)Ëú÷Û/ð!ql§âÒ
 ÑhôãCƒR#~j‡žo’`%ú*-¶Wþh
s?^)á™8¦I—ëûÙÕÝãT/™êéh¶êÈŠ=?ŽÕh¶üm|ÿÓëÏÞ\Otè§Þõ$œúãà‘„›û_ŸŸ~|÷æõuŒgO¿>óð›‡Ç‡7Ï÷ÐÑ°^‰„<>ýòÀÔÃ/ÿzxž½½þcöóÕì9L÷ÀÊ7x’?¯~ûÃ-áÜ?_ùžIâpt„Žï©$Ñ£íU/Œq#ùÕÛ«ÿ4;³´tÈ€¡‰½0ÖÑ€3dÁ0ñ¦F²à7¶¸ž˜ *»d*­¤•™t±°ŽÁÉeQï¯U<.sžÌ³ª¾,•òHQ“®ÓÚÉÛ¦õb#¢ò¼Ã»-Eæl#Ry
-¶"%Àºca=5ž& i„ge­NÂÜuG8õ‚ Š„ùv@ÜÔóý†¥ýy°ûAa¡g`ígdM{²ê}ZT+0Ð¥¸)„oO?!o„
-Î
-¾Hòa·ï
É5 f¢œàôKÉ
-H¢“yæyºx¿)ó!iAäÅadÚCü	ˆÇå’½O~…H@bØVÌVo2Œ› 
-Ço³íµgyºÏO×J©1‡J0ŽÚeÀa‹IYðH¹«3G3§ÃC„Ât¢Œ,ˆ#g(F.’ˆPRÙýðÑuÉ-Ä”;¡ÑõûÔÁ‰¡8ÉÀJD8¹Ût±É
-ûYб…“qÜdh
$—ç‹¥zñì^“z±g4T‹!:‰C:f5®O¦²†êrWæåúÄ=Î"´¯OY¬=ä@&§¬}}ؤÜ,A«´XX–0O
JÑ)«eÁ®¬2ö•L ;:2ìhBµßýÐo†yY¡·n]X3!Εg< ä^¢«zs¡Å¢e¦jSîë‹ÚÃv7›Ûúh	Æ¡“ÕÜ2¢F,rà¤wp8¼ôÌ4¿»L;È‹g 9¶‘š[nÓªÊÖ…ce7ÓšÙö°åNÇ;Ð[ñͱ=[!)ºŠ*ßÂáà[G>—T,;ÚÝö×Í®(êC€Žbw˜ZÛZx¸é¨Š|’0AÛB»:ìI!š¯7x;ÒrJA úÑCÈms»µ:YÇ»\4!íÆ$pÀa­hÈE8˜Žß[FŸ‰ä"\Ð.‹aàwß×ûªž8×Â\Zíì¢îð;Ä£É|]î!™·¨¼©(ÀqÑÀq§B--nPÆàj­óÊÖ}R6'¶Ò`&{95Ñ|bÖ˜’ä£EbÈÌr+ós»*›°‰ƒváœÃ/]Ò®°¦ã–ĬSj—9‡p‘°ü¸±¢0tlÖÒ Ðx3“ð:QzüX:îév—ÛÁXåÓž_‚À T,W›ò´gîtð–*Éø(HtÌ£ž2ß
\Pë™(qã‡6ÍìéÖè8E`¢ÉŽ imá$&ˆ$6NÎ]háL#µ	îÊ-‘G‚z’Dž†
- çÚ¼,ßv	f¼"›© £+ÓÕ¨œ3•ilÂÃLïRœßUY±*Ñ”]:Ä2ß0wkJŠñFö¥a#¨9Ô4”åë)ÖQEI‚`¼ã@›ƒF<5?ñÄ&ý€jµÀó‘Y4”î:ð“¾aæy¹xïr~~:»	2W
-Ì®h „Ú@BHÞìw6%Õ>H®æzÃJÖ¯±[£Ë
-£Ö€éŒ
-H3|,éë‰ò}x.•[I^óöTÔéÇËz¡M9ÍÏ5¤lF „%ŒU,Žèæñ4…	UãÌ-Ãtï"ëngÓ=˃Ð;ößì)¤æk¬véBÈmzê‰@£ŒÊÅUˆroε/0*Ö‡½óM¢)Nr‹¨¯ŠÙ5Œ”²7È™®eL¢g½OádûŠ%á‚\¸ßgŲ¢òIaDœd÷Tv¤KŽ˜µeÒ÷·ÒÞÜ¿‚¦jcóüng÷#p¶
-^ñø°¨+o »0H’8iƒÄS&ÝÈ£—#ãŽT	½$ŠðuáE	iâM8/t&fD¯©Ï%¶)7줚 ¢YÇ]p{Ï‚4¡ØS”éŒßIÚú‰§Uöoà»;–û·õº¹ºà¿ý:Òq²úÝóÓÿ˜"Ÿ;yX¨ A!ð…îv¨ðWY‹P\÷ñ®J×öóqߤ6?Iÿ\nËû§“ÛŒciݼoj+Yý¢€ÌéÆMûíè2aÐåñ€Sî'U}Êí%(µµ?â
=‹äÓ„€ÑQ¾F,6é>]Ô”ò8q÷ŠÇñRåiå¾T 8¬Û¢¨Î6ËDwWwIùã:o*wƒO8·wÊÍÞLòø™EsÈ–ÃÓX.ɳ·7Œ8{{Èël—7¯_(j?íyÝó¼6Çü¤6‚ÈøñÉV\!ßH…£M…½P®xºæðÎãšA>L¡ÜFè‡4Ï–N¾+ûj€.Y“­~C~†r_øñÞ­5äÙÀWwÿ†ñ~§í	•8…D¿vÀNä
èR`USqJ˜v!±Ù­'s¢"/1:îÐW¹¤
-È‹r¿§'
Ã…½Ý5n1j(^:ºñ/§Ñ_¹½Œò½Ø@1ü«áƒÛ¼,ÖXQvozþ^h£}ãix|¹6gWÔᑧ‚Xƒ–¾§c°?åÚÍM“mAÒÍ6èI )¸‡,ˆ³´¨ƒ³ØÇÛÛ.Î’8‘ÜåÛ‹6…œ*Nly¶u|T²ugv›S5,&)½˜¦„2ˆÈ&ÆùăE&hÄ1QbÉÝtÁE#?Ô¦ìÂnÜߣ§ä4`\…1x˜oY‘—ëvM‹»Ð!ˆÕÀ¼•Ï©ûšØïöàà„Q«‹6ä’s4“ïB¸ûè [°óK0éÅÂì¯ ÍDi’a]j~”t¸ÿºmÏê´Â{’o¹g?ØÂ)…Ï1Y[÷eˆ{òÓ'܆ŸÀ¸ÝÞ~ÈÊCu™¼—EY7ßb}ØÍALç	¬yNr(“8•áàËhe÷mf}.‹›Èè&¡ ð‚©qoûo‡¾‹ƒj_ï¡_¶sz$ãÎÙº­šjµ›ïŒ™`Œ†Ïj¤ò,‚­«u/>Ì·ÉèòA’$­ú%)VÿRŠ²}¼—þn4¡‡ÿü9è77Ñßþ+²ý£6ˆ<Çzø_F¨ø¼X'‘S
-­£“sÍ›ÿ,/Uÿ?¡oÝ:endstream
+xÚ­YÝsÛ6÷_¡NNŽ-šH‘¼>¥®ÝºÓsïeîfÚ>P$qB‘ªHEÑû~Ht’N3zÀX,ØÝv)5òá§Fqèù&	FQx¡¯ÂÑb{åÖ0÷ã•ž‰cšt¹¾Ÿ]Ý=NÕ(ñ’©žŽf«Ž¬ØóãXfËßÆ÷?½þ÷ìáÍõD‡þxê]O©?þþéùI¸¹ÿõùñéÇwo^_GÁxöôë3¿yx|xóð|ÿ]
ë•HxaÁãÓ/L=üòð¯‡çÙÛë?f?_=ÌšÃt¬|ƒ'ùóê·?üÑÎýó•ï™$GGèøžJ=Ú^¡ñÂÀ7’_½½úO#°3KK‡.04±Æ:¸ÁÀÝ`˜xS£
Ýà7¶¸ž˜ *»d*­¤•™t±°ŽÁÉeQï¯U<.sžÌ³ª¾n*å‘¢,&…]§µ“·MëÅFDåyy¬ÎÄÒVno‘Ѭ‡=;ë—¶Èl…×gŸ(å%a¨é ,

F㧰3®7–”µØÕã¬â¶(yš£ò¡iµiøﶙ³HYä)Ü)7¬;7¬§ÆóÃT#𬓢¬³ÕI˜»æ§^D‘0߈›z¾ß0°´?v?(,ô¬ýŒ¬iOV½O‹jt)n
+îÇÓOÈ›¡‚³B§o’|Ø-ÁzCr
¨™(§ýR²Òïdžyž.ÞoÊ|HZyq™öP`?DGFüq¹dë“]aÆ9足՛ý&ˆÂñÛl{­ÆYžîóÓµRjŒÎ¡ô£vpØbR™ÊzªË]™—ë÷8Šð~}Šzdí!295€díëþ¨x åf	Z¥Å²„yÚhPŠNY-ve•±­dzEØБaCªýî‡~3¼ÈË
+­…t3èÜ
+˜	9p®<ã%÷"MÕ›
È-3U›r__ìÔ¶»ÙÜÖGK0¬æ–5b‘'e¿ƒÃá£g¦Ñø5ÜË´ƒ¼Øq÷$û6RsËmZUÙºp¬lfZó1Û¶ÜéXz+~9¶g+$@WQá[8|ëȧó’ŠeG»ÛþáºÑE}ÐQìŽSk[7U‘O‚&h[hW‡=)Dóõ_GZN!Dß{a€}¹mn·¶@#ë8`Ó ƒó&¤À˜¬
±(Ãñ{Ëè3Ñ€\„ÚE1üîûz_ÕgZ˜K«]Ô~‡x4™¯Ë=ó•×!%8.8îT¨¥Å
+Â\Í£Õa^Ùº¯Q
+`Ã×	ƒ­4˜É^M¼>¹Ö˜‚äãÄ™åVæçvU6níÂ9»_º¤]aMÇ,‰„Y§Ô.svà"…aùqcEaèج¥ÉA -ðe #ás¢ôø±tÜÓí.·ƒ¾Ê§=A©Xž6åiÏÜéà;LU’ñ7è˜G=e¾x!×3QâÆmš%ØÓí¥ã‰¦{Mk 1'ñUàäܹÎ4Rᮼ‚Àá€yÄ©'IäiÈz¦ÍËòýa‡ž`Æ+º3ttÅaz•3¦2Íð°…«w!ÆŒÇ窱X¥h
+Ò.r3ß0w{•äãìË‹ çPÓP–£¯$_G%‚ñŽmñÔüÄ›ôªÕÏG×¢!uןô/fž—‹÷.æ秳™!s©Àüà’B8Ì	ÄEäÍ^qgSRîƒäªa®7¬ôa½ñš{ktY¡×¸:£Ò‹%}=Q¾åR¹•à9oOE~¸9 C/Ô" I§¹\C*ÁF¡Š[ÂXÅâˆnŠ ÉM(gn¦wYw;›îY¸Þ±_°¥˜¯e°Ú¥!·é©'f2J#g!ÊÕœ	j_ W¬{g›D“ŸäQªŠÙ5Œ”²7È™®eL¼g½OádûŠ%á‚\¸ßgŲ¢ôI¡Gœd÷Tv¤GŽ˜µeÒ÷·ÒÞÜ¿‚¦jcóüng÷â#p¶
+ª¿x|XÔ•7]è$8Iœ´Nâ)q“®g„ÑËžqGª„^EX]xQ`BšxEÎ
+‰ÙÑkêsŠ€mÊ
›©Æ©hÖqÜÞ³`Mȇöe:ãw¶~âi†ýøîŽåþm½nn†øo¿Žtœ,…~÷üô?¦ÈæN&*H|¡¹*üÀ™@Ö"ç=@¼«Òµý]Ôø8q÷ŠÇ±©ò´rß+PfïT”í›e¢»Ç«;!	°
+m'J
†q“:§_Š>$¼
”B§—.@iól›ñ§ߕƧ2°rkš#ÞJ&¯w#ž ‰¹°Ë‡)?btçMå…ð±s{§Üì r’’<âb‹æð-‡YžÊ³
+FŒ½=äu¶Ë›RÛO[^÷,¯
2ÖFp?AÙŠóDãÉa´É¡ÊCO¾|œ9Èç)”ÛýæÙÒÉwÉ¿Q­Ð%k‚¤ÕoÈÎà@îû—ðÝŒCŠûç0˜÷ ð+€9mOØÄ!„$Úµyr oèD—«šRTB¶‰Ín=™y‰Ñqß¾ÊSU8X^”û=b4Ïöv×t¸E¯!7xéèƼ8œFå
3Ê÷b)ñgn
Ënló²Xc^Ù}K¨¾ÐFûÆÓP‡|¹6gd㑧‚Xƒ–¾§c¸Šµ››&Ú‚¤mÐ'AR<8på,ˆ³´¨ƒ³ØÇ7Û.Î’8‘Üå7Œ6…˜*Nly¶u|”¸ugv›S5L))ÕMSBDdcš|âA‡"H4â˜(±änºàԑ˵i»°‡÷÷¨° œŒ«0å‰ð–…y¹n×´¸‚ÈPÌ[ùh‘ºoŠ-ðnNµºhC&	1F3ù:4€»º;¿“^LÏþ
+ÒL”&Ö…æGY@‡°¯Ûö,[+ì±'ù–{öƒ-œRX”ÉÚº/CÌ“Ÿ†,á6üÆíööCVªËà½Lͺø³ÄnbØ8K`¶ÈsC™ÄÀ©<?F+»o#ësQÜxF7xŒ
	…L«ð¿ú:ª­áC¿8lçT*ãÎÙº­šœµp	ŸåHå™[—ñ^|žoƒÑŃIZõSR¬$åûñ^úÓÑ„þS8ð¡ß¼DûÉöïÚ òLëáÿ!ãóbDN)¼œkÞüsy©úÿ,3ÞOendstream
 endobj
 845 0 obj <<
 /Type /Page
@@ -2346,28 +2339,31 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 866 0 obj <<
-/Length 3942      
+/Length 3976      
 /Filter /FlateDecode
 >>
 stream
-xÚÅ[ÝsÛ6÷_¡·“o"ßÒ§\’öÒiÓžã>µ-Ñ6'¥3©¸ž»ûßoPü’å\ܹÑA\,v‹ß. 1ãð3gW^Ï2¯™áÂÌ–›3>»¶oÏDì³HÝ^»<ûê+fžy+íìòºCË1]®~™¿þû«Ÿ.ß^œ/¤ásËÎÆòùßÞ½C5ž¯|ÿÍ»o¾xužéùå»ßSõÅÛoÞ^¼}ÿúíùB8#à{)ùà›wß¿¥Ò·¯~øáÕÅùo—ß½½lçÒ¯à
-'òϳ_~ã³Lû»3Δwfv/œ	ïåls¦bF+•jÖgÎþÑì´†O§äg”cÆÉlB€ZM	Ðxf•TA€ï·Mq¾PÊ̛ۼÁ’çÕä«Õݹp󢮩a“7Ë[j[—uó—X]å›Hc³¯#«X³*~å\VÅŠªïËæ…¬Ék2sÌóæƒ<åËuìÓe_XÆ­v±ÏUq½%æhœ2Ž»LÌv¾¯il3/Öuq[ÐW_C]æçÕGš-$HÎgÂÍB0oŒƒÀ÷yè¿"µÓ·×‘Fµ,jªÏ+áe½ÞÞ+(s ˜1¯¤/oc§ë-ö*«z}õúû)RWûrÝ,ÊêåÐЄÐ,Ë29Ë `œx’©òA„YÖ7µÿí«Ä?Hì(ôZ±˜¾è“Z´“Zd\2P»8r×Z„LX‡%+ÀòƒÕTVãS˜h5? ·J[¯©p»­›š
El¸cZ[X/f¾l‚
-¸±Úÿ™Yϙ͸?!3ê”&3AÕ¶*>Oh°`ž"³.3Ï%3©˜Ô©ŽH¦/ŽËÌZ–YnOÉÌI¦¸ÔAëí2_ãôŸ.8¥8¸×‚
-ï~ú¤©Ôñ¯©×öŸ‚l+ª¢¹ßÞ}¤—²jŠ»ë|Ùö®´ë‡zѺŽ#kŠÍ#ºêáËûçêJKæÑ|LWÆÁ ò *`ý6.uð$PPÁÈ©
-%5yEï¤D,µ
-ÂfÜ“Bíým‰;%Öå`(ô@åÛ¼n	Nè«Uô#Zëˆã¹´vÿ­Dxɸ‘8âP0¾‹vF¨GïwÒê±V§7þqÔc`–:ãY»
QˆðL{‘Lâ±u®®•ðJµš¦fè;b‰@Lr™†HÀÉù
-]­SàrªXîï"ðhÖÔVïw»í]l£´Tý+7œðÖ—õ‹Iþ<
-\ôS§«cÏÕ¶ˆFÎT†X×hAAÖ3.mÖ·lq£ÌLâ73}Oø	‰cR±
-ÿD±4}¦a,b
-‰éÌÄ5
-….{ >1orð«!¿qÑ× gA5«}¤Ðl$×ùò#IDX0TáD’…0èò¡GÝÀÄ{ sS4·ÛXNW8ˆMYµ²IÀr¹ÝìÖEßê¢é$FÅ83ÚˆŸÞõØBÁ°V­F¯ÑsAü¡§Ýc(ñçÈJÕÜmבâ‡&÷¶#¨»|³y’&ë((J+ÚS„r bæ¿‚(¤8Mœ,vBó§R¹û=L.¼ü›¾å‚Yá<|Ì2­ˆí¿RS¤Öi 
	ŸÓB‹Té%Ô¼Ÿ¸‹U0&ó÷`b¿c¬þ׆aÎÂæÓ3„ÅCÝ'5½¿¦¯3àO‰c“gŒÅ~äïu¿#™Ð¢íŒiµ¨Ÿ¢Å7Þ•MvH´—*šêÏu~3.ê=ꊹ2) lYSÛs­—­;Ì©ÉrÃ)ä£C$„Û5uYÞæUU„ÉÁ[X»ðÄØQ¶±c¨y g»‡c˜¼ÂX7wy³½Pȯq”ëbY¨W„ ÊÛÅ„ÔlYÝdj
­\›ŠÕí†:Œ¼ëâîÌôœ4%ZÔÞŸ/Væo‡XÈÆÉBu˜lq¬Üx•Ê’nîªÕrB/`{B$½ì›r]6‰ê–žuQLV‰QpÕªn»Ð2‘°#k—õ×IkaÄ}sWŸŠT‹7ï?t›ëýºI>D±é9¶¡sÌ˨ŒWÕ”…–6¥#Âò›ÈY@Ñ	Ù5ãVÒ'mà‹ƒ]š*sz½|ý½×ÛåÇàÅ¡ŒÎ ˆNúä±:BL7¯wŲÄYLíR[fxånˆ-A©ÈÍ@½L:oŸ‚%ÌйiD·h).º$Çè]9 ­•=ŒŒ;aZ‚qon!dþd€ïäNè£2Ðê	ã=›ZŠ'd ©~½'ƒ°{MË@¥å…€I©s„…£¡Ýp=p*KŠ^(7&¥§÷ÍØ9Å/-ÔÁ>l€þ…ËcËS>;*X©=ƒ*–ü‡6_,Ø–â¢Kr,XXÆÌhØÛn	À8†›‘r®dÄ怆‘ƒÏÍ:½h‰
-ïvÑ}¯‹‚ŽÑm«3¿/׫åöµò5iœKÛ
luÜýDQOõmH¡¿q”¡Åg¾\;âÞÂrrÁ4Äü!Ö]Ó“8ƒí‚'»–Ogû8¬ECùòÜËyˆdLt_ýZ¢)z±Ãéö	£±{ƒ»UËè؇áôÈ=D…Àlf‚i©Åc"¸èRÛ"ž]Àz÷qSôÖ©¦h½NÞìåË©-(îœÔ•¢õüÝ5Iña»§B4(m«[FEë-Чw-Úø8¨Ú'ˆBB0^‡¸âúD[´±õ{nwW@…·ÞV ?‹ˆ¢mZÄ2X
-LL0j,@ic£Sá
-Œ	ëlߦ^¾œ¢GI’Ne”u“ Ú)ªU±ÄZ›ür³ß¤Ð
â}DM€£".Y$ò=xBg
-ÍU‚YRÌ’8r½í¶yB}sÛvèÑ(q²ÅU€»–Ñy	‚Œ‘Ôd”xº¢Û|I˜&¬&cV{w*«Â­LæB¦i'6Á®u¾'¤ œy
1¢K<ór ×Ö‰‚E´òiånŠÍUb]®	ÀszÍ[ݜћ&¸f…y>	$‚' Á!Y®|_“†‰èÑÙÌ>#‰â)&
„˜Æš>“ÇÓ⎛b»ƒý”7U<*_!x:FÐØT ËãKÿ£D
•«b‡WL@s½mNà¤Ì†?mÀ®ÞÜøø€£…)JªÊœüòÅ‘(.º$§O’ŒQò0ògøƒ…jþ6_N^r€ÁUöÈœ1RTN<ãœÅSsÆØpEoÊÇüçVµiÄ*−a?'lŽOXjÉ„ÉžqÂ-Å–Ú0¡AqOR²e.Ë’±”éšGÀ–ž!¨‚gL¦µ-ržïAH)”ËœÒó²‹ÈŒH‰-‘Övÿ¢Nȶz§Yß›òÆSJdÎa‰NƒÅ«„Š„Uð!>WåMÙÀdâk
î"àp|)òpßJðޘϥO‹æ¾H·ÃÅ,Z(‡©(:O¬„‰öÏ:E„g%elµxþCQŒ†x;g†!mf³pÒGmw73*\tŽS÷E·ÿødpD¹ùå¢Ø„+QÈÎûp±	Kor¨®¨üº¡"ßíÖ¨T@k¿rjaÕƒºº¼Œ3S¯,+`ÙqØU{<6ì
-ËÀséž*±¶ÿ©ñGtqü™Iù1Áä„r
Î6¨GåÐö:ÁǘZ
-·ÊÏæ¯ÖQ7¦ãbÔ"ïÐ|Ð%xœ‰Á:;€|ŒÒÂ%·p=+²ÁšIÁ\ˆ„ðÀ­*ú'oeJCw”¡‚~Â)Þ¶OøvÛnÝ“™éǯ±@¸Èìig(Ö9qˆ¤ƒ»ƒgÄ54L&{ѦÝ0©>µ{(Å„jó˜t&SBa¿£gNUqï×±­z	ÓÑŠ0½Ô¸0b‰”ILBÄ*ø5ƒ³±þ…G§;©xUÑ«A}Ð%(i…mËí>@¦Ï±éåK4F0¥ù»Šº4·eül	¨éæDzÍ|]o©ßýmð­î´VÆ3a;­YiumÇš
“¨Sìq1é¾[îè›®¬\íc!¥Ët”®³|Š—\ò)°ˆÊyåOíVg½ ýÅd2q÷C“ûõ
Ùƒx|³‹\SŠM#@`©wuÒ~E/‡,ˆ0&|Õ9M’úpí=’¶áx¹cY¸Ü×ÅT€ðáÓi,¥a¦Š“Çã—?Î*—øUÑLfæ ”à\T<$Ÿ2VÖø˜°Aií­~¨Áä®WåTÒÒJ˜}›P»Iílèó "5­c)ÞÚƺÔ®¿&¯ïm.ÊK²O‚RHp*u'aºj
¼ùãRVB¨V<¨µ)uçæû$v×ËÂ0§ÚkCH|ò¹Á‰áü"Ÿ:ðàsÛ`€@žãÖŒó{ÊÆÞ=Ép¬×Éç^ƒÄöm ç\¶ó®¨%,h(ò:ö¹z(ÜåUý¡¸x0	v4EõBÉ…¾ÇóªsL1RïU‡—Š<9ºðÀ1­1XR·â~ïÂÜN¬&nGB9k~¡¡ö€…á%¢ÛدíÓÜîcUà«wX —ºO9)¹L}*O©÷?\fèax×ñMþ‘ØÂyDîx?ð×Ûº.¯ÖñæBº‡@Ç$ñN?>‹?`Ÿ¤]š£R Þµ$ÐèoöwéôŠÎ+t(#ôeþcw%*”è
å”Á4ÀpëxÛ"it(,J¶÷ËŽ)HædgâKežWC0.´,ö:bx°·üabp<·"é`zhL:ÊìÖÐâ€g‡ŽÖ0áf’$P0!ô*þ(–û(}Ž¬¡Ð‰Ž¾EÂ.”ÖŸç\< ?-ÛDúu2ý6=h-îýxûÄŠÓi¦‡ 2Œàsê.Ê0üwÊ–糓wÜŸú'˜Ã?„`UÁn)'éFhd
-g¢Ä(Ñœþ-3fý¿%e§endstream
+xÚÅ[Ý“Û¶¿¿BoÕu,ß'×vRg'µ/OI&ÓxwK”*R¾xÚþïÝÅüu:×—éè .»‹Åo˜qø‰™7Œ«LÏ\¦™áÂÌ–›>»…¶o/Dì³Hý^»ºøê+fˬ´³«›-ϸ÷bvµúeþòï/~ºzýîr!
Ÿ[v¹0–Ïÿöæí+ªÉèñòÇ·ß¼ùöçw/.ž_½ùñ-U¿{ýÍëw¯ß¾|}¹Þø^F
+'>øæÍ÷¯©ôí»?üðâÝåoWß]¼¾jçÒŸ¯à
+'òÏ‹_~ã³Lû»ÎTæÍì^8Y&g›m3Z©T³¾xñ–`¯5|:%?£<3^º	j5%@“1«¤
+|»mŠË…RfÞÜå
–ì<¯¨&_­ö—ÂÏ‹º¦†MÞ,ï¨m]ÖÍ_bu•o"Í¡Ž4®cͪø•sY+ª¾/›;°&{¬IçYÆÌyÊ—ëاϾ°Œ[ícŸëâfKÌÑ8ew™˜'ìüPÓØf^¬ëâþ® ¯¾†:—Í«-Ž4[H\æ„Ÿ-„`™12CÜç¡ÿŠÔNßÞDÕ²¨©>O¬„—õz{_¬X Ì¢c™’>P¼º‹n¶Ø«¬néõÅËï§H]Êu³(«çcCB3眜9(/ej |¡sCSûß¾JŒðNb'9 ï8ЊÅôÅÔ¢ÔÂqÉ@í¢3ä¾µ)˜0°(‡%+ÀòƒÕTŸ&¬&SL	c¢Õü€Ü*m½¦Âݶnj6±ážima½ô˜ù²	*àÆZhÿ3df3άãÙ™YP§4ÎyTÛªø<¡Á‚yŒÌúÌ<•Ì¤bÙƒNõˆdúâ´Ì¬eÎr{Nf^2Å¥âXo—ù§ÿxÁ)ÅÁ½TxóÓGM¥žM½¶7ød›XQÍývÿ^ʪ)ö7ù²í]hןêEëvzŽ¬)6èª'„/쟫+-™7Dó!]ƒÈNU Áú3l\êàI  ‚‘SJkòŠÞI‰Xj„͸'…Úû»wJ¬ÊÁ:PèÊwyÝœÐW«è´ÖÇSi­ÿ­Dd’q#
pÄ¡`²>Ú9B=
+|¿— +`uf&{õ˜¥vܵÛð1
+Ó™H&ñÐ:×
+WŒJx¥ZMS³^ô‰°D &¹LÃF$àå|…®Ö+p¹
U,û<šõ'j«»ÝvÛÁ(-UÿÊ
'<‡õeýl’¿Œ	.ú±ÓÕ±çj[D#g*C¬kH´  ›1.­Z6Ž€¸Q:“øufè	Ÿ!!qJª V‘=R¬
Äi‹˜†BbÚ™¸F¡ÐgÄ'æM~a5æ7.úä,¨fuˆšíˆä:_~ ‰†*¼H¡]~€#ô¨˜øtnŠænË©óª±)«@6	X.·›Ýºhâ[]4ÃĨ§cŽ6"§û[(Öê£Õè
z.ˆ?´â´;b¥ žâY©šýv)¾orp`»1‚Úç›
Ì34®§8 (-¬èŒ"”ŽŠšÿ
+¢Lzä4q²Ø	ÍŸJåî÷0¹ðòoú–f…Ïàcæ´"¶ÿJM‘Z¯4,$|N-R¥—Pð~â.VÁ˜ Ì߃‰ýŽ±RløO\†y›ÏÀ>Ÿê!¨|ü5}í€?%NMž1û‘¿×ÃŽDdB‹<¶7¦Õ¢~Œ_QxW6eØ!Ñ^ªhª?×ùí¸©÷¤+æʤ€°eá˜Øžo½lÝcN9X$Ëu§{Œ‘Vl×Ôey—WU&oaíÂcGÙÆŽ¡æ=Û=Ãä.ÀºÙçÍv?¢ßà(7Å2²Q¯A”·;Š	©-ز»É<
+ÔZ¹69«Û%uy×Åþ#tzέjÎ+ºùÂ[kÙ8Y¨“#«7^¥\Ò;Z-'ô¶'DÒË¡)×e“¨néYÈd•gP­ê¶-	;²ön¸NZ#î›}Y|,RtR-^½}ßo®ë&ù4ÅfàØÆ"Lh̳LFe¼¨¦,–°´)–ßDΊ^Ⱦ·ÚYÒ¾xØ¥©2§×«—?Ñ{½]~^ÊèŠèô¡O«#ÄôózW,K\‘ÅÔÞ)µe†' QîÆØ”ÊÀ€üÔˤÏìc „z?è-ÅEŸä1zWHke»‘‘Ãàc'LK0žÙ„[™?Zà;¹ú¤4„zFÂxO&ƒ–âh@ªF€_È ì^Ó2Piy!`R*Æaáhh7\œJÈIïÉ¿ùlžÞc45aקK¥6ÿ¢¥9±,G¸¥N
+VÄ䦤ÿ¡Í¶¥¸è“<¬„ˆP—u#?$XØ3¹N+|ï1>‘ZÅeĦÃãÈã37ëõB\’Ã
+Þ—õ‡}\ø ûôí¢S¾Å_Ó“Ìz%]ùù}¹^-;¤ˆúìt•  %íȶàv–¸Å`"0*Â|8À6Eð»\»À¾…Dƒ‹‘q¨¸¡'e @cÈ»«1²²6¨ËLηÔN¾¢QzDÉ
+#ƒÝ\'æÞ0°”¸A±X5í`½¹“Ö*,¸J@ï°ÛAO©Å[kKqÑ'9‘È€°É«º‘²Vˆ§…5g¬Õé6º|þ|j—Š‚¤.¸Ê
ØÙ
‰ïÓöÆ•eÉF8¦0üÄ
+ùX¸™C€ Ïm¼éyq$Hf£Eƒuz´J
{ߨçvw1i»wfA+À Zì(V±°0'äOà·Ÿ˜àÞBö¾ÝƒöÓ‚Œ¯[ÁO‘IqïÅJʺaÕªXB³MþG¹9lR¤·<ìdìŠ0fá>qm‡h†Ž $ˆê:¡2)•I¹>Äö&ƒ[DH¡¾¹k;ðŒèã™8ÙÂ0€iKòjÐ1 ÌHjaJ<ŒÑIt_MXcVgî\†[™6ÊaMš¢œPÚ:?¯B{z	ˆ2‚Q<"räJ;?*³ÿñIÆéF"Ê\OD™ïáohÙa@߈àõ:¯S1@œ>ÕÁÁ\ûm]wŒ”SNOÊœ·Ib¤# Ç´ì€û¦ñþ)P¤¸è“œ@@gÚÂfÕvC6)M3Nƒ‚E;„OÆdKñ“ •V™QúÄúÖv¯¬õ¬Ç:_+0ë92+°Ô£-‰K&!
+0ÞŽùò-)Q\ôINlIÜ0˜¶9lš«é­D«,¡ÀM±¹.BhÌ5űðœ^ó°ëÁ†¬6MpÌ
+ótHÏ@‚C²\eCL&n7Þ:û„<&Šç˜8ì5C&O¦eZ´¡`ç‡@?åmOÖWXnlª¬åñeøÑv
•«b‡WÌWs½eCÁ+HéF†?mÀ®™íÜøñy8,FS”
+Tå¼üòÅ‘(.ú$§žŒQ²ù3ü€5/'ïDàæ­ÜsÆÀRyñ„sNÏÍCUé†S>å2nÛ¨0äÅ	%Ã~NØœž°Ô¹'œpKñÌ„¥†PPñã”l™w.+A9‘n…DléqxÆÜ[Û"çù„Tá	D¹Ì)›/ûˆÌˆ”	aí`÷/"ê¶z¯GIâÛòcˆµ„‹pKm‰V		«àB6|®ÊÛ²ÉÄ×Üarx)òp=JðÞ˜þ¥O‹æ¾H·ÃŤ[(‡©(:O¬„‰#=áYI	^-Š_GC	¼Ì3“‚3g]8¤¶ýíŒ
+ïz'‰©û¢ßÿø ñˆ*róË»bnP!;oÃ=(,½Ê¡º¢òË„Š|·[£R­ýv”‚«ÔÕçåøì3õ:ò–=‡]uÀ3aÃÁ¨°2qÈ#%Öö?7þ]ÿ=AfDL0yB¹gÔƒrh{áã˜Z
+·Êwó먛Þ
+Óq1jwhîtIAž;1ZgÈÇ(-܉·¹Ò¡¬™Ì…HÏçªbxPW¦¬u?Ÿ*èœ(úm‡„ï¶íÖ=™ÈƘ^
+o½p‘îqG.Ö¶é‚þ™îžÔÐ0uøœˆ6í¾€9ø©ÝC)&”M#Q‰Ó©&;zæôX7ùaÛ†¡—0=­3ȤJpá“4í)«±Š~>™t3òº—1€W½Ô]b!&´ m¹=È”ã1"6=ŽÆ¦4SQ—殌Ÿ-5Ó­§„º|]o©ßý]ð­þ´V&cÂ^³³ðÚk6L¢Nq0&¨ºcErË=}Ó
—ëC,Ä“w™NÞÃí—ñNL>öQùLeçƒv«Ý h6™L`Ü?ÂÐd—¼Ž††ìA<¾ÙE®)E‚¦ °ÔÝÕž´_ÑK—ÑÆ„¯z‡ORw·$Ð#iN£é).×ÅTR	€pwÞ‰©5Ò8AÅÉãñžË?NP)ŸøUÑLfé ”à\t	*’OŽƒÕuà~LØ ´öVªÁänVåTÓJ˜½Iw²Ýnìó "5­c)^òƺÔnË&¯ï)ÏŒmK²O‚RHp‚oÐŒÅPkäÍ–²BµâA­=K©;??$±ûA†yÕÞ2Bâ”Ï-NÏïùÔYB>·
Xò<·æ8¿7¡lЉáîQ†c³öä$vh=—§ÔŒg.³õ°¼iˆø&ÿ@lá<¢¿×E²l䯷u]^¯ãE‡tm!šÈø|À>I»$4G¥@½oïS ÑßöéÂôŠÎ+t(#ô¥ÉÀ«Jô–r*‹Á4Àpëx9#it,,J¶×ÑN/HæegâMœjò¼‚q¡ýh±×ýåŸ&Ç#t+’¦‡Æ¤3 ÌÞÐaèŒÄÏ(­;`ÂÍ.$I .`BèUüQ,Qú:pC¡|‹„\(­?Ϲd€üt{
+‘ß4!Óßc3­Å½/«˜Ñ¹r:­ÀôD†|Ný/F†f™Àò|vöJücÿ3Óý¡Vì–òDp’.F¦p&J%šÓŸkŽYÿ/€HϘendstream
 endobj
 865 0 obj <<
 /Type /Page
@@ -2417,17 +2413,37 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 877 0 obj <<
-/Length 2846      
+/Length 2823      
 /Filter /FlateDecode
 >>
 stream
-xÚµ]sã¶ñÝ¿BôÌ	‡Ohž.‰ïê´¹´>g¦$“¡DÊâœD*"uŽûñß»‹]R”D÷<½éøË°X,ö[V3	jæR‘fY°ÂIåfËí•œ=ÀÜ»+Åkæý¢ùxÕ×÷W¯ß¦jDHu:»_hy!½W³ûâ§$Z\™|óÃû··ï~¼{sÙäþö‡÷×sídòööÏ7½»{óý÷oî®çÊ;•|óÇ7¹¿¹£©”i|}ûþ[ž!zwóöæîæý77׿Üwus?Üe|_%
^ä·«Ÿ~‘³®ýÝ•&x7{„)Tz¶½²Îgé1›«WŽfãÖIù))´Iõ„­™ "5ÚD~¨êey=7R'ݺÄû¼~ë²Ñ.«EpVÃQ¸|_Kñ±|¢…§ä¥ð:³¼pUæÝa­|ÂÔ«–Ʀ޽¡1ßlšÇ#Cqå"_~|Ì#µb¾l¶»¼«&|hó›ôŽ¸ÓbÙÔsdy6Fd^¥³¹Rp/§#³?K©{ ÚÔðÂ&D̦l_Á—•Àrø“k!¢hÊ8哺éµÎ?ñdN3ëêaÍ«ËÚ\Ò2Œxà¯çaQmªîéZ)•d>Mþ~àj^™×|PÉÛ
-…ñë¼~àcù!á%Nn‰Ï67@·Î·(0%“fO’4 Úê%¡¢,•ì§TÒ–K⽩&mC+ž·¸bÝ6!·ùGÞ—O(•vØ°ôc­¬¦Ô*>hÇ+«nMdáÔ=_â±&_P&ÕjXCˆÇª]ÓûeDÈÀ X4äFPù´—G)z¼xÓFÅSÕ-<‡•2¹Ÿ4¥0
-P/±“Té~!)˜oZæc·trÕµ„Ù•ûmÕ¶  ŒhËŽÃrݳ™3ŽŒŒnÁÄAJåžÁU¿žôd®2'‚ööÒ*6l?K's<´H	¡x"]Q®˜!­ì]ª[1!/TàUäT²¿öÉ¡®Aàô·p¶"”Ÿ‘ËeÙò†ªÃ‡IMr­¿×G˜)ʶ:º •°íå]Ï>ÜД¿Wlrì”øtC
Ü}ϲ’è=Od…"Á‡É$éŒÌã¥tÒÀŽ4eB8Ú•š^„àó¶y]ô'¬Ëš xUêýèøøåpYf§žÒÚœ¶Q/3Cë}¯µÀQ%3G¨êh$!7‡}2Eý5bO½%fÂ:0„KÌ)ÂŽ©8Ùk6@À^—WÑ\¯ÝôòðqÝл#„Ù'»þYÄà ½Pšcá}¤–¦ÉïoÿFG¬l‘‡¸å¨ë’¿»§oŠV#'yb쀥ä·Ñv»fßÅÃùú|cÀ¸“)ó@"=’(ß•ËB|s%”YÜ1tãQÖ'«Ã(ŠÁ7Á(e£NˆÖ„Sñ]mF,À÷ŽÖ¶eÝñ¦Io+G2ã=mj¸v¬hvK_9
|{Øï	1Š‰—I>éÕ˜5?°V=Ô
qWLÅ?’&ª+J¾'7ƒkϦyx(‹3õ ý÷1Ó²¢jY£ÇZÈfÊë¨&¯åÃkËí®{šðXV.d‰rœpŸàd•é³AĘ i½HÓ4LÒTöYš+¶Å	ŠJƒíîé«)&lý5Ä@bxx§E0'2kÝÒ;ÈÒ%¸rHN7‡‚%÷a¤E˜Ïïsö~«Á»A4Ö*d¬ôL$Š«jSb@újŠ#yÉIúN¾-Q-ëŠÕ4>2+Á19½”΋CNq*dÈÓƒ$s0¡	¤ÁŸkÚ±mà»–>8„›¤÷Q!×”~›Q°7IÞ­Þ5U=àƳêkpÁ™2žašù-ëes¨1^G«9@Mø¨Só~V†’Õ—°V—]²£}–¬ò%¦€‹ÉWÚgUèi·U]µÝà£<ŸM80˜ä‚V,žhŒÉ]ב3“ï£ç0Óp‚µœgYìã¾ê8eI¹r¥Çd_¦œÅvqè#
-bbŠsÜ,KÞÆ°åïùv®Ñ}-€DÇÏ…Q’ò~˜ìñ»}õ)& øÙ0Ô=/9ïÍ9M8ì³ÜÁ
y­“$º£/G“=ÿš•ºx¡qglܱpø	¤Déת øŸñNÈlœ†¢ÍCµÞÒJÐxš¯¦"6V]˜éŸ/›OÒý÷snÍfàJ çìoî?sóÿ£KSiÖ[ýtkdðfÂ1ðce{òüí:ï?}µ*}×\¡bŸÄcª(ºÿpûîU¿¿ÃÃ%µ!hÃV„1©=K†¦Ÿ×‹LÉÏþû‘CŽ,Û
+6ÀâQŠCrHIGÍ$ü©™KE굟eÞ
+'•›-·Wrökï®ÓÌ#Ñ|LõíýÕ7oS5ó§:ݯF¼r!ó\ÍîËI*´¸2ùî§÷ooßý|÷æ:³ÉýíOï¯çÚÉäíí_ozw÷æÇßÜ]ÏUîTòÝŸßüíþ掖Ræñííûï	ãéñÓ»›·7w7ï¿»¹þõþ‡«›ûA—±¾JTä÷«¿ÊY	jÿp%…ñ¹›=‹Ê{=Û^Yg„³ÆDÌæêÃÕ߆£Õðé¤ý”Ú¤z€ÖLÐy‘m‚?ÔͲºž©“~]¡>ß¼uÙè+«…wVÃVH¾oÊ¥øT=á){)rY&\UEØ_«`6U÷
+Þ¬APzÄŸ¨…ˆ²­ÂRž4mO¨uñ™ZY×k¦®èãŠVP`ă|Q†E½©û§k¥T"Pø4ùçµÕLY4¼p)ºðë¢yàmù á$N´Äc›àÛ[4˜’I»'Y]ý¯ŠPÁ–JÆ%•tÕ’dïÁ*F§I×ÅÊ(ÖíaSr[|âïŠ	§Ò.ƒ–ùØ«À«)·JEîµcÊǺ_[ØuÏJ<6„beR¯B<ÖÝšÎß(#|Ŧ¡4‚Χsy´bŽŠ·]Ñ®[b:B˜s²‹Ç"†™¥ù.¼ÜRüüþöáv$Ê&dˆ¦ÚÐjÿ´ã/BH¥ñæAÂœáâ€'%mºÃn×îûp\@†þ6þP';xí¤nÄÌu†C:MP…µ“ÄO6õ„«„BDëŒKç$2W
+šR1+Cœ ~·¯?‡ª_°Ä…Â?ÊRð·—]9ù¬ pC±ê$™#ÒàçŸÁS ý/;t_“bƒ”8ýV—ÿ;èÕ™ÇþþD³bóÐÂa­·D	þGózêBÆV
+Ë÷s²ù$ßÿ>—Öl©
+ɨyþÍÿ)M¥YŒúé®h¤ÏÍD(âÅK‚UÝÉñwëâxñãûЀÒû æ
+ûä>¦6¡û·ï^Åï«óyqPEep*Ð7-M˜œÐâþaFÀÝhÔ2ÐÏÇ\ŽZ.ù†YKµ<šÞ
+{.•©À˜ùŸg ú‚—܆K>µPšÔžCÓÇ›‹LÉ//#VM¯´Ô¶!Ð.—Ø´#XðeEÈ1}»#̦úêk¤_Ù‰ìÈ¡…Æ/˜=\uɸbB'Èjzx½~®«Ç©rÇ
+èܹVOµwÉ_ª§Žv(+ž.™4Ð)O4ÒMðbc©²†'è;'U'úg¸Fí0"xÖâÞÊ‹wÄLÀ¢¢'„Ɖ;\B ò]hlÔ)ÅéSˆŸS=¦¬®u@f^Pïæ"G3ûM°¦U
+RçέéäD(gSðvír<4ÿ…HŽäó1ýe]p½ˆcL¼‘¬Hî=‘æ"’ª/qÉí H„í¡ã”¸¨N*gÎØ<=
vFèœ2#r©Ý3)!MϜϤg:6οS© ‚¤6Ï^2	×Âçy>=ŸG†ó1Gú‘`,˜‡ŠÏæþ¸o(§¦OÑ¥H…Ð|ª8ƒ¶óSÆŠ܉r/œñÅ£ÓP Ä¶•‰
+Z)ÛmQó÷4nEèÐÔ¿ªPí`g[‚§×«'ªuzºÁ0ÖÉ-·ØÔ,"¿ŽkP:‚*¥ÏÚ_œeÑÚX™ü¢µ¥r
+!Z×|89né¹,BœãWtå‚Ø]è7ð›r.ü,Þ±¡\;Y]0§ZùЙŽç¸áÛšùF­±.Å‘
+³	ZÀçEYò”¢›ª©¶Eæ Ú$›:ÈŠ`˜†Á„K3Ž†IÛ(hîÙüæLS0QœÁÚ¢
+#7€¢s™PAöCÒœù÷€¢Çh,_M•ÉCev¬z¦çÓñéE®‡¡ù±0HS^)ñµBª¾:J†óÇË(U8ú…5ìû|”:%­ψUZ9.	Å.б`|ÅGÝ?}Sp€Ú×K®!Çh"ü%Pf4
+Äþ¹
+ÙŒ­	I#¡€895Ø«éÃgÖŒç}øÊŽou¨L	w!
ÍòÄÏ&p®YfbÞ]o‹å|[º	»Akk™
“š¹Ëý3¾¢sam69Ôšœ×É9”ø>Éð‡M—µ§çc–—®bÀÎà%þ¸3
+{ù]ÎÏt>Ô¡Á_lœyàaŒZˆ°ÐÒY,ø‡›d™;kÁ¹v5¨ÃE:
+âÓ†*ŽûaïâÓ&gQtÕ<µ<>„|TíNÐñ¥]¯çÞG”w¾¢ó˜;^•Á¯ÏÜý#Q3ñÑËotë°A/j¹ã ]‚P`ql·íé©ðæÙùW1|;2lÛÞDÿ‡‡fSoëpL«úõ¹ßñÁÊøãûDñ&‡óøêßøÿQkò\OWЭ›
+m`ô…äñŸ.EÿúgxÁendstream
 endobj
 876 0 obj <<
 /Type /Page
@@ -2528,24 +2544,30 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 894 0 obj <<
-/Length 3906      
+/Length 3899      
 /Filter /FlateDecode
 >>
 stream
-xÚ­:Û’Û¸•ïý]ó¹ªÅ%®ÇOÎÄžqvÇIïS&5Å–(‰e‰TDªåÎÖþ{ÎÁ9€H5Ôn'S]]ÂÀ¹á\!nsø·Æf¶”åmQêÌäÂÜ.v7ùíæ~¼¼fÍÇ«~ÿéæ¿ÞYq[f¥•ööÓj´—ËrçÄí§åßf6“Ù+Ø!Ÿýð§ïÞÿø¿ß¼*ôìÓû?}x5—&Ÿ½{ÿ?o©õãÇ7?ÿüæ㫹pFÌ~øéÍŸ?½ýHS–÷øýû ‘’~®lúñí»·ß~øáí«¿úãÍÛO—1¾"WˆÈ?nþö÷üv	hÿñ&ÏTéÌí	:y&ÊRÞîn´Q™ÑJ…‘íÍ_oþ7ÍúO“ôy&••	j•" )3«¤ò<¼nV·Õ®i×€\™Ïš~]9ëÚí#,»¶¦ÖiS·Ô65-û%Ïå–§ïë¸K·¯ÛzIKê/‹º^öãñœvÙ,ª!,ê›ÖÀ­òÙ‡Ž†î«ÅçãžV?Ô‡¾éZÞ¤"°‘ü@ƒ¹YiŒô}®÷qéþ‘~—õª:n‡×Ô«Z®¿4ý@ðBoÛq#âc˜ðÛ7»ý–?«ö€Ù²^fñð2ËsãÏþ´ñ Ýåˆî°À©Ù…kO^4fŽÌ3gâEÝ~d_Í•(f«î€
Çõ4Úðï±GâôÐÑȶÙ57)œ[{zu§aƒ’.äìýŠVxnœ7§ÁˆÍ­À9À†ç…;h*cmeeEf‹Â2: ^åS¤Üc¯:5Û­'*ÍŒ*Ì”³ýС0(3;ætoI Ð@ä ´-P¬§6R7T)fY™9-#¢Ø=^癑¦¼à˜ß·ï»Eâà6Æ`l ¿Ê§?NE‡öHÄqqßA¡¾Ã&qÌIæ*SÖÉ@$Rˆ#!‘ç=”tÓ»í–ä&yѲî‡æ>ßwüEÕ†1úië5QAÛJ¸óëc‹·4,Ua<Ÿ,YVáû.%*Âe¢pö™,¥˜ÅP¸³?a×Ï]VCE´R òt‘Sòì€ý¢`
¨â°ã/þnx–®4ŽíÐð—}·ãÙî8Ì»Õüž¨»z±©Ú¦ßQ— Ûu{þàÀû^9ØuaíÄI3­©Ú”þ£kŠjW}ivÇ]Ð`^»*‘{%5Ö‹¬,ëMõÐ HcÅ×v<í/ªIR.~(ìã5šou«‹)’Æ©ªÔ¥‡óí—
-”*¯;öÕ:±ÇSi)mVH0u_Ó¥¢Ôaò#©”•)^vÍA“M¥®ÿžšb´p.
-lÐnbPÚ„Åæù컪ýµ&¼å‰ïhæÿ<‰¤ÊJt&]5H%ÿ9›Xðwg=E?ÄlÉ|÷z*$¤%ö‡¦æC³ãuuÿ:%L´%sÝ/ÖΓàþÿëa[•C/ÏÛI㬼}ìQúFLK)ç@{)¨Xù–r¶ØV`©½lèÒ-†žØùg¶øÑîbÎêµï–ØÙû°©ÕõqW·4a&~OþD©f«jÑlЗÃ#
T=QÏ€:+ÀPo¬Œu	>ý¦/Ca2«KýU‚ÉL[ð²]Å{îáÊeÈR;ûï¶;ñ(;4^Aäi]²K›¬Tñ
-}®mê.Š,WáöÜ%¶^ˆpîØ/«-äKwÙUÍ6­t÷ê&Aþ–èêFÞ7‘î¥ÀTG0þ×€y1JW™+]BT¼tŸí>I_•=‹Ð\ƒ°æ:a ¥1A-eþH&B¹=ûÔ.2³N»¯íœÇÅ!É,œRš—‚‚¼•÷âz‰Î‡~éN«aιxé&ÛnQmóm@m.¿iñïïcÆûÈßõí£#¼ÌoMíSBœSè¯9$Ú*7ÞªxHsiÕlÓ|ÌFÁS^fE¡ÕÔâ“'W‚S¿ÝRc¬éýD8 Ó÷ûî@tɸÆ}x¨8ÃåÞ`öÞPªÙOÝ) seʳïöœ}wCòÑñ°ØË-ƒ·7ÌCÞ³lÉÑ9nØʪ¼3kõ…OE¸û^±·«ÇÆ×·ô›6¾B:Ù¢kW	œ¨D)&&wf¬dN!ÀðØiÜñš†*ˆN	´O›f±¡Y0™=
ò:„Gšê¶Ë8Ô“ƒn•Òðº̕Òs<’EÔ†ŠpLÀ9#ïÑ×C'ŽÆnS?
+®Øbb+Ú}L)8¿ä&‡ÿ”>Óhël`É
-b*ŽùŒ6´B|ÅI²g<šuË1%g|0fBà?	g®º´RÄH¤ÇKŠR— ¨ËŒ!>ƒef§îð™åsÛ|Nº\	-¿ÍSø]OÛÿ"¥“×¼&¸Ã.†©ʤ™È`Ÿdy¤±	±Ðw4yÏ SN
-[ÍTªÇY
sNãx²
-«³á»Èùªf½ÁÓeIâ¿(éj”ªƒ!ÐF˜t e´Ž=ïÿÄwu™pÅ7zW>w£f?Ÿ•®¢,Ç)›:ã(ÿnëªç¦qUˆ“a J¯|ð¡	4×ÍC͸œÓc>дå…N‹±ú}ˆËë-D>ÄŠœÒˆ“àœc ΋ŽTê(
-ßñëCØ/‰™’W³’]-Pz.³¤|WP×iQ’T`#;Gˆ•®°
$]És&õ¥>ñ\[Á×H+g•y™:7™*¢‰:_ÚŸ¨áñòWCnËz¨»¦eOþBa¨ØG°«ÔßW=jNÒ4À^¥µ¹LðP&ï¸Æd®uböÎg’
-¼³>?€çÎÄÒz#
qšÏâÁ¢úbçl±G©+XzfµîSy»\d"wòká’Î1ú|Þ÷`È”ù9¤¿?^‰cMn‚Ž¼?Ù„86g«_jð¦òÊ­ÓR‘FáÊr‚HvªíyùI3GM:‹œ©ôË„I´“T `½
P¹ÝMœÀ»‰£ædªßÄ`:lÚ´«.›;Eþª[Šµ¶<¨˜f‘ʸ©}¶@JV*ΪÊÙ’v¿6T¹"+•sSÕ§sÒŸÔ\
®„@÷tÎ*ç–ó©èÚÔË;ªPøD{mëÏT#r=ðXcÀ“Ç0ÌC’—òuVõº$aB[ÆÄ¥ƒMP¹ Ù«òZ6ðò§é²Z¨2[èsqêŽ[6
>ËÇz;(ò©99_N§Õ`•‚Y!ÞîҶ囊dàSEl†e}8\‰¤´,’É?SŽ§ò"ùg#på(ùgا0åy¶¯¾þøÙp9ÈH-iB‡xø›Îªvè#(H’;YÎâo;øº!ià³åòB?‘‰vrF8€fçz«¹I'#xئR-–°€@šÇ}ËQ:~VìÁrðØ.é³=õÀê;
-ë"uÌÎO ðªy}>‡~@±¡¥YÕ<•mFþ\“à'üJACºþÄë›^?º¨Þ»˜>—©	.þö¡èœØ¤½[Rñ™*£B^GòH’¯·Ý}…Òä,Û.hÑ‹ƒQâ“å2l]
ÄÀ"xª0õOÒmg„	Á
-,™ÜzHiâ„Ie]¡ãý.˜® âyð¨€â úÂlB{†Ð—“ŒëëkÝwÕ_,«ã\ŠkH.§T¡„N½¨\Æ(éÀõgVè±Pý´æRä`ÁLðA橽1L—yÐý §ªbWÝvÛ¨îyF«¢Ÿ}Ƨyàê8^^ öú¬—•™…º|ørt¶÷EiwQ-9´Ëp ª¤iÕ:s™QR*æ,|9[‘³08MºOи§š-6=_ý¡ýŽ¥Ï±ˆãcáƒ.œ5ô¼FÁ"5ý·†^]ÀŠg©¡J	\‰U5$B,ü—ÚØ'‘Íâ(•oå™8ZšÙºåô긱IsŽ4zß¹‘b-CòÅ9Rqî|k8:ó×Ô1¡`>ÆI‰µ|àšÔŒÆ*5ùBŒÃäæA¼P5Û`d»ã°?\¿ý¬WÈ ÄÜK¿¯Í*¼R¡n^„’/6Žæ„³»‹‘ժ̙?SÞ$šÅ¯þœ_=ößTà\uÝw¯Óš($¸ŽÑð%Ïÿ´ɱ«ÅÛ=¹ËL}šòq±ñ‚Y_tõ«Ôå÷&VðK#t<|UÚ`TУÂfÙ6Y¶Mvj›,Ù&ŸçÕì~­Ù	'¡
-oC®(15'‚T†Â\ŽKØ«¾t!2+cædùˆOÇiçV›XUåèÑ5ˆpÚ¥Ó%Š	ÔÜøI‰5v}DÍQ³ÊrwûMýÙwôžïµEâõA–±˜9ª¡'°w™+bH/Ž4¾3ñf]çgª1»ŽüÕ*X}|U˜[‚³@-Ò5:Š±ìjzÀ‚¿¬9ʺŒrËrƒ o€~W=Ži•€ê
ÒeVã3¶‹P#!DHæµ¥mðXÙÜ‘Cí€{Ø(UœGÁÁ}øñ
1ød­]¤SÌàˆ_Fê_$¤<"cOGrQž™``	íC•–,¡A%•1°¹xwñk³â\-
-Å­-`“ËÃk!Xò‘2ºô,i…e¨Lè†WØó*¥0çi¾@ôßó4	µ½´¯oQ·(p5ßA˜†¼	ƃ—”–àîÄLÑᙼ9È[!܈|{£¦6TÅ@â0w8L6üTl”ð‚«ÿÔmEoáâÊHìp¶Æ?ƒãOùÎui¯„ºR•™’1%F8^‰uóÒL_1ÕãôØðTÒ“ÁÖÝä;Ö(ôÊW0Æ·´Ï=sDÛSõÈï=£ã^66üâ‘ß^Zö©ãÛLrt –ÿž2Bx
ü;Fw· ÊM}’ŒÒ£EIÖ€úRÖ|•3@?|I}Á™s‘+¼ek“ÅŒÂ4¶žéæïêû¹Ìóœ<a¾ÏÍ÷58ËïºÖu[ª-Ð"šœ³q¡w8;Û©éÊdøŒ<ñ~þ™:ÿñkõóS~]dÊ9™~ˆ.±bå`
-ÑWú	äáYûSÐÿ¨ÍŽüendstream
+xÚ­Ù’ÛÆñ}¿bË/¡ª–æÄÀzRÉ–+‰¢<Å)–I”H€À¥6©ü{º§{pPÃÕ*qmmq.Ìô5}Ž¸MáOÜ›Ø\æ·Y®“
+s»:ܤ·[˜ûþFðšeX´œ®ú݇›ß¾±â6Or+íí‡Íd/—¤Î‰Ûë¿/l"“°CºøîOïÞ¼ýþoï_½ÈôâÃÛ?½{±”&]¼yûÇ×Ôúþý«Ÿ~zõþÅR8#ßýðêÏ^¿§)Ë{üîí»ßÓHN?W6}ÿúÍë÷¯ß}÷úÅ?>üxóúÀË_‘*DäŸ7ÿGz»´¼I•;s{†Nšˆ<—·‡mTb´Radó×›¿Nfý§Qú‰4‘ÊʵŠÐä‰URy¶/„[”uq¨ê- —§‹ªƒ_—/šzÿH#ë¦.©uÞ•5µú]IË~NS¹çéûrØ¥9–u¹¦%å§UY®»é‡xN½®VEuÕ¿J`ƒVéâ]CC÷ÅêãéH«ʶ«šš7)l$?Ð`)D’#=BËcO\º¤ßu¹)Nûþ%õŠš‡ËOU×¼ÐÛ7Üð1L
+øíªÃqÏŸGÀl]®“áð®ôîÕM‚ü­ÐÕ1Œ¼o"Ýs)N`ü¯ól”®2Wº„({î>ûc”¾*y¡¥aM
tfÂ
+þ@Lc‚ZÈòô)L"„r{:­Ž±]dbv_Ú%8«6Ê,œ\šç‚‚¼•÷ãzŽÎ‡~îN›þxΩxî&ûfUìÓm@m*¿jñ¿ïc¦ûÈ_	õ+í£%¼Ì¯í“Cœ“é/9$Ú*7Ý*{HKiÕbל}ÌFÁSš'Y¦ÕÜâ“'—ƒS¿ßScªéýÄp@§;MKtɸûð¾-8ÃåÞ`vÞPªÅÍ9‚ seòÑw{ʾ»CòÑñ°Øë=ƒw7ÌCÞ±lÉÑ9®Øʪ43kõ…OE¸û^±·«§Æ××ô7¾Bï³!b't’USo"8P‰RÌL0îÌ&XÉ”B€á±9Ѹã%
408%Ð>ïªÕŽfÁdv4Èë@iªÙ¯‡¡Ž$è4›˜†Ö%.¿žâ‘Ìm¡Çœ3ò}É1DæØaê6uó°â
+‰-&¶»)%ççÔ¤ðÓgm
,Ù@LÅ1"ŸQ‡Vˆogq–ìÙ€j[sLÉ™øÏ™«.­C$Òá%E©‹Ô%Fˆ`™Å¹i?²|î«Q7Ð+¡å×y
+¿éhûŸ¥Ô`òšÖk‚;ìÒa˜ú¡Lšì“,4¶"!6 º†&ïdÊIa«šKõ4«aÆ4Ž'«°:ɾ‹œO[TÛž.søEIW“T6¤-ÛyØ uêxÿÏ|W——}¥wås7jñÓ¨|àˆpe>MÙ„ÐGùw_7}Œ«BœƒdðÊš@s[=”ŒË˜ó¦Í/tګ߇¸¼ÜCäC¬H)8Î9â¼èD¥N¢ð¿lÃ~˜	@ y5+éÉÙÅ
+¥ç2KÊwu9I6Âaç±Ò¶¤+9fRŸë/µ|ýñ€¸²‰pV™ç©s“¨l0Qãõ¡ý‰/54à¶.û²=T5ãxö
+[@ź?]}¤þ±èPs’¦ö*­Íe‚‡2y§-&s­‹7>“”áõùÄ85p&^ÚiˆÓ|
¡/vFCˆ=J]ÁÒ‘Õ~¸‹åíR‘ˆÔÉ/…K:Åèóiß‚!“§cHºÇšÔyê	:²95plÉV?×àM¥”ÛÆ¥
+"Ìåù‘ä\´õ¸|
+†„¤2GU<‹œ©ôó„IO´“T `½
P©œÜMœÀ»‰£æd®ßÄ`:lZÕ›&›;5ˆüU·kmiP1Õ*–qS)úl&”¬TœU•‹5	ìñ8ØPå²$WÎÍ}TŸ>NMHPp5¸Ýó˜UN-çSѵ)×wT¡ð‰öÚb¨37!çËé´¬R0+ÄÛCܶ|U‘|ª›~]¶í•HJË,šü3ùÄqÊ/’v.Ÿ$ÿû&g»²õõ/`ÀoøË®‡ËAFjM‹:Ä»åoz:«8   Iîd¾~ëÞ×
9HŸ-•ú‰L´“Â4;×[]ÈM:9€‡m*Õbi¤éqܸ¥#ágÃ,WOõš>;R¬¾£°n€ ²ó3(¼jÞŽçÐ(6´4ÛS[,cÙfäÏ5IàŽqȯä4T ËO@¼®zàõS0 ‹ê­=9à±L-Hpñ·EçÈ íÍšŠÏT¥ò8’‡H’|»oî”&gÙvA3¼8%>Y.ÖEOÌ‚§
+Sÿ"ÝÖxF˜¬À’É­‡”&ΘTö×:Þï‚é"ž
+(¢/ÌF!´#„¾œa\Wö¤XËŠ¼k¬þbYÇàR´¬!¹8S…"8õ¬:p>DI-ןY¡…êÏk.Y
+ÌdÛÃt™Ýrª
+yÓì÷Í™êž#Zý0>ÕWÇñòµ·£^VfêòáËÉ-ŒØÜ¥ÝEµ¤­×+Ö?m5­Z'$b‚(jxùÈYTxÌYã΢²+X7’kSÍ7=ËU_\8•¿8njÐœ#=à‚Öwn¢VózqŽœïÇfþ’:¦ÌQRd-¸%ååò±FMžã0»w-Õ>˜ØæÔO=Wo¿#Ûò'Cæ¥;–«jÞ¨LÆP3¯BÁ—dË	!w"+ÿX‘3}¢¸I T«_ü9¿x쿪¼¹išo^ÆõPGp£ážÿo%’#W‹w»'žÊL}šòQ±Ãõ²¾äêWµÔå×&þ=²Û᫬Ò“‚þD6˖ɲe²sËdÉ2ùË¥ÙùÚ²N¡
+/C®™'17&‚MT‚ÂœOKØ«žt&@
y“õ#>[Å][m†šÒ$s@O–¨Aô€Ó.].‘Í äÆOš€ÈOc×ÇÓ3ƒq—‘ßÜ›
YGï÷^ËPDÞ€rJ™“
+z{—¸lÿ轑ÆW&Þ¨ëtÔ sëÈ_­‚Í×ÁS…¹5¸
+Ô"]£q‚!–]MÏWð"€-ÇX—1®qIª‡è+ ?ÓC&Z% €zƒt™Õøˆí"ЈÅÇYñ‘yF%@iüV6wlÍü+Eþ5JgQpðØ~|C>X«Wñ3X¢Ë8ý‹€„„gFdìèHŽ²À3ì!¡½åVqÉTR>„5¯.>‡ÇÚ$kE¡Ô¡µlRyáax­ñÏ„J>NF‡ž%-³u†éÜðÆ{^¥dfœæD±àÁð=O“àQÛK{†Ñúu‹Gó
iÈ›`l0t‰ÑAi™81äˆOdÍAÞ2á&t àë»!fªCM$3‡ó¸dÇÅ&é.豺ñÝ6ônX9Ð;œ«ñàøS¾€KÛ+®Ty¢ä#¯Dºéà÷ñ»#¢xœJz0"ØúàÀª9Üsˆ|Ç…^ùúÅô–ÖÃcEÏ\p2‹ý¹xä׈žÑ0æÁ
ï+~ïÈ//-{ÔÃËLrt ’ÿ–òAx
ü+F7Š[	åæ>IBIžÊé3È*¼¬é¼1JEÀw“µÖg2¢ÏãhQ”5 ¾”5_äÐßQ_pf,q…—luô™˜Q˜ÄÖsƒ#ÝòMy¿”iš’g#Ì·©ùbgùU׶¬Ë¶Ø-!žI9zíèmÇÞ£+“à#òÈëqøgêüßoÕLJü:KÀÉ—ñgèëU6a }¥?ƒ<> endobj
 898 0 obj <<
-/Length 2155      
+/Length 2162      
 /Filter /FlateDecode
 >>
 stream
-xÚÍY_oã6ϧ0ö%
-°ÖŠ”(QÍSºM¶)Úl/um±PlÚ*K®$7õî»ßg(K²6›Ã½y05ç?dÄ,€?1ÓÊÂ4š%iä«@¨ÙrwÌ60÷áB0ÏÜ1Íû\_/.ÞÝÅb–úi,ãÙbÝ“¥ý@k1[¬~ñÞ{óãâöñj.UàÅþÕ\Å÷õýÃ7DIéçýLJ»û??Þ\%‘·¸ÿø@äÇÛ»ÛÇÛ‡÷·Ws¡•€õ’%|fÁÝý÷·4úðxóÃ7W¿-¾»¸]t¶ôíAˆ†üqñËoÁlfwøaªÕì>_¤©œí."ú*
-CG).~ºøG'°7k—NùO…ÚWZ&ŒÂ)ªÔCZ.¶¦¾Ú3`WzÙéCzëêPyOä•ù5diVD]n³²4ECÜí6kÏ„„Þ¡qìëªFV²§•¥/Ó [PŸ2Û?±õ•?Mع.¹2ëìP´¤@Qm6y¹a·iQTÏ
Ä5Œ´÷mõLävkŽ´Ê)[ÎpÊ—:R³¹~ª”´»±	ö¼¡ß•i–uþÔ‘Ëq"ˆ$òc)ÁÙQâÇI"0$4Yof4xìÅ°ãŸ÷œÇð\.*ø“Y¶yUº*{¾«$#á‡Ð•Î’©ãú‚"çÒPŸ"§’ç\(P)FÛ„öãXS9y®æqxo8Ÿšca|CÔÛ ÈÐO±–!!>b[efW•×PÄ¡„ÏwïˆÜ˜rE£¶bŠ]„¹sZF[Å×mA¶89ël™y{ä²²6æOS#‹]—ëêL›ª,Žc½öu^
—Mi#Údnñ6ß`é’RaŠífdÀ®íl€óèÂ迯ÌÓáE·“Èu^^iÕ¯å´UD=[ŸÁ(3t}Çílý²¥P¢,®ª·um£–×ìU}t¶M-}¨Zó{»]™ºæ]9òTϤGÓšl5”5µ>3ø¥­óõHûÆÔCš6«[³zIÎsÞnG’.çëKÖiåîOf¤˜ÈÈՔϗgêJ;÷„ÖP*_ÓòPצäõ6X6hPL§§œLÏð¥¶`£Øåç\Ÿ¥[3*u
-ûçû‡¿ž
-üß­˜_ï­òPƒ‰Ÿ†ú’-JûµUÓ8Ží¶+·¦mËöHá‹$ˆ§‹V²§YߤhʤѹÂQ‹¸ƒ'S˜!ð#é°€ÃãPQ‚M/LÈÄkÀ˜ôS­õ4›wç}‘t4öµp4Ƹ¾c#5±4&€ôUh6¦h˜ÄÞAL˜$T–Hiöf™g=¨ ÷O̺¯ò²í¨K(È
 5wØd¼´§kómög·Qç óFØ¢ >£ÄÑÝÁç"0´pÊòæ¬ØÛ:kÌ4’±X¿Ñ„irz^üâílBòÉ0ˆy*¯©hÂÚ‚¼Ö‘H!ÔŠ$:ížkˆÄìЯ2Ä~8j+šjs?;lž­b°4¡¾§¢’("´µtšÚT©ÊË–h(ϦdJf™-9±12²ÉbÁyÃBªõ V8!×tNwü]t(9¡p¬ƒJb²—%dÛ™¦É6†uæ«ìèÁHLê^ÈC™‚K°ñ"«)„°‘b½”vóŠHPá9êŸ
-‰ƒ“½Íµ»íâ'8z©9Ø—½‰´Î›HψÖÒÎ\i§7¶+ç±Ý`è%®«Cl§ƒÚåS›uAÉW<=(u¶ö¯Ž§;ãÔ;Óõä3S_s?¹Á¢‘Ћ±²d왿²Ý¾0Ö#¶L{ÙÐD“‰“Ý»ò^Q†Yæ7"Š¬lYŒcÍè“ŽÞÍvÎÁYÑ0¿Û,ö~7fÏÛÚÚR/—Æu:l¨º!ÜrñQœÁü?¯R	gø%n§*ì·è.ò/FQLÜhwÇOΟxfâ‘j„{TýõH~s=ÝŒÎoü|oˆï?«M½úCåáSýijjÐa‰ÿû?§—D‰j-§ßgázákèON)Ôüüp=O"ïñîã=‘nnonîßßÌB+ë%KøÌ‚Û»ïohôááú‡®æ¿=~wqóØÙÒ·W!òÇÅ/¿³˜ýÝEà‡©V³gø|‘¦r¶»ˆTè«(¥¸øéâÀÞ¬]:å?j_i™L80
+§¨R?ehø¸5õ\hÏ€]qèe§é­«CMä=‘Wæ× ¥Yu¹ÍÊÒ
q·Û¬=z‡Æ±¯«ýZÉžV2”¾LƒlA}ÊlüÄÖW>ü4
cæºlHäʬ³CÑ’EµÙäå†uhܦEQ=7×0ÒÞ·Õ3‘Û­9Ò*§,l9Ã)_êHÍBø©RÒîÆ&@Øó†~W¦YÖùSG.lj ’È¥gG‰'‰ÀÐd½™Ñà¡ÃŽÑ_pÃs¹¨àOfÙæUéª@Bîùr¬’Œ„BT:K¦ŽëŠœKCE|ŠœJzœ¡@¥mÚcANåä™/â ðÞp ?5ÇÂø†¨ÿ¶A‘¡Ÿb-
BB|ĶÊÌ®*¯ ˆC	ŸïÞ¹1åŠFmÅ»sç´Œ¶
+Š¯Û‚lqrÖÙ2/òöÈ2demÌŸ¦F» /×Õ™6UYÇzíë¼.›ÒF´ÉÜâm¾ÁÒ%¥ÂÛÍÈ€ÿ\ÙÙçÑ…Ñ~_™§Ã‹n'‘ë¼0¼Òª_Ê7h«ˆz¶>ƒQfèúŽÛÙúeK¡DY\UÿnëÚF-¯!Ù«úèl›Zz_µæ+öv»2uÍ»rä©žI¦5Ùj(kþj}fðK[çë‘ö©!9†
+4mV·fõ’œç¼ÝŽ$].Ö—¬ÓËÝŸÌH1‘‘«#(Ÿ/ÏÕ•vî	­¡T¾¦å¡®MÉëm±lР˜NO9™žáKmÁF±ËÏ…>K·fTêöÏ÷;5ø¿[1¿Þ[å¡(5,?
ô%!Z”ö-j«¦q:ÛmWnMÚ–í‘ÂIO¬d1N³¾IÑ”I£s„£>qO¦0CàGÒa‡Æ'0 ¢›^˜(ˆ×€1é§Zëi(¶è$.ú"éhìk'àhŒq}ÇFjbiLé«0ÐlLÐ0‰½-‚˜0I¨,‘ÒìÍ2Ïxš@Yµ75fR‚ኼ%
+ej{uXš†çíþÀüÏ[S:n/n\€€¹,4„1=Å^ö³Ðƒj~€”ʪü!Ì
+1˜¼»ÖÍÔ»¬@õðË1Ž±ˆñ7£Äœxìàx	+> ˜ô…ÖIFÚóæÜãG´v€3gØdíÆÁÐnRÎ@ûå„éBx܈à ö£$‰‡8ç¶BF Z¥møE2²¦*›·s\Ê!À9R¿Ò›°UD¡¯S!Ø‚ÅaÂH!b±‚¬ÈeµÛÙ¶ƒE^ÚŸ(Dµ¡ƒ_<&­nÊj4¡‡½HÄêu>OdêJ¶‹ho·%{¤µ UÂÔ%Ç&pErÔ>²uk&/Ò×BË/Ý'à^¥´s¡­4©[‚õšó0q©¡½Ò<åç»oÞÒˆ|	sÐ7‰ÒÕƒî*ÉSšš­SXp¥Îµoû‘N“ÿIýœµ·¸‚U{‡=»/‘€×‡-›‡$oÚ¼(hXÏaUY’ø¶^I8Y«
+-IBÚ
¨«¼YÒíiq‡DÑÒ»[Óܱ:Р4†÷±Þ„ße¶oÝ
1	ùÐÀ)òzV'»CÓöõcq6(¨?×+Ž-jš@U]q¦¢àP“:u-a±ymA©àT9*pÉpuŸ:w–ØcDAŒ‚®­_h|®»ÀÍ4RÂ5
+âÇrÉŒKÒøt~ JKyݵÝV3H_oÅã'CF}kÅpXEe°8ö²ð¾ðjúâö2yÑ.lƒÅ§×`:ù¦ &úv*nOvmköõ®Zåëã¨wŸÞTÐ{€'fÝWyÙvÔ%ä`›;y2^ÚÓµ¿ù6û³Û¨sÐy
#†QPŸQbè.ä2zÜšÁæ¬ØÛ:kÌ4"’±r?Ø„irzk0ãílBòÉ0ˆy*¯©hÂÚ‚¼Ö‘H!‹$:úžkˆÄìЯ2‚8j+šjs?;lž­b°4¡¾§¢’("´µtšÚT©ÊË–h(ϦdJf™-9±1L²ÉbÁyÃBªõ V8!×tNwü]t(9¡p¬ƒJb²7'dÛ™¦É6†uæ{íèFÁ°Lê^ÈC™‚K°ñ"«)·‘b½”v‹HPá9ŸÊO]Ïêo®ÝÕ<¡ÀÑ›H¥ÈÁ¾ìM¤uÞDzF´®ÐvæªH;½±]	8Õè:CÏr]b;Ô.œÚ¬Ã“J¾šèàÁèu©³µ<] §®&ßD˜úšËÊ5„^Œ•%cÏü•íö…±°eÚˆ&šìHœìîØ•(ðŠ2Ì2w¸ÉPdeËbkFŸt\ðn¶s¶ÈŠ†ùÝf±÷»1{ÞÖÖ>z¹4®ÓaC5Ð
áÊ‹/äŒìÿ9O%œá—|¸ª°ß¢»È¿E1q½Ý?9_|♉«Jì½Xõ×#ùÍÕt3:¿þó%v ¾ÿÆ6õ/¨<|·Ÿxc
:,ñÿ{àô¿“(ñC­åôc-ÞL4ô'§jª±æÝÿÎUÿ/-˜endstream
 endobj
 897 0 obj <<
 /Type /Page
@@ -2649,38 +2672,34 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 911 0 obj <<
-/Length 1989      
+/Length 1969      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XYsã8~÷¯ð£\µb‹¤¨c穧;éÍÔNf7yš™J)m³Z‡G’sìñß (ù’ÝéíJÅ¢  H>àÏÅ™†ó8
™
-¸šçÕ,˜¯àÛ§w<þÀäïsýx?{wñyÊÒHDóû垬„IÂç÷ÅoÞ‡¿½ÿÇýÕÝÂ*ð"¶ðUx?ÞÜ~$JJ¿Ü^ß|úõîý"½û›_n‰|wu}uwuûájáóDq˜/œ„3®oþ~E£OwïþùýÝâûŸfW÷ãZö×ˉùsöÛÁ¼€eÿ4˜L5†—€ñ4ój*ÉT(å@)gŸgÿî}µS§ü§dÂT"â	ªxÏœ‡,±œÇ*e‘Òz°ÓY›¯~Þ¿éQ4Ufê‡:«4~‰3ðÁsÿý]vùœ³T)auÔEÓwÄZo«GÝ—/R–$qzÈL"Þ]‡b>’—(1„eò0±L*.@i2ËçVw—Ï}ÖëJ×=½~Ô¿¨Mošš(Y]Ðà×.[i§Iîy		ÅT“¢ûµÍÙ1‰€	A±,¤þT’HXḺeR¥^ÞÔhÚjÛ.xâ¡ùHíA›‹qÔéöI·8N¼¾!ZVvÃ(wò2'!£GiVëþYã/œš¦tÂFÁð¿!‰€ ñ¬`¡	:Š8‹DjMÛÕœwûPøýý	Š®9•‹.ú¬sŸ€JÅ’”é.„`§bâØNÎcË@Ì£ C¬¦eäò÷ÙN­;•†ÄCž" È—dL•½â öž±WmËÞlÊ)ôpI-”ø~ÀŠ|t„ŸŽôìdê©<:ò]ØcÐ;â6ýšÈ…Y:ÏóD‚*<ÌÉ¥[óWûÚltÛݱ1ç&#•^Nœ€§ÃÂM×ëÚ‡¸ž.>”‚‰Ô‘Êë6:7¸v›52²˜:Š#B³$JVÎñ*ï÷@¶ ߦiû(œ¾õëÌ	è×Æñ›´×¹>Õn[8èaU´ÛÞé>×ÚÌb€Òå„‚T±(äÃ
-‘AêÝôd»ÛÄžL¡Ý*3zÐF‚£fIiž†F@sj‡‡ê¶6ØFÛ²66ø²ÙèºjœõÛXˬ7OŽÏf5
+„˜'Ûkt9â‚^§¦{²­H“”O8]î…R‡ñ:Ù­.Ä;Ãè»4Ÿ	w¢F¹ÿWÀ…¤€+,[…ÉAiçÖd«Ð+e¯vUâá(
-ŽºOSm+Fîƒã˜Ú Ññ):¤dôzfbEÌÐW×ä‡CyÆÑØŒ³;*"ðm˜—9%ú…Ú ÙÚIÔ²i¾l7D~ÔËÆq¢°`^âÇ·›¬w#]Ž­æ9<³3§41¥ êŒ§4éNiÍ[øésÚ§6«*Psá8;Ü›!IÜÓE1ðVNõËÝ×	¼B&…*T&ƒe
-ððx
-±»4u@7–,ÀöÏ¥„º8ÚH0Eƒ5Ø°•ú¯"á¼0ðmtP
-F¿Ò	ã|t®v'ôýö…|îå¶vØq'í…iuÞ7¸;ã‡=ùOŸðq}þž.r»³Üýê™°»q8+ø×ðKì0Ø»„À·>;³ˆmµñ—¦Ôo1«Ò†ª¿É»7ÌrÝ–)ÞÌûMâɨ5µöwóhÊ«îšö¡n&µdÛ~í×/û¾<¡ÐYY6Xá0æëÓ_žÅ@²
 ?'u,³/Ú7®ÝûºIK¨õkUnõ[LYgß”…Ÿ—†ÊÖ׬›®ÿF¿Mñ«ìåôRëS¦6Ðõú­ë´ß¤h¸;ðs×|}JÝôfyìYzý=ô˦4¹é'Í„Tß˺Úe.døýëFó·L€.Ú‡,Ù4Mù–h"l{ø÷Í˲õ³N¿	1Mûœµ±â1ŸFM]¾øaiÚ®¹ø%Yö¦Ä]ŒÚëM³y°w
-”·ö\y÷ræNtêšX*†w»wUÁ¸«~÷òî~=Œ™L’3—^2€½NÀÆíŒB7ÈøäBp¸k>5ý¿¡Q†endstream
+xÚ¥XYsã8~ϯð£]µR‹‡®§žî¤7S;™Ý$ó43•b$Êfµ$çØã¿/@Pò%;éíêJ‹A>€ Ù,€l–„~ R9‹Sé‡gYuÌ–0÷å‚9o`òv¹~¼¿øp±Yê§f÷ÅŽ¬Ä’„ÍîóßæŸþöñ÷—·‡Á<ò^ó¯o>%¥Ï§_n®®¿üzûqËùýõ/7D¾½¼º¼½¼ùt¹ðX2XÏ„®®ÿ~I£/·þùãíâûŸ..ïǽìî—7òçÅo³¶ýÓEà‹4	gÏð#ðYšòYu!Cá‡RˆR^Ü]üs¸3k—Nù/‰&<žp`ï81é§<³8LýHpa=ØiÕf«…ÁüßôÉ›J™ú¡V•&Âà ~b?¾ï;Žÿþ€.»<Æü4¹ÕQçMßk½©uK\Oý$‰Ó}fñáJòÙH.P¢„m2™X&ã 4™ås«;ŠË]¯z]麧ŸŸõïAÀkÓ›¦&ŠªsüÚ©¥všÄŽ—@ý0ŽIÑýJæl™8„# ©?–Ä1,ÁÀÕm-q0ÏšM[nÚKæh¾ˆÒyÚì4¹GnŸtKã¾!6Uv
QTæä©Î}‰£4ËUï=küЄÓÓ”£´\骩!r,ø=ƒ;­O:’™|È¢¹v9£ÁíT*ïò[$îyæH*:èNg.L)›‡>?4…	îó@Æ{¶%ÃÈõ†	ÇÒÐÜÀžO.#ƒ*õJƒGKà7ër
+%ŒÇ><|'±5â¤#ù[ ˜zI$Ü!¶hË~l‘…PãD<›~å.€´I£ý„ËMë·ß!wÖög³ÖmotçyôÃô|r,6mº^×ÄõxãRøPŽÓC„ón­3ƒû¶™!"‹k £8"4QTž»íwÄZ,Ûˆ›ï$ Ð(Cà­àfO€5Óé4;UŸoîh€õ¿s“Ò—!;HÚµÊ4úN$s<¸4B›[k8»ÖMÝib‚õ%ýxtlPcº¾]$óMF‘²I1HuL=’pT©º¶ûļ숦èS7m¥œtÚ íë°´ÏVTȆÜCÛêvcsX•#Vå>VÅ| oÑ)DàS˜Îu¡ JyGÃ*Ì
+›;)uvnT9ž»Š(å®d1ZíÔ«šxtK…´µNäUßšåÒ©Ê¿
ÿL¦ñ€mêåŽS@0ŸK9Qk¹Lì¦ð‰lžT9Ò-l%5%šAf]ä÷©vÇÂ^ŸFÛcáƒî³­Í,PZL(HC?’Lº¤óëžlw‡Ø“ɵۥ¢$8j
+J3ð44ü ˜SË;T·•ÁVÙ–µ±9Àëµ®ó¡ÆY¿Õ±T½yr|6«ih\!ÄÜ8:^£óçlð:5Ö“-Eš¤­'	÷<÷ã
t²;<ï4–Ñwi>î$åþ_ç‚bÙÊMJ;·'[½€^({µ«¨/@QìWSm*&#wIÁqLíÐè
+ƒRýÜ3±"fhÖ5òr(Ï8quGEæ†uÊ)Ñ/ÔâÉÖN¢–Móu³&ò£.Ɖ‚y‰“nתw#]Žmæ)<û'nb"òêÎxî&Ö¬±…Ÿ¾‹}iUUš3W®ØáÞIâ¾.ŠÁ|édP/Qlg'ð
+™$C94߃e
+ð°x
+±Û4uìA7~€íŸK	u~
+´\7¢h°¶RÿuB$4ì¾öJÁèWº¥cœîÎîà„žßÞ¡Ïýx€£NÜÉ‹ynZ¸u5x:ã
+‡½ÝOßâqÞÞÎr“)ýWýê
™°}U8)øWð?±Ã`ç¡õêÄ&6ÕÚ+L©ßcV¥+1T“uïXåº-“¿›÷›Ä“Qÿjjím×Ñ’WÝ=4íCÝLjQ›~åÕ/»>¿ ת,,póô‹éϯb ªÄBchÇ„ÅI…úª=ãÚ½·M* Ö¯¼e¹Ñï1e¥:¯)s/+
•­·¬š®ÿF¿,ñ*õrüpuˆ)Sèz½ÖuÚïR4¼x™ë
+Þ^R7½)=K?ÿCý².MfúI3!Õ7;åá¼®¶È¸¯]köžÐE{%ë¦)ßM„mžy)ZïQuú]ˆiÚgÕæÄŠ×|5uùºç‡Â´]?r±s²ì+‰{ü´O˜fý`ß(oí½4"òöljwÏ©—3úø~;ñVŒ§êw?oÞdì‹$9ñè%8ë8ÜÎ(tƒˆ-ß“MÿQK.endstream
 endobj
 910 0 obj <<
 /Type /Page
 /Contents 911 0 R
 /Resources 909 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 917 0 R
-/Annots [ 914 0 R 915 0 R ]
+/Parent 916 0 R
+/Annots [ 914 0 R ]
 >> endobj
 914 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 657.8237 539.579 669.8833]
-/Subtype /Link
-/A << /S /GoTo /D (lwresd) >>
->> endobj
-915 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 645.8685 118.7265 657.9281]
+/Rect [84.0431 645.8685 133.201 657.9281]
 /Subtype /Link
 /A << /S /GoTo /D (lwresd) >>
 >> endobj
@@ -2696,14 +2715,14 @@ endobj
 338 0 obj <<
 /D [910 0 R /XYZ 85.0394 449.6033 null]
 >> endobj
-916 0 obj <<
+915 0 obj <<
 /D [910 0 R /XYZ 85.0394 421.758 null]
 >> endobj
 909 0 obj <<
 /Font << /F61 642 0 R /F57 632 0 R /F42 605 0 R /F43 608 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-920 0 obj <<
+919 0 obj <<
 /Length 1166      
 /Filter /FlateDecode
 >>
@@ -2711,21 +2730,21 @@ stream
 xÚµXÝ“Ú6ç¯ð#tFª%[þ˜>]®\z™æÒRú”f-MlË‘—k›ÿ½ò6`À„ëð`³Ú¯ßjwµ²lóCñ âÐòC+JG¶õdÖÞŽPÍ&Ðåz3ýxç!+„¡‡=k¾ìè
  ÈšÇÇÄpb4ØãÛw÷oÿœÝL|w<¿ÿð0˜Øã»û_§ÕÛÛÙÍû÷7³	@AãÛ_n~›OgÕ’WëxsÿðsE	«Ç¥³éÝt6}¸N>Íߦó-–.^d;/£Ÿl+6°ßl脱žÍ¢0ÄV:r‰‰ë8
%ý1ú}«°³ZŠöÆÙ;î	 ñ;ÙhqÔ@c‘o{ÿ3hç¨~t´oCÙxtJ¿n«hž2ÀëÌÖé#“½¹q($Öú„T)'gL:mªrPG9ˆÎ2­ÎZ¨[φ
–PLršT-HªÙY:œ7°¼ÒTë~nˆŒÃð¼w*¥4{©éêÌQÒPå”y~*š[î!ÛÜrçAvÚ¦Ù4hyîò|èøØ­‹Àí¡ï{V‡ÞÖ@Okì”òè~Ð݆Ð:æ:è{=ÕÙuŒ\æXˆ °¿°j.B ‹|üº^yÈŒanp«óá*Bî†á+ïcì“ýQE‰¾±i§…U\UÇ@Þâ!¬…¾íhüëR‚D<Åÿfg$2³aËX¼-T΢.ô½Š©¦C%*Kž4i»Òf<ºÌ§(a4ãÙ“i9fžÞÐä,î£R?2ª‡‹”ŒK±!"¨¢Í,Ä#5ÜŒ¹0ÛwÍ®LÞ´<ß5¢I©˜BÆ{xIÙÙŽ*{èmÂÇ'MóU´NÕYDÍ·ÔövŠÂ]Ç‹?³5<æú¥w£NdkÊ3 …8y´W>­+‹³b|aj!ä"'tçRlxÜ+udÜ0S€Òø›s¨(€Hª€ÊiÓð‡¸VÂfK“Q«rJ-³/‰¡Ž5mF¢‹m](tÐû¿Pc“*æ‹ÒÌ]K)R@×z5> endobj
-921 0 obj <<
-/D [919 0 R /XYZ 56.6929 794.5015 null]
->> endobj
 918 0 obj <<
+/Type /Page
+/Contents 919 0 R
+/Resources 917 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 916 0 R
+>> endobj
+920 0 obj <<
+/D [918 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+917 0 obj <<
 /Font << /F61 642 0 R /F57 632 0 R /F43 608 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-925 0 obj <<
+924 0 obj <<
 /Length 3088      
 /Filter /FlateDecode
 >>
@@ -2742,28 +2761,28 @@ l8
 zmRBæ_ç·@ÛÀü·I¤«ƒ”#hÓ/'úS)ŸÜGü‚ºÖ‹¹þG½Û´{_Ô:™€Y²ö™Ô¥u^ëZ(gRŽ»ý¢+#Ë+2Ëgp 	ÜÃâŠfFËrŠÓTÒ¸ÊwêÆœV›ô“—ñC2Ƈ˜YB:kýUïj’YcÌô«Ú¢ÝqÑßòôÉLiÁ$r®²È&àF+ѯqLj‰Ä%‘yFKzP´$@9—ïð} ¨›bUŸS—Xƒ²ö2-Ô…‰-ä3Béð—÷¿\½Ö´•Þ*LoPô¬4ÀCÑÐóÇÃQ!Æà3¾ë¹nw`¿Oå‘•Ôæ_ŠÆ=ÓÿLC¢KO`–%jü"òmòÌèší‹3ó·2üÜëiØø®8€êx&තJ¾Jð•qïãgDŸÏøîÄ©t3½­ã°—ï†#-
 Ô-ðe"ÖˆôÞu…—­0ª	§‚õ]àÖ1E˜$7ÞAàÎþ—ó›Ó§ˆ)	âÞžEę٧$Úº@œúî¬ÜÀ‹Ûœ½®àD³þ¡ÂÆ‹ÞÎîPƒõî9‚ó82°„DçÎÙÄÄ@!AòüG±ÛoÝ“‹¦*SaëË=г'W¯mÂb«YŸ¹ßv_˜ÇŸë»_|›4-ЫÂ$z˜„‹öZˤê²5@.3.²s&Lêí9ù¬ç€N1_õ `¾Ÿ.’¿O:×Þù{3åï“Ö|¹ÚdãË•¾ê¶Êk?pû:T/1-K$Õða‚Š*WècÞ¡ëÞ2¨˜zj’4¨©26x¥!…žªµN/Çò.¸çV@ØýËžê_›û¦¡ùHäÍ€]ùÑÃ4›´¡¹Ç´ô=ª&â)èGz^eº­‡ÓÞFã+ÄJ¥{½÷eOîIõñRÝ1d~Ã_ßLÈo-Ü7ÿȧûVr‘Ó’ª I7k¢ðÊŽ)o
tJúÊ0&endstream
 endobj
-924 0 obj <<
+923 0 obj <<
 /Type /Page
-/Contents 925 0 R
-/Resources 923 0 R
+/Contents 924 0 R
+/Resources 922 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 917 0 R
+/Parent 916 0 R
 >> endobj
-922 0 obj <<
+921 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
 /PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
 /PTEX.PageNumber 1
-/PTEX.InfoDict 928 0 R 
+/PTEX.InfoDict 927 0 R 
 /Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
 /BBox [0.00000000 0.00000000 27.00000000 27.00000000]
 /Resources <<
 /ProcSet [ /PDF ]
 /ExtGState <<
-/R4 929 0 R
+/R4 928 0 R
 >>>>
-/Length 930 0 R
+/Length 929 0 R
 /Filter /FlateDecode
 >>
 stream
@@ -2776,12 +2795,12 @@ q
 n*Œ1½÷¨¾x¥Æˆpîâ‹&XîÃœ§³±è\íD¤ßä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎr)`˜¢Xh¡Ò& „hb—H°Œe"Ãêʱ„£~Ï“a³tŒºìZDß!#Z¶ÚÂk! e'jÝ=§ _tsÙ¬ûÍ&­Nå@‚i¬ˆ3t%kÐE„\H–YZxÿ/U¥Ç™åë—Φ@±¯iWH
 þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5©/¨vp÷o`kA“ôr±ñœÓ4N.4Žæ&F°ÑTÆG%V½ Î'ÌØR5¬BÔ‹`qUžv-UÍ=ëÆåQv2ë_ ”¿­qq‚~èr¯Ú5ÌJ¼ð˜°h»P¡õ‹kÜàéÚýªå>Ò¸D°o»Îi¸CrT]¿MJ¥ ÆÖ¹’°;¿ö‹ûóZ¼¬å[Ç-œÁ¤ŸBx¿ýpü|üÈÂendstream
 endobj
-928 0 obj
+927 0 obj
 <<
 /Producer (AFPL Ghostscript 6.50)
 >>
 endobj
-929 0 obj
+928 0 obj
 <<
 /Type /ExtGState
 /Name /R4
@@ -2791,72 +2810,72 @@ endobj
 /SA true
 >>
 endobj
-930 0 obj
+929 0 obj
 1049
 endobj
-926 0 obj <<
-/D [924 0 R /XYZ 85.0394 794.5015 null]
+925 0 obj <<
+/D [923 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 342 0 obj <<
-/D [924 0 R /XYZ 85.0394 694.7722 null]
+/D [923 0 R /XYZ 85.0394 694.7722 null]
 >> endobj
-927 0 obj <<
-/D [924 0 R /XYZ 85.0394 663.4969 null]
+926 0 obj <<
+/D [923 0 R /XYZ 85.0394 663.4969 null]
 >> endobj
-923 0 obj <<
+922 0 obj <<
 /Font << /F61 642 0 R /F57 632 0 R /F42 605 0 R /F43 608 0 R /F56 626 0 R /F84 858 0 R >>
-/XObject << /Im2 922 0 R >>
+/XObject << /Im2 921 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-933 0 obj <<
-/Length 3480      
+932 0 obj <<
+/Length 3484      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]sÛ¸ñÝ¿Bs/•g"„øNž|‰su{q®ŽÓéÍõh’’ØH¤N¤ì¸þ÷îbIQÎÝ4™1ÀX,ö›’³þËY‹8Ué,IC2šåÛ‹`¶‚¹.$ã,Ò¢õýýÅë÷±œ¥"U<»_öö2"0FÎî‹_æ±Pâvæo?Þ¾¿ùáóÝÕeÎïo>Þ^.TÌßßüxMÐwW>\Ý].¤‰äüퟯ~º¿¾£©˜÷øþæö¤ÔœÙôîúýõÝõíÛëË_ïÿrq}ïïÒ¿¯4^ä·‹_~
f\û/Щ‰fOÐ	„LS5Û^„‘Q¨µÙ\|ºø›ß°7k—Nñ/ŒŒˆT'•H#£§¹,E"% %¡Ä-•çr¨¦¸ì°Ëm—uUÛUy»øg¨M9¾·”ZÄ‘IfýÍOHðX4è
R‡q¿./:绬[×Ù–{ÍÛhÞ¹i¦ÐÂ~°-÷åž0³Ý®¬‹–'üÕxECíÓº¬	½ªÛni懼+‹!RÁmÛê¡­êòfÄÔ…ND²^(¢íë"‡u1Ñòº>#BЇ(M{ˆBƒäÞ,iQÝt¼zWæÞº,^ÁHªøÚ0U”Ëì°±xz^ñQÒçuƒ¤Jwòµçè‰S¡“D1nUÓ!|šöL]ùSKsùa¿¿”f^ÖLlQQ?ïšýó¥”Ò]ŸNœ-Tˆ@§ŽW¤çËf¿Í:Ò>|qlí¹¸G.iÛ¢ló}õ€/f‡ë±È*šÿf‰LD¬AäAir¿šp×^¿è/8ÞÓ}‘þOp᪩¹QB‚ˆNhJ#¡d¬4¨‘
-á„õ]§ÂP½¬ï±IDd@ë^Ôw…Ôîš}7¦-‰D$•œõ·;9Ô!MÚç‘	D˜êpx(ë·™~÷Óëû·?QÇ’P2¯ÛRaãôÚôô´-[Bi¡!–µ²zDÅ´CY]¸¥uáGßÝ~¢¥;»¤éš¼ÙðYûl‰c(e9khB/¬t'–Cµö:§¢„ÅÑÌÁŒÃnZÁJJæÍÎI„™»±mVÕ›g«; ˜¯„€»1¢t%X®zõz±œg§dì0Ï?q®&òžÝ:«ö^ÁPûžªÍ†D×Xß²§yh±Í›íöPWyÖñÄSÕ­G»Ú4o	¬'~”…7Öà1t(¿!á=¬$ÜaYÛbÐlEùXå§ÞL…"‰ùòñkâü7S©H@h†Xi—i¾ã`E.ç>Z7lÁb’(îžiù‹í#‚¸<â0üž$`‡Aê\7CÃv·¯¶Ù¾Úðp]–…ÛÕJð@Ÿ®ß’q
X.“%¾Ù•û…¹Eÿ#Õ¼=äkT–Úû¿^ÿL¨SÝf֢Ч©ÓH°ÙÏà~ªœ:‡]a%aòñp¯jU—Œüï¦.[TÇ(e¥²˜;ÞØ¢£c\L	´õ–ˆ%û’è,­0¬!
-¬‘. €Iý%±rK½§ue/‹lXCdu²‚zý‡dA.¹q{|Å„¸6s$à±ÈQôXÜ?â·Cµ'6:gpeÕ×á6«¢ G%’53éùR€×øz8ûp)ç¥C-¿®³C±Z´„.‚Ød’`¨$r»Ëžm¼Çlsà“&C&à& è¥pã5¼ÏkÒÛ©ÐĈ\bÀÏk_$VF"
ÃQì…¬ƒógô®*L7"'P‚‡è^ш•Qj;‚¬ý|ªÚù¤Î'Œ¬RF­e'vgt$€à!ddï!à´.û‚‹`iÝÑ"
-ê‹æ£¨b5ÇC¹¯êª«œáÍ›_iu É¢ÁM“qÈä­£?	0PÝw‡[ójëœ@]£/ÐÓ†xÈnûöðÐïm8ˆ}BÂCÛ³N2aä·œ@ë¼ðXö1š¦ƒ§Ø”+Ë€Eƒ¾wì¢@(PÇ—©ðXd|A„žŠ‡tÜ_¢9ß#‹ ¶°¬2èó’x˜o‰]†’œm'+^xÿã»–Fè]`ˆCûXÓIì›-.ÐŒX1JÀeI=ŠpʯùæPðÛo {Þà`jNïmãüÛ89aÊPbèá©sûñÞíîZNj(
-¬F—b…ª&¡§Tøîÿ¾âi¼„Ìçï£ÁÏŸðïHJqèÃçOן? „@L˜Ÿà_•ÈÁ³ü‡¢¿D¤Z™QV7%Tv‘gí`›ïŠò»7n=xh=¸?غîßлLM“ãÜ”4@CBpžÆ¾l‚8øvý¾i6eÆLÿÈ=£Š ÕßÐÆ>ÖymôXHSvèÖ‹ú+˜Çì4[¡’òåã=ÖÄù5ÔR„
-‡€##)0=TˆÝtè²ãçr*+voA8è°•u¨õ1W9}x&’]]MíkDK‡òPqTq’“mž²g†Û²£Ãššnÿñî㇫›[ê±;ÛÁ³–-X>–Œ[-©HªöÌÀÚP
-•`í¦/qäó
øǼ;d²D©}ÊfCRÒUè!C•PÌ‹óÇ0À˜£ï7ƒ»+‘˜È¹Íº™âB(o·­‚C\›Q“CŽ³*éÈc‡3\õÈXBc
-i ÿÜxo® ã’*ØØôÌüI!3ô·Í¦ðIŽ3†Ëc;E§°ÍØÚa>Lªì[ÏÚù‰	®aÕýÄõ¬×ÕJ©Ï”zÞÃzAÏåÇ (
¦‡`å×ê¤Ô 5~I¾LƒÇš bpßP‰0†—Páòð —‡C@l#ÞHrrÅ•#ÛkÆPPºËú˜çë2ÿÂYwàÒvxÛr‹/‹¶öK;Œ‹
Ö¹I:ÈÊTK5©taµ£Üºïòœ±@R	,§×YÂÏGaÊHà^úbS뼘¤6$[’Â8°9õ²Ü»­r²o­ëVA‘¿äÓf¼[”+lÞƤzTË¢·Yè(‚@¯þ‚¾Ã(ŸóÂhŽaX–ÐQ< ³«uGn=V)°ÔÓh
øŠUUgå²€ÓK±q¥È
-ð .ó‡)›¬âfEÅù‘/ ¨þc‰ºšºîtQ)VÈ1q:-¬œ8£
-€År¢è-¥§Fl
-mÛŽ«ÐMÄ‘‹^ú{ÅFy±æÑ^6¯ÂÒÊ‘2[3Dü†Z¬íseqá½hƒÅË—|æškµ o ”ûªtjAÂœ¸z@ãz)eˆK¼,¹ÕZ	¹tþ;E8=/¿îªcXçT|^V¿²W¤Äƒä’mŒ?QÃË{…ôÕR«í”h¼¯j«)*E¹âÏ°¬$Y¾® ,(xô™ÚÞO†©e’‡Ê{º%}Âì¥B†¡sˆ.P„émjù׺Ë!¼¡ÊVXŸ˜:=Ú„ñàt6é²€$Õñm»¬mA¦~T	¥#9¢0<]¡<Òž.š¡À/ÆAŠ$[ƒ$$/ÄÀò;uW?z‰¼çØÃR\vz‘“›Ëþ”LNhTnù¸H&§¤á ÎÖpª³†Iï8έ=ª%,be“ç”
¿ï¨Té?¢l¿hT‘î«'¾§¬´Ðø«à["
-­u2Üö_‡–£Á¢j1çoOƒÍSÆ`Î=`ª8÷»1	ü±×D®ø8òÿþMÙñwÀKmÌ™¬Y%ìØ„‰BV„Áiy¿|€Å<%ýåÁ Qendstream
+xÚ¥]sÛ¸ñÝ¿Bs/•g"„øNž|‰su{q®ŽÓéÍõh’’ØH¤N¤ì¸þ÷îbIQÎÝ4™1ÀX,ö›’³þËY‹8Ué,IC2šåÛ‹`¶‚¹.$ã,Ò¢õýýÅë÷±œ¥"U<»_öö2"0FÎî‹_æ±Pâvæo?Þ¾¿ùáóÝÕeÎïo>Þ^.TÌßßüxMÐwW>\Ý].¤‰äüퟯ~º¿¾£©˜÷øþæö¤ÔœÙôîúýõÝõíÛëË_ïÿrq}ïïÒ¿¯4^ä·‹_~
f\û/Щ‰fOÐ	„LS5Û^„‘Q¨µÙ\|ºø›ß°7k—Nñ/ŒŒˆT'•H#£§¹,E"% %¡Ä-•çr¨¦¸ì°Ëm—uUÛUy»øg¨M9¾·”ZÄ‘IfýÍOHðX4è
R‡q¿./:绬[×Ù–{ÍÛhÞ¹i¦ÐÂ~°-÷åž0³Ý®¬‹–'üÕxECíÓº¬	½ªÛni懼+‹!RÁmÛê¡­êòfÄÔ…ND²^(¢íë"‡u1Ñòº>#BЇ(M{ˆBƒäÞ,iQÝt¼zWæÞº,^ÁHªøÚ0U”Ëì°±xz^ñQÒçuƒ¤Jwòµçè‰S¡“D1nUÓ!|šöL]ùSKsùa¿¿”f^ÖLlQQ?ïšýó¥”Ò]ŸNœ-Tˆ@§ŽW¤çËf¿Í:Ò>|qlí¹¸G.iÛ¢ló}õ€/f‡ë±È*šÿf‰LD¬AäAir¿šp×^¿è/8ÞÓ}‘þOp᪩¹QB‚ˆNhJ#¡d¬4¨‘Çú%'»‘m†Ø$"2 /Z>Öyëá±ðÄ]³ïƇ&‘ˆ¤’/ê&íßÓ"Lu8<”­…™~÷Óëû·?QÇ’P2¯Û2ÆY	Ó³ îmÙ*È
±ä–Õ#ª¹ÊêÂ-­?úîö-ÝÙ%M×ä͆ÏÚgKC™ÍAôCzÑ— ‰±	¯Á*JX¸Íœì¦¬¤¡dÞìœ|™¹ÛfU½y決
+IøJ¸#JW‚¬Wo ËyvŠ@æÍó,ñç`"ïÙ­³ÚÑiïuù©ÚlH¬	Càµ7{pzŒ&Û¼Ùnu•gO]¿%S°ƒ&J|³+÷
+s‹ÞLªy{Èר< -µ÷½þ™ P§ºÍ¬mE¡OS§‘àžÁ™U9u»ÂJÂ1À½ªU]2ò¿›ºlQ£”•Êbîxc‹Žnv1%ÐÖ÷"–tÎP¢ëµÂ°„(°FDºðF$õ—ÄÊ-õžÖ•½,,²A‘ÕÉ
+êõ’½'„ÌØã+&ĵ™#EŽê Çâþ¿ª=™°Ñ9ƒ+«¾'ð°YÅ…L*‘¬™IÏ3¼Æ×ÃÙ‡K9/jùuZˆ¬Ð¢%tÄ&Ó£èF%‘Û]öl#à=f›Ÿ4èè07!4/¯á}^“ÞN:F„Pü¼öõHbe$Ò0ErÈ:8xFïªÂÔq r%xˆîXE ±#ÈÚϧª-‘Aê|ÂÈú(e„ÑÊQvbwF×HEBFöNë²/(°–Ö-!>¡~q !°h>&K!ò3q<”ûª®ºÊÞ¼©ñ•V’,Ü4`.x;ú“ÃÞ}wر5¯¶Î	ÔÅ0–=mˆ‡<á¶o-ðÞ—Ø'$<´=ë ŸF~Ë	ô±Î;e£i:xŠM¹²X4è{Ǿ 
+„u|™
+5AÆÀDà©xHÇý%šó=²bË*>/‰‡ù–Øe(u¹1Ñv²â…÷?¾ki„Þ†È04¼‹54Á¾ÙâÒ	Ȉ£\–Ô£§üšo¿ýr1á
&úµÞ6Îÿ·“¦%†ž:·ï]
+à®å¤†‚¡Àjt)V¨jzJ…ï®ñï+žðÇKÈ£þ>üü	ÿŽ¤‡>|þtýùBhÄ„ùëhÈkÂPõ”ÈÁ³ü‡¢¿D¤Z™QŽ8%Tv‘gí`›ïŠò»7n=xh=¸?غîßлLM“ãL”4@CBpžÆ¾ƒù8øvý¾i6eÆLÿÈ=£NŠ ÕßÐÆ>ÖymôXHSvèÖ‹ú+˜Çì4÷¡’òåã=ÖÄù5ÔR„
+‡€##)0=TˆÝtèríçr*ÇvoA8è°•u¨õ1W9}x&’]]MíkDK‡òPqTq’“mž²g†Û²£Ãššnÿñî㇫›[ê±;ÛÁ³–-X>–Œ[-©HªöÌÀÚP
+•`%¨/qäó
øǼ;d²D©}ÊfCRÒUè!C•PÌ‹óÇ0À˜£ï7ƒ»+‘˜È¹Íº™âB(o·­‚C\›Q“CŽ³*éÈc‡3\CÈXBc
+i ÿÜxo® ã’*ØØôÌüI!3ô·Í¦ðIŽ3†Ëc;E§°ÍØÚa>Lªì[ÏÚù‰	®a9ÖýÄõ¬×ÕJ©Ï0zÞÃzAÏåÇ (
¦‡`å×ê¤Ô 5~I¾LƒÇš bpßP‰0†—Páòð —‡C@l#ÞHrrÅu(Û+͆PPºËú˜çë2ÿÂYwàÒvxÛr‹å3‹¶öK;Œ‹
Ö¹I:ÈÊTK5©taµ£Üºïòœ±@R	,Î×YÂÏGaÊHà^ª^–‡>ÖyyðXV  …rt¬‰E”ÉËÇ:¤‰cûJª•;ií!VBù;Ô'9Z{å­½rÙ¤’ÇÒª䌰k©ŸÙT\$†cÜ¢5æž	éh|0ImH¶$…q„asêe¹w[ådßZ×'¬‚"É!¦Íx·(!VØ4¼Iõ¨–Eo³ÐQ^ý}‡Q>ç…Ñð,¡£xþ@gVëŽ&Üz¬R`;¨§Ñð«ªÎ:Êe§—bã
+J‘6àA\æS6YÅÍŠŠó#_ƞȆ9”Kºóœô©ð	µKç‰ÏväyÇÕ,d„ITŽ™7˜³q=á¸#šŒDó@Û8\̲lòÏ­
Öö£‡+
ÔtZ6UÌh×\ÓS¶f¸‡¼öu{ B¥óT#”†Ê§§ëò»Ô…ÛiB¤.‘ϵÙĨùºÙ•ËÅÐõYi¤œA‚ÈážÖÞ³eÚ³MËæ´=ì\Þ–.þH
ÄÉH>©ÅÉ'†¿?p¦Ëšb]lï%,þ¨º‹éŽۣWÊ
¦ãk‘$æ÷‡)‚Óó$‚ÀR«AÊ4]A©ˆ±äŒ¬åè­„	Óh\:H
‡Xh#íÞBÛ+ÕЀõviz&h•‘WªÝ!Uù4A‰Š„|Ù†
Ì饌öŠ}Ÿ‰ š‰gjñW‰©0UO+[#$?ÏZ¾™“ mÉ,˜ïøé!Æ a³Uʼnåõ)é	ì„Éïx›á{ðãËßêøø>ýX¨˜ÃpXjcþ<S
?Ưmg]Ë	ãrC±9nâÝÀ\´£Vkc4ÔÝ`oÈÅoÞÿL°+2–-ãØhenŸã1›ìÑ–cuÌß8Î~FÀrfeSÍ,×Z:ƒ©mÍÉ:+„ýwÍ1
+Ö$jéVDX-à9tM±³Åû&³¥
noöÒ\á…!PŸøÃðØsxáóúQ:pºZ>éh|@PýÇu5uÝÿÒè¢R¬câtZX!9qF'ŠåDÑ[JO!ŒØ0Ú¶;<W¡›ˆ#½ô÷<Šòb34Ì£4¼:l2^…¥•#e¶fˆø
µXÛçÊâÂ{Ñ‹)–/ùÌ5×jAÞ@(÷UéÔ‚„9qõ"€8ÆõRÊ—xYr'ªµrèü!wŠ pz^~ÝUÇ°Ωø¼¬(*~e¯H‰ÿÉ%ÛL£†—÷
+é«¥V!Û)Ñx_ÕVSTŠrÅŸ6<`5XI²|]AXPðè3µ½DSË$*•÷tJú„ÙK…Cç] ÓÛ Ôòo9t—CxB•­°>1uz ´	ãÁélÒ5dIªã!ÛvYÛ‚MýD#JGrDaxºBy¤+<]4C_Œƒ;I¶(<8HH^†	åwê®Byϱ‡¥¸ìô"'7—ý)™œÐ¨ Üòq‘LNIÃA6œ9¬áT#f
“Þqœ[{TKXÄÊ&Ï)~ßQ©ÒDÙ~Ѩ"ÝW;N|OYi¡ñ[Á·D$Zëd("¸í¿-GƒEÕbÎßž›§ŒÁœ{ÀTqîWh:øÓ±‰\7ðqäÿýµãÏ÷€—Ú˜3Y³J Ø3°	…¬ƒÓò~ù‹yJúÿç®0endstream
 endobj
-932 0 obj <<
+931 0 obj <<
 /Type /Page
-/Contents 933 0 R
-/Resources 931 0 R
+/Contents 932 0 R
+/Resources 930 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 917 0 R
-/Annots [ 935 0 R ]
+/Parent 916 0 R
+/Annots [ 934 0 R ]
 >> endobj
-935 0 obj <<
+934 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [222.5592 716.4773 296.2125 725.8869]
 /Subtype /Link
 /A << /S /GoTo /D (statsfile) >>
 >> endobj
-934 0 obj <<
-/D [932 0 R /XYZ 56.6929 794.5015 null]
+933 0 obj <<
+/D [931 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 346 0 obj <<
-/D [932 0 R /XYZ 56.6929 432.3083 null]
+/D [931 0 R /XYZ 56.6929 432.3083 null]
 >> endobj
 716 0 obj <<
-/D [932 0 R /XYZ 56.6929 404.567 null]
+/D [931 0 R /XYZ 56.6929 404.567 null]
 >> endobj
-931 0 obj <<
+930 0 obj <<
 /Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R /F58 635 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-939 0 obj <<
+938 0 obj <<
 /Length 3307      
 /Filter /FlateDecode
 >>
@@ -2878,98 +2897,98 @@ C
 WGv«e
 µŒHfDÿ?:œ:endstream
 endobj
-938 0 obj <<
+937 0 obj <<
 /Type /Page
-/Contents 939 0 R
-/Resources 937 0 R
+/Contents 938 0 R
+/Resources 936 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 917 0 R
-/Annots [ 941 0 R ]
+/Parent 916 0 R
+/Annots [ 940 0 R ]
 >> endobj
-941 0 obj <<
+940 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [182.6146 339.5936 231.8861 351.6533]
 /Subtype /Link
 /A << /S /GoTo /D (notify) >>
 >> endobj
-940 0 obj <<
-/D [938 0 R /XYZ 85.0394 794.5015 null]
+939 0 obj <<
+/D [937 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-937 0 obj <<
+936 0 obj <<
 /Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F58 635 0 R /F56 626 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-944 0 obj <<
-/Length 3698      
+943 0 obj <<
+/Length 3695      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sã6î=¿ÂÊÌZå‡HQsOén¶—Î5{—Mç:ÓöA±åD³²äµä¸¹_Ê’­8{×nf–‚ ⃴œ	ø“3cc›©l–fIl„4³ÅúBÌaì‡É8ó€4b}ñÝG+gYœYeg÷«-çäì~ùkdc_½ÿtûñ懟ï®.Ó$º¿ùt{9WFDoþqM½î®~úéêîr.‘Ñû¿_ýóþúŽ†,ÓøþæöA2j^!zwýñúîúöýõåï÷?^\ß÷{îW
-ùzñëïb¶„mÿx!b93ÛLje–©Ùú"1:6‰ÖR]|¾øWOp0ê§NÉ/Q.¶Ú¦3à-ÖÂÈoYV;/E7½¬eÈØ
-k^§EóÐân˜1&5w26Yffs›¥±qYÖ«7Ñ3)ãÌ…úui¬RdŒ[Òï-JØcf±±‰DD)b£UÔãÓåÜÊèþWщ>œ3а&c§•—ÌìëLÆ"É2MHƒ¾ßëAðÝÍZÍ>4°£ÙpSLx>¤ì7å’ÍJ¥A5À}*]ìR«iSMv”ºèåR‰¨àr½©ŠuQwÅ’5µl•ÐËâã
&6‹•ËÜl(Ü?§/
Š°ïü`sΚæ*‹K3o Ê8;íd´`'ÀX¦•;؉šp=Jt×ór9ß4Mu,!)\œŠÔ̆dOï±NW7v¨P	
-ÅŽ–¿*[òͦ+›šú=ì¡mª¢+¦ÈØc›2x!-'¼P^íó—6ô«f‘w~ÝÛêÞ|`Øj{)]Ô¬y5(šë	"·‰¡Ú·ô2À:£—€…;úOSó¶Ë»²íÊE{¢%bgezžk‚=:l&vqp³"±7ÀÌü™g©¿í„fdJê%œw ÄDFÝSí¢¶Ø>[êï˪âñT…΢e±Êw—2ª:X4UU,:
ò„E^ñŒ¼Ë‰œ·€€¢	€2l©[òØ1œÐv„K,ZohÞ+eÈ/øXØÈ@s%M´Î_¨óPP›/EÛz$8WeýÈÒ*[‚ˆUf%‹g[/4éO‰3ѱHíPœJEû§rñDóPˆÔ[îÖZv¹&X×pûÄ\þ&„ª¸_Á~ˆ_CbÄS®•PpxCà8ˆbNÓàÔ…±YE ^jÂB’fŒîç¢Ç´mN¬]C°I2³ÒÆ©Õ€Óàö‘ÎÝÐîþ|8aÂîOè"GŸÁÞzW„ið+Í1O
-ƒ©ã.qr{¬789¥F²yÅígb	ßy·3ÄzÝíôX}8øüàѤ"Fºó¤Ó…G‘ ³…h9^˜Î’>`¿‡½2§VdkJ…¾ËÏ{ivÔ©4tìá‰ÀvY¶ùžü¸ùåãÝx8§f“oÁÎwU¾¥ï྘$$˜$fìNÊzÕl×ùÁÐB;}AT"íïfÛ<—˃¦ŽDb tI8`£ÀZŸ˜±µH˜ér–doœ¬€>âO˜ó1Õése¹Ñˆ 5#vNì¬Çzƒ‹Sjßêp´uP<ˆoKÿG'tO“Äê$U•ü¡•Jõ§ÔλšDÅÚ¸ô
W3À:ãjÖ”>•ÄAÔ;»z5±üÈ̓OM,H£õ{ ØeÑ.¶åà¸4«‰£å‚P‰ûŽâÄñƒ/³ÆŒ6zîüü7¶|J÷[O`"c™u5Ö\•PéhÈ•ô+Áï` (©”yÃ:–OŒ
-HÐÛnÚ:TER«ÙîDaÂXË­#‰S†ëÿ5Öq¼‹cëÿ$ûØ5a©'G=gÿ-ŸÒýVëÐiìDó³’W‚T¿Ñ8’k\«ÏG…œvÛ"ïæ_­ÍóvÞnòEqZ"egdr6\`¢Db¬	>Æ©b	š0cF¸|…:¥²ÐßçÜQ9J¯Â*ôF
µëüK1,•`N_*!ÐïvÍUQ¾Ý–ù#Ï ±n·åE~Fü¦TB'“QH„Ü[ˆÉלě`ÀV«c—š@×õ$óõ”oóÅ°*HÝ8ïé|¦¤RËûLÓ¨Í×ö¾¦‚Ž åôIúõ]Lºp¤Ë@KvTËayä4	ÆVù¢¬J¨VxrÕäK,Ë<8¾ˆU"õ¨`᥽2‘j~¾½ù…Ù}ªií·(ÆO÷Dú¤úz,êb›S©•¢àœÛÛ{jýÖ ýðé3uÖù⩬_ ºè†Ñƒ	Ù({GíCÓ=Q¹„Þkú—)Ýz}£þë	ýƒV]ªúÛY†ý|Ç[0¯±‘šX§2û­p¼“¡þEûðf›àÍ£Áwh·u±¯Ê:\å½z/™‹bš~ÇŸ^&Ã(2uÍU>Ö
\¾š†%êÌ$ÎûÒÖ_°pcùrY"Ky5_m›õ<ßuOû£¡Ø㉛UbIªÝy{¬	Ç…ƒ¾óHw3ƒê‹­ES“cl*h3Ž<Oùs*´†ËÁœËJÜc³EÇP>‡*Í©XsT¥œ(퟊{È´pÀ½#Á¼I,Ñ2ËßÌ`8(xB/HÁ;+qbµ?ôCê"Z5UÕì{êïo¯~ºë.§ÜÎÂ@3,ë6î±ðŠ›þíék©Ø[`Ï‹ÚŽÅ+å@¼ï­?Z¼m÷ØÍĽ L„ú³÷‚JÆB÷%,Æ(Òô·~UGqįŒçÆwˆ-¾¬EHÉÌ=^D„݇ËÓ¹~|ÇIf¤Gi`	à²úE&ò˜ƒŠ¸©1N<îúq¼¬}ÌéO:€ÈvpOïŽF†æà3KZÑÏYŒòKì}­¸©^Î70ðPŒíBîß*Ïa–Q’9¾˜ô ^€ƒ‹o€ƒø¼Æ'ņ[U­™øp¾c†ì„¯Ä
-_k›5¶e·ËÙÜhšwˆÈk;eç»Rðr‹·6ï0$ê¨Ýù[ÐLQ€ŽBüØIÑV¨¾E±eœ†ò«à8h|KÓl“©zMMÆÂ1
“(™hÄü0
-j+ï!”=Õ:¾Xعx%Ú p€­›e‰ú-øÛߟÂ"*¹# UÏSðZE‹9…µÑUÕ6h:åÏMÉÉ‘
*´h‘ä¼ á{Õl§¶ÂºsjlÜN#ƒ¶W€µ‡À݆Ú>Ùuè„0]bÃ@’µÄ lš¶-ýå‚‹?6EÝòWÕ	ªwÒSi[3<^mS=óyÛS>‡½fWq$÷‡c_¶Eô蕈NÞ,û»¶qè?>ö|ؼ5ñôÑ[•Ias9¾nzâ¢rEÐœšþ
 í—–z«0Õç—Ðþôµl×Mod=5mÇ~=:m|2™a¯½jš˜9ŠÍzê].‹­ÕÃç
-“…4²öK‘8^cgÇ1n®µˆµÒz¬+òþbWŽØ•&–‡Çܸ"’‚Úu^V=ûuÑM=M@Éj„ÍY!se¢¯k«ê…‡.¯T¶æl¼­–Ð1’\½#„+Ë9ÈÉè
-þ…Ø'Â	;V„ü$1A°~+,¨ÌÅiâŽê¬óÛ´
-tvÉS§dÍÐY³æŠFö¿Ù	2F}©›}í‹}.ºŽœp^Ý>¯ðp°‚fê•É
-Øc/üº™T¤õ½ø?Ð%'ä÷ÉW(C|Á1öèþ½áÇ¿ÓT)d›ZÒ!ø8¤C½}WÔ^:øåvvm?Ží8Õ„mó¦ö6¤ûw´Ca¡4Q#o?KGÏe±dxƒ-]uP—n:äVdô!çm"ãGAšx˜.vNë³ÂOâTȤ7àpÇÔý-:-¸)åêå•çO‘‚åÙÃýØb·m鹈ÔÍߦŒUÇÒfjd¬ˆ½ÈIÚ‚ÃÂú÷™åÄe¨Ez\¼*´ö¨€«šÇѯöù¶&C‡5œþü±˜2¦Ï礑€ÈeoïÓå5õŠ6 –—Vo—/ ª(9TÓ‘„È	/1ìPr9­Ö1RÈQœH41	†LqŒ²jkâìøž‡Â¾¶(¹æËnƒV	‘àÁÛ‹Á^l¨|p1)©0&$ÕâÊòéÅÞê,<Z*¤wײØOôYc_ ‡âÐRœ&úS‡jêRðæ|Åç	Åð> ·¤Ó\2dõ#,ürT	îòþ® Ý¯vøê3¥ŽjºN“‡ÇJ„zz«›zÎLáÉ{.ü†$þõ© 9Ïbš:ÜqÉ„)j¶‰57Ô­‹YÈ7ÅÔóûFŠõË€»å”Ì1F¯ˆ¿Û@s*x}U0…–>Ð
0µµw›}~Á*ÄåU±Ýæ]ZiEׯ8JÆК†—=<í‡7˜!îxtE}}3‘erQ¥­¢€IÝ
•º£oOŪ`¼ª¯|¡‹J@ÓOÒèsY/Š#Ìpâ[´"yX̱‡²ÀPd®àÁAíluÿŒ}¤¢¾²üÛˆ²盄d_o¢ñ7>ŒÆÏî‰"éC;H70æ8sÌ ï7N}*ü±Ë”9ïTõkNuÞÏí÷Éç??þ¸ñqŽj0L~4–¸PvåþîÏJoº8#”éY(06
Ç•GêX€ôwI4ÓßëÂÝõÇŸ?_ˆ	~4ŸBaâøš'LŽÞ¡X=¬ÙÍ´dPØÉþPõ²?¹ÿä…â×ÝÁÛúÕ5Û#×Z»Ãe³„?¡Š_ûm°61þ wâ~Qô?‡ýÓ¿>ü¨:Icíœzý	-Át‰™Bù&êôöVÐØ)ëÿîž]òendstream
+xÚ­]sÛ6òÝ¿BôLÄ‚sOnâôܹ:wŽ;×™¶´DÙœP¤"RV}¿þv±ˆ”h9wm<‚‹Åb±ßJÌø3mb“Ë|–åi¬¡g‹õE2{„¹.ãÌ=Ò|ˆõýýÅw˜åqn¤™Ý¯´lœX+f÷Ë_#Ëø($ÑûO·o~øùîê2K£û›O·—s©“èãÍ?®iôÃÝÕO?]Ý]Î…Õ"zÿ÷«Þ_ßÑ”aßßÜ~ HNWˆÞ]¼¾»¾}}ùûý×÷á,ÃóŠDáA¾^üú{2[±¼Hb•[=ÛÃK‹<—³õEªU¬S¥<¤¾ø|ñ¯@p0ë–NÉ/•66Êd3à-V‰ß²­²NŠvzÛ”!b“ý:-Z—-úcRs+bçz67yk›çA½©š	çZKÔ¯Íb™Y £5èÜ~oQÂ3µI"Š$ÖJ¦@1>]ΈîáèÚ8]k"¶J:É̾ÎDœ¤y®i0vg=ÈÀ¾»YËÙ‡N4Š	χ”Ý¡l:°Y!¨¸Ï„mfªíÁŽ2½\Ê$*ù¥Zoêr]6}¹d@CO¶JåññS“ÇÒæv6îŸÓ—E˜Œw~°¹?gMs™ÇÖf¹3P©­™"a°`,WÒìDN„€…Ýuå¼ZÎ7m[KH$6Î’LφdO6X§»k3T¨…âAGÛß?UE†vÓWmCã{èÚºìË){r ¶T˦QH‰‰(TÔûâ¥óãº]}ɯ_wåö…†7¶Ú^
+µk^@͉õx‘›4¡š·ô2À:£…'úOÛ”ó®/úªë«Ew¢™ÄÖˆì<k‚5r6[€Œ8¸Y‘ص`æÎçYê/e7¡‘‘z	ç1QÿTÂ@Ù¨+·Ïå–Æûª®yþU¡òhY®ŠÝ¥ˆêž'm]—‹žf½<aQÔ¼¢è"ç¬  h ;V—UW< 'àËÍ/ïÆÓ=6Åì|W[z÷áË15‚uþ…I²#a‚Ī ÕãpR5«v».†æŸÓ¢J²x7Ûö¹Z4u$
õ M½ƒksbÆÆ@"Ma
”Ëyš¿áY}>ÄŸ0çcªÓ~eŽ¹Qˆ €Õ#vNì,`½ÁÅ)µo
8ÊXh’oKÀ‹£º'‚IcyRª
+(þЂÎJ%`½ÁÃ)µó¡&•±Ò6{#Ô°Î„5eÄ£€®’ZÈzgwXÛÂ<ÄÔÔ@ƒ4Ú?åF,Ën±­îÒ®&\Ú…D¦öÿqÅ	÷ƒ/7ZzÎÿ<þG>¥û­˜ŠXdC]Mz ÇzƒSjçm
*¤ÔoØÚ댭y,Wf•Pîwý´­%Ðc	%Ïï°&¶ÛZgλ†ûÿ5¶v|Šc[ƒh'B&œ°µÌ‚£ƒž³5ÿÆ‘Oé~«­©,¶R¿¡÷€õ§ÔÎÚZšakmÔy[b½nkwì·eÑÏ®•œݼÛ‹ò´Ë¡ÊÅy6Öã:6…ê1ÑcF¸·†&*”0ÞÜQ¯’&Tû„ÛgYîÚZz®‹/å°ƒ5¡C ;+œš[¶b»­ŠG^AsýnË›ü–èä7)S2`‘Žò54IâÛŒfÂ!Ò8/ôþ0á*¶™öpØO0_OŶX[–ÌŽ‹²Þ•q23|Î,‹ºb]hï>8ÂTA¯¤_7ÄŠgúâ´eO&önV‘PanU,ªº‚VŠ×m±ÄžÑQ€hà€ØÂÒˆº)ÞÚ)Y¡ÇÏ·7¿0»/ÐÒ­Ý“q7Ö?‘~à %é„Þ˦ÜÔ¦š(¸àçí==ÝÑàùáÓg¬‹ÅSÕ”®{¶Ñ
£{2QþŽžmÿD#æF¯é_dt%÷úo&ôZµ™èßgéÏóA¿ÆF¦c•‰ü´ÂñI†VøÙmŠ×¢ð¡Ý6å¾®³Uõ߀-å4ýŽ_L†Iiê®zlZ"¸|=–
+h°Ì9KXgb©ÇƒËe…,õ|µm×ób×?yî¦`'aVjHM™²ç9X,Ž»'|1æ‘.Ž­+w‚‹¶¡ÀØÖP$fœy(ŸŠçÊ·-÷ª÷¼xÆv‹¡zö-¤•q¢õQéCp*“hÿT68@¦w'ðš³BË ,wm„Cà äA4ƒj ãÔ(çôCêI´jëºÝêïo¯~ºöû.§ÂÎÂ@A0¬š.XxÿNHÿvô•-päÄÏžÅ+Ä@¼VŽ/~
+pØíÄ¥¥È’Xª³—–Rĉ
+ý5æ(ÒtW’uOyÄíŒ~ãÄß$#¤bæJ'"Âî|Àåe‡[f7¿ãŒ$rËì(!
,BV¸íi"9I ˆÛóÄã.lˆóUãrNðt‘íà™ÞÍÍÁª´£[³•«bí¸©_Î×’0ñPŽíB.kÇažS’[¾5u Þ€ƒ[y€ƒ¸º&Æžâfý•/Î6L|¸Þ2ÃvÒWª5¥/€uíšg»ªßln´ÌDäµ›²ó]}µÅ+¥w˜UÔíÜm.©`€@n„wÒ0A¤%ªoQn§¥úÊšßÒ²EÇdªND“±ð`ÌDË$*&æbBA]í"„4¡Ë·Þ{à90§Dã°u»¬P¿%¿»Ë}@Øa@D%÷~¤ê8`
+찦0&ºª»­J§â¹­¸82^…-’¢€4¼¯ÚíÔQXwVŽÛ
+od0Ãö
+°nãî
+¸ÛÐ3»ƒ–KlH²§'1›¶ë*w³ˆàòMÙt<åTu†Azªlk‡îÕµõ3ûÛžê9µ»š3¹sŽ}Õ•Áõèy^T,ÃEà8õ»=;ûQ´&ž>:«Ò®ÀO¯.„بZ´ GøÀîKG£•_êêKxþô=Ù®Û`d=µ]Ïq=mü\¥sÍQ{Õ¶1s/ÚõÔGÃ<6F
¿¥èÜ—APµ_ŠˆÄñ;;ÎqГ&±’JuEÑ?Ô•#v…ŽÅáËÜ$I$z®‹ªì7e?õÝD‰X'&T…èæRG
Þ%×õ%$N]N©l7ÌÙøX¡c&¹zGW†)r’Ñüó¹/ñv¬
õIª½`ÝQXP¹³ÔõYçil, óebì˜*#k†ç‘5+îÈ`f_òÅ„Œ@_šv߸&EGŸË¾§ \Wà0ÔVÐN}3	œ1¿i'e}aðt)¹s@ñåÛÐ?/áåÆèã@Ë_&OK%_m*5(‡àåP)Œö}Ù8éà›s#ìº0Ïq©	Ç.çmãlH…h
šÒBi¡gÞ°JEÏU¹Txƒ#]õЗnzä6Éé+Kb¹nKrþbÉS_M[«ÔYá§q–ˆ4˜
p¸cê6Ü”‹jõòÊ·Ù$Ë3‡ë¶ÅnÛÑ·( Ò´›2V“Ë‘±"ö¢ i'œ®>
$ph¯È  /Cï˜dÇÍû¨C뎸º}ýda_l2txYƒ÷å”1}>'D.‚½O·[àjòm@//ŒðÑ®X@9USq(‡ž‘úÌ	'1Pq9˜íÖ3RãÉQžH1	†LyŒªj£ãüøž‡Ò¾2(¹öËnƒV	™àÁÙ‹I¼½ßùà$bRQ`,HªÅTåÓÏ	ŒÊý÷LC4âî:–ÃBW5†î™84‡†ò4ÑŸrª)7¤äÍõŠ«Êá}@°¤ÓZÒWõ#,ürÔ	îŠpWÐíÊ×;üI®*jè:M¾¤"ÔÑXÓ6sf
+=ï¹t*ø§¤n€¼Ši*Ç%R¦¨ØZöÜзz,f¡Ø”ÐÈ)6/î–S2Çb£"þ¨ÍºàAö•Þ:zÁ0äÁôĬ½Ûì‹C
+–>/¯Êí¶¨éÒJIº~ÅY2Ö¶¼íá»3¼8ƒâŽgWDÑõ7U&7UÊHJ˜4ÜpRizzwTŒôÆ+CçCTš~šEŸ«fQaz“lÑ’äa°ÆÊCYŠ¹’'½³Qáû‘ŠBdø‡/eÁ7õžòÑDáJ’><åƧcŽäâÆiL…†?¶¹Ô烪z-¨ÎÃúÑyŸ\ýøCéÜ
¢ˆËsÔƒañ£°Å…¶«pwF8ÓžMÏ}ƒ±i)©Xî/N˜ ¹Þ¡Y=¬9ÌtdP8ÉþÐÙŸÜòÆñëîmÝ/þÚíQÄÖîpÙÁ,áï»â×~¸¬tŒ¿6ž¸_LÂouÿôš¿øN³XY+_ÿ"—b¹ÄL¡|Syz{‹×bFN°þ_aâ~Uendstream
 endobj
-943 0 obj <<
+942 0 obj <<
 /Type /Page
-/Contents 944 0 R
-/Resources 942 0 R
+/Contents 943 0 R
+/Resources 941 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 917 0 R
-/Annots [ 946 0 R 947 0 R 948 0 R 949 0 R 950 0 R ]
+/Parent 916 0 R
+/Annots [ 945 0 R 946 0 R 947 0 R 948 0 R 949 0 R ]
 >> endobj
-946 0 obj <<
+945 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [137.8681 615.6107 211.5214 625.0402]
 /Subtype /Link
 /A << /S /GoTo /D (statsfile) >>
 >> endobj
-947 0 obj <<
+946 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [265.4578 569.7892 326.6578 581.8489]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-948 0 obj <<
+947 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [367.5441 569.7892 416.2908 581.8489]
 /Subtype /Link
 /A << /S /GoTo /D (incremental_zone_transfers) >>
 >> endobj
-949 0 obj <<
+948 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [280.9692 538.553 342.1692 550.6127]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-950 0 obj <<
+949 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [277.6219 507.3168 338.8219 519.3765]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-945 0 obj <<
-/D [943 0 R /XYZ 56.6929 794.5015 null]
+944 0 obj <<
+/D [942 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-942 0 obj <<
+941 0 obj <<
 /Font << /F61 642 0 R /F43 608 0 R /F84 858 0 R /F42 605 0 R /F56 626 0 R /F58 635 0 R /F14 616 0 R /F57 632 0 R >>
-/XObject << /Im2 922 0 R >>
+/XObject << /Im2 921 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-954 0 obj <<
+953 0 obj <<
 /Length 3442      
 /Filter /FlateDecode
 >>
@@ -2992,1408 +3011,1402 @@ k
 
 üêqÆTàŸƒÚÿüqåñËS›AgŸŸèçLE®‹Ì…‚[sò¢w*úßÃÕOendstream
 endobj
-953 0 obj <<
+952 0 obj <<
 /Type /Page
-/Contents 954 0 R
-/Resources 952 0 R
+/Contents 953 0 R
+/Resources 951 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 961 0 R
-/Annots [ 957 0 R 959 0 R 960 0 R ]
+/Parent 960 0 R
+/Annots [ 956 0 R 958 0 R 959 0 R ]
 >> endobj
-957 0 obj <<
+956 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [367.5469 453.6623 428.747 465.5625]
 /Subtype /Link
 /A << /S /GoTo /D (zone_statement_grammar) >>
 >> endobj
-959 0 obj <<
+958 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [483.4431 396.26 539.579 408.3196]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-960 0 obj <<
+959 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [120.1376 159.8067 193.791 169.0221]
 /Subtype /Link
 /A << /S /GoTo /D (synthesis) >>
 >> endobj
-955 0 obj <<
-/D [953 0 R /XYZ 85.0394 794.5015 null]
+954 0 obj <<
+/D [952 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 350 0 obj <<
-/D [953 0 R /XYZ 85.0394 682.6783 null]
+/D [952 0 R /XYZ 85.0394 682.6783 null]
 >> endobj
-956 0 obj <<
-/D [953 0 R /XYZ 85.0394 657.8964 null]
+955 0 obj <<
+/D [952 0 R /XYZ 85.0394 657.8964 null]
 >> endobj
 354 0 obj <<
-/D [953 0 R /XYZ 85.0394 440.2898 null]
+/D [952 0 R /XYZ 85.0394 440.2898 null]
 >> endobj
-958 0 obj <<
-/D [953 0 R /XYZ 85.0394 417.8192 null]
+957 0 obj <<
+/D [952 0 R /XYZ 85.0394 417.8192 null]
 >> endobj
-952 0 obj <<
+951 0 obj <<
 /Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F58 635 0 R /F57 632 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-966 0 obj <<
-/Length 2347      
+965 0 obj <<
+/Length 2351      
 /Filter /FlateDecode
 >>
 stream
-xÚ­YKsÛF¾ëW`O¡¶Œñ¼ë“bË^¥Ö²£e[IY,“€LBÖª¶ö¿§{zHHV¬˜GOOwO?¾Š‚ÃOÆ2d(\ÐÌpaŠ‹Õ/>ÁÜ»‘hÊLT©~œ¼|kEX°Òó«/ϸ÷¢˜_þ:³L²CàÀg¯?œ¾=y÷ËÙÑ¡Ó³ùɇÓÃR>{{ò¯cj½;;zÿþèì°ÞˆÙë}œŸÑ”M<~<9}C#>0=;~{|v|úúøð÷ùOÇó^—¡¾‚+TäËÁ¯¿óâÔþé€3¼)î Ã™A«m3Z©<²<ø÷ÁÏ=ÃÁl\:i?Á™TVNPË)šÀ¬’ª7 ÐLƒY8糓¦«×WÕE½AÕ€0àE)³RÇ•óë¬Äl±]}9«šKš¸i×݆šÝuÕÑl——mêõ×zMí»År™oîòè—Ûz½¨‡«õ¡ð³vEd«êž†ÏkØÜÔ‹ß8—uÚüv³h>åÍë¤ÍÐZ(&ŒA3¢:ËŦ«›²m&/{ÚRŒ‘qI{Ó-Ú†MðV–ynüXkŬ׉°«>£ºJ	°}ij‰=-úšF•edkÜ€­Päô21®./×õf³ë®Jxf¼ð…“œq£ÄSV²à½ŸvײçXYF_ɧ¤`Æq»ÝÅ\UÝÅõžF…U¡™ã·„4†q
§>Osâ ¥bCžŽ	ÅHŠ<¤ììØ&gÇ9F:膎¸‚IàRJɤ•fìs£`3‘¼½‹>ó{úRŒá,œ;†
ž} Ç&nb*Q•Èéƒ^F­EZÖ´i`f/v‰¢o
-f”'‰q»©/c˜`
-9ãCÔæýí²[Ü,'ÓC¦±á)!$™w>Snºª«WuÓe‘FÖJj¿m×4\ÿ·Z/&©ô€1”GroÅ)-dÍÿÑÇ0Ëó¯¨÷ÿW½ÆƒóÛYIÖÖJ¸ýM@jVL'vÐ{)ìˆ÷~zV‚9¡ÉOÓ1x7«›ê|YS›\Mµªû}”¿é<¡Ï¾Wíz´ÖÏN>ÒÀؽp	Y]#ØT&y“¶qî*ñj&yú~qÊâ»]U׋&ï¢IþZ'Ÿ«å¨òédçIÍ‘Ñ´.
-êƒþӚإ>nûƒ…SNØn›‡Â/ÏTyÙ6eŠ¥5Ì9\CMç“E(„•»*–_í„–€/œÈå”ê C¯0¦éÚ	®îÓ`Ô7de`èîz‘óVOÖ	ç÷£ä¹(AsÑ®IÆÑÎÀÙ¨±Om }d‘ûU'¿ÚI‰I^ß„íË34¶¢Ÿaã|ñ€­*ÓßTkÈV©×^|®)Ú¿u…Zcw§Vœ‰×0^â@ú.º]I¢93p÷ˆ›N0W‡~Mµ,§bí®º¬²•S	¿‚÷ÂFç½¼ |I#y£íG#(~£0rË®m–÷ÔúZ-oë´k_ù°“Tã[¬7®äÖ3'•{i¹Ë8]	Çk	n?iôË!Ë}¤¡g^C õdÂ!À÷ðBøë„ì9~CHÃ5S’»±À¡Rk¼*8?ö r…O·«>Âr*˜é3§	"Y¿Æ8`¢ÄÐÇéÆaÊpÕÜç¢;]s‡k°âíoÀ'7mS¿zŒç÷B¤ÇŒFé9%Ù‹ªÙÇkãÓ™*=«,Y_ˆ6ÿ˜2opLiõ‚Biw V²œÀãj‚ÕªÚeö8†šBŠl3tþ\?R¦{81e*Øu[Dö ù‹Þêßvž}e‡îôt;Ø<ův‚Î3¬9u/]`VpHq*0)­¾}˜ôöñ3À‚Äøh[ }A+*G/ÐØjƒƒPxáæ×üÐQÿsÓÞ%r§¢ðˆã-q©¨8eQ”˜Õ4±>ãLºB:Â2÷4Øv×ĈÀý¤9TÀLÞ§Õȣܴ·ë‹z*•÷äcÔŸ)>YX›Œ`Í’à½U@ƒi(ÅàX,ÝØØÜ"ØÁÉÐXã蚆ý{P¤ŽN†Ô-YÆÐðy$˜Y—AÑ,²$yqB^û¶ÙI.CÛL€7òA+^ÿ•F÷˜ÈÚ–AUûPd‡¯òŒ÷d‹Í8‡Ro\FÜŸ’{ÑÐJ2ÙBê ⮋	é9Z&Ç€
Gð²‡äãS…‰ß¸áSRæ1ÚÛ´ëÉéÑ›7g{PÐöR)&„ÑχZ™c9d¹ÿ
-ª
gÚ¿Ý¥<:ýÏÔ›Žd6è¬	è+z#-É(çt'-µ°L;±óXCïù‰e"áî¡L>ŸB:ã!<æ˜Ü”Ä,BÜ`˜›·n0xZCÈÆ·V¬KÍÍzñu±¬?eT°½t>ôÖužçY_U6ßDbN1/cƒŠ7ÊNT÷1Si(œJ(nZ™­	
-:	Q&²‰@|èJû‹ΙáÂ¥Ù”áñô°/ŸV=í¤÷Ä“Å`b,ž«¢|v¸èÕCB
iÛË'½—jÁ &ƒ‹Çg0«Ux˜­ãÀ+5óŠÝÛFþ·Çræ@¼m”ªÞ$è±’AME´#\TõtàÚÆ"’‰IÐ@$&çþ' ¶•VÎöþžÜÌ÷Žqáî\|Sr8VE4ƒvÔtk8ðòd%‹7-èSTÊ|Ë㨒×à Å+(L
-n*¸íÛNÙ5fV-ÕøÏœÅw-üö—$H¯ÃÇ~
	 Ë9Bš9æ¡„Ÿ—
‚<
èØì<ØÄí’T¤qäêPñ˜9°sHƒZ¿¼ùH”éâÉ.“Þh=“ùëøb¨³lP„ ŽÃ³Ž·³sò6¾
šų̈1öÌÒxus³¤¿ƒ`ŽÞ"yK#QØݳ‘UÈ@œ—wHX¡’÷iƒ„ÆwñæGçg‡RŽ„>æHâ¹M”0ÜkÀößÂ_Pˆç†°	€ÄËí…Ï{©Yà—'þwä}¸>û_ÎmR€"®ü8)*¡óPâ	ÔMä…ç¡õ^úˇ&ªèá¾ýendstream
+xÚ­YYsÛF~ׯÀ>…Ü2Æsë'Å’¼J­eGËa@ɧ¨Ñ‚‹Ö€L	f¡”ÎN«¦Ü^Ër‡ªÑc@³œ¢¹ô+×%Xñ٪[}>+ªË0q[o›]h6×Ef›´lWnïËmh?¬Öë´x÷F¿Þ•ÛU9\mçÌÎêM Ûaø¢»Ûr¹úR^ÆÍïv«êKÚ¼ŒÚôÍ!™ L)4#ª³^íš²ÊëjBñ¼¥Í#N)î—Էͪ®Èo¡‰¥Ê¾€µD[	›âÕ‚Â7ìQ¬±G½Eß@S±`åHéÙ*ÓcË„9-Œ‹ËËm¹Ûí»«`–(Ëlf8%T	ö‡åÄYk§Ý5o9æ}–Þò	Έ2Tw;£˜›¢Y^„T(´ø…L¿%¤R„J8õxšÉqòÁà˜P1‚‡”œÛÁÙ±#tŽ¸€IàRrN¸æjèsƒ`Sž¼~ð>‹Çð
1†³pî6xö~ XØ7qsS0ˆú«H>èe¡µŠËª:ôÂìÍ>±áƒå‰bÜíÊK&˜B˜#FYçµùx·nV·ëÉð¤i´{IqbM”»¦hÊMY5É@ÁkEµOêm.ÿ[l@Š7”[HÀʹ;qr
Yóᣈ&†Øw¡÷ÿw­Æ½óÛ[¬‡-Æ…pûƒÔ,ˆŒì ÷–éïqzŒ&ƒŸÆc°fVVÅźíàШŠMÙ¦`è£Døç	-žð½ª·ƒµvvú9Ý— k8Á$ï ­Ÿ»Š¼ªIž¶]³ø¾A7ÅòzUÅó]UÑ_Ëè“`µÅS>í<é )2ªzÂE!@­“ÚC“ãXjã¶=˜A8¥tíºz*üÒL‘–u)#¨˜kEŒAÀÕ×t1Y$‚i¾¯b~¯'´|aX*§¡nÒµ
+c#MÝ3ÁÕcôÚC#ᆤ=\¯RÞjÉZ#áüØH0<%¨–õ&à I¸ÂÃ(81ô©¤$r»êôó½žôŸä™³­@ؾ¬1CcËû6.VØ*ým±…l{õò¦Œ¤hü–j-Ü=´Ú㌼úñââwÕìKâÍ™»{ÜtZ¹
+ï€ÔµkŠu>kÅ£g•¬;xHøm‚!h+¬wÞËeHÁ—a¤'¯¢ýÂʇ_/ïØÕÕú1´î‹õ]wm+v¢j´ÃzÃJ®-1\˜çáÔ»”‘™âp¼:ÀíW!–cÞg9FÒPb%ZKö$|O/¸¿NÈ–ã7„TTÁ©
+ùʥī‚±C
+®ðånÓFXJÓ Ý`æTîO$ m÷ÀL”xú(ÇÍ0¬c.ªÇTt§kn
V¼ñt’qUWå»çx~/DzÎ8nžc’]Õ¯
Ogªôl’dm!ÚýcʼÎ!ÅS
+¥ÝƒBXÉz@¨wÏCª	V#TµÏìyµ˜CŠ¬t¾)Ÿ)Ó-œ˜2ìÚ‘4ÓZýÛÎ3V¶ïN/×ì;€ÍKüj/è¾ê¼ÂšS÷ñÜ8¢…'á\ëþÛ‡Šo?,ˆŒ»ñìZQ˜ðÂN„Â;‡›_õCú7UýÉa<¬`탇¯—"t§ì<Šb3°š¤Ì×gœ‰WH°Ìc¬›ëÀˆöÀý¤9„ÃLÞ¦UÏ#ßÕwÛe9•Ê[ò!HjÏŸ,´ŽFÐjIp&¼U@#&Ò„ƒc¾tccw‡`'#@| •	×4$h߃<µw2¤®ƒÅaýŸGœš5	TšU’$-ŽÈkl›½äÒ·Ít€ÔÆØAbŦò÷ꉬ-	µbŒDöØ
+C¤e²»3Œ9AZJEŠ¿O‰†ÏI²ß¨¢Óvµ»6O×bæ2|}¤j9˜Ü4!Jƒ¹prˆâÌßafx[ƒÜe*£P
ØC%uNÏŽÎGøËÂUL€á¹„1 ~5þJó>ËñÓ¨´Ò¤Æ–¥<<ûÏÔC'ÚIÝY•…‹„Tx¨=ÀóÔcHzw›
+ *£"š˜	!²Qçž÷ÍZ6SÞ¡‰ký+½„¤„Ýsƒî]hqì`Q‹êv»º_­Ë/	*t7Ñgu^¤ÄY^€ v߆gT'™ÂAÒ
+¥½‹¥ŒqE¦â½‚D¨ÎY:ÞD2r@ÐZã&VÆèþ¢€Erfêù¤1O
+pŸÅäH<–õ&†âÙ‰E^:Õ_óî©¿&äaù‹^Q%ƒèòQ;]Ô?Ži)ÜÓ¼Â:
+¼b3­Ø¿ƒ¤ÿ€4%ÄëÂT´†.Ë	T:8€2L1ãU=ëù¶Òˆo®2F‰> endobj
-967 0 obj <<
-/D [965 0 R /XYZ 56.6929 794.5015 null]
+966 0 obj <<
+/D [964 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 358 0 obj <<
-/D [965 0 R /XYZ 56.6929 769.5949 null]
+/D [964 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-968 0 obj <<
-/D [965 0 R /XYZ 56.6929 751.5879 null]
+967 0 obj <<
+/D [964 0 R /XYZ 56.6929 751.5879 null]
 >> endobj
 362 0 obj <<
-/D [965 0 R /XYZ 56.6929 301.5992 null]
+/D [964 0 R /XYZ 56.6929 301.5992 null]
 >> endobj
-969 0 obj <<
-/D [965 0 R /XYZ 56.6929 274.1347 null]
+968 0 obj <<
+/D [964 0 R /XYZ 56.6929 274.1347 null]
 >> endobj
-964 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R /F84 858 0 R /F86 972 0 R >>
-/XObject << /Im2 922 0 R >>
+963 0 obj <<
+/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R /F84 858 0 R /F86 971 0 R >>
+/XObject << /Im2 921 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
+974 0 obj <<
+/Length 2662      
+/Filter /FlateDecode
+>>
+stream
+xÚÅZÝsÛ6÷_¡·R3ŠÓÄɹsurŽnnîÚ>ÐmqB‘ŽHÅçþõ·‹(R¦äö’¹›Ì˜KpÝÅþöPÄŒÃ?1³šqåÒYæR¦¹Ð³Õö‚ÏîáÛ»x‘i1äúqyñÃ[#fŽ9#Íly7XË2n­˜-׿$¯ÿòêÃòòf¾š'†ÍÚðäÇ«ë74âèñúýõÛ«w¿y5ÏÒdyõþš†o.ß^Þ\^¿¾œ/„Õæ˰‰	o¯þzIÔ»›W?ÿüêfþÛò§‹ËeoËÐ^Áòùâ—ßøl
fÿtÁ™rVÏá…3᜜m/R­˜N•Š#ÕÅÇ‹¿õ¾ú©Sû×ó,Rˤ€5þˆX!™s:ËÁ‚#ÒÓkÑ<k2Î/up¯ÉRf$w½{S5‚9­%ú×q–	pk¦ã8î½Æ
öŒŽi“
+äœi%AqÏñ~¾0"YÂ_™\»–Lq?ŒµÌ	‹‚gŸg‚ñÔ9E<Ú[zØ?ðÃÕVÎÞ4`Ïl`R\w1XØ[dÓ`…ÌÏRï4³‚‹ ”Ù$¯Ú†Ì³f0+`ž2Á¼n—×íÝ\ð¤ØÍ%Om³÷Īs‡3ÍTjâܼ^O¬/S6,uÓ•wOç5®t˜ÁŽ÷8u3ʨ¹W|=`šÚ7[@ÿÕpF_8ž~›Ð0Ì ;ÿ„¥aÆ©ÐÐ J;ýBh
ÇEö-cC[Ç2“eß>8†+Ÿ‹.ļ¦èhª|éX'e;_(ËÀD" =Qžª„¨ð#ë¦üi"ÚýÃCŸSžÄ‘¢ëÊú^2—t›"ŒøWÎ×ë]ц•îæŠ'M°|ýwÝß;ôm›Î'üStí”:!C/p¾}ˆŒ±È8@QNa-Á·ŽSJú) øÁ'œóä_M]P•\Î…‰OaÅ®à5.G	èõëPÝVÆ$›¼%b[¬6y]¶Ûð^Öô|¨rï3 »ŸYr—¯Ê¹LtyWÐÐï^ÏÔ+á_	I@$ˆ¨ÊmÙ…¯MBAöm³¯cs&4ùš¤t›¼›ÂÆ@&nFPI€O/‰ö©íŠ-4
+2ý2ŽÞ5UÕ»A;Šf@&¿êmhtÕ<<E˜°¼>§4
+Ÿ®Åú{Lf6D‘Ow%bŠÞ(«l…Ü·bMqþHÞwAÒõÇq0P£Nª¯ÿ\0©‚Ú´Aý¤ãɦ¨éñÏ¢n÷q[¥a·ñX^m÷³6
u	ß˪"êó¾\}òã§×¸µ°ò}©i.˜˜W݆ƒùAÕ«»©ÏëÕäšØb‰Ø†#âÆZ0k¤
+¼N	õÚïìæ}ù¥¨ÃPxæ"¡•ÊŸwÿsY%ÎÄN®Å<¹€~ËBÁíHbØ4Ô€ù»r]Ðnð”­Ð­ÛÔ…E9
+=k9´Î™åîXFQ¡,ž ªGÛýß§&7AeLh军àyOo>´ܤÇ*Ð,B¦¢D×LÈ´’Y©UßOOH€Š,‚ûxƒÆÙÇkàmð†<6帷äÈAµÎ´CVÑâ7,x!ƒ³¶‚-Åòm¬Z´W@Åì†tŸÝB
ÛÅZ—w‡:u\êÖÅ]¾¯CÙ•ÇbûÐ…bÔêW®yJ_LðH£ÝXV9¥¶8øÅÉzu6ЉóõpÈuºö\¸WÛüß‹XŽÑ½‹®Ü‹²~Va§4éyMz®	UF³xPÈìX—«úúßC§±D5쬂Lm“}]S£Ÿ«¦¾§6‘˜×‘¢=ë'š¹-ë}W„aBR·QN±Û–Vú88¢»†ø[ÿ!dÉآȈIäšúö¼Ç¥bZòì¸Îx‚!×iô\¾ƒ,ve^->ï‹ÝÓb‡×ÇÎ7·Ð‚ŸU¡çšÐaä|£áU~¤ÄÇ*ÿ‚Û§äá'Uš0üj6ër•WþDß¼Æôq›·|Ì—t,ƒ§?`¯‰ñíË;)†d—yXï··áh¶€¦[©Cé§ÖdC:[—à}ϽGB*Mr™¯64Þî#•rO½2P9=a(ÜÚHKy£–—«z‰då|‘¥Éwaµºè›Ý'z¹Íëõc¹î6l긜;8)'8‰„¤‚`¬×h¯ĸ"ñ‚x2—RÄŸ®€Ç
–lÖôТՃ¸Ç
Þ}­Â‚¸Ct@F–þ
/­?aA“oC÷—¼ÚS¦yuù©“Ÿ4L»Ãùm
+úGxÍ2HQZŒŽŠh·‰/0ϸ]u|¾ø¨çáVY Ó–Ûý–^YÄÕ=XÏE<£pú8´jê5£³Õ’lùbëì–“ùGòÓ™Žþ"æ…Ì2à:“Y"×Ñö–tq4J+iÆ8Ç´rN~Ï5¡À(­@êtÓÊPƒ+ôt¡Ò&=¤Ô	x4ÂœŸÐÿH¨I™LÓt„
HçoG€‘`´G|ð€1ðïj¿#Ü{÷ûeB>¢9¡	èCŸ%#¿žRö€$8áºjý
|ñweðô%žÛ¢šê)rwôÊ$á"¿aGˆ?4g:^yÃwGðCPôC°‡¬âÅn‚¼h5~o&o¦FQè‡
x– |6Çîþ¾nBÝ?$œ‰ËD¨ëï<þˆk—fäÚƒ®j¼q£ä'éj”óâÝèrœóRÌyðè5upœÈŽ:Ëþþà`.Þœ÷ùpt…‘·±å ä5½îÛþþýÄnÀ‘\Öü¹<˜¥™=Úÿ•@i†¿íO4ï"üêÿfpøõr„²§îÜ7ÌJ—E¥PýTk®숕لêÿbZ·endstream
+endobj
+973 0 obj <<
+/Type /Page
+/Contents 974 0 R
+/Resources 972 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 960 0 R
+>> endobj
 975 0 obj <<
-/Length 3073      
-/Filter /FlateDecode
->>
-stream
-xÚÅ]sÛ6òÝ¿Bo¥g"Ÿ$ð˜6NΫÓKtss×ö–h‹‰TD*®û뻋(’¢ä\;s7ž1–À»‹ý 1ãð'fÖ0®œžeN3Ã…™-·W|öcï®DÀ™G¤yë»ÅÕ·oS1sÌ¥2-zkYÆ­³Åêçäû¿½þiqóáz.
ORv=7)O¾»½{C=Žšïßß½½}÷ϯ¯3,nßßQ÷‡›·7n¹žkÌ—a…3ÞÞþý† w^ÿøãë׿.~¸ºYt²ôå\¡ Ÿ¯~þ•ÏV öWœ)gÍì	>8ÎÉÙöJÅŒV*öl®>^ý£[°7ê§Ní_‡3×–Ik|
Y!™sFO“å ÁÒTèókÑ<k0Î.uToši–Jî:õj5‚9c$ê×q–	Pk¦ãØê½Ã
öˆŽ™TÄœ%qñþzžŠdÿer3V,©q?Rk™	Ï>ÏãÚ9E8=ØKzÜßñííVÎÞÔ Ï¬'R\wÞ[ØKduÏ`…ÌÏ4w†Ù;áE&”Ù$ß45‰gÓÞ,-@<•ñÚ}^5ׂ'ÅþZòdÞÔ,‹0·O13Lé4ÎÍ«ÕÄúÂ1e³€RÕmùð|yÑ…+f°ñk—±T¥jFêÝ`Ð4KÝl~4ú¿fÎC”RC¨ç4Ĥ`‚™ÑÚKŒQA€h$8çÉꪠ°¸B$^AžéYj\¼L 5Üú…(,©4MÖyCÀ¶X®óªl¶á»¬¨ÝmrÐ…ÛÛ,yÈ—åµH6e›·uýîYñHþ5ï¦h	ؔ۲
£u Ò®Ãì|[ª€X?„	u¾"*í:oQ8§s×Î4=MÜÀ2‚H[Oæ¹i‹-ÄV†¼ˆ½õfS?•Õc˜µk˺
-«å»Ýæ9¬RSû{·ñåc´BÄF«E*¦óM@š÷±ÎC‡å}
-œvN^3¦-˜–Ó/ï°&¨÷mG(Ç$Øàü›âÎeU &%„l²äqSßçêÚ”MK×$ŒÞþW«ýµ°IÑ4q~D©òmA=M±ÿBf$ƒæi.Í¸”ËOÞaüô
-·V~,Â"ÍóM»¦Î ~`õöaÊÇó*„590MÌ "f™¡GŒÌØfS©.§„Tí÷vó±üRT¡+´ùIÈÙ1±yõŸÒ’Ps¹4&ªãäô.k’²%ŠaÓ€P
âïËUA_¸ÁS²B1bµ‹c2zQr¨2ËݘF^¡,9V·û_k¿NMn‚ʘ0Êõ7Áãžß|EhªÇ,Ð,²LE)¶ž i%³Ò¨®\˜ QйŽæª|ôñ
£çÀËÚÃ
qlJRp'É&é:3fhr°zô¿aA%léÀ—ïcÖ¢½(F7„»èrØ>溼=æ©qª[ùaÊf”‹í®
É.°Ð/Üð*¤¾àF¹1	,s
-mqà‹³ùPgŠ¸Ì]·}¬óù°Ã½Úæ¿Íc:FõÎÛr[ÌËê$9ÂN;™êËœtX¬L¼Fí—ÛêêŒáVÇP¿6²
-"µMUåËÞÔÕ£ODˆ
-ÅX„|fh›WÏ4s[V‡¶ÝdMÝG:Å~[ÎÉ°2à/…sÁÀ®*ð¿ÕWY†<[$-B¸†‚½¹¬q¨<¥äú÷°.hÜýÀÞ0¥ŽIŸ4¿&ž­Kð¦çÑÛ€–ir“/×Ôß"™ð@U2@95d
¡+Ü×HKGxì£b—ÛtIÊëy¦“oÂjUÑ>ÕûOôqŸW«§rÕ®ÙÔÙoqíàŒ˜Úüõ‚&‚¾Ž€=˜
-㊄Rà™\JïäÇõ–lFkz»¢Õ¹§5Þz-¸Ct4F”îô?[UÙà^€ý%ߊ©Óºg—Ÿ;óÉ”w<¹MÙýÈ\3¨IR#‡D”[ˆÄ§Ž§Û¶ÀŒº#Þßy¸@ˆ±åö°¥²,ˆì¥ç"žN¸·úØGÿ£SÕ‚dÁ¹b3l_¹“‘Gòó1E@ æ/ä•Ò…˜F{[Ò}Ñ  èŒqŽåñé”ú  @¼tJü-êFºh›Ò&u£ÔÃHQpp~†ùÍT3©µX¤37Ð#ÝCÏQ÷ÐÛé¼î¡4»<ìÉâ½âý2!Ñœ€Ôž'aȯ§”=ÚdT8Hoê'ë#þ~ZŸÖ …Ø´àÏ”C»¥J„ËÃ*ßÎ2¯¹aÜQ³ª‰žõoâ‰'»ô¢Ô8^OÞF
8"§p|ÇŠþ±ªC®?†š‰´N×Ýs|j—é@µ!úÜVxËFaOÒ­Ó ÚÅûàeí4F;utoª!²Q5ÙÝÅÅÛò.®-ò&–tk¼¢ÏCÓݹŸÙ
8†Ø’ÿ.f:³£
9LˆÆyöÂí|ë|8é°úO¾{¨÷Ûü´>5'ÚËLtX\Ã
-ŒB0²AOD™~EŠŸKÌ܇qÒBA)~ÒSMÀ
-Š$Ô¡’`Í«©Ô¥2f]rªbôŸ`þÄ5™w9«{+¹³ÜE¯Àš8¬7éÒŒ¼â©>Å›»¡/¦­ÎA¸4rððy¢Ê±Ù	fR«Æ!ÖØÓ2_‚PO	.d¡ÉºRÉ#ÔÔ®
-¸«:ù¦Çü¡Ð‚*Wô 5¾¶¨ÛÓIØnY&„߸ŸÑ—J™ÄŸÐ2T*/ÆO`êÍÝGê	7”Ôë‹ì
Q°¦7ÿºØõÆwš·žÆVS2I“2à_¥eÀÙ]t7²»|ù)ðîŸA¢?mÑl*Áñôè^ü”w)²ñ›uæ¡ÝÕMSÞo*T_u§&ì›´Cɬ_kõ–qÑ]Ê—ú¶>Ö¦YRx7ö—¶ex*¹÷Gd.Lª+j¨9ìvõߣ(À¡É:3ºMº÷ÈQ…›¼…l¼	}UñD@<
ˆîiÏS×ñÔ!lØ1ÛUè·αDzß2%VZl—ë"|àºá]åx/¨™c†ÑY;Ö¥üLAªxŠ;rª
K‹ôO£ñ“”ìÝcÑWF°MÓýb›?·tÅ÷¤•¯‰xxgçÞäðs–¡‡îó†nR¯Nì
-‰»¦³óïÂ2OÈý
ËNÎDzú,ÆÎývI†?&šH‹¼û¹Î_þ]ÓñP¿+kåt~…]`Vº,2…h3æÜ(¨W¬Ì&XÿÌ hendstream
-endobj
-974 0 obj <<
-/Type /Page
-/Contents 975 0 R
-/Resources 973 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 961 0 R
->> endobj
-976 0 obj <<
-/D [974 0 R /XYZ 85.0394 794.5015 null]
+/D [973 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 366 0 obj <<
-/D [974 0 R /XYZ 85.0394 649.7307 null]
+/D [973 0 R /XYZ 85.0394 545.7078 null]
 >> endobj
 715 0 obj <<
-/D [974 0 R /XYZ 85.0394 625.7015 null]
+/D [973 0 R /XYZ 85.0394 521.7654 null]
 >> endobj
-973 0 obj <<
-/Font << /F61 642 0 R /F43 608 0 R /F84 858 0 R /F86 972 0 R /F42 605 0 R >>
-/XObject << /Im2 922 0 R >>
+972 0 obj <<
+/Font << /F61 642 0 R /F43 608 0 R /F84 858 0 R /F86 971 0 R /F42 605 0 R >>
+/XObject << /Im2 921 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-979 0 obj <<
-/Length 3783      
+978 0 obj <<
+/Length 3526      
 /Filter /FlateDecode
 >>
 stream
-xÚ­ZK“Û6¾Ï¯˜[4Uƒ’GDZ³Nem¯=9ì&9P5ÊD*¤8ãɯßntƒ/A£qí–£nÝýu”×~òÚØÈf*»N²82BšëõþJ\ßAßOW’i–žh9¦úáöêûwV^gQf•½¾ÝŽæJ#‘¦òúvóÛÂF*ºÄâÍÇïÞÿôëç×7I¼¸}ÿñÃÍR±x÷þ—·Túéóëþóõ盥L\¼ùÇëO·o?S—å9~xÿáGjÉèï̤Ÿß¾{ûùí‡7ooþ¸ýùêím¿–ñz¥Ð¸¿®~ûC\o`Ù?_‰Hg©¹~„Šˆd–©ëýUltdb­}ËîêËÕ¿ú	G½nhhÿb“FFÅöz©ã(þá]–Q"%%&‹¬VºßåX…vÙSá.›¼j·EÓ.Ëj¾d)²H£®Çóžpï©ìõˆ½”q¤´5Sþ·÷ÅÍR«x±Ï¿–ûnO•ªÛ¯Š†Êõ–þËjUwÕ†*×ëÀÕûüH¥u^QaÅ”ÍMºèªª¬î˜ ®Ö]ÓÜÈtQTÇÝÓ”rꢕvö]¬	¬RF.eÞÛ¼Û!aù®+¨X¶8æûw&-;‘Qªãö
-‡JA$³¡¹‰$ˆA%ßWk-oQb59N¥B[5?Ç 6¨‚D¼ÏŸHâöP*vüÇ
äÕÀö<N„»¢Zs£;¸Ë¸	¢}e \u¼+呶Oft_Í60ßµ5™›“å°Ü‚Zœ XØÕù†JuuÒµÎwTlŸÚc±NÌ–m#&²ÆÚ4¢zÆ€<ÕtãëîxbA óà0âçÙ÷TþS=É¢$íšà,(–Ù`AXñ+á
Û@@6!¬‘	aidBHN&„΄°°bʱ	!é"ËI#™X9=ùÿ8¦î™)ÕhŠ¿º¢=¶^!è¿øº.ZnÃ…LϿ܃¦¹âc¹cMXã9·][l"TOA[…]½c…-Ø1
Y°G-2©¾Å„Ïh¡µÜ	lʳZ8¦:¯…=ÕTd³Ëª=QF•Fq¬åóRôT1&+Ö:ŠUl¦rÐK1(#V¼2*‘ÑJ1¸s¬.bi¤‹®êtÇ9]ĦSžèÞd|ÃNÓmkªâÌë!ɹuãj„‘,rú»+ŠŠŠ4í¾>T¯ò}Ñ
:DðÍè¢SÉؽ#@H@HÂê¤b%±’¬+*ä­£,Iì€Ù‹ð ÍNñ`ª3N	„"M¦¸0.°‹(–éÔŒXhÉ`¡E, ×tz°€¦, N#°€þòHØB‚@Ó&,	ŸŠZ¸KNOêóÓ;Ý<1]ßKwPÕdñd÷REGªõêáfã”
-ÚkþÏ©ÛOÍ’ÑP8Ý–‹ODÖµ±@Ó‘¢’™ì Ü‘ÑVÏO> 0¨ž3Oy¸oh[Q¶-q³Xj›‚Òš©±à§l4¼"=bÓs@f°Ñ³nѤ&JŒ¸ÝŽ©Î»Åžj¼´Ïu׬‹S¯™	ZÛ³BôT¤*C•x‘se‚MKzSÜÇ¢Ù—`-à×@·ïËõ=}Ѓ³Ù®·žŒPP³›Äö²h:55½ÿôSéöÍ'*€ýVÅúXÖ¤çxÎß 3»oŠ¥4üo‹£“ŠÎ¶¹×{a'<¾Éœv;J‚ät1ñ®ZC|¤,¦Ó=™Œ…=ENk®óÍhƒ^¹…Í='yì¢>àâóèóÜÉâ×?QË¡nŽ¯¨ÍoC²ØÖÍ„Þú¨ƒ¹ÞS#6MIbÛ'~ÌáÆÏ·y_U®©¿;lÀrZÜ‹ÚIU§+ñÆè¤B)åQ©¥š;0åœþQ¸Le8ü#áánç6AÑ«I½ Ôµo–"‡çxÜsaª—ŠÜ‹Rè^n䢠rYÁqnó5ù]©x½«Ûeèœ .Ä]€	j¤Ã2³ÃƉ¿‡Ž¢ÂˆÏÀ^ÜÞ;w
-4‘hßù9óáÈj-+æsÏsMçÖ8÷wmÀEji##mÆö›S?.{Ë?5w›D±P;HýˆêC¯Ž2	îzŠMn“µöA“ÆýwGØß©ñ¡Vh»(·DÐ*[j¬_—¿¡(L†6Íõy×MC@Ǹ#Z@¶¬Ìˆ.º=%úàšì	ääÇ”hC±œUSͧ8BÎø¥%††	cûsªz~(‹G&hˆÀ÷ð5ôx`ÆâAl²ë6ÎÐœ•`C}ëŽÈH(ÏÑÓëÄqšMuâ±<Þ—£äøT’8!<¢IÝŠO9ÈY•xië&0pM­ñ¹ý	Î#’>]`ý9Mêú\ªÞ]×äd؈-»âl´Ãe å³Ñ˜ê|´ÐS9žåƒ=	 ±¥¹ GOd’FAH¦³d*HŸ§¶¸R)ùXߤ\àvÒ´¿Žz5äØΆÿ>ÉÐ9ù&¤â>00Õ}Á3£b°×ž?ºV	à~áèFTϧ…(–Û§s!žL"q‰»'ºÀ]*<§D_`?ßu8dce ¶CË‹÷fÛaë8¨Á®I(ãnÛ\ ¤ãàë.fÁ1³ 1A7ö®øjS
-HDÎB!Äû.bÀÿ¶p|l²øðñöý»S+dTm~ç¢kµZè˜-RÐb—Z›ÐÂœ´È†³DÛÇ‚KÃXk3P|5$^Ëó×çZͼœ±H Bë/}½Ë;º}Ì×eì± ¬rXÅIŸNä“*„’úÜzâ­•x¹P7ñ€lÆ€‹U\(…½ºÔô'‰—ࢪ(ZO°×F7gYŸ+ËÙ96ÒÅ‹Éz½ÑàÞp¢ðk•¢¤\)Añ¦œ!*v|?í ƆZ¤qY‚’c¨Åjj•Q:=2½`+ŒêÃŽñ¶Ãü=œªspš©(6R>ƒNÍDœÌn¿_€«/Âçÿ7®j£´œó˜ê¼sî©NÎ"ˆ¨"JaíÏ
-à‰è¹Eh£§üRþ¼9EásãUFDžË)t²™ôm;NñgÇ‚§ä§v˜Œìlã-'O5xPô¯ëie¤ŒÆãÐx.¦1ŧ„píB,>‚iÁé{`þâ3>|å,x•®öÞ¢‡Ü'$aÊ@x®FQ‰š»g×ÔáÒ¨H©>GTOLßçš)§S¶ñxr2PXñ,îfŸ3½ø¨H™iJ™)b¬ ÿ%ª0µà]~³}ò÷Á³Är.òSÄ¡-¶vñÎeòÖ¯ùþ°+^±Ž¤éIþz#°è6½÷¥dEðm¡Pxæ °_9W`;ì ÑÒC„-E¢“X¦ps&ÑG‰5MË»B•|´jZ*½ó)ʱpWÞ嫧cTGˆ*NÅ,/ë*>ÄÐE$¤# 55{ýÑf4–ªmáÒØ”pZ86£‡¨äy¹ËW;îË÷uÇ׎sË·èocÓGdtˆ â(KSOr´3þþ	ʵå\zÌ™ŒcñùÁ“‡dDàþÚJxûqoj®;÷¾ã˜7ÇþQëK10Ýíº)ƒãêtDF÷hÒ–ŸÎ¬ßh™Àve‘²iü’¯nXþæaÙϸOyŠ#Zaä&ÌÀÙÉJ‚Eca¼†Ÿ~Ç ì%$Z“ePgswM…Ï#¨ééBNtãd^äÿ…îQýç'r.M,RP= O~ú凧º Ãélý$,l_&¯íSTŒßè4^4¡Ç쯎(‹pŠcäé[Á!ï˵øNI¾Ósh†û"W¨(£uXµ¡õ@×øÒËwP_jO7pß$¿˜lêê;ô_©\´ÝsjoÝ\ŸY4!={ø«ÄtäùHŸ>òƒMÛ¹ü,õצ#Ç2¦‡†ÙTý
çY0÷Š§,Û¶s®ËÛÉKÎ|9]Å‚ûÄzôÀ]¶>×FÓ?ÃÉ,‰.|æ0¦:ÃõT®ê¦¹ˆLG
-¯9že쉌Ǻœ’fvƸ¿=º@eòM@îßñ5ŦÛž}û¿ÐB\(ÒÔ^‡@$î#Âó‡ba=2ÑeDõÌ¡x*'Y~ÌÏJ‚`ó,cO`<;”R)cÚÌLŽ*·TvÇ’	'"“ûºy¢òÑ‹{)1Žù3,×4TÂ_i`$œ%æ›
ùë‹arðâ%©=€¹µ˜Å=?ÛPÍiF7Ìø?¬+-ÜPœŒPÚBxå¨ÓþUZùà,K`Ç®áÒ®p—:®ÑO?,Ó‚Ããh
	júç»EªüøáË0ª\Sü9û5ág7¶~”1´j„óá}ÅÒÃþ7œ=¸[3ëðm‡¾Ûj¼num9ý=æLãðÂ2LÏ·=œ-`LêˆYlˆÁ
-Žö‰Šg°`xu¡oÆ©¦6ôÀ§-'MPXñ£ùiRóvu“—-wzú	¦›¦[o¯Pb;qmâZ~>B½¬™~Ïo6–®m ÐAºE},ó©îèŸÇÒ½–
-~[†ÏWø§^hë}ŒàLÚz#©_¿àæñÐé†J÷Œ;äriÉþ–ñër¯ï‹¥w¹|-ûÀjJÜÒ(‹cŸ6źkÚò¡X~©4zªÝë]YTÁü\ChÒébÿùœË!ωf"­.}‡ÖÓ<óÑ º^:ùì?’J?ÇÑ“œp/¿CJµsäH6'É𵔊À¿—ÍUŽ~Ø‚&ìÄ Ã¼'…ƒ.ƒÒ¹O…ñŽ½bÀ(}æÓ/è(FÌdƒh–곡…¿g3~BØTÑ“ø?©>|Æi»NS> •¤xBÚ…‚ÇöT~®¢ÿÜH8ûendstream
+xÚ­ZYsã6~÷¯ÐÛÊU#'	¹^ær™pNN®¿NóLe—0ƒ˜þðñû«÷¿|~}Y˜éõÕÇ—3eÅôÝÕOo‰zÿùõÏ?¿þ|9“ÎÊéÿ|ýéúígÊyŽï¯>¼¡O?g&ýüöÝÛÏo?üðöò÷ë/Þ^÷gžW
+ùãâ×ßÅdÇþñBdÚ;;y€†È¤÷j²¾0VgÖh{V_.þÕO8
ŽÉÏX—YeòÉL›ÌÁúãR–Y!%0Ög¹Vº—²QcRŽ\(åݶlºeµ½”n:[¶Ûu¹;>¹T„§?ÙDÏ5²=Ø…Ô"Ë8R²ÿ¶M×çm¿¡Žšó²!â†Ç»ªÙµïêæ–zh‰XÔK<	¨g¥ƒu¯ðhGRQºÈœ7xÜìcx€	ˆw¸wJ,md-›ÅÈ|ÒeNÀEϺly¾ndÂÜfÎIÌrÀ¥«<“xçRfÞZƮ缾Å|¦L¿¡3wy´f!3›;Ï»ÙÕmƒºï¦u‡¿¶ZPOÙÁêX—Ýl]µ½'Zú]T0¼®f¸«çwÄÍû¡…øîrÑe#çÒ/Å
î„E#ªºMesö¾4ø´UšŽÔáXÅô͇/Ô³®º®¼åÞ
ž
+{I‰ºvˆy5ì·áwADÑÓØbìL
+ìöo^¨>3ÒZfÞ”ó¯¼÷²£ñyŠÎU&4¬ÅB!÷yºw%‹£½wÔYòï¦íºúfŬu.Çé‡e”ê¡ÊÀo¿TëÁËK홹æÕ×´)^½
+vü›j^ƒ¿‚^¥§7ûoŽj›Õ#QÝ~³i·»jABQ¹
²2Õ”›À¯pUîêûjÅ}Mõ@D·*ï+&ƒŠwauKe–Ž%æbTÊ3Ï¡Çe2s³ bSîæw7p^°¼xŽåñ„&ó™…ॅ8cü"=ÛóBwJE“ê­Ñ³ÙÃo¹êZ¢²Í 5ï£ò¯Šý?×óÐÕví’»þ}i-h΢}àI›Ô†¤‡1քÄéÕ¥œ.ËýjGWw˜¨qÝ©›ãpÅ·øX;ô±GÓ™÷Ú}›U™òÖ÷;	i-CÂßλ­‹ªÁ¶~ûKúÙðôу†GË/¹ox6pHîF5@ØÁÇmðt§»¿) !\ª1Ý®ÜUk¸Îìì0¢Èa_<;†\çaGÏ5”r7«›¼! ªáŸ\½çY>ÁÒdJç6]?(¡{]—ÖëýšÍ~}îh´Hü­››vŒ¿(r5€)¡y‡Ö„T,HÜ0çöÒM÷MCW‰m3ßo#>ï#¥œ"JÕ*:øtبH¯kQ‘±€K°Óûrµ¯ˆŒ&b‹4Ê;m¢‰H1¢qîh3Høª!›®Ê |§:gÁœ„ά%Þã1`²™õ0ôH;î6ú$÷ü5„0°ÄsOæq[5sî—’kF¯³Î‚(Ø•æÈ­ŠÔ—°ƒ”v‚D}8nE=uÄtÕ–¢%CórEd÷€h}Ö€¬ì/ž±ŸÓyó‰L©ÔÛý)\…‡$Å<¹vÏtºxª">+
+P¬áêÁvŒôÛÁF´£D¸.ìƒÝ±ñ`‹Œ©ñ ;ãAâ†9‡Æƒ¬gŒ‡lÆe²È">%áö¢c-šâ}Õíº¨
+ô[ý9 Ã7¿<¾ùzMàULêëÀM5œs‰ð·ë`¨·]l°í†EÇlWCf(|¦^d¼çôÏ ˆO+à€ë	
Œ\©
+Æ`Öt§‰£ËŒÑòé]ô\#ÛHGÈvÒ}„¥8(#6¢2*áZ‰ƒ#Çé"R]Í ‹ø\ÐEìºaÎÝKžß²»buÊøÔ÷,	)a QãÏ-ÀφHšvÝî*jpÖ'Ð9;ÉQF¡ 8„‚b\”ÑYaTÌÕ˜Ÿ†ÈXäƒH‹½(8	R…8NÂǺ=ÒÆ)"°t—šqŒƒF:
»–4ÃtõaÂJ0^€€==‚KB²$„°Ã:’éíAûøöžï/•ÄSëM"=§j8ÂNèoù·¤á؉2ìDò‘Ø"ì„®s°Rëã›Ù0¨^n|äÜÜmI¬¸·%­6¾$µé›ÑY€«!:åyÄøÏãZ³k¯ÌÓnqÈuÞ-ö\'Ù&ßóêÔ+šÌ¢µ=¹‰žë™]HåQ%^´‹ce¡½)ö•t„ Û±t£p-f±àÂBd£(¨ÙMâ/{Y4–º®>Ý¢®øDØoSÍw!&È&!|ƒbÙ}_ŠŠ¦eµ£’’#ÛæÑ´þÂe¦Þã[OIì°”•xW­úrU*ÂD—Ê$yvXV6–(T
Š6çÂ[¹
+qÚz®‘$i@2í‹t#}žÚp%ªó9p
+ߤ\àvœëQ¯9ö†³á¿N2tN¾Ëþ}4À@°[qI†1*’{óóW§TVϽ!×W¹ð ëåã9ˆ'‹L<·zdzfu©Àì|¡ŸYþXêpÉ6—#Øý-X¬˜1¶ÃÞä=%P&ÔÙ@Ö!xÁvÀ,øcd¦Ð£7\Ô”TÎj?ñïÄ€¿øZ©búáãõÕ»ÿP/¿~Bt’ç:ZH-rR Å¡hsGæ¤@›÷ïyhEʈŽÇÚ܃â«Câ…oAÇòïëµ:òVX€/ ²yHæ«rOi¦¡H 
mãQ3²|+˜Ë<	ù¤
+cI=Öîtt®´VøBFáÁrƒ€š!à"5îÕ¥XáûLëj˜熱籉CvnbvNt
+=àˆæèz„Â%±6´Ã/½­„fQÃ6¡(Œp¬ÅÁ&nk±9kUa2iMþrY/ò“(æïãiQœÍˆu/û¤ÄÖèÿW`u_X˜]!äK>¦Ñ.|äÆ?¦ô^€›.`×gç¢çÌÅd|"jw7“¹8\Øa íe¿œ8¸V)¸¶Þ}ÑæFòëJ«{çñüX üWÓ“¯Œ\Žï¨ÌDêçpéÉ0:ãCE$t8ëA¡ã»«µš¼iáD“á¡xâÙpæp(g’h«ñœ¾!I¶ü¥]¡•á]8L?…{Ë$‘€¨˜gU‡âô,ÚŠù1‡½Z¾‡8=ÕnG˜ìœý”͈VÏÎÝO——ø>u;–‘Rq¡Àô|~©Äô+þC‡›:ÑA¾Tá7&Ã[þ{Š£A#r/ }:|Òõ÷Ôzªå\Ñ»ç ¨4 i
+ÀÝ“8¦ç:ñZ£àSd¼ÄpêìIL#H+ø6s€;ÓüT-2¡ðSÀ:W­Ò2E™ôµ"ÉÍfÅÕÁ…$ÁSòû@Æ‚É-xcòT°Q~º^CfÊjvyV¨Bõ_3â;7°!Äô#¡r×cØ/±8‚_ VQ÷±õ¾pC¿q)æf€àÕ1”	]{ú´	I*‹xúzˆøûºÌé÷Nü<½	â†g	oÁ8{×Ó/€ ©Šã¨ŠÃð;6«—üYñŒ¡°|ŒïNŽŠ0#ß_	E«‡¯Iò|ú.`
+!!¥(×›U5ö‰¾9’¶wÀòýØû4¸ WÄB5%ö‚+ëBE*°^ò*¹âû:Eeú|¥(ta¤Sf£a}AôUKÓ²T¨QNMG¥·áŠ?cⶾ-ow#lŸufø¥éˆíŠ>¢ýíZ_ûBî~íÌ;epЙq0	o
+nòÓNàgjdëÿó)1­endstream
 endobj
-978 0 obj <<
+977 0 obj <<
 /Type /Page
-/Contents 979 0 R
-/Resources 977 0 R
+/Contents 978 0 R
+/Resources 976 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 961 0 R
-/Annots [ 982 0 R ]
+/Parent 960 0 R
 >> endobj
+979 0 obj <<
+/D [977 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+370 0 obj <<
+/D [977 0 R /XYZ 56.6929 120.0048 null]
+>> endobj
+980 0 obj <<
+/D [977 0 R /XYZ 56.6929 93.6379 null]
+>> endobj
+976 0 obj <<
+/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R /F84 858 0 R >>
+/XObject << /Im2 921 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+983 0 obj <<
+/Length 3141      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Ërã6òî¯Ð-rU„Ńx°ö4™x²N%“¬Ç[{Hr€$ÚfD*"eóõÛø(9S[SS
týnYÌ8ü3§Wy6³yÆ4z¶Ú^ñÙ#¬ýp%"Î"!-†XßÝ_ýンœåFšÙýÃà,Ǹsbv¿þmþþ_ï~½¿¹»^HÍç†]/´áóïn?~Oœ>ïùøáö‡ÿܽ»¶Ùüþö—¾»ùpswóñýÍõB8-`¿Œ'œÙðáö§ýp÷îçŸßÝ]ÿqÿãÕÍ}w—á}Wx‘?¯~ûƒÏÖpí¯8S¹Ó³˜p&ò\ζW™VLgJ%ÈæêÓÕ¿»«aëÔûiå˜vÒN<`&§PçÌ(©ÂªM¹-ÛbW
j°!³Ì
+n
+b›Š¦mà”ì¥iS|‹#7¯÷iŸ
+lý—r{ØÒÄ?ûrã—›¸æ·õ¡jY¤?dXÁœÉtd`]<øæ`Te,w.áÍýÀg‚ù8zñ­¬ðÌÙBeð|FÁC
+Ár­e8î¡7_$ù—§¢¢ƒ¦Ø?û¸E`ë÷ð4 PJðù§¢8Ú´.šÕ¾Üµe«¦ž@s¦•MWkÊ¿ŠcS "Î:9³ /c­ø;Z'ñÁÜ´Î-ºÃ#OJiò±=áÀâ®XMˆHJ–qíâ=èÅG·È9Ë·£[ÐâþqFƒ»Òwø<ŽTãä\¤ÿ©Xõo˜8æ&S–I‘å#nN¯Ãzƒ‡ÓÓ•NK&¬Ö t9S6šå=i®íÛlê—²z¤i&èmz×&h±÷m‡Ô¼6m±¥1YmSz%†ÁšDaOƒ6Ѭü¶H¢ftN¨WEÓ Rólþ©Nx=x'>6 b¨)'çëºú¦Å¡˜7‡Ý®Þ·oÂY8Bvðë«WÂÀÀˆ{`Âr=ÿ¥ŠVOqDôÀe"›{¾ø}(LÊ͆Î^Æ#˦9 ã½ÑuDô˜‘ñà÷@’sa\КÎÀÄÌXŸ9£S	i1Ä:ïË;,älUï‹)!¤¿&ß ÜaMj³CÒíûä×zWN¹IÞ-|=}VäT“/2ÏAËÔ'P­À9@]åXçc”`,Þ Ë×£­ãq{”‰,êðxÉS€«[¬üê©X$¯{äX,ä½JäÝWë‰3…cy»bñS¬û¦|.Ñç8H‘…VãZmÊ¢j›©
+E2¥]Oë³8ŒmÈÔŸO°¼3NÈËaiˆu>,uXÈÅïœËMÑœD%WËœ½L¸Ãš <ŠJÜ1§Æ„crk‡e¡W‡í’rMKúßÄb˜´i[Ÿ•ÚèÑ æ|"÷…›w¡BƒÑª®@lä;ª¼‡bt\÷LôN)Áp'cä:™Q©~¹T5kŒnP<½‘mhnA%àÄËb`]kÂ
+Þ¨õ«ÏÓé†f¹Õæ2ék‚öH°Šƒâ›|L|:
ì\Á lFÜäÎÕ$dÊ«¿>OTÀ©ëkϯÊ*
+I²ÉÀX–C&P±q$2æ®Á,8û=ëw¡öJ̓Ÿ¨î:%
®Ó7­óþ•Ì‡åŸ’®w¸Ê?¤j.`TkÓ	éÁ™~7¦št½/qì¥T<àpŠ4|ÊבHQuM‘5-—U[ì++¯4—>A&…ñí)Þqseqgˆ€g­Jå9ÔàÚ/ZÕë¼UuX)¦”_­›úq1ia2oÇóËltX|Œ,Ìf”cFbþ^¦ïat°eSoŠ¶øgÕ¥~µ*v]ኖ«˜ŽEõô°•êRá¶Ý8–å¦l“?='c™Õ™~C¬²HXã`<¸#9èœYéôe:¬	Ær€ì‚çù˜‰)O'ú 6ôt°¼i}UÔ‡†°è­ã%b¡®?vÍHùŸ³H¹=Œú´PêؼÔÀ¤QùØà–Å“ß ±"OI
+–6\Åk¸¡ugê6¡ræ°À$ÿˆ®nªÑ§XŽ­ï¾hãrþ]±ò”ÃÁá…刽C°ïŽ;ZŽ\yZ„¢fO€eÙoÕÕ¬¨˜3:×=Œ0©páÆ9;ùGzÕXâ++A™‚%§ùçrS/_ÛÛI*µ”qáÙoéˆM'§Â9–	nN2ÉóÙ¢µÌi™²E""!Ò¢tA˜ƒ#dçëbEïê©„ÁKŧàQ¤Qz¬$O5uôƒŽµOƒ¦VrƒÇ=oíœCdotO†X¬=aI­vgíÒj®¥½L¼Ãš >Îh «#ê÷©ôOLoæ0¦ÂÝ›9@:]†ñýû_#°®*ê>7©Úöí¨î¶£º»/éÉyǶ1fÎ×7'2’A920å	-˜áHûV"+µeÒ¾qHçÅž¦k¸±ƒWŒçÊ^$Þ!R]S;Æ­#ò”€e®»Êú’‚Ñ#BjÀz0ÅÌQ¹ŠƒGÃJ:ï8P¸&º«B_aÁå€ó4P©ü7üâ”N	ÒÏ2cñwYvlià76	°—RÑ—”,
£¿€9ꤱ#Sû=ªÑýÖN?Mê¥Óäâ»c“w
+Íø_ve×ý…9ý°Pl}{èÚ fÜ&mhW"!ø¯ºŠÈ[W¾
+ꇿ¤€7´b5Â|:÷5Ûúýç ÈöÍ”âª(•wM¦ʃ݄FAÍï ˆtG…z·"ÜCY—~
±y¯›ÞÛTÈ
ò
+¬„˜¤Ý¨„8ï•÷ÜAePÇ_sp5T2
{ÛáÄNM_Aൊ`¿sÍE–õ€âkuŸÄE¥õ@\£¾ø„¦èÑ›¯°ŒTch†W5¡—ð?Jæÿþó­þoÛ2PçÎ4É7ÌA⟘ÂçÌì1çÝßy²þ?U·Ù
endstream
+endobj
 982 0 obj <<
+/Type /Page
+/Contents 983 0 R
+/Resources 981 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 960 0 R
+/Annots [ 985 0 R ]
+>> endobj
+985 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [361.118 265.4627 409.8647 277.5224]
+/Rect [389.4645 743.8714 438.2112 755.9311]
 /Subtype /Link
 /A << /S /GoTo /D (configuration_file_elements) >>
 >> endobj
-980 0 obj <<
-/D [978 0 R /XYZ 56.6929 794.5015 null]
+984 0 obj <<
+/D [982 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-370 0 obj <<
-/D [978 0 R /XYZ 56.6929 345.6366 null]
+374 0 obj <<
+/D [982 0 R /XYZ 85.0394 485.9834 null]
+>> endobj
+986 0 obj <<
+/D [982 0 R /XYZ 85.0394 461.5576 null]
+>> endobj
+378 0 obj <<
+/D [982 0 R /XYZ 85.0394 188.0879 null]
+>> endobj
+987 0 obj <<
+/D [982 0 R /XYZ 85.0394 163.6621 null]
 >> endobj
 981 0 obj <<
-/D [978 0 R /XYZ 56.6929 320.5941 null]
->> endobj
-977 0 obj <<
 /Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-985 0 obj <<
-/Length 2696      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Ér7ö®¯àm¨ªÆÖXjN¶#{”r”ŒÂ©9$94IHêr³›a7%+_?x@/d“—K‡€·/ ØŒÂ›™ŒPaåL[I2ʲÙz{Eg°öñŠEœEBZ±Þ-¯Þ|Plf‰U\Í–ƒ³¡Æ°Ùróûüý¿Þþº¼¹¿^ðŒÎ¹^dŠÎßÝÞýˆ‹Ÿ÷¿Ü}¸ýøŸû·×ZΗ·¿Ü!øþæÃÍýÍÝû›ë3ƒý<žpfÇÛO78úxÿöçŸßÞ_ÿ¹üéêfÙñ2ä—Qáùëê÷?éllÿtE‰°&›½À„f-Ÿm¯d&H&…Hòê·«wVÃÖ)ùÉÌŒK5[d’X.ÏH™šÔZX’iÝ	Yò)!G$/ã¦Íן›âowÌ-ã±:S³Á‘'÷vH§‹ÁÅLPb3eG7/ŸŠ{›)¶‡-Nòm}¨Z×ø
4F\·­÷¯8nÓÛ?»}:,®úŒömÜC~(ãáEã9~ó!ÓBj@’À'1mˆ#Ž$#F
-ñHÄ
-{!hN)0}I	g‘ko†LVI)ÿ6 ýÞ5õa¿ŽÄ~*¶EÛL\MgN’YÑ‹Qp;¨Ë²~)ªG?5óz×uÕàZãZ”x*bTkÓ	IŽàÿˆ÷×ÌÌ®k6?„ñ:â®áìÃ6Ü‘NÉã9nÂK\õPÇ\.ªÖí«¼,_q¾zõLz¶+ÉÐ÷'•»Ï¼OÚÏ«#;¨w0‚ÂÎצu[râÆÑW×Dˆ¯9Ôë¼GuXžt°çEñå!p½(ëÇŤ{)F´¡ö2Ö#SŠhÅù˜åy”**>ÂVM]ºÖý3‚Ûñr¾^»]ë•fUê3­xõ†A˜
~ÖõvêXeѾ^3Æægu‘ÙŒ.Ùe]±Îë¢Ãò"Ø»õaßÏn±.W¡CôY¢9ß‹$tX4Œõ ‰¦ÖŽ‰˜Štl^¶«dÌ]¤ƒå²Í+WÄBYG&©¬ëχ]32~6ò“—¢,q
-Š7‚xOó™D+a“Ãñ@äÊ=å¥'Ã0$Ç€QfG%‘
3Œ£€;GÄyc!Ùc|ô¡n"’qA¬O¤)ˆÂ-|þέsˆÝx¸Ë×O8È!øwG.ÃŽG9.>äÅ«¢rÅRñùƒ‡˜N0L	ÿÌL„"×£áo¼”Óá<æ矋²^½¶®S…ÈÒ>=ÎËC:âA~í4g0cˆdTE‰Lï‘µ&&ã6îH~î¯
-™Ðßõ”?ÇÛÛ!«8߸5Ê5oBtöLEQpˆ(\‰ll$OuÓ6ÉÆÚ§h>§¤p0îyo‡ %¥á_ñöÖoOXASëÝY?ÎåúòåÖÄíã‚FÃõG·£X5ps˜tnã`ð=rs€t¶ãåû_#°®*·ŽiÜ0Çâ(Ü¥{·`t{að&Q•Ú—ÔcE~CM¤8ÉŒ¸ò„2M¬±
Ê¡)ÅK#HK_Vüë¼â;¬”r×+Üt®…:›Z¡/ßßaM0â*rª36¦Ë0izåi»jÖ/×÷±„õëÁ!ž„lVÒyÇE€§>ÈhÕÂBàªh6ÿï“«úS‚
HC·ll]­­8š&|7y›ãÈŸì¿hj0×â0F
˜{ËTBÝK!ø¸ª²~kg¥0ŽVÄ@߸Ž6å¥ã¿îË®H5¥Ÿïp²Í[¬I]yTB"{ßÎyòÎ"=Ü	í6$˜Òá[ÕÏ}Y;·qß@@‘~[ázŽŸÀ̵OIa!ŒÀ©Ü»2^ó\¸Ÿ
8×ûãÅ«v;ðû&»Ë¡|õÌ ±ùnª@ŽÚ ï`YðÅléGþâkËCNÕY4N€wÞî'Ó™Šp¯äʇ*E÷S§v=¥ooÌ‚uçö 4K=ŒNôë}£“êò1$"˜cý\oÓI
ÙƸFÁ¨¡)½®Êؾ/ˆ5R+£åòSÌ_½QMvoºmªÔdófcóö«Ûõ¦XÇ£CÒ˛ةÞú62s.Š,#’[s9±ÎÃ+XF‰:X‘„ÓÞB:Í]$¡Ãš a\óB4V‰&'…
-Þ^á½ßOÑûý(:qý³B6CߧÆÓ£X’GíE¦Â˃£„Ó!þ¼N(:PB%K|';41a”O~zlcC¹	êÉ!ž¶-ª†å‹ïø¾Ec5Ús›ÑCT€/ý¿UÝú[Ll·õ*Jÿìu6E`T*)¾b•¬V™°Béèò}»ry{Á,F˜Ë4tXDŒKF„Êؘ
-4KÚ§UIu²I€ví’ÿ]Wy›{š«¼
-FK-¸yƒk!c{Xžñû„móýç`ÎΛ)ó¾_·ÝƒS­Ân®€CtfŽš6ã\àCh“°Ð¶·Ðï=+T6%m	&i·7E?ïMÑ﹇.¡®òU·†®¦ÁqÉa;0€äÔøeÞä“YúšQ&åØúȾÕP]ØfÔ5z£€Èи½ùvÿàä2(—ýcˆuÞ?:¬.¨<äkwÁ?QL^&!!M0Ú†d6cb„²ƒz­—@×øäfÓ«ƒW®}©÷Ÿ³c×Ê¢iqt.ørAár›úÝiQnaÝí X
-ÈÇ°­)þ½ydiƒg‰a×dvaÞŸ$™D£( £@0:+F¬Â²—LŒ·€%ðX-+ca@#€ ÓûƒRþxðï—u\õ2"`­v\–u«TÍçoÚ 2ê\xº<ÅZm@°Ø7¸i„Ñ*à†Wö=¶ñ:<…o^½â ‚‚2 uœÇƒ¼ÿbA^?›´(ˆ»Ð&þ‰‹Éã8°¼êOXŠ%†SUŠ¼,ð­âøež£M2#Áâʧ<¼ç§×Ñ!{øÌã>£øÑciò—ôsCCVnƒÓ³Èaw6¢0£‰RZ]Ž(C¬ó¥ÃŠ?í´Àd±n.†*ÔWˆè°&¨8*”é#2îò­ëâ‰oh;²ü$”˜
Dú}JÞ+-…†®ÿ½ùûL¨ï’…$FÙÉGU:K)ë»0ïÿ›@BÙlνÎ
-ªˆáVCGJà,Ì•RK8Pù÷»„6 þ›¸Rendstream
-endobj
-984 0 obj <<
-/Type /Page
-/Contents 985 0 R
-/Resources 983 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 961 0 R
->> endobj
-986 0 obj <<
-/D [984 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-374 0 obj <<
-/D [984 0 R /XYZ 85.0394 716.6051 null]
->> endobj
-987 0 obj <<
-/D [984 0 R /XYZ 85.0394 691.176 null]
->> endobj
-378 0 obj <<
-/D [984 0 R /XYZ 85.0394 412.6901 null]
->> endobj
-988 0 obj <<
-/D [984 0 R /XYZ 85.0394 387.261 null]
->> endobj
-983 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R /F84 858 0 R >>
-/XObject << /Im2 922 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-991 0 obj <<
-/Length 3431      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿B÷tôLÄà‹$0yrS§õMë´Žoî¡í-Ñ6'éˆTOçþûíb(Qvn’ñx°‹Åb±_œ	ø“³,Os§Ü¬p&Í„Ìf‹õ‰˜ÝÁØO'’qæicýp}òú].g.u¹Êg×·-›
-kåìzùG’§*=
-"yûþòÝÅOÿ¾:;-Lr}ñþòt®2‘¼»ø圠Ÿ®Î~ýõìêt.m&“·?Ÿýv}~EC9ÓøáâòGêqÔ!zuþîüêüòíùé_×ÿ:9¿öïW
-ùtòÇ_b¶„mÿëD¤ÚÙlö"•Î©ÙúÄd:͌֡guòáä÷`4ê§NÊOŠTé\MШ)f.͵҃%2rB$קRʤ}hWíÝnˆèˆˆ˜ÍUž
-#r?ýlµ:™'m_mìïëæ®#ø¦˜ÀêÓ¶\½8+’Çûª	È]µù(,îÛ¶«˜DIMS®«§o©ý´­6OÞnN¥MÚõhÞªîzfñvGiŽ[ÃÍH™º,S~3D¾µ“I
Ó@ªÉƒ§ZÝÂvhbGÚ¦
-=%#ׇ$X/ÊÕꉆ+ÜSÆ¿ïªÕ-¨_nlr
„Iâñ±iQ¤y¼"‹ýñ“1&Ê9Fìú²¯ÖUÖ;•Iù±bîÊfb[¤&/2ž_.IDs£]*³ÂŒEµÜT]·¯ýVÂÅ”jVP0+¿JýUꬵÓÊ?ç1ÅCŶ°ób·*ò·.ûÅý>RªTkm¿ƒÅ8”2KµxĤWÍÔEZh%ÃA4K84]$uÓWVƾã¾>Œaëu?»‡jQ—+úx,ŸüFWÈä¼ÁøÐ¥ùªú\­h.]¨VAs4/Uv]}×TÌ/´„9e³¨RÒ•"Ou.íXU.ÛfÞTw Ž8WÉ@é*‘ÜU=u—ôHRçMÙ…imCpýê
u=´]Ý×aÀzé~Bî/³vhpHr
Âõ—r³×IÊãÁº
-É·©ZžäåMO}he°‹ÇìÀE."üûvÓûuc*ÑÖ¡›oÁ„öUÕJÍ«°VDË°m?å:KΨ'zÀ;ƒþÇzµ¢Î›jÊFç­†ePøR¯·kêÏÊEæw4c̘¹‹Ûcw&Ž÷+’¦¥oÏ+
-ÎbÐY.—4§clÞ±"9ÒÍH‘&6÷x_£Зã²ØÞn7äÂðzCPÙ<ÐÄjŒt_b…~f0BЭccbL$¤%--O«¾”ë‡UõŠ¬DVŒ±´hKÆ~ažƒÿÛïYéÔa2Ú¹¯í›)þ‡„H@¿VæÍ”Àþ&€óZæoèC#%ý—æÌ'W¤ÁÃ0"âžQY9[úf—ŒÊ[ìlàF´›ô‘¶^EkÝúû¦,hd»Zµ^Æ€qóDí= N榩‘îë"spîÎefÚ÷æV®(Úž¦EóÐb0ÌØ#†H;—®°»(BÏͺåpÞ…Ì!+°©´ŽÜkt»²ÜHAˆ4ÓÊpñ„"!°ŸC¼y±IQ¨bf 	™ßËìÓâ.ã@J'‚ýNwð¯/Öjöcû™E[
-tça¿#k¢‡T`u%S)ôÇïÉæqT Î&ÃàIƒ­–±
ת ‡ŠmÓöܶÍ®·ØÁ˜œäÒ}™Ü¥`[ì,>«o;~T´Ìåpþ»,ïÛ”s¬QÚ9ý|J©p§„2¤„á>w´ì¼Þ‡!Ãx1K$
-Ú$ì»Ú¦ó=”áHIŸ?^~ oNë\—O4¸€i´<ôz+k°05œãhvëŨwÑúvÙÑD4™WW7âë¶Ý¬}¶Š£åÿCo2—D>	ËT=.þÝ€q&yÀ ¦¢…Ôav‡8,Q‰_ûo7
}“ÿpYôÃLL¾G£&ñ«Æ|0kH›e¡(쎓zy_À΄#ÀýÜl99誊s‰ÉÔ|Oa ;¢»¸ÙóvÄ÷T„“‰ÂL¤¯”ßì]C¥TjLnf.Bnr
ipsÇÆé**’øóxB°±‘: ‹ì|¨œg3á~¨žœI]rŠ—8(×X/qr@Å/9“»¾gá/V5KÊ
-»úL錶Kƃ¬c»âŽðÊͦlîÆgˆaœ§ÔX£IÉ2̹} È¡}ØÔpZ>üu\QÚ[îÚvt­pE¿EÈWLÏÛi˜‡µ
-29–<;
7^‰3Jv±bEl}âç·L/Äó{«a­Uòsû8Yª8[ÁÔC:òZda’^([¶ÔÂ5ìÂPÞOrøÓÁ6¤÷å!ßÕü)„ºÛr†¦²¸ÿøJ™'Àxá°k°€#,–‚Á²[ÕÔFÃÎG$h/ÜøèÔ%ÕMcHUê&¤4Á-	Þ+šÀI»÷‘‰ýrÒ§>×÷–:˜ºâ`‘P>mkÆeJƒÀÖ¶G'º+v¯B2×1ì$ƒÝ^d;LƵ—æ¹Wð‘‡N›4“6›°pàdѬ’5(yH[Ø19¸R\¹bºr'á¾Zçò¡t7YS²
·Z™ìý·V¿Šó˜äa”¡,Ø%w­Ði™§Æûýx(¾À#\õÔ:3y¼B§s=®Ð	qX¡Ã¾žÎ¬JC=ëvg	•êP©RLö×Â^ÐoŽ´˜K¹<âlQ	Œ+¾¢P¬S¡¤:ÔC¤½lýý‚T5ò@‡ ³Èe†Ľäuþ<ž0áë莼.2¶{¨8ÐkðØDÕñ‡^7`½ÄɵÈëjÈ–©~ê¡} €‹¨(´=iÖÏž˜4 GnÈUž7R›€¸Þv¾>àB½jÂäc­A#®å#>È“êËê^Ôý;¹I
 >oE$¤™…\%Qñí5ô@q“œ¨¡gàY±[ùx¡ßºì;2(¾Ä¤©UV™?‚˜Nz-̸œíâ¾Z|äš"ÆÊi.Üž*ïʺ	e…]X'ÝãXq\‡f„š€Û¦¯9²+©á§QÉ¿Ý6Ë©@ï=½i˜ð–@Ì6jï!¼ˆâÌ
"ß—ŒtC9†ß˜ª¥‚¼|wvDŠðÄ-Îéc 3’Œå#%é n»anK-¸0pôa™£ó›©]ÑÙ+·_YÂ祖Úuûy¯g˜tSÝÕMCéƒ"-ÇDÑýí¯F8±ÇçW,EPØp¹,&þÈ\[þŠjJ½Oôé©$­‚÷¢³ñÑðC!´=çôôÚ'‹ L›tdy*ît@za„~)‘‡‘ĨiQôêH[ìÞpçFi*€!º‡Ú§õ6TãUí™öDvéÖîfy//¶WGCb8øRFçæ—s€ðå|BBñÆ;ªGO…$0¬%ïUò°€<”™Ÿ¸ã–Ú¡&íëS+»Ö€ðçå†WÓÎËMrY}é	oí÷(‡O–a¨±ùådyo̬°Ä¬`k‰ÒÁEÏm*_+CCÌZjüa™Wk@,oýo8äª'àV5—…
$‹¤b’Ö‡ÀñˆFvO¼Â’òO8ÿ#	-'k ØßÝ·
ÑïGrÔ1
-%ZÆòÎ2ü>(&àï)&`GŠ©éG;Z
Óü+ 0’æ‘WY¥ølj¼]ÏŸßüSÊÝ›¦ÝÖª#€Â¦Æf
-¥mìçá7—‡¬ÿ\Å®endstream
-endobj
 990 0 obj <<
+/Length 2471      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ËrÛ8òî¯àÞèªÁ‹ P9y'ë©g×ñžfæ@KÄ
+E:"Ç55ÿ¾
4@‘í$•”ËÐh4û…~À,¡ðÃ’\e¸I
+#INYž,¶g4YÃÞ»3p²ˆ”±~¹={ùV±Ä£¸JnW#ZšP­Yr»ü#U„“s @Ó×ï¯ß^½ûßÍÅy!ÓÛ«÷×çÏiúöê·Kœ½»¹øý÷‹›óŒéœ¥¯ÿ}ñŸÛËÜRÆ/W×obpx‚èÍåÛË›Ëë×—çÝþzvy;È2–—QáùtöÇ_4Y‚Ø¿žQ"ŒÎ“XPÂŒáÉöLæ‚äRˆ©Ï>œýw 8ÚõGçô'sMr.hR‚fh1¯eF
+Æ©”HNõ eÉç´±œ–«¦·»U¹°™Ÿ}.ëcÁ™È	WEžŒ©Ÿð0`Í0!FL0ØåRë)·ëÔoÒX°;˜ƒÉªºÐEÙଈíÚÝGÄ„À½ºêzœY öè:Rto
+àýi%q®a¹'¶U³ïmÎ%„öìÃ$3/@Œ˜<çwiWå¾vi™VóTQ\I&Ó«B;Û#Zß"€¾€Ñˆ‰¤°íÓTÍ‘‚ÂÞ6õ#ÂÚÅb¿CàÃÆ6D-hÑ6RÊ×û]ÙWmØu: »N0%«Y·åÒ.ðO/V½·XÁ]˜8¾Ç…òÆ°Ýu¸x„ÙÇ¥i×—»Þ.èy€±lqÒØD$„þ¤9½ß3¶Ÿ«e<„ƒ¥ßü”uÝ>ÎD´ÎÝ#^ümxì(†hYD?AY2`òÔ=$'ºÐ&`)˜eN]Œ¦¿ôŸõçGâyvÊg›ò³ÅÙºm¬|(Ûñ’PÔ'Œ‹Ú–×,ö÷ä$…h¡
+A„Ö_	)c¬§CÊ€ådƒö dµèž‰)’(m¾ÂÄ€5ÃÅ$¦CTAظ.·v'RØrë"jv¼æ`¬ÛõÚ+æOE¦5)„̃Ÿõ8t@¨SÒœÆjBèƒ/Â,½Ë/x¿žú¬¢Á™|¼3c¼pnÓâèãŒMXO„ŸuþÄ[ êåÆä‰âü›³oÉ{`—Æõ|ÞƒûW0¢¨ÊŸ¦…ç(Ð
+ÓxbJ*‹ÜeyzR¹;È 10€Ó¢æ‰b9Q’aÒ¹Y*¨7/äÁe°ÔûóL±ôþòô¤ Њ(’xËiáó]ò)a„Jc"æ^Öƒ<àåÕ–'oZ(gcÊ^(-ÇžÈQ¸Ï(‚g\·Î
+>žsšÚ°¨¶÷µÝÚ&„Y48ºªÈœØ\*C¸6:kõÇ%ÀÊ@Ù”ªs£±íѪ`χ¨œiÂ
ãCmÉ\%#¥LÌ$ŸûnÁãÌŸåðfÐs.Üå‘L¥-dNû
äáçwÖçd7µŸöe
—QæEHÀˆlq”›/6mÛÙ@¢Ä¡1°ÅñÓÞ…'?]aÜNÎa	äY\(es	ÉwÀ£0,­à˜wÇÔjW>Q	%e·ã“BÊ€\EÔ`µ€|ûˆ[‹ÚÉÔÇý€ßw¶^ASr(žŽÌ&(8Œ
+÷°Ú2êbnÌ({Gß;‡ÔÿÑîÊfæ;à—Ò•­x¾\¢Š2	)…å…œÖ=Ëíº™I5ø0¾)BrbžulO0S
    C—j»ß"tl+3
+¿“SÆ Ì¹R-`lb‚¼X¨¹µçÕ)NFb,—K<Óì lG2è›#Gš1àærzðíF¨Wû¦°Ðs„nÛ/_?ŽÜØ—‰¡·¦Ñ¡_ÄËØ~ o=EpL,ÅìÛ6³_JW°¼À(íô$3(N ²LC¦ ‹ÿí…†²È¸š‰]}©_Íéä_Jñ’ËÙÝ¿‘0à¼dê.„£ägÿà™lö‹¸yZGŒÙ
;¥[\‡¤ì{DÍFo°`ÇÐËótÛú…[ºjC¿ë1|‡ãž¥š $uí5ìnËî#áyNÜ/`¸nvN[èRŽÈJ‘
+Ç”ÌAØ~ƒÛÈ2Lì—…½€é‚ˆGFa·F¥gTàtÊ& F6=«ŽÑøõàû2<ÁÀxÐ9N–³O¶Œ߆fŠ2 Ž¬±è¨“óYtÑpïNúà?ϸ¶êJ+§žW£5ÈßMÅ7=[Bz‡ÂZ>Û¾qö½í›;qTHÏÃÌYLöDû¦ÀÞS	g‚@-«~Fû4iÁ‹„ùf‡«ŸÖ¾EÂÙ˜òiûf4,ø¾+bK:ÔÂZK#˜Š|¶ž„ZXÛx³
+̪nlÚoéqöL_86×y€óµÜ(ó=}áóþ9v*	ßüÊËcŠ@”`“¶Å¶0Þè
+—Cæû0t_í‘‚iÈß÷mÓy6Cn§Äå›ë¸­›ný+l.à~ >p1¦º¯§h÷~²˜@­—tAóæ¦óaÜc­ÚÝ_‘a·üz³ý¤ãÓÈøÛ‡×O	áõ›®ÅÙðFg†l·,aéV¡þßï\c1y
+ôãI×€Oveê¿ŽÓ¸ç8XAkØ,-”£ 9˜¡A.`g&8yîö¡Aè¬
ýÄlû
+¤"þ·`·>²v¹Lî_yäL‹=ÎÑ-äœ)•L”ë®|ë…[»uM7£7Ô;; Ÿ¾ ÓtŒ|°‹ÐeñfðnŒ$¦
ÈŸ¼ã8ÏópD)¨œ…îv¾¨« =8iýÛ
+Øm—º}7Ä+w»²YOí6—+EN¤³²Ð$zÄÿÿï¨dá^­ùj)4‘ˆD®œ^¤>}Õ§„Åç˜ÿ?®:Djendstream
+endobj
+989 0 obj <<
 /Type /Page
-/Contents 991 0 R
-/Resources 989 0 R
+/Contents 990 0 R
+/Resources 988 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 961 0 R
-/Annots [ 995 0 R 996 0 R ]
+/Parent 960 0 R
+/Annots [ 994 0 R ]
 >> endobj
-995 0 obj <<
+994 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [221.4501 308.8411 295.9714 320.9007]
+/Rect [221.4501 61.5153 295.9714 73.5749]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
+991 0 obj <<
+/D [989 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+382 0 obj <<
+/D [989 0 R /XYZ 56.6929 533.7018 null]
+>> endobj
+992 0 obj <<
+/D [989 0 R /XYZ 56.6929 508.0329 null]
+>> endobj
+386 0 obj <<
+/D [989 0 R /XYZ 56.6929 131.4617 null]
+>> endobj
+993 0 obj <<
+/D [989 0 R /XYZ 56.6929 108.2635 null]
+>> endobj
+988 0 obj <<
+/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F84 858 0 R /F57 632 0 R /F86 971 0 R >>
+/XObject << /Im2 921 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+997 0 obj <<
+/Length 3049      
+/Filter /FlateDecode
+>>
+stream
+xÚ½]oÜ6òÝ¿bßN²
+?%
+}JsNë¢MZׇ{hû ïjm!Zi+iãEÿûÍpH-õ±±qÉCü‡3Ãùâòƒ?¾2:f2S«4S±f\¯6û¶º‡¹ï.¸ƒY{ uõííÅË7	_eq–ˆdu»p™˜ÃW·Ûߢ×ß¿úùöêær-4‹’ør­}{ýöŸ4’Ñçõ»·o®¿û×Í«ËTE·×ïÞÒðÍÕ›«›«·¯¯.×Ühë…ÃpfÁ›ë¯¨õÝÍ«Ÿ~zusùÇíW·ÃYÂór&ñ ^üö[máØ?\°XfF¯¡Ãbžebµ¿PZÆZIéGª‹_/~³véÿ´4±6"]` ’KÔYœH!-on:;Ýû:ßD$©##¡Zªj‘@ Ç#21Oµ±ˆn	?\\7$Q
+€=/«²ë`x§$\8°°‡³w²dÑïL³®(¨sWTÍ#Œp )ƒ•¿/:šá,P—ÚdYâ0#W£S{#9˜‡Ô¤«”éXgü9GÄ™1fÙܬ„ë#™’:É“X'©öE÷y¿y˜Q¨Tl$_Bð	
+UÁøˆÂ3Bäi,É=«ë-É¥¬û¢u©w²*{X”šFöÍÉ
+ÀÅ9›uî*è:*ÜZ8‰’f|AÁ¢âEJ¸Wñé@þ*KQ}shªæþÓõJÆL?f*ˆ¸·½[‰°Ê8ŽYÌ”JWI&Á%À•^Òd{¿¢ÆMàiøu¸`îiæx‘´_Á4–;4úZŽNr®Ò,6ÜŒHš¹<ô3\HÞA´LJEW9(,É 9P£ÉVı	+ËÏŠ‹ƒ¾ÉŒëg™.Û²?vßÕŽTF1ÀÆ”=´Þ2‘õL)Š‡ªÜ”ý9‰Š€~Þzp£âLBp‘'†¥_|9Œëåüvr“Æ™â´óY"ÀÔ€…;‘Æ'ˆàxŠZyΆ@PŠv“þXö$«¦.HX6h€þ±¡FQYåB/	–Ô:"ˆÖ£E¥€üŒfåÆ¡Þ矨qçV’^ˆèúgÒ"®E,¸ÛÀ?c8dZ,³_gòŽW¯¤ú_jÙsÁ£ˆÔê¢ë!R˜k¤,ÖRë'šâ¤rày’Å©Ðú+ø‡q¢\r
+ì(Ó§Ïû´øj@ü_Hñ)"S‹\ÕˆÈs*©b€ÏÃ)ô°ÛÑ·°Ö[ÖúaÃY?Û,/ydÕ:6*…ïæ¡Ø¼'ñ®0JŽ!ÊX¿îó²îúi@ÙP¼)fQ¢‹*w“‹Ö‹Çº/]L—Ó‡ÄB±«C°kŽõvâÑ}gÓÐBŽ©Ä˜°<
+W8rø!w@w…
 eé)¶x[•ãÅÂñW
ÞÅ’ĊЅзGƹím ŒKÑ~,e4dpC‘¸ ÔÎ7ýÑ&	œÃ5.÷e_~(¨{²$œ¹t‡åÔðŒøcþÀ€UŠ:¤@Š:BY4~k-£_Åø‰bt ˜ÐËéã4LrËM‹Ý*`qsAÃq¥N½NŽËº¶ïʸr^1ÆÂîj+Æ6HÑé­
4|AcyX¤Ö³ê©@(?ñüY ÿÄ-M¹¥G×ø”ð8na\]Óˆ#,vWnwŸ,-€è)4íYh|DxJÏ33Ç̵šãGµÛ²¥æ¶ËÖ®
+;Ü`,¬†{ùåÉ?MŠ©CÕÜ*‹þ²D	gø2bô_a
2ð¼ŒF^¾¤™ë7ø&Ãœé`©iY¾€›ÏpíÝ7ˆ)	pß~õ–Z»²õÄîJ×@%ìTx¦=&^4¼ˆ_{ü–æÀgà8±¤mŽÐP}¿ÉÓÐßó/UŠl™3]dÁ”ÊL,qØxSåèɱùz²þIANwJÌ"¿fÌ_8n·n@Lúò<óÿo|_È7ñl¾‰çòMLùÆÿk¾ñÿßäòM>›oò¹|“OñM|	ßÄ—ñm²šo Ç¤áq±Ú` &GÒî̇–œYµ¼¬Ò’Qòô.rŸ&'9Ê$‚¾¥À>	­ v]äLòkغ·
+l¹|·kêüÎÃÝù‡Ò†W£kô~ÿ–MòÃØr©
+
uÔ¤g‡dêí`ääíÎÇ3ö%S˜èÚ–µWsJ£®Ü—UÞÒ ½Q{âôˆxèQ.LOJ`‰õžásx2ü!‰TœÅ7AË((²Ä5-‚‹ë²ámš>ú‚	OþÁF.0HÉ‹tUD™pŒY‹#A Ý04M“ð8KÇ°úž’*è„‘*Q± .ÿó#ÙA²‡¡œ>€0à€Ş©Æ]Ý$¼‚!ÚIøF¨V`Å<ˆe“ËiíðkŠ”yšÂGﻡÎÚöÅö³¡Zz6TKtœj©žÕ¦áU`çØùÅsàõdC>62bL½Ò±1	áõ¯‡5Ø°ñæ¦+'ÞµÛÂ泋–JèXdFY$ô;‘@.z¬úr0NN=è]wÛÈ) úcëj&ÚÕ>è¡Ä‚×Ý£•Î9»dßkpàΡ÷´;V4fïn2ûÍÈÈÞÙ_ž M…³ƒÖ¦$úd§¤/ÜùC•o,ÕJâ7n«”ÃC³"©9÷	Éc06¾ÜÕ¶ uƒÌ_à¼f±NE¶ðF
[Šv_ÚË
+„œÎŸ»Çb€°ç„ï@åÀr/°n²Ä
+¸Üp–ŽµÔÿüÅ?.œ´a(yA/<›1Žßîíïìèöñ))J$±ÄwööÙÓýóY¦˜†øÜ¯í¤Žñ'r»Á¿“óÿïô3E|é7FœáKHÃQH¸Ê¦”?Ù›“þð;üendstream
+endobj
 996 0 obj <<
+/Type /Page
+/Contents 997 0 R
+/Resources 995 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1001 0 R
+/Annots [ 999 0 R 1000 0 R ]
+>> endobj
+999 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [209.702 230.3842 283.4678 242.4439]
+/Rect [238.0484 689.8302 311.8142 701.8898]
 /Subtype /Link
 /A << /S /GoTo /D (topology) >>
 >> endobj
-992 0 obj <<
-/D [990 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-382 0 obj <<
-/D [990 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-993 0 obj <<
-/D [990 0 R /XYZ 56.6929 749.6227 null]
->> endobj
-386 0 obj <<
-/D [990 0 R /XYZ 56.6929 377.478 null]
->> endobj
-994 0 obj <<
-/D [990 0 R /XYZ 56.6929 355.0589 null]
->> endobj
-989 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R /F84 858 0 R /F86 972 0 R >>
-/XObject << /Im2 922 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-999 0 obj <<
-/Length 2136      
-/Filter /FlateDecode
->>
-stream
-xÚÅYßsã¶~÷_¡¹'ºÁøIwOÎÕ¾8“ø:N’éÐesJ‘Ž(ŸÏÍôïP EÙjÜ›Ž.€Åî‡ÅîŠM(üØD+B…‘“ÌH¢(S“Åú„Nn¡ïÃ	óc¦aÐ4õíüäì2eCLÊÓÉ|éÒ„jÍ&óåÏÉûïÎÿ2¿˜N¹¢IJN§*¥É·W×F‰ÁÇû×—Wþ:;?Íd2¿úxâÙÅåÅìâúýÅé”iÅ`>÷L¸¼úá[fç?þx>;ýuþýÉżó%ö—Qaùíäç_éd	nB‰0ZMá…fŸ¬O¤DI!‚¤:ùtòS§0êuSÇðSB¥y6 c*CRÁ…°.¶Í柧S¡²ä±¬*lÝoN™NŠU±Á÷f{šùr‰m[´V¤“¦Æ®í]¾ÅVOí¶	Ý6˜á„¥šð3.½ÒzÙï¾KU-±`ƒÇSƈQŠ;óz(6%ša4kQ”Ÿ‹%Î]9Q³Æþ…wM»EÚ­ƒa¦[]úÕaÈæÀ54»„”ê	e}0sÄ›´6Ь‰ö	SÊ
6—¥wtk°’ES×ðj½¶¯=ÄÎ.U]1#F@¸ØÛf³­J‹GJiò»3ŠblðöLûGTÍ"¯,€ï`)FArv†=W—öQŠHuc±é ßé–‡uƒíí;«)tÏ¿»¸ÆÖªÜcW¥oXˆR¿ðˆý˜(¶1Ø6«_ýÎæUSUÍcYߢ&kÄØþxCãð}׉èßûO«r*3¢9ÍžÕ¬4|áàð¢ÊÛ›ïóÇÀfÏ­”êQ¼Z¿™„}ãÑÞx¼‹ƒçëãÆ_‰?7~,n|ˆûø±¯†›x%nâhÜı¸‰—pã¯Á¿·ÁrÕ_ ‹Ý-WÞ9pIyŸï7X,0«åÛ.+õ“ìE;D`Pæ6aó4³ }-¾äëûÊ÷a]³­[(¯ØÂ2”·Mß„q7Å]þ¹´¡Fß؆5|Q°M¬Ã¶åªµØt…žƒj’]µIÑ»Ú7\'Wv•&¥+§YÒ–ë²Ê7(´¼Ä=qªg<¼5«AwTžQ`«'ê-k”ê™&’òÅ[1+Úû¦ö5¦õ¶oÁoÆX]iqiˆ0GÛô|FtäCñÉ?;æ¼~†õÇ>;}h­$"ö5Seiì†íE7œÆŸö%â^ÞŠ‘àõ¼’kÑí½æ¸÷ Êñ1Ð10ûâ#Fż˩Ð+áJÜŸ2+ióuÑÓ
-ÎKÚßCè—G¶'¸$,ÚRl²Ü¬Ùbã¦À§¡bù,UÓ©ZªH¦ÄxÆ©Ú^EyŽ¾ÈÅâ¤8Xpdxßz	ŽLà{·bp)ÖàhãlÖ‰›%@Yg4Sq8H’I§äow…Ë
-*Y?TÛ²KN><÷\¶8$GiŸÆã÷¯÷{Z­Ÿ K–áÎ $yJÜY{í}gèF½`Ⱦ6k	^ߧBBšTösÛy=†{j¿WdÎ.Pc÷càœp¹Ædì˜/.œ­õø÷–i§q«D'{Æq¾ÉÝÂnËï‹ÅHXpN$UáÜ•¾&,{lêpiϽIXûv¤ @&&’d=ì"Vîšÿ¨]c–ÊoŸî=Ÿ¶­¸›¶çͲYçeí:ß §6DëÌJ›ÃßóÕƒ	‚•èT)*±s¯Vøá£nðÓˆ7ÙŠÊS–ø¦E¯´˜KàÁB§á£‹Í«θŸÒŽpî4 Ÿ_ÿ}|#R#CDT‡Æio™'0é¾èÖrm3±mú€m™ ’w	ä9ÛÒçmÃ]Û-xCrš¥ýÍê›R›;o®}	±øçrÌpªaáNFýiÄl	žÀV?çξ "»jÀ‚Uq›{Fô9¯Š.ø7#fh
”ˆÁxôAnÉLW´<x»—4DF¤Êä„JxFù1ICHM2`3ý´ñÇfCèîÒvÐœGA—o†üœ‚«5¤_e̼%Ñ'¶°
-ã6Bå^¨ásU!õH–¤É’lH² ÛÕi¢†ÄtåO{Šú©&
´Ðä_M]ŒÝ&쬪 {åMkMS>‰¡yÜvciéݱ;^e˜qx¡’K
-yê…Tp²Ãïø¸Cã•ñ¿Ø@ãÞ±¤níˆVÛ¬Ã\?Nw»™ÉäØ#^‡Ñ×…]B–F½»´!ň[<-ªrñÕ`Ï£ÍC½œbë&ô»‘gÿ«
Øý!õÿH,5Dd\@Õ„eYLX÷ˆ« iw‡€M„½~öÿ1`t*óå²ñ×yÿ1ìí{ºRkö®UÑM=TÁ^¾Š¨ÛÕõŽ§aëÜõÛ5{™'Þ²hÖo":†M<œïý-	äÌþ—8BîéäÅuì_–»ÿs¥¥&š¸®„MñFY<¤ZÞý·¹oú$F°endstream
-endobj
-998 0 obj <<
-/Type /Page
-/Contents 999 0 R
-/Resources 997 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1004 0 R
-/Annots [ 1001 0 R ]
->> endobj
-1001 0 obj <<
+1000 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6787 309.2241 427.332 321.2838]
+/Rect [353.6787 61.5153 427.332 73.5749]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1000 0 obj <<
-/D [998 0 R /XYZ 85.0394 794.5015 null]
+998 0 obj <<
+/D [996 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 390 0 obj <<
-/D [998 0 R /XYZ 85.0394 379.8143 null]
+/D [996 0 R /XYZ 85.0394 132.7054 null]
 >> endobj
 703 0 obj <<
-/D [998 0 R /XYZ 85.0394 352.2229 null]
+/D [996 0 R /XYZ 85.0394 104.7571 null]
 >> endobj
-1002 0 obj <<
-/D [998 0 R /XYZ 85.0394 202.6239 null]
->> endobj
-1003 0 obj <<
-/D [998 0 R /XYZ 85.0394 190.6687 null]
->> endobj
-997 0 obj <<
-/Font << /F61 642 0 R /F43 608 0 R /F57 632 0 R /F42 605 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1007 0 obj <<
-/Length 3164      
-/Filter /FlateDecode
->>
-stream
-xÚµZ_sÛF÷§Ð#5m÷?—Ó'7±{î4NÎÑÍ=´} %*æT"U‘²£›¹ï~Àb—"eÊÎ]ríL´Äb±XüZL8ü/&Æ2›Él’fš.Ìd±¹à“Ï0÷ó…<³È4ësý4¿øáÚŠIÆ2+íd¾êÉrŒ;'&óåo‰e’MAOÞ~¸½¾ùùw—ÓT'ó›·Ó™4<¹¾ùõŠF?ß]¾y7	gDòöo—çWw4eƒŒŸnnß%£Ÿ3Bï®®¯î®nß^Mÿ˜ÿrq5ïÎÒ?¯à
-ò×ÅoðÉŽýËg*sfòœ‰,““Í…6Š­T¤¬/>]ü½Ø›õKGí'8“ÊÊš´gÀT3+’šŒY%•7`½[»éÌrž,‹u¹øÏ4™‰”eJ:–#=ó¿ýä×ZõÄòÉLvJÐy*×k°’µÉ"ß7
óê@ƒÝT¸¤h¶uÕ
’ÒdUïh®=lûeŸyQûßeCIJ
-Ò×yH7·$©}È[¢<äAÔïRjRz`™I¦RvõJ?ÔMËŠ/ùf».Ø¢ÞŒ33Ìj¡Ã/–Ž”Èé§Ù¯PÛß9—_Þ)I[“I•Ç2Ú4_?准üê¾ _:x»ßUÅ’(þÔ8“WKPσ]àõs‚+Á“Ko|œlð½¥õÍÄœ¨¯íG>1ºž	Þ½p`H“ù³Ü¬ˆs³_·%˜2˜Qǫ̈3&¬vÁŒ»]S´3òÁç&7ü43·ió¶ØUO°Ý¹×å
àć‘ÃUuÎRoîËî„ðÓn
À£k]Ý&ë²hع‹naÒe_uÑ…dYfôøEKfŠi#΋¢eD…aX0t§Æ
-æ”ë‚ضs¼ÕÄú`'VKÆK½o{oÁ€»##D£dtü+D2‡eò,üLž‚ƒˆCÜÿ&Mã:Ë1õÆþ¤GxÂ79yWÃ&½3EÁ³¾d(§ûwÔ1àJ'VdÀ¯éLó‡à‡Îög:U¦óé0	ùâTò¤óÇxˆÅÎ¥îÔáæ)™”
ýzwÃÁq#2£ûyBE¿”rp”aâ¶O¡ŸÅ~·ƒ•ë…ãÊBäD‘f¿ÝbÕàÎx?2>¼>ÐCS¦}Ì‚s‚Sc™ÑÕù)€Êê3^©,Kž ˆ4M·$C+—âÉãTšÄÇ åÒ¦:Y<Ô5Åx¯AŒ^g
4†
A¤Ñɶ.½=<Ò>x#Ù»¦ó°Ñv¸ð¶&U3`­0ê-5
-çÄù
ò6Ê€Ñ@i2´×Ðv—<Ñ©·[¿)ù®Þ£^8&ƒÁ ˆ”zu2ŽƒÃ2ÌUÅ¢hšœL|ù^Ú—€Q`…|wˆÈÍ6„FgLæ`,3Û3ÙåÝÇËqt˜YlŠ
-ТTx°®Ñš"ÃÍk´#Ÿê0(›‡0(‹ºOßCê>®lö‹°€nŽNn'å„%iß¼
-K @/¼MûÂ}lÃ¥1eô³.??´Oþ;æÙý¨Si—u곡vÉÖ3Öå“Nä40šžQOß·`Tùz} 0ˆoi>ÜÈè58¼Ð0¾&òпFRÙÀÛ::Âê Î
-(9.i:Pª›íÂ-51Ddœß:ñ—Û€€œh!’U‘c²$pŒ„8±,›‚ÄŸÀõZ¬rP’üÖ8X àà>)ªn­ØA2rzÜ~»`
•üº¼‰ûÆòåÒ»’•
€B3Õá5x£õÓìÑÎè®t³C|á
‰[yy¢å ŒhãÕŠ¬ë18æï¶[.!Õ4§yX€b©’Í¡JWî«ê}Țι3Y³“8다^H_;aR†Ç…Z‚¯Ã}>ÕÑ¥ÌiÀÄßOÇ(ñ53àÄš¡’kH¾#ïC¦,=–zŸÇ<têêõ±>„†øFkê=(§)8sŒ×±€NèFL_oÛňtå’pùv#¢„b’«¨ÂcY<ÈL’Y{ZBôOüó¡¨Hé²%¥}UÏኽ	¹°—¶è&}‘`¿kJßýHÓ8`ô׾ؕŽÈŒ™4X4EXÿèÑ<Ôšhdv¾&FNŸa€×¹|…g
-~qnIƒ²ÃºyX¿Ê˵ÏöpqÔ¯‹¼l,5Ü¢:™Eo©à°õJL^8¤b=ÃÞËbQKÜDñx´Ìž„[ ûÝl×üÈBK'ÖM6!ŒŽ­¡‡Gá1"³ÏcñLCöøTnÊu¾ƒ$ º½9ŸüºW§Œ ¯ Àwo©åT$Õì u±T¯#5ÔÒÑ©Y‡‚ƒKà†9QâkU„yFö„{ílj¾ê€:Rƈ}aˆ±T‡±|Ú·±ºãÞ³«ÇÀù53îÐÀù;ïòI²×ýê¼óü14€\ã^7[ZÅÀHäü|N¹ÃS~N?Í°Æ9“Þ_8†T)¤´4hWn-ÃRúõSP…°ä°þ ô5PMÉì9jFj¸â('®ùüWzÆKƒ„¨±Ë¡3¬¡>]½%–Ç|].sŒ¼Äê—œl¬øiï9Ë°}hºpß+ñl]¿ä´é@ÕD±ü±Ãd´`U?_Ç>µ!0
½«"NÞÔò4
ð~ç1´£ûðò],M¸Ê£Ä¢=Ûh”P¹[ËÓïÒiLA¨æò¿èÄçª|(á—ܼÒl”Ž3­¸þžÍF©,¤p«¿³±/™šv¤Ù(µ.m;`Š­DNOè°U)˜°<ÆáÒ'f{vPþn^M•oºckkãÃp‰ð@ º¡1Ó*ˆ<
ÐÙeI»`|ß.0»¡£>ƒ´ôX.
-<ÍùTxïöÛ]éÿÙƒ’FRŠ—{PÂ	<‹ô tèAͧâÍÞ_ÿÓ+*X*À¹…VL£ãŒ¤#¦YŸë]"—ÇÌù¦˜µíútã±ë‹G¦‘Ÿ·à=:!†*¼siâ–VIµßÜûÔ
-D‡à·lPùþ	0xìÄE¾ 5Ò§8˜ÁcÄkjl„/¡BÇàŸ°¸K8ÑCE¤¢44½H¶t¨®õBš<®°#dÄ'·Æ’:1€ˆ2=
-¥ë
€óe±dØ—¡lïbIìq3
-Å fÛZÎÇʈƒRu_á0‚‡ogeµo‹†:A~Ë÷ù—r³ý Wî‹—vG€§;ÉÂoåoWÌàîjl÷s~Î!V8k^ñó×~¹¨€ý2«¼ßŒy»
-\Šü÷ï¸Fè[@HÇ8~ˆh0ŸfàÖèS.øÀr¿(è¹*Ú§z÷'>`1”wßy4O¥ÊjAkó&,Å`^ï6ye…ëÔ«º€Ø´‚4qÃÏp/‹(¾y*vT s†ÝkNš¢Ï­yZ0;fEç)þ*IìLû|!ÃM–*Ô?0À{,5
-þ´l!
yøæוþžÃˆš¿H‚4háôPVÝ|Ü+Ø£›Ô1¼¨µœ5 ð´ëX=7’QLƒÁ×'3RóüªeÌ:·àã7MA¥®ß°»HiRºw4|¨!3w—îDsIŽkù¿i¾È«CÓ¤ø‚å1Ó`¯ð·T¹‡úÊâ'V1ŒˆGTÿH¡)ׄ²	Øî¦Ò#DòXàx÷ßð•}Ùý•C¹êàî3”BŸÃíic	çcÞYd¬Ã?	¼ƒ ßüw8G,¡S¦œ“ãQE¦ŽiB‚Rh9ßÒð;ÏUÿcÌ-§endstream
-endobj
-1006 0 obj <<
-/Type /Page
-/Contents 1007 0 R
-/Resources 1005 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1004 0 R
->> endobj
-1008 0 obj <<
-/D [1006 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-394 0 obj <<
-/D [1006 0 R /XYZ 56.6929 540.2336 null]
->> endobj
-963 0 obj <<
-/D [1006 0 R /XYZ 56.6929 515.792 null]
->> endobj
-398 0 obj <<
-/D [1006 0 R /XYZ 56.6929 195.4161 null]
->> endobj
-1009 0 obj <<
-/D [1006 0 R /XYZ 56.6929 171.1539 null]
->> endobj
-1005 0 obj <<
-/Font << /F61 642 0 R /F57 632 0 R /F43 608 0 R /F42 605 0 R /F84 858 0 R /F86 972 0 R /F14 616 0 R /F68 724 0 R >>
-/XObject << /Im2 922 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1012 0 obj <<
-/Length 3015      
-/Filter /FlateDecode
->>
-stream
-xÚµZÝsä¶
÷_±o•''…ŸÙ7÷ìK/“Ø­íÌt&Ƀ¼+ÛšìJ¾•Ö¾í__€ %j?l·—ÎÍÜ’ ~ø Ìgþñ™Ñ“VÍ
-«2͸žÍW'löc?œpÏ“¦4æúÛíÉ÷Ÿr>³™ÍE>»½d™ŒÃg·‹_“?ûÇíÅõi*4Kòì4Õ9Kþöùòœ(–~>^]~úüÃ/×g§…Jn?_]ùúâÓÅõÅåÇ‹Ó”Ía¾ðŽLøôù§jýp}öóÏgק¿ßþxrq;œ%>/gòåä×ßÙlÇþñ„eÒ={˸µb¶:QZfZI(Ë“›“£Q7õÐý)m2-T>KµÈ‡/™eLÃ¥¥…âYníxÉJºäÀ…—üØv}Úõe_w}=ïÒUùu÷à<·RÌbñ{›¸ìBF»à^œh²Ï
ܽUA½V&æÃi*™Nº§j^ÿƘ¨:bé+jÀVëÕfEìÍfuW­i ½§_<µüOyRωR5ýºD¶ô{W‘°?ª§¬E)‘\¶=ÞÇ,ÍaÛÚ€"8ϬÖÂm»^=-«Ȫd;uC¿‘™f{†äՇόÎÕë:¹ŽëtàÂ]ÁŤórþX¥}¿ÜÓ¦Ò™T¼¾üÀõÆú\ƒñ
-ÅßØÀŽ
ä"+¬5°rwUz'%ÕÂ¥ªEj½òäûvM¤—ÇzþH4?‡ƒ˜õ³³ ¾ÔË%QÝ6¨	“¹IuS®·ÄöÓì©íê¾~® ÍIÓàÜ/
-;UuÙt/Õº³œ%·a§‹ê¾Ü,{¯ýŽ~ÛƾTÕãR…ŸRn;\í¸a€Ó3.å†q½bËé¥nÒuÛÂuï…°™äh¯-=pX{ââReàN|º¸¿2ƒ»ʵ£ß€ó[øuz‚méµ£¡þ±ì©Ewm‰¹ú²©©± Qo)&)§\U×ï0xû±“UÍΪ-±>8
-œu@B᪜Ï6ª…·óÃp^ M¬"¼Mi½ˆ~¢3[¹gØ3΀€4ç*+
-­ß‘¤qÖŽHÀ@™å¯È¢ydùf˜1•†Ý¥â2±©~¶Âu–UÌrÆ!zg»Œ.@…;N–i€W§iΓ[ø_${7B%(n¦u‘)Î9.>û2ãSÖJâŠÚî°ã%8Â÷ŸWbvÞ‘fñ©‚ä4íÎeÔሆÁ n(­	/u&Ùž
-–T¾3
"HhèƒÈ~øP¶Èr™ËYt±ß¦*i@¢…”&3‘o3$ˆ¢¦BfÖ'KGn’›Ìä”۲˅Œú!}.—õ¢î·i
7·†Þž:+Œ³x}P\ö15Øn‘Cº2ÙÈMœH&	N°€
Ûlø‹È-*FL™L¸ßô‚)ê¿RNޔѯYnúvUö)SÁ2#¤ÞITæår¹%dz¨šj]:k“œ'eGä’º^²ƒ.$»½}±mÊfOHÜ<-@@G#Úvï^Š"ïžå™eΤhlýà}ì:RÂÀžFüû:Ø“êTPÍûºmhc¤ímNm¤#Ñ{V00½±]Y¸—9¸Õ)íÀ;©¾>ù€„y¤åýÜ=†¸€†¸PÄ–&y^x¤“ì@db
-|’XЮ2Ò¾bPx'ê§Ø+ÄÔ|ˆT7·Ü
b×g[8ÐÑ蓮·
x°	!1ióü-ýRÎÇv³¦Ö]ußÆ+õaóÍšèM¿»hÖÈ“%$ìËö…VDYxD¶v)Â.ëU=dáåªÝ4>ôRRÁ’ù²û\¬û£z9µ"9š€aeÆhàÕ,æ:Ž[×€U÷ëª{Lñ̆t÷ Ùq÷ëí>o î;$VCŠöê®g˜˜;”ºÊ€é!À˜:зp¹Îp:ꀕô”D-‰àôšCÁý—ΧPD;Øíô®z,Ÿk—šI€Í†~ÉVî=2=ÖÍÑKúù7™žT‰¾lÀhªõÖs)ŸéßÍÕ5æeóPuä·n¡u¼P?L£+륳*h÷k¨î}
•é/.5ê–ÖÃS°SZÝÚ"Õ†
-Oë÷fC
-h•ƒë@gÓU‹ w›žh=éaWf4Ïx7êÝv˜DUÙAØÄ7/÷¡~¦cÃ`·,Ÿ=ßPV¡èE:=šV
Å5„”vÝo„ÂÏ×@³p9”i°™z=rxÃ
-0=0ÑÈâ é-Næ*8Bt@:…Q¤-¢íø±–~Ýe8ê…ˆ£5O
µ'vvLo‡u°¢‡ÜU}UÃîÜ9eòT¹I)êÙy´HÏuõBLT›¨äaÙÞ9È…<3A«,ÜwsFµCÇåFÄä9èTû8Z¿¹#î§û0V€™åêéƇB¬{åp¸YÄ£}¨»ñ¢¼¥PiÅF‰ã{ŸK¶ù C,Öa–åPcH€'îŸ
ñ¥ãc
8&cQ©~3¼rù?pí¡•‘\ÅU\¶²¤Û™Ž{6¥TؽÛî½M:ˆVË2xŸ›²ññªiC͸À¼íÃîM•ý;W5;ÞTŒ'BSŠO„ýÅ´íZwÕCÝxêX/µú0qY7Õ}p#²¼0á]ç»ï¾#ö›u·uDn[È«lxŠÙ{9„œ
 –4˜&Ys¼Ç!ÿîUÎ	aL¾tžÊŒ k¡†
-¯©ÜºS¸«jÄ· Ê/Mý5íú­3`t6݃¿ º
-¬ª²ÛŒo(Ê‹î*̧BÓ/ÿ±l6ô4tîÅp§Fx±É§á1ú G:«P‚”-A‚r	ÒÎéÙH.5ò3:F.] gÍ1Ÿr´~ûä KyÔEšsRâ
R‡±0Ù»
- î“IÅib´ Ô€%e{Q MDXzçÁ@H
--¹·Î½S8(£U·!’†Yf”?Æá%˜®S!Ç1™ÐÙGÉlx^Šã-:³Ÿ}@}>ÊÂáW
-™'?ÑV¥Ðƒæ.nö†-ŠD0B'@ž›ZnØð>‘cˆw5%ÐÆ	ƒŒQ,z£Ÿ4ræ‘èÚo­…¤›
-IÞKÐãX‘ëè©4'©ÎÏ)°A¼
|“»„°J°„#¹Mî[^¼:JB,ˆÂ3ÛoB4q î—QÏ»`	Œñ–D>¥°K_ŸAÉõÔªÇGÐ1Dð$NNæ4;ƒ¿½kÂëc‰UxYØr0Öyö½(ÕÀz¤vQ-þº÷#‹LéBÍ8~ü+ì»Þ•”/v>™ýo³¢gMUdF°â¿x+3vŸ5ÙR®ò¬ÐæÈû;”à™‘RCP„„„3J&ºÍ|^uÝ+‚*´
-5?…h@ƒ!ŠôYKBHðBî7K¢ÙxLÇΪ\ø©.ë-ü÷270æª:°2zˆ™Â$gD‰×Â>®µ¥¦3Tø]T˜	5"r'”ôµæ4ø´p³vI¬¥pceryuq}}uM4ŸR>A¦[¥õé´ÅT6ÑÔÀ
UÚš 9$éºÿÂ
-µ{‘çb«øÛÌ
T²ÑwŠ3Ž[¢™Qæ-C”°cÉñ×áŠÞe‰Š‹Á±–¨¸-‰þ›6Ç7D´
-¤ B#A=(ãMõt¯èg<ø·ÝåÿU=ÖàÅ[êšE–p¢ùº^cµú>œ0fÄ	CŸÑ¤÷@Âc‚v°9ÕRP;8#ø݈ˆ½°YûÇP³„/›}y\[Ñ=ü¹ÚR¦¶
-1Q¼…ê–e:·>z]´ߧ-¬øÇØ­ýû¤µ…áû¶ÞÑ–€t¶†œ©¡æå¿Î¯~>û|y\ßô¡è¼ßv…ŠAy©èÇfÚªƒ}Øðíï›ÿ|füÛ"À\‰O‰‡ß0Yˆl‹™Ô™òŸ¢õÞG
ਸ¢­ÿCÛÖendstream
-endobj
-1011 0 obj <<
-/Type /Page
-/Contents 1012 0 R
-/Resources 1010 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1004 0 R
-/Annots [ 1014 0 R ]
->> endobj
-1014 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [326.242 503.0993 375.5914 515.1589]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update) >>
->> endobj
-1013 0 obj <<
-/D [1011 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-402 0 obj <<
-/D [1011 0 R /XYZ 85.0394 357.4033 null]
->> endobj
-936 0 obj <<
-/D [1011 0 R /XYZ 85.0394 335.0921 null]
->> endobj
-1015 0 obj <<
-/D [1011 0 R /XYZ 85.0394 206.9327 null]
->> endobj
-1016 0 obj <<
-/D [1011 0 R /XYZ 85.0394 194.9775 null]
->> endobj
-1010 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F58 635 0 R /F84 858 0 R /F57 632 0 R >>
-/XObject << /Im2 922 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1019 0 obj <<
-/Length 3156      
-/Filter /FlateDecode
->>
-stream
-xÚ­koãÆñ»…>ê€Ó–ûâî"Ÿ.‰/½ ½´h‘-Q6q©”}n›ÿÞ™YŠ”é;_0wg_ó~ìJ.2ø“›‹<¨°pÁ›I»Xï/²Å
Œ}s!yÎ*MZg}yuñ—×¹\r•/®¶£½¼È¼—‹«ÍË\(ñvÈ–_}÷öõ›o~x÷ê…3Ë«7ß½}±R6[¾~ó·Kj}óîÕßÿþêÝ‹•ôV.¿úë«\]¾£¡œ÷øòÍÛ¯	èóĦï.__¾»|ûÕå‹Ÿ¯¾½¸¼hÓ+3„üzñãÏÙbd{‘	¼]ÜC'2µØ_«…5Z'Èîâû‹ŽFãÒ9þ™L
-©¬NfÂHùô©tB§rSiÏé¡+™!áˆÄ‘…ì$£F"‘Ò
-ãÝÂÙ r­tI[®mW552èÑ`‹³ÆÁ)8óê¶~ærY÷×e‹mµl¶ûõX¶UÙQçþ¶ZßRs]»rCsû´AW¶w´\ö

 ýr…hÀ+)E°VÅ“·M»'QÆ9ÆTñ·‰c›¸/tã¾ðý)ËT½aXD ‹uŠº»‡U 2â\AŒu ¢,1ö	K/4Äb•&ü™òW0Ógêò×V8%ñ¶¨vǶ|žôµÕQú/äùŒ]Tü
- ­J
-€p’XwÜõ¨8ˆÑ‚º„@œ5^q¦ä?ºCSw,ä™d}[Ô©Õ¤ñ⺹+?"Ñ«þ,‰ž¬þSn׸̹‘ß·*!"ó ´³^)'¼
-rì~¹!å<(ƒV‹Uà óAiôŒÏ.y”ÃeÅ›û(öl†d›eu%
ƒ×ôv‡S’á#ð¾Úí¨}M(?ë~ÇËšºäÆ–Õs¬Í
-
-*“¬ŸÝq½.»nFµA[Åó^Îl•c­á	m¹-ÛœÃìN.^Ðô±ÔË,KlZ7G@åÌÿ?¯Î
°Hg
-Læо—Y‹´‰dYvŠ]°ç÷}ÑÇý8ei‹ý¾`Þ[7Âܘ²è$Èç¦=rد:ü,âΣÓSAxïÂ4^77ÇŽf=”Ý/MûKÝP÷‹¹yh›»jS®ªÛö9«$óì¹ëŸ½ŠÎ*7õg`Ö·pÁÄxIJ&žÄ)Í_aPô4ó§ÌfÔ'±âûÿ£Ï¾¨Þ
Kd:&~~žÃî}ùÐ%YÄO×·U}3,”ê1?Bjü6&e5+Êß¾˜S>@Ä82åNJ—Zé¾.c2mìÌ芛9Ã>ÓÆ«Y#”Sä.ù:F`ÆI@(Êód«Ý·
áÓB4üÛ¢÷yB×WënÞN‹®kÖU³ìßWý-ŒSÀ}Óó‚ºØ—Œ^Jဓ
-µ1ÀwÎ_œNp™ætêàäNƒG«©Ñ¬ÁWQ³à1Ê9³¾9dWÞ•;ž¿L‚šYvsl(²ã	
o_Õ˜7í\Ì¥!דV{Fø®*ïg¨Gë­D¨²vaùfûôþ+íAµ3g¦ªýô9.ƒÌdFKÒÜCp‹úÀAÁ‘RìNgdg2á}Žð”‘ŽïbÐ
-p$…&Jݲ8hC .$C]Ü &f¸ 2dâDì“L6â“åËÿP±­”/aÏ"!5Ãoyho‚M”úª´äx¾+îJ©cžØÑhT9ã»+ܦç3ç¼’ö™pCf)ãœjH¿u•5*{D8¹„€—*Ì'™XéÄvha–_2³¨/žŒ*ïÒŠCÓuÕõ®Âœ¦Hˆ`",èyÂÀ¨Dî?GçQ-p9¡7ÊùúÞ2ÚyE|Ú»Y")ùÌ•O §Á§nê3Fâuªb"†’ž@-rÞðÍ‚Ø}`³áéýi$°Z?ß63©ãšå>¸{UŸN!bì´ô½Ù5×Ñ—vÔ¹{}MÃ
-ó^ˆRø?Ѿ¢ŒÙç$×d×9XžL'ã­Jö¸žš!Ûb…}î’”Wä’Ø)/Oþ)(û#„M,W…“?Ây‘*˜Tð\¶fåk
BGvM«fÍÍYa²`§ü#ç£\>V`åìrKf¶çAÊrmò@›dóΞÑÁ8ü“+ÅðæsNNsÒVZÙ¿óÆR°ƒÑf{ÂaÆ%á­ ,÷Óbó¹µgÚŠ»Wì·!Ù„d(œ©ÙpýœòÇŒ“ÜlÐáK:Ë"ÒáÙô»´õÍ¿^ãë‰6gþl”R!Þwԡć7IƒWŽ<òƒÎC«$Gæ5'Z8뺉7c§Û¤;Јޗf%ÕžkxtÐ<èTÑ£‰`|Þ‡b9c±bŒÈ{= Èb<7•“–ÊõñææáìîhÝÝmª-’—Z7mûÂ/‡ž°Ôák"ZÌœ3‡õy!Ô™|q¼\œ¿Q0ƒ>Ù||<…N¬^O©¼L/M©<À†$JXôöP˜z^ÖЗqË˯ß~Ï+(Á–x±ßkpz1ðR0PLÙ³0pºÑÂùÖø>ë#ÅÜlÝ%s'25<.<'¿N¥—,óˆî™ ⎒͓š"‹=ÄŠû†À\…x=NÀÑ@ͦÃl:ƒ`¼Øj»þåìëNÞm¨íF·¼3ÞA	ëÔè
Ä€4ÈEèdØ ™Etºx5;.®1eÒÝ-pÖÐåš°ù©‹Ÿœ–
783¢‰×®	ÑÉõcªr/Ìào!fòÛzŒù9]p‘ù8Šg‹Ç>=òž2&¸7ñgŽ¨Ïµpö,ê|šð½§Ë‚‡{=è)øØA…XWn¢ß3+àå
-N¦E*]Õä}ÝÜ׌Ø*î°¬7€Gß4†?œ/ÀûŸ ^|`¹@˜~(úõm¹!å`&Ñ=)WÎS=_Ú[`cÂâ³@0Ë¿€ý‘â}16ºC¹®¶ÔIæxqí…ÚÑ÷¸ä{ ƒ6
-Þ$Ù%îÁWþ©D׃G2Ãæ`¥øË~_™I5†U¡SžŠ¥¿÷˜ŽÏ$2XßdŸw˜S"óÃUq¼qËפà;"ÇPMâ“#–vó„ú€ž÷œ<:ˆPˆÙò©7K§Á²™Ô³gNè0ðtŽGÄè÷™Ð¹;»ùIo$C@û1“¶˜©É¹ße‹¤¾ø—N§Ÿ È{5ÿëþ•°B2¬z„»Ì„Ò¹šCþÿÞ×í'endstream
-endobj
-1018 0 obj <<
-/Type /Page
-/Contents 1019 0 R
-/Resources 1017 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1004 0 R
->> endobj
-1020 0 obj <<
-/D [1018 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-406 0 obj <<
-/D [1018 0 R /XYZ 56.6929 643.233 null]
->> endobj
-1021 0 obj <<
-/D [1018 0 R /XYZ 56.6929 618.5258 null]
->> endobj
-410 0 obj <<
-/D [1018 0 R /XYZ 56.6929 477.1894 null]
->> endobj
-951 0 obj <<
-/D [1018 0 R /XYZ 56.6929 446.708 null]
->> endobj
-1017 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1024 0 obj <<
-/Length 2909      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsÛ6÷_¡·Ê3Žø$0}r§çÎ5é9îÜCÛñPeqJ‘*IÙÍÝô¿],øi*Î4?\‹ÝÅû˜/"øã«Y$ZÄN1q½Ø.¢Åô}ÁØU;h5õÝÝÅ?Þ¾pÌaw»/Ë"kùânûËòõ?¯~º»¾½\	-
»\i-¿»y÷†(Ž~^¿÷öæûŸo¯.cµ¼»yÿŽÈ·×o¯o¯ß½¾¾\q«9ÌÙ	ooþuM­ïo¯~üñêöò·».®ï:]†úòH¢"\üò[´Ø‚Ú?\DL:«Oð1îœX.”–L+)[J~ñáâßÃA¯Ÿ:g?--ÓVÄ3Tb΀Ú1#…ôlª¤¨wiU£*0A&(Á´¾‘™Õ z-OuºÅ_6%Qòì5Ôlö)5ŠÓaV4®ÜmS›SU]r»L‹0!+Öå©ØÒÇË"
¬;±|ÇÎO*“EêcºÉ~"ÑJT§Õ#¬
-›)aÄÍõZ¬ZUVœ3§µðePzh%.Y,¬
-J¿`)#Fnò,Cèð¦Ò#ù^…D׽͆£Ó@H6›Ò+¼ÍŠ‡0¯ìç?—YˆˆÅÎMe^SÏfỦ+&TÔN*MVŒ¬%5g‘s€-n™’€;r7¿vÄ¢(nÙüž~œ[K(&
ŸšJJå•—RT!Uõ=[I¶ûHýÉÜV	Ø+)kOÏ#€„Ieå"Ž	iÍçœHÁœµvþ<®:Ž«!Ëç‡MÄЋ~e†¶3Æá´Ð-â¶)¦h­±úÏo¼í‰„`Êš²tÝ$MzË ¥ÖÁÚz¹ûÑïÃ0HK#ž’
âƒà!¬c2VãÃT§p¶³Å¢åÓ>-±Î-›$ÿÝÃÉ~µ¨=ÐKÎàP6)uŒ°Òîè8ø2Ç_Ò[;©§zÓ:‡SÝ›òÖ^§;:vi/äè”×îdË—~¾¼Œ˜1<~¶<¹#1¥µnMHÁ¬Ù'(Td‚Yvið•›´&zÖ0”Z/ÿCöR2œñÇ)­ïU"
â}þzãwsÈøøݽ×Ä[?ç]gEÒœZc!é)Ësj­å!-Ò
-´ÞÒç©F öÑ8^Éc¿Ð°c·Ž=û´ÛøIŠ@NŽÇ´ØÒ KØjàg—‡´®“‡C:Ë+"ŽtÁáe•=d 
a:ûX3â6B*tcù¾¬žS¬(ƒ?o×̨±»ôuˆhÔ¶O=¹û68 q8çKÖ­4ðÌWy³/O{82íáÂÆC•IE„ÕyTKÇb£ÍnN7râÆ‘k’çåSMmï8”?dy“ó0y®@è%8¾Ì?"#È°á1J
`Ô¬í`í7ŠÅ–»±ÕF¬XŸŽÇ²$²NónÆm)
³èFq>&<†Œ0BcUà'ÒíÊÛÃóúÐûŸ{¾:Ø
-Ø‚¹ŒUmž5äd€÷ÿ¼ÂfŠc_ÚTŽ8¬M¤>ÕŽÿÖ³ÕÌűùš\ýc!C€ fmìÆþë¯oÏØWYëØôöµŸkß7
3|(9*Âù÷H;ëOd-”‰m—1
ÄxÎòe!ìL$6êâuMŸoÞ}øpýšÚ}HÄ/r+eS3ÂýpdV·ÌêM•­½@r1Mh”ë9e*¶V`îA]Õ·ƒÊ ½ê‡Sª2Êc'Êu“d”
-ÌÿH=ïå‘ðyE­4kö>	Lã6!·†,0ü/æØ"þ0—½Éð‹”ÁVYµjj“¾l͈SAí4Ë÷èâ7)-œÌéG¦Öb¹OüÙGËø½TŠ¸k§AÄ„­¨©7¡Ï¦º´Kp‰Ü†ÈWÔMå•å•Ž¼’n|Ë.Û'ì“íTžÇ$϶íLÞú ±<’iÜpO±þ„*xŸ^w‚-©ËÜ5ïÖp*Ç&xÁÎ7@;¬Ý9ÀÎú„‹SF%¡¤,ÚÈ·Þ–€Qàë+qœÛVœÝùѽƒšM1κÑHk÷™nÔ2Ë™q£Òá	Á†Å­GÜµÏ ð+N‡0¬²³	¡8léfßÍ­³šR9çÕ…ßpÔ=‡ojKv!r‘ÒWäfâ˜ÙXè1T‹2y¨C
6½)7eþªÝ‹tûëIêêýužÌ¨aBx(m†Û»›Ì然÷³3"ìc–>ýÝÌ…ØxÝ£­èò¿z”ËHͬ™5‡¤ÙìW›<ƒ•»Ñþ'Ùn+HÑïýˆû<ÃŒé
™‰Ó n&Ÿ³—Å×bYáQ¨Á¯¯ÊóFþ1­ïËê¾(ÏgV¼3Ñ=Ý L¥ÉZè6Wˆ|Dé¦þÄ23ï»#3ÍÆggò¿™‰è%¬|I&?í>LÜÕÈ~ùÙ¢ƒK®æêxŠòX«'ôy,ŸÒjwʉX :HÞ¥ƒjU†b;è¦)ŽT‚c+O›1oþà’ÂS“¢~¢v7¢+|C•Y};¤à|ö;D›º…ȃg:,X¤Q³`aK)|¢Ññ÷i%®	1IW+jÄ¢›fÜ	!0vÊ“ªe‰ÙÆ´·;ÐÈà_Ñ Ýrõ1Ï/Riis:ÎV¹OÖž(ûäñÙ•¥Ò6®[;Ö³ñæúÌÅbÒéaÁ͆‹aº.¹ÏîJÈÇ–GçmÝ/‚	8í}L6-ºúÀ!ëÐWûÄ[þú®_Ɀå®\#¦½NCÚKxÁ+z3-mýHÌ‹còZTtÄ>œ[»|„”‹Ž0|ø¬ú|
-‡º¤#€
-à÷ÍOa2øL
-D5ͱî®F!Bè˜q!ÛCÜî´HV1I³àxqàŒýâÛ׎ãjÈÒ—#ù¤™v»a§VQê¢Øò¯'dÇñ!•à,2°É#!}КµaqÌ[ä—»~w|üM=s`4ÞëtëÚ‚J0ÈÝìÆæÒ7)X^Oïðû9Ê|¸è4l~èlþ’®›¿Â›ju·òY°I&c‰ÁN2®¸ù
-`WC–s`3LšÁŸÀ¤i*Ž¿žŒÇdÈ,îÞHÈsX‹¿Ýí:ù)Ûß„žÅš‰ àKóXãá©cÆÍ^»p×=\à°ºÔŸõVRJºbÅÆø¥Mjµ\—Í~ö¢“ƒ–„<z£7®ÍPè³/`ø|<âø‚j§t!j›îŒ¤	=ÈHâÓ^™c0fJûÃêK@éá±J}$‰¿ð†®Ú åK,‰Oy]É,|$ݸ#ÃzVQHµ#M'‰óŒ®0ɶ7‡;Èd2¬Ùp¥Cš5ÉÕ&_zI9¸ìÞÂÁ€IMïLû¾Â3ÃGc©{{ú¾®Á®ðvd:µ¾Ù@0¥÷øðFt¿*GTÕ{zx¦õE<0¢zÓœ¹c—‘bJwçã\öƒ¬âÓì%蔑ñ®ÅoljñW!bêL‚„eNÆñäƬM"ô°„`‰Á«Äà¦b;¾[è
-T¬ØÓ?›3å+
-YunfœËI€“’/Úȸuþá‰Å¿!€°sÿŠE)þÿÄÌ
eÔÕE_üoýÿ°¨˜IkÅüm'€œYî$…iùìnµýŽç¢ÿ#ªendstream
-endobj
-1023 0 obj <<
-/Type /Page
-/Contents 1024 0 R
-/Resources 1022 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1004 0 R
-/Annots [ 1028 0 R ]
->> endobj
-1028 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [461.1985 474.4244 510.2452 486.484]
-/Subtype /Link
-/A << /S /GoTo /D (DNSSEC) >>
->> endobj
-1025 0 obj <<
-/D [1023 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-414 0 obj <<
-/D [1023 0 R /XYZ 85.0394 631.8434 null]
->> endobj
-1026 0 obj <<
-/D [1023 0 R /XYZ 85.0394 603.796 null]
->> endobj
-418 0 obj <<
-/D [1023 0 R /XYZ 85.0394 524.3454 null]
->> endobj
-1027 0 obj <<
-/D [1023 0 R /XYZ 85.0394 493.4886 null]
->> endobj
-422 0 obj <<
-/D [1023 0 R /XYZ 85.0394 380.8349 null]
->> endobj
-1029 0 obj <<
-/D [1023 0 R /XYZ 85.0394 355.7523 null]
->> endobj
-426 0 obj <<
-/D [1023 0 R /XYZ 85.0394 225.5162 null]
->> endobj
-1030 0 obj <<
-/D [1023 0 R /XYZ 85.0394 194.6594 null]
->> endobj
-1022 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1033 0 obj <<
-/Length 2105      
-/Filter /FlateDecode
->>
-stream
-xÚ­YÝoÛ8Ï_aôÉjF¤¾‘§´›v³¸fwÓÜpÛE Ht"T–¼’ì4wíÿ¾3œ¡-)LÒ"?h8¤†óñ›áP–3~rF"JU:‹Ó@„žgùêÀ›ÝÀÜûÉkvÑb¸êÍåÁÑ»HÎR‘F*š].²á%‰œ]Ì#¡Ä!Hðæo=wöþŸ'‡q0¿<ûõüp¡Boþîì§D½¿8ùðáäâp!“PÎßþ|òÛåéME,ãÍÙùOÄIéñˆÐ‹Ów§§çoOÿ¼üåàôrgËÐ^éùhÈ_üéÍ
-0û—OøiÎî`à	™¦j¶:B_„ï[Nuðñà÷ÀÁ¬yÕé?é	åGÊáÀÀw90LEä+ß8ð?M­»Ã….)ô'ÏSµ.hxWö·eMt††‚85'½Dø€(h[ê;^5ÜT…°—¯xQ×g½^麷[TQךžM]Ý9Yžë®+¯+÷
>½y^• ‡Uïo3¹ÊúüÖ2µCmÇBI/|Fm%¤%¼àIþæWÎá++¥HÃP™Eì¾²¾¨|tþ_p01š%=Q/3Õe+žªwzçV›ª/×sQËî5о?/Êå¡LæKÝâÃø—Ø}Òy‘õñò¬&⚧nÊ­fúŸNq©uïkc±7¶tÙ´”úK¶_Óè“RAY÷º­³
-iâfu±ŸÖ_¦Ó»0âÀïУ[WeOäO癧ûÍZì´JDäE‘ÑêCVßãŸ
Or42Ö}ÙÔ
¬€,ëýBÀƒHÈ0ˆVÈC°ø‘H|åÀ8ʦ‘U]CÔ5«µétA”Í5³Î¥J˜ˆ8‰Õ3 
D&rª‡	O`a¬­	È~‰ÀWÒ†—jj¶^cª4åtDêîÖ8
(ÂI×T[‚:°þÚè¶Ä2bV‚-H%œ•È3
-§
-)ãù¿wÂêf¿`Ñ­u^båÌ̪&²dá&x`/%‡w²®vö‘øF"¢ôùðBÁÁMV+°‘*cNFB/3Èd´;Pó€*ï…6]aÉœ0 ´q›mõH
Œ©¼vç.»wÉïºÍ]ÀQ’&Ѥj=%‡S«)	aƒNù0pÀd•9«ûì3/^vr]è:g^³Õ­•ÚX©¶¸-Ú§a ¾+1=O­ŒþDŠDùÁ¸Œüë0çXnAˆSF*Ó ¯²Žù{“:=œŸ-i z¼¶ä§¯’Ápúì|¼&6+]°Üó¦çÝ9¼JIe7«öõí^éÕ¦ëY‹¦î³iRpš“‹¡îpEHr)ïÊ}|¨p0qvnk7Ù€R2&òfµ.+],l÷ðåÍ:gõ6în²ó8žþûB×>CäCŒ½ï¨ŒANБ\RÕ`€×0´74B’9E^SC«mÊ2æ™>Dó|2I>íxW;¹éX]æUn0’DA(Ç™š“+@ulÐR:½üt%d¿&ž)öÈÁ­¥ÏW—»óÄ#gïz‰ïðJ•ܳ©i¸}³&N¥·º"ÏfŸk”aX_oÚÓ˜˜är6…!`<#Ãr6'®ô/NA9ÒsšÃÆë¬åœ0í®¸µ·&°gÕ0¯)†0¯¿@[’Ccâè-_‰”Ï‚Q&Aì#æö°àpÁìø‡º©ïˆ§Dª’ø™xúЋGŽ, ®ÖƒË”/ƒq•àR‚… Ï7­-Ïèn‡‰H>ŸŒŽ³…ëÂzs¡’IUþyPÙ“Åc©Áå÷ºs*(W0ã]„KÏÌ}¨€F×[žbx
-x6?§}ªÝ
NßjS˜öÚìW-Üu7–?ö4O}÷”ÝÔq,
ÁÉEí‹+¹H[èt°ã±óJXVá«ž(®_sÇ5–O¯~sOÊá¤çhZínŽ´pîó8d¡´?‰Õ1.ôrÓýT­†#¨þ@ëæG(³Êu}[榘½¡c'p_¹ƒ(u‰H­7×p<ÚÑðëÍÿ¥*IOî1Ï T>†RJò¿=asFìØKÜS<ágŽ@{rÕ´WuóÄ‹û²†ßÄ]‡¹‰váN_—eÛõ‹\k@ñÃÿ"Bx»Â÷â¿<öÿ±ð“D¹ÿÍP1´à	a¥Ðº0x ¹ýoä¡êYKendstream
-endobj
-1032 0 obj <<
-/Type /Page
-/Contents 1033 0 R
-/Resources 1031 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1004 0 R
->> endobj
-1034 0 obj <<
-/D [1032 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-430 0 obj <<
-/D [1032 0 R /XYZ 56.6929 267.2685 null]
->> endobj
-962 0 obj <<
-/D [1032 0 R /XYZ 56.6929 239.1296 null]
->> endobj
-1031 0 obj <<
+995 0 obj <<
 /Font << /F61 642 0 R /F43 608 0 R /F42 605 0 R /F57 632 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1037 0 obj <<
-/Length 2090      
+1004 0 obj <<
+/Length 3010      
 /Filter /FlateDecode
 >>
 stream
-xÚ­YÝsÛ6÷_¡Géæˆàƒ$Èé““Ú9÷.nÏq_®íd(´xG‘:’²¬´ýßoR”LEvr“É`¹À.‹ß~@ÿÄ$
-W±?ѱÏ.‚ÉbuÁ'0÷þB¸5^·È®z{ñæ:“˜Å¡'÷Ù@WÄx‰É}úËôÝß.º¿º›y2àÓͼ äÓ·7·ß'¦áÝ·×7ï¾»œizóã-±ï®®¯î®nß]Í<ä¥ÓpBàúæWD½¿»üðáònöÛýW÷ýY†ç\áAþ{ñËo|’±¸àLÅQ0ÙÂg"ŽåduኾR§¸øxñÏ^á`ÖŠŽù/P"©Gè…ðY,µšè f¡’Êz0«êmR§¦nf^Èùôwp†„1_JÒ´&溪[¢€½ÿøŽƘúó;ô˜å	Áâ v‹ü)«½yÒZÞ´u^>tN­oWk/Ë‹ó2„U’—-ü÷Ž6Û™æSU*«/ì·Jš¶?ÿ‰£þÞóÎzå?f×C!ñçÍx"ë‹êÁkòÏîåf57õþäµuR6™©½<-Œ——gEå	ÑjÓ~l›¯^´­8!úòm˪ͳÝèåþAƒyZù"o¿ d½™÷·4Üñ}~ýišjS/ÜÍýÊž¯ýbþ°²"ÔLi	O0í«Àjø‹
-X¬u0ðA‰8„(è	­˜òãøð Gvyáдð¹iÁìxÊ´ð«L‹“6A=¿È—9,˜/´tVù'¬ò_gU( §úÑáEXuÞ]{§ÿÝ¥c¦$ àÀ]Ÿ«ÒxM›´yÓæ‹æå٭ɼǤÈÓ¼ÝAˆB¦ƒ¯jš´É+÷
-òom²Ú4KÖ¯È$¯ƒÝÚz÷ú½Î	y2fQ¤á^¥b1Vr”¥êöæÚ—“^e†øšñ0ˆì"l"¤„zÈA^5áæÌÊ”-}~o~å\–y›W%q’2%âç&y0ýFûò
ûH(à¾ðû0ávúW¿Óý,`¬MsÜœØúh¢tÄÂ(Š^Òž¨X1ÍõQ{òuR!¼s«Ú’ã Ë‘ÝEªòúCy*ð™Ö‘¢ù‘í
-"QiØDòaåwÎVƒå2´‚FŠÛe÷Kô­LDŠôÃé2iˆ™ÐàtYzQ­w´ªÊˆÓv*0¤h
-:¯£9ÔiÑ‹¶yQkÞMÍ3†ì¶¢û_×3M«Ç쪂xúvG¬Ôdɦhÿ
-_š÷QC
-’þ¨°r•¤ŽÊ(–Vôe+õH!
-ìSLå*ôÉ
-d8'À#À—Ø%°`‘”´`nc™”&%¦G$}œîievŽ‰×ší°"8&×i Õ9%CØ6ëïçÈ` h€²€…¯E®|¨|ßÅ®-iìö4v¥×%KäÍo¼7Aÿ+1M2BŽê ¢âpn¿5^)WÓKÈhPJ!º\ý„U6ýáHâ4Ó:Üê*·nî–¥ˆû‘KÝæíVˆçç‘"õãÍ{š…wš%ãxz“+¡5rø~E–='ðö±˜"-*LIsd¹8Ê8㊀°€qã²{kÕ@±ŽÐƒrzC€ÞÂv†Ž¡»-u_y€Õ	9H¢•‘tõØd[QAˆ¤$ÚÇÈXM"D¼·Ar‹ä%ô¹÷kìÔC›[·ö®±ꤲ©½wc²x$½¨VÐh¥ÎÃ…y¹p:ðQˆU†î¹u¸“ZL†{»F‹¼Íš¾È@˜"‡.2“Ih(AIpů`ºE Ò„=ŒsаÍÓvÉƼv[ázås—8‘¢¤DA©êÁ­ °nèÃ>SÊN´ÓaJ7Ý©XnJQi7“uBÕ¦ÛûV1Æ/(‹ý†qà9iŠùô6®°iÌMã8ˆQälCDâø[7QFâ•Éʾ:ì‹¥Y9ôÈÈ
:$GÑ!@ƒƒaê®m¦yJVë LâÈÞ0»Â„d€(vM0)d€øìÇQ‡!á­A×CUØmÁ\áus.]PèsèSB®ºÖc•?,Ñua4]ÉÂV¸«3Qׇk)dƆøðÚ«ˆŸ£s	Ò(/Ã#'!ö|º?›£S@£i._xËî|\Ùy¾«âLlzV›…•ÒÓo,¬€"‡(:gÝs-¨€(LK¿óá‡E²Š:Ý9(þ¬¥¨UCeßÃ×~ ô!à*¨CQ›)ví+—æfIh ´£„ÐÕ¶Ø7waWmˆXã/aHÀ³îïDÑ­9•t§¨Æ%Ho£µõ¡pÍ~š»¼ØV`bʺðmõ‡ô7¶å>¼¤ío,!\‡c¿`óþ9ýÍ¿—ïÿ˜orE²¶Êùpò׎a¯7LÔŸàL*+'¨Õ”gVIx¶Æ=ÀHÙ),ãÊçÀ‡4ÛU¹ïÔçÌ:—™½b«’yçÜôFç‰á¼Ï‘61sfóÜwÑnÊeÜGÇR2Íû¨Z:½Uù#çr]®èµˆÍ7M]7í—ÄÇä=>sË™h¢"g^Iø-뢅¹–s"ÿ¹.îJ0/	
»Ã¦¤.¤ú=DbÏg«æ®¨Ö¡ó3\u&=à2‚ycDOýaF «õlj­Î•aÎ3›&$áÅÍ)´ûlÝàÓ%‰±©:Y$Qyª¤\}-Îf»Û’&¬Ê›b_ïâ”vÒT36wQÇg—ÿ˜>ëu²'FìH8…ó (iSvk…Î'eó}ÙܲåŠi©Í+d³ÏËF‡v\Ôír¦œ°Ã³Š‹VÄ%«‹ââK2Å¥ÔS‚sgþƒ„úÓ„Øv¦t€lÉ%„bŠ«|hª‹$E]~,j"ï‹z_v¶¿Ã9à`Tß
LŸ,GÏB‹í©pYùåØe?3k4sÜè×ø¥Ëy>r¿oV„Ã%QÌ?ë i^‘L3Fn«ÛÔÜ*ÎœC˜ö[Â0
îÍjË´²žÎ
,åðC5j
•Œ½*—MPê
+ÏKó¤b|Ñ»ý–\tWkz’ñÁ8ýHl?ë¡1"éz¾:ÇGðìöMÔS‚ýçÍ„Uó om-1|¨jŒàÖfËbß–DëdÖí¦Y·!¸Û<÷ÐG{Dê¬?¸K 1˜9r'%!‰JBN»ÛbG-·Å}du„0ƒÃ‘^‚­ˆÆ*œØ¦7Ìjч4qkQˆ‚íþ¥
¡1V.²]“0d†BæCõCqˆàúÅËÿŒ£…Së¨#|j ,nûÜ~Ÿ³‰¾ì	Ç2²q„¥8ð€dšœÀlüªÕ	Ž÷/ÅcH¥”Oð¸Ý»ò®\ïÒ6›²¢¡ìaboë&‚Z8Vð‘iƒp€ùƒAÅ¡$Ò"uU¶ì©DZs͸—¯ry¡1ïV>ú<¤¿)xÅ	#wÜÕ+ÀÐdévgyÂ
°3åþ$ÇvÙ;“	î3£d²üïÁYˆleö¨ÀH0{@QbÌÛ ÕÙ¦©‚>@²»
J‚æ˜Uëìêª-c?,Fm[ô\x_³u;R¡Û[ÅÖÄ,îû'$(v‰PÙD0xv—=Ю7›0[Š-B2¢Ia@”©¥¹õÄí Yžu¹,Û¶ €?Ÿq€t¤ónÖ¿âŸä4Ð9yßoÀpÏ;´¡’ú‰‚Y%s؉5ª+›
+Í„kä €‡5¨l—ÑÅû{W%&q‰Ì™4žjß¢8b¶ªç͘ÀþšÚ#6iêûrÛRݪ¤e±ù«ËDÔMó¯ý¦¥þ"Nêå©ØÌš¯Þ½ÎY¬	•íÛ(ÄløGCÇ‘zâÎZâ‰
+th\¢'ö†Ë^ïuu}]—ô^×eÝÆK/b ‡ö]r’C˜Ä%ËM‡z.Þ[vq¹˜*±@B,óTb¡Êa''­D›CÝ&QH`¼K"Ï®÷;·j¨›7é‚ó“&÷#ﺕ.×óvw¨S4ïÔÑž5Ž¯gö9d´ŽÐB±=$l€jb£'T怖ÞöTvvõþlß(Ñé–t‚ŠX*S¯ ¬wk7¨F$n›HTímì-Ëf
†¾/‡­û4³Ý/ãºH.Ah*KÒºÅ:Nÿ¼¼
*í3®
	ŠbHyzÔÕÇÛÝC‰§üjáˆê ™KÁPç!j—m(ݽ¯V[°£ €ÑôŽ¢„öýt
+^£¨ë…ûõÇ™Œû÷úÁÏ7Ô<4¯‰[90¶Î€Ž°z„4ã^&·Ã"?ÞË69»xIMòÞïW“6<…Ë·ˆM´ÙMY`¬$tŒ
©cUµøˆ¾åbk*
+ãKX‰%šבI¹îæ
+@Ä£ ×M–›ÔH)Ì+Ú´nZ©X­‚)z*o€âU×
+ü2¿·sº*]ïE¶©ö.úHËœ]Eø†X×/.3'x·Üj‘¦}T16€Är%gBkfyî>ù+SÇqÞgIûÒ	“3ü¤ÖB)ÁÖá>et€„5@â?NÆÄñ%1¯PÖ…¬!öNœDêü˜ë}œ²©ËקêXÎJ'º¬©ö œ&wàÌÑ]ØZÁç&Hßlvà‰	îÊ"á¢ûØ0õYD1ÉUá¾*¦¾ç í8ƒäŸ(øûm¹&¡«	’
+xWìóyiÌä‘…d¡­Bõ#Ï“ãêç}¹­Œ™*3yž hŽ¨þ>€yħ
µ!ŽÙ†¤G†X^¢(¼“óK}+"ªêqþMQÕ!ØÃvˆÅQ¾Îó²©Ðp‰âx‹¾£|ÃBÔ«0x!IÙºÇÚËrY–+\Dñ´5oG®·+~øXÒIi“Í¢ãB7±¡Gá5nÂÛǾx®!z|¨îªºØBàÝ>ŸŠ££SFƒWà໓ÃVü.ºž@€#7R½ÔSªûžHÅ:dMBQ[Ò±*‚<krH‡mn^t ™
+ß	úÂ	b©b…°oSrǃáÈ.ã×ÌXk‡6ÒYW’½êWgOoCÆ5îeÕ	ð{J?Å"ËÅÓ1ýù
+[
+ù±œßSœ'Âû3Û*‡–>bWË0“~y@%~ž÷#Ô€ö ¢)éƒfCW¤
+µX|Kïxi°áW
9´ÇêÃù[r_ÔÕª@ÏKCÔÑŠkÇ8²ŠËÇš¥’0¬+—Œk”L”«7&£	7Íãó:Ö©
i@è]1:1H剈ð~é1–£ûðì«”™pU$ŽåîÉJ£2g3ñ>{ñcãkÎsÌÙ5þ|ÀÉéO"ñÓ‰JB¡^
$yúÝÏcÑÿ”h)Íendstream
 endobj
-1036 0 obj <<
+1003 0 obj <<
 /Type /Page
-/Contents 1037 0 R
-/Resources 1035 0 R
+/Contents 1004 0 R
+/Resources 1002 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
+/Parent 1001 0 R
 >> endobj
-1038 0 obj <<
-/D [1036 0 R /XYZ 85.0394 794.5015 null]
+1005 0 obj <<
+/D [1003 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-434 0 obj <<
-/D [1036 0 R /XYZ 85.0394 445.5677 null]
+1006 0 obj <<
+/D [1003 0 R /XYZ 56.6929 667.1591 null]
 >> endobj
-1039 0 obj <<
-/D [1036 0 R /XYZ 85.0394 415.4538 null]
+1007 0 obj <<
+/D [1003 0 R /XYZ 56.6929 655.2039 null]
 >> endobj
-438 0 obj <<
-/D [1036 0 R /XYZ 85.0394 415.4538 null]
+394 0 obj <<
+/D [1003 0 R /XYZ 56.6929 286.3754 null]
 >> endobj
-1040 0 obj <<
-/D [1036 0 R /XYZ 85.0394 391.0424 null]
+962 0 obj <<
+/D [1003 0 R /XYZ 56.6929 260.2665 null]
 >> endobj
-1041 0 obj <<
-/D [1036 0 R /XYZ 85.0394 391.0424 null]
+1002 0 obj <<
+/Font << /F61 642 0 R /F43 608 0 R /F42 605 0 R /F57 632 0 R /F84 858 0 R /F86 971 0 R /F14 616 0 R /F68 724 0 R >>
+/XObject << /Im2 921 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1042 0 obj <<
-/D [1036 0 R /XYZ 85.0394 379.0873 null]
+1010 0 obj <<
+/Length 2784      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sÛ6òÝ¿BoGÍ„(>Ià1Mœ\:WçÎQŸÚ>Ðms"‘IÙqýíbŠ”h%fôš XJ®š>¸$ˆmìQYí¶%dÐÁ¼G›I÷²N¡ãQY®¿¡ÓÖF¬è=/'Ÿ>¥=Ï~Àšá?M2P¸J-¦„ªÊdAY08(˘?LñO÷Õú~²ÇB%®×̆²†”M6U]´ÏÁpóÐtU_®KªjpaH.©’Ö‡R¯U
âçö(lŽ* ÿmêžÊò3ÙÈñÏ–šCËù·”=Â:£ìˆå•]ÕiÛ4}wZ>;¦*úëk†÷DÑÐ=€‹ˆ)ó’,JÕë¾ÞM¨5
+Ò.h¶£¥ÐÙÁˆîÚ…”ûe_…
+…Vƒ­X
+¡¬²ë‚¹	W{ĵ!”›`	RƒÁ[B±^C(€òø\ilÇ*ÂÛT.ä%9“¹syãs0!8BóÉDnóïi•õoJöå×Á ÷5§‰
;Ž:Î(IÁLN}ñÌkˆ†ePü-”Æ
Vÿˆ÷$ª@sÈ
+Ì
+Ê/?äEd œŽIÓ›ˆž;8¢å 4æ“?–7¯Ü&ÏKÉ“2L¦™5}13¸—_Æ7ûÏ”¥,t\ý‡ó¦jg¸˜Jw¢å™X8YÎ$wßx°|áXÝ¥PU›ªN+¸ºf'f–[+c§a-bÍÈ1	k nžÁêDOãšCñP½ã †6chÃ/}Šc§Qe²ávßï)PÑü龬iôöêÓ§Ë74†“×ED<‹}ßìŠ><`åœY©ÌQù±.¶X›blº+ë²¥ÂT	‘šÊ>x!ØËðÍs]ì°&Bàþa:ZÁäv|÷JÂ%)¼{c˜4ä'´ØÞ/»iaÀOÇNµpJ—ªˆ5µ\(T_'Ò@%iÔðcâ'–0`}K†jáå <‹P‚7S~}‰	kD'(úÛŒù7Ì?^HˆŒ"‹
•šë¦ qmc7…ÖÅb±q
+£ÓÄ(K95"A£ù+ô­rè[eè…%63ЫUˆB¦4j‡eèe¨}`€-nÊÛfÌ©R¬÷-Áëþ˜i$6)’-hÛæéÐFãù´ã
½Ò¶ÚUC…]ìš}Rpš¬õ¶Y‡š¬û\>áÇ‹…˜ä‚i.åùBlŒu&zE¬¡+oÛ²»Oñ̯Â{ãs`ݷϧ¸xbïøÚg T;{„kæ{wš9(ñ§‡XÑ3†pp¹Þp:š€•ôTLm	àõƒX¤ç:ùWJ)¤}ðÛéMy_}كєísÀÒ¡â¼O_Ó`}_Ôwô¼µcFý°Œ®€æ~Cã¾…á64ÐuþÖ!«ƒ¡>¿>ô
GvJÜ£&¾£1Éæb5
+pƒëÀߣ^Q¹Ù÷‹ÏIG4GûlpS€Þ<›h°+:|W•ºwÕ#»mñð†IoÒéÑ«†ÆKÓvÑ¡«½ÐÄ,¼G>Æ÷¦jXøCä`Y6¶8¨}§2íjz"8%S„mFℵ†¾þ2<͇†ÄÃðáÒCcŠ“#Ó;Bì…àÑ!溺@:N… ¸)E=¿¢6‚«ò‰¨GÑÉݶ¹ñ!W€~|[Êã]àòp¸ç v˜ø
+‰Bãšpë÷7ByºW“e
1³Ø=Ìshžx°jœ\”Ãõf¼Ú·ñ.ª›>y
o9›Ñ£×ü‹/ôcŽƒ¤JAãiÕäg+¶d^°ÂÝàÚ3©•cÀ¸äfܾò¤;ÚŽ2FVþeðùä…gúPÐA¶ÚÑûü–}ÈWá‘p7øœÕÛ«ã›*úïäjÙK¿ß+Ãðõ™äÀ‡&íÿ¶øõQçLa°ŸÏ2<ƒºÕåQ(¼usRÉe™±2Ÿýÿú-endstream
+endobj
+1009 0 obj <<
+/Type /Page
+/Contents 1010 0 R
+/Resources 1008 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1001 0 R
+/Annots [ 1013 0 R ]
 >> endobj
+1013 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [326.242 251.4486 375.5914 263.5083]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update) >>
+>> endobj
+1011 0 obj <<
+/D [1009 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+398 0 obj <<
+/D [1009 0 R /XYZ 85.0394 648.9507 null]
+>> endobj
+1012 0 obj <<
+/D [1009 0 R /XYZ 85.0394 625.2603 null]
+>> endobj
+402 0 obj <<
+/D [1009 0 R /XYZ 85.0394 105.5187 null]
+>> endobj
+935 0 obj <<
+/D [1009 0 R /XYZ 85.0394 83.1283 null]
+>> endobj
+1008 0 obj <<
+/Font << /F61 642 0 R /F43 608 0 R /F86 971 0 R /F84 858 0 R /F42 605 0 R /F57 632 0 R /F58 635 0 R >>
+/XObject << /Im2 921 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1016 0 obj <<
+/Length 2359      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]oÛ8ò=¿Â
+Zóø)RÛ§l›ôRl“½l
+°-
+ÅRaeÉ+ÉI½wûßwÈ!eÙ–_[à"r8r¾‡c6¡ðÇ&*&q“‰N$Q”©Él~D'w°ööˆyœi@š±~¼>úÇYÌ&	IbO®o´¡Æ°ÉuökNŽ^_^œ¿ýpur¬et}~yq<åŠFgç?âèíÕÉû÷'WÇSf‹^ÿóäçëÓ+\Š=Ï/Þ $ÁÏ¢W§g§W§¯O?]¿;:½îyò˨°Œü~ôë':É€íwG”ˆÄ¨É#L(aIÂ'ó#©QRˆ)~9úWOp°ê¶ŽÊQÂEÌG(ŘUBbÁ…àõ}Ž<µ]ÚmWÌZœgËùG7ù]QyècÑÝã(ÅOYTùË0ü-ÿÁJÎåƒsédÊ4I7îÄ/^ þ/['¾éOìQ>RE-@å‰L`ÂAÈð,;·g­pè¼¾Yþ‘R^9ÿ‡iÚnb&P.ܳû1ç@3ê–+,î]"¢‹ËÓ««Ë+„!R»¨«6GHÝYïv˜«ÁÖ€})ßú³EAÈtŒo$J¶ÍV*M$dÝÉPÁßf4Ö<Ô«“)$y²(Ü!vì·CÀà‰‰Ÿ±Caˆ‘¾&ˆè K”Œ÷–hÇÖ%k˳@Ô²z•AзVa!¶òZ¯õXϪ§}B?Æ¿M˜Ûú‘ßS?2Iˆ0†?£&!.cŠýÒ4mÞ&Ì EÁØ…		ʱÃMåXˆ+‹aGp»UpçPÕ>ѧ]º_YC)|_e}Wg’Ô¡õ3A]&ŒP˪+«mÏáÁ›½¡4Ý•‡dY1lFÑ îG4Ë%‰{žžÊOÀ=£4ˆ©ïÃ
Ãÿžû’þÜ^ "A98‹AXÒý kÎÔ1„YJשË÷=ß2oÒù<õ²Wz³™áÆUàÎV=è‹Ï "?ùzm ¼C0h˜mûiÚ¶õ¬Hû6éÎO(Þ‹ëÎo°mÖaƒØÉ]B*R‚Ü¢„–O3
+1SÀ¨H4aTiê+¦~­ïwõ!eþ—ÿvIØŸ¬Ìî–Mê5
+@)=BíÉU[d¡Ë=–€Z)aü…C“z‹+ˆ´F™®l›]'Ñùí~úö!LÕrÓ¶÷Ÿ£)”&#f¢ÃÏ*Î |Ö·`ì›h^ûêpDw¦V‡(K¶s|ë²VGbn2ëúQGébÑCkùçƒéÑÁÙV©^LQÃÎTW†móR¢ƒßL•QqWy^3Û]ÔÔiÀ¡!ƒm«Û£íd-6‹1wD>Š\mÔò‰ÃÇä#˜FÞì!¼í<.$áFò¯=kDørtà¥	ï"TÂ6Îÿp²û|ï‹WeëØÏÁ´Áßüãóú—y©·ÚX®€…·—²(¾sóð+õîÕÿOÀû/endstream
+endobj
+1015 0 obj <<
+/Type /Page
+/Contents 1016 0 R
+/Resources 1014 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1001 0 R
+>> endobj
+1017 0 obj <<
+/D [1015 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1018 0 obj <<
+/D [1015 0 R /XYZ 56.6929 607.3833 null]
+>> endobj
+1019 0 obj <<
+/D [1015 0 R /XYZ 56.6929 595.4281 null]
+>> endobj
+406 0 obj <<
+/D [1015 0 R /XYZ 56.6929 342.1161 null]
+>> endobj
+1020 0 obj <<
+/D [1015 0 R /XYZ 56.6929 315.4194 null]
+>> endobj
+410 0 obj <<
+/D [1015 0 R /XYZ 56.6929 169.5524 null]
+>> endobj
+950 0 obj <<
+/D [1015 0 R /XYZ 56.6929 137.0813 null]
+>> endobj
+1014 0 obj <<
+/Font << /F61 642 0 R /F43 608 0 R /F42 605 0 R /F57 632 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1023 0 obj <<
+/Length 3495      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZÝsã¶÷_á·Ê3K	Lžœ;_z™æÒúœi;i(‰–8'‘
+?ì¸þïÝÅ. ’¢ÏwMGß‹Ýß~€â2†Ÿ¸4:Š•M.3›D:úr}¸ˆ/·ÐöÝ…à>Kßi9ìõíýÅߥâÒF6•éåýÃ`.ÅƈËûÍÏ‹7ºùËýíÝÕRêx‘FWKÆ‹oßxKKo~üðîýw?ÝÝ\eÉâþýˆ|wûîöîöÛ۫¥0ZÀxÉ3¼0àÝû?ßRé»»›~¸¹»úåþû‹Ûûp–áyE¬ð ¿^üüK|¹cGÊ}ù•8ÖÊËÃE¢U¤¥À¨âÑ8Öm[®ö,S–d:fJ¥ækdÅB—ýöü¶Û°
+ýïxÛ£ûrûigéX#Sˆ±øTu5a$Úɇ”
+:tT€Ó"çÉÃkîÞͪ¦°`l”úrÝŒ…ôŒ«]YW4{YV¡”Åo ¡ÿí¾^95@šÚReúú	‹	#°D'‘L€ÿ#–lsFÓ|Q@ßW!	z$FI>ICzòâ±udOÂà!IIÄx$8á6:^ •ñi#Í•ö„GØÏ
+:åÜ—µYËRƒÔ^Ó¨YuËt”ÄVùGà#³t(À2Ó‹R³7º}gÚ#Ò†Mãsðž¡ß	JѼ™ÔI+68i¥‘Ýõ?Ðæ´Ö§=Ì@’΢DÍ}ýÚLªõDZqö’q;*îª	(y‹L2ìlpCÿ^†ÍË0VX†egÒÿ$­ïÿþH•Lðt”\h!Þ·T!Ç›7ÜLœÆ~ýñX7Üzš˜E	hyßÕ‡¼+A:÷ÏÔøSc~’;Ð`ݘ"¢â=
+9î¼R•-:OŸóƒc¥+7ŸYT…cPhôêÞïÌxéD\¡™/×;*o†'´á„h–7Ô>W“ŽBiã—¯»o ”0haS¸^h>¹c8zÎKÐßµVÖB.C¯/Ú]Ýïq—)š•§ü¹¥òSÝ|BÍISvvì°s\q
+’Ú—àÜÈ(ùr8mʤ÷‘k³@©“ D¯k\fí'ù\%ÿ»›v÷'w ãÜmwJ6塹
BG 3ÙXC!6È©«ñ·…€ÊŽG&È<”
+2£ØÑÂ^«Ý8¤1h¹2ÉúRO8IyàÅjn
’•Ò!š‹‡šg)~Ëè3ú=–¼#`£Âù§ªr’ò ¬úíö™‘¤bhY7y»ó±…G©uÝ4WfÑ;nÀP‡J||(1s&€õu&Ô$Âcq±©æÄ_&Q–yÞ¼0#Ó©D6på¡‘Ü zWhÁ‰‚2;QÐ!ïºâpìxXMÿ¼H¶¸}ûá# hëúpè+=gxÉ@¸jôÄÛ 7ßÅlÞ Œ¬ ÔOVð³ÁÜlÜ%Ò,Š¥H¾Â¿ö¡—]¦n»“K‹;p6ObŠ,6`+žj"sbÔÐGE€+¨7-zÓþ0Hþg˦!Ÿñ¥³Ð-Äv0ï&|*fÑAF:“zàSÃmD(¯X ;sÛiÛ|ËÔ#×è2F"›x˧ս+¬Š¦®ÉF9´Ã‰©~z5RG”ñFÁ(=ó¡æ®(5QðlfKK;›Ëáèáf>¿ÅÉà!&¢£Gè)œ#s探¡¢Lë1n¾~ÀÞS²ÀÇ[x¬I0øXAX—àn"î%à+`r;Ó @àÊq |ªê§Šˆn÷	wXï«
죫ë
ÓŸ‰Îi3 XžÿD1ÑoL#„îǼ[ïŠ
	a$ˆ¤m@°ïâ!ø§9±:iùÔ&‹\YØ}O
ë¼¢B{,ÖåÃ3UØ©p‰§/TvØ“yì‚3XÈy¯—8§ÌKŽ®D‚“ï"h)ð~	ó‚Ó6çj„Q£ã“ŸŠ¡¿1èŽÏ82ßÄ_·X&£ØH5[ŽI;ÇPLŠÍ5…vó5‘÷w¬pjÆ‚8²æžgÃÞòµ‡dŠÎ™ÛyÁ’2ø¾aÏË#‹ó¬”e˜åŠç•$K‹(¶V|a~5ŽC¦îSñü‚'¦R1e•R	)¯Ò,UHqX†->hÏgM%Ü•Rƒµ§Oè!¨Ä¨Ë$Îð	!û’ÇYcÌüSÄ2̸NIïcß”]eò´²Ó¡ÍœŸ%áÚKܦ@©<7V|þù‹GûËdÌ€éôPTA š 2jÍÜÖ”ô„õN÷@&—FyÂTQÍ™	À©²d5€n—n7®¾…`*ßóóFLbìþX;I.OœÚDÛ—„"³ØŠ×έmðþG(
+ÞKïÂ{Øxä¼ö*$N›œ{üБˆm0´áÙ×4ÙÙòœû‰Áq›zHœN	9w¶FEµvA–Ï¢K«#þÆîIê4Âgæ°«‚)¯Š)C|’_N2ûršÙÓÜú|î¶ÜVy×ßHœØÒŠ)Û¢*8õ†ª}ë#žI¸Â-¼F
+¶FfZBbÇ5;çË…_ÇcQQr>Ä_™ŸÏœ<Ô¥rqCÄÑY°{ݔ۲ÊùaO¶f4ÛHR¡aræ8žš—n¹ýÚ—ìö!Ýldªo[={¸÷Æ™#„XÌÆÈ7{pû-xu‰W.,l›üpȪ N^–je£,Õé+0Z'ÎrÑ8k¾ß×O-•p$NÉö]yÜsœã.Ì­0=ñŒtO`3ŠÇ +ЀQ+sË>O/Rˆï˜xœcÏ\ä@tè…Î!Jbt]Ýp|þÙÕRÄÈ«`¢Ø,;ÜTO0â^À™ÃnZÝ,	nœLS¶ÉÙR˜ûßî`Á,¾‘¡´kœ4b7ïG}®<ìÿ›|ê,KÿŸ³º¿(bAÚȘlòžöŸo^`/ÄÞ‰ÍÔ‰¿æKùû–ŒaÉÙóaòé'ŸËè„ñ/¿À çŸ_ÎLêÀFRšC"MÌuKÕ·>~¼}Cå“EÄ¡JÝa‚Å~سlýdíº)W\Mý™$îÙÄ€J¢T+÷q56ÛK*Ü
¾Šý—Ãç_EœÏ‹GýX¬™ñ°еéntœIìh3çfp§Wvp6圜Âßx~.½3®klÓ3Å'f+˜M5Êý‹¡k%UðQ sðbqìWûrMeBX Äª¢ÌüUuµÌ{@\XìÆ#åàEÅa=—~pš³@„¸¾ò[ñP')´öÏcKBšU¯º¼$—P¢+HÇs€¥k*%§1%ztkv³%W"ùëéúi,N,Ã'é T7~†–
+ÇüÁ»–Ü£¯È–¡åUéâGDûuAçs–’X­åbG¯UÈJKñÖ¶ýÀxr’JÓËŸÆpSÎ-9@öÖòšš)Ò’i¹î8Wúûé\ª|0`—o¦ûyÌ÷åÆdøZ€ú
ïÔ¥gµG¢éÙ}fnï웃8Ê*3"œ spí†÷ûÐyšt/+oW›úbÔ†/{†ï‚°Ò'°úºŒ|¬µýBH5‘i:©ÊRæ_ÁàêQîùy.8Xcå´(†ø}“ËË	¸RzrscÛ²åçmÅOWÊžžÛ`†?ðKñ…ßóCqÍÏØYd0e<º.E•o[çùÒ»z]ï¯ý]lv‡ë‰Á
+¡ÿ*$K“¡oÈ_t¡¯>¼Þ‡ÉHÖºÞè¥ïî”Æg¸90ŽƒaþÝßä>XLÀÚ#ça]Åid¤Íü¦…ZÿñÞùÖÿ[¨Áqendstream
+endobj
+1022 0 obj <<
+/Type /Page
+/Contents 1023 0 R
+/Resources 1021 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1001 0 R
+/Annots [ 1027 0 R ]
+>> endobj
+1027 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [461.1985 140.8476 510.2452 152.9073]
+/Subtype /Link
+/A << /S /GoTo /D (DNSSEC) >>
+>> endobj
+1024 0 obj <<
+/D [1022 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+414 0 obj <<
+/D [1022 0 R /XYZ 85.0394 306.4089 null]
+>> endobj
+1025 0 obj <<
+/D [1022 0 R /XYZ 85.0394 276.7192 null]
+>> endobj
+418 0 obj <<
+/D [1022 0 R /XYZ 85.0394 193.529 null]
+>> endobj
+1026 0 obj <<
+/D [1022 0 R /XYZ 85.0394 161.0298 null]
+>> endobj
+1021 0 obj <<
+/Font << /F61 642 0 R /F43 608 0 R /F42 605 0 R /F57 632 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1030 0 obj <<
+/Length 2834      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z_sÛ6÷§Ðäåä!‚'Oië´î4nÏqïf®ídh	Š9•HU¤ìúnòÝo» HŠ’iGàb±øí?Pr’ÀONL&²B“¼H…I¤™Ì×gÉäŒ}{&yÎ,Lš
g}u{öòM&'…(2•Mn—^V$ÖÊÉíâ—i&”8Éôë¯ß\}ûóÍëó<Þ^ýx}>S&™¾¹úá’ZßÞ¼~ûöõÍùLZ#§_÷ú§ÛËʘÇWW×ߥ Ç¦7—o.o.¯¿¾<ÿíöû³ËÛ~/ÃýÊDãFþ8ûå·d²€m–]X3y„N"dQ¨Éú,5Z˜Të@Y½;ûgÏp0ê_êO&BéLE˜ª‰”¢0F4h
+‘i¥{
JØ®L’dúP¹GÚâ»®ìÜÚÕ+o[®×å÷ûòÉÇ’L`‚0ÆæžqȘ×ûº\;êÎWeÛRóÈf¢°™1“Y/!¼¾.»ùýl¾ª`å~¶”‹ÅÖµí{?ãýªj;¢¤Ç+Ï3‰q[¸¶«ê²«šú¯°”–[7ßmÛêÁÍšzõDÓŸ\û¾Ù¾¯›áÛFyž¥òŠi6(Ï+š+„ˆ‰ÿߦv³$«æí'–9_|߆Z·}p[¢–uûHí~â7×ï¨ÿÇÎmŸø„Ra“ý	Ñ¡.ª%Ê´t$ZÝ!ðt–NnãêEU .*Ÿ÷
6íeû;LW—5½êƃ›rÛ­Êm`»kéÚËfKj½Yy…ö˵›Użh+HsÝnÓÆ ýXu÷ÍŽr_>x6ØîznÏítÇ°YïV]ëQôØî-Å
+mȇ]–óû`T
+NӜċJeÁ‹T Yd‡:’ÒŸP	øØòÀˆGÒ€¤ão7åœéh=V«M¹ã±Ö¹šZwO£uÚÝ(r¼{F8Ä´0Ó×tçY1Ö4ÍÕÙœœî;%>ìôáìÁ[0tZ~¬êxRÛà°õ¿.ÓïméÍë.Øí(B(“©t°Iöº‡¡SCt‚™C$
žà3‚§…µ6:g=ÇÙ¥‹#ù4„C•fû…{?ÿLF[ˆ\Ëìo”1p<%c¡D®’t,¤YLg"G—Mún–ûÃñ
Äï?Úˆ½€ò,±üE:F¬jLack#h-ðÌ	B?8°¥P€
5lÂ3k~êkH豆#XA­éW>Š5#•åL¤ÕÙ߀5æ8²Œa
’Wi²ýÊŸ›ÅdNýBŽ§„,¤H‹±ˆÇ –‹$/äjál|ã(Ô²DdÈús¡6Êáž‹È•…MGxÃœÞÓ+”IëiÝtÔh7n^¡_w‹ ˜tz×t±ðyiåHÈã˜Ï åÏŠž Î#	5jÆOl­ÀWúµpË¢"íc&>=Œ¤^`w"UZXú°“˜¡U9GòâˆâÀ­y‰¶˜dðZÛɇ+xÔÇÛèFÑ÷B‰‘Ïš#{…—lð?x8²€4¦Ûð+­]Y·$Wȼ̔plѶx	ÖE`J¡eR4ò­Ö‡;M—žÔ¬±göúôc}1‚C¾‘L6뛄R/v¼5$Ô­÷º@oüÌþ‘÷Êøn4ÕÕI* ôËNä.0ɦò0wá=U,r[}¨ýÁ¡²Œ¿*•Ó`ÉzRV:Ϥ>/ëuFÖ´îÜpJÛ¬§û'rz 1oêÎýɼ
+†£(ä¶w3ãLNœR}R™Êƒï'ˆx1øÉñƒË ðÖ¬ÛŽ2Éÿ4”íÙ'êbæŠûÁvó	pI“ôdº™i°Íçé¦_©áÜžÏÁr«»÷½@Í”z"Y´¥DŒ!Må¹P29•%cÒ‘ËÄBêéW¡Zh¯URzlª½)ëÓNUøÒ”þøj}É„¤ºoyÁØ PVÚD°~^Ñ”°N1]”]I4ïÕ°qÇCÀQ0É×ðŒ²+‚z/bÕ¶/Ž_îÏË£F³RipßÖå
+Û¥0’À†÷Îf`>%@Tiùë*Š ÒŠ•DoËú	§h63Ì¾
+ÁNP4«z?1‚ï4Ò¤Á%&‘Ü/V«Ä‘74(°`ëŽÅ‚½ V05?/&
+$Q¹ÍÕio`ì3ïèO'
çàw[‡À™‰T«ƒ‹‘r³ATEÁÖˆ­Ç{¯4hí!HXÈW¾$™°lÙà€6©É§ÿî™á¥N˜0ë휉åjç¨Y1sxƒôp^Ãë‘ó…¢!ÍŠÓÇþ"r½¢Š”ÅJÃIxåÀOzpö‚ûNÕô5@à‚¢$[+LÙƒ:„hÜ—nÄ‚:~«éÆèñÜŠŸ»J¦Ãá«ëñ4Ø­Ý‚ù^7¯ÎÖäSÔUX¬ž…×öB¯w>eA) û(m‚­œo¤ªï "Ù‘·ÕþxÈ“–«ëà¹iþ^«
éÎzS­ÜbNp^^ìà:K^¯>ƒ×F®×8Æþ}G¡j#e•†#N>Ã1¦iK/‰ü	@kx´¨‡MqŠ´¦†»Rýµ°ì05¸$—(0ÉAz©è¸qp×50»šÃ©rzEkšš¯<'U€è˜ž¼tÑC	IW×D£; àÒ±:O	-ûpâ}Q4s3‰Õ­!çqUTð-lÁQ	]³!ÊÊ=¸5}½Ì.Ê‚®wÛpDR9o…!à5#
d°êð
+ðh«gA6Ò±úX}¼í%ŠÏ|A,nšÉ¨šÚ5!Œ»?!)™WÇröÔJyŒÒ¦yŒhÛC‡Ãþ²å ~M?rž2…²ù‰óÔtiúlaÊi±~Åïã?»Pý4s¨3ƒwFuGä°	$ ™ù’še/{eÈÌ¡$;åïN!aËÁÄr”„ŽK,voÝÓ-ëD:É|ÃM(æv-_1žsjò¿°Íƒë'¨FµHljF»ÞX|²êÃω¶Y¦*Ø—/iÊ­G7¶Úûf·ZP›‹#lâu·oÞÔ«]÷Øl§9C^Xû"ûd)á/-‚ûÈ=õ§mó€xòþÆ„…wÛ‡jή‰I<’ÃÕHôƒ5™=:þ´P°äUDKçö_~Y€%ËzÏCŒN1Ç»$ë<Èa5ˆ½«}Ü|²uí˜ÿX9uí§öMé¦ÇÒ@ Ÿø:Í™óÓÆè´°bô£ó²Z0ŸñÄâîÅ+N·b_¿?Æåp0‰d¬aµˆY|éWöúé“XCáÆ-ýÅþçB5H8‚ê´n^ûÇìÿ&ùDÒÐþËÿÆØÿU%Í…¶Víÿh1¾h	…;1é3ÉÃß6ž‹þDZ5endstream
+endobj
+1029 0 obj <<
+/Type /Page
+/Contents 1030 0 R
+/Resources 1028 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1001 0 R
+>> endobj
+1031 0 obj <<
+/D [1029 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+422 0 obj <<
+/D [1029 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1032 0 obj <<
+/D [1029 0 R /XYZ 56.6929 752.2115 null]
+>> endobj
+426 0 obj <<
+/D [1029 0 R /XYZ 56.6929 622.2614 null]
+>> endobj
+1033 0 obj <<
+/D [1029 0 R /XYZ 56.6929 591.5303 null]
+>> endobj
+1028 0 obj <<
+/Font << /F61 642 0 R /F42 605 0 R /F57 632 0 R /F43 608 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1036 0 obj <<
+/Length 1083      
+/Filter /FlateDecode
+>>
+stream
+xÚÍX[SÛ8~ϯððDvF²,_†'Ê–ΖvÓìS·“¶šúVIÒÂ_Ù²'˜@:ÓɃuûÎMŸtŽ‚,[ÿhãеüÐ…ÄFÄŠÒm]ë¹óª×€fè®z7yÈ
+aè9ž5™udÐdMâ/‡§|šŒÆCàûЃC@<ûðÝÅåŸf$4ŸÓ—gçÿŽO†¾{8¹øxi†Ç£³Ñxty:¤ñN-áÀÙÅß#Ó:Ÿ|øp2~¼Œ&­/]‘KG¾¾|µ­X»ý~`CĺÓ¢0t¬tà‰‹q3’>þivf+h_ü 	¿'€Äïù.ômŒ,Ÿ„Ðî"xt4žm~ù-™éPóL*Á#ÅbÓ¿åìδò™ùª›ÁîiZ$Fyj~ä+ãmÁgE_”gŠòŒg×µÄ,Y˜V1¿JxÔôh1)ùUR+ºÉ¥’°’¬=‡š
Ϊ‚Jqµô cÔúY68C%µ(j\J¥bâ¸ÏúOÖ„v¯g4ñÕÁ€5ùúXObUåfòèÌu¬3+•»¾ÞQßlUÉOi²ÚM|+.~VT±”eª¦¦ iJ…‘·B-Î!a‚×U¶¦Mën”P)Wâ…aXÒyÅŸþxú¾·êM’ü|Ÿ3±h¤š­cÍ09M©Šn¦	—ÊŒ?šOïYJÐLΘؓ¸yë¾A˜ñÓˆE®é»ê©™™š™©˜7$‚nc£ÌA–+>[Ê‹iie}hr¡ÚáeçX³ÅÙ~mkSzì5'ºaÑ7P²¥æÈ6±ï¨Èf”'ü:ËÓchC¤bN“ya˜ö4/ϳ
aX½òRj®þ¥¹ÐÅKóÊËåaÆ…T/V#™hù¿÷øñû™WTnëLµ^¥Ø*ÆT߬åí
+Ö”-˜œæbšåô¥ôÞÀ’üHþ£†fóôª9pÏâšs	x¬oÆ|®^Ä¢§XÅÓí°Fo÷d¬ù÷Ðä¦BŸ;®6Ñ9ç[<Õø\ûÅ0V™ÏEÄ–Dä…Û!ÒC…D„@ùeƒ¾‹I…ÿ£{›vÆ—ü}–…U–AÒƒôŪ¶
+Üz]ü§†ùb7÷k˜BìøäiÒR'2}ÑòHnÃVgɯÁ-MxÌÕhÒ3¡{[2GßÉt‡ƒ˜êó$ØL§…›Š£;p{'XW›‹@•®—@ ·þYÞV&Ý»o+Ö‹*™Ð[ÖW#tqO–{}VkÁ~uÁêlÓÒîMr“"í¡Hp~m‘€^]$8¿_‘€^Q$8{(Ê’_ntu¶¹W7Ž7”Æ}omýž*È=/c»}K½ù¾ü“B?Èp8íÛŶ=8¡ßU†ŠuËÛûSÓÿ[
+•Tendstream
+endobj
 1035 0 obj <<
+/Type /Page
+/Contents 1036 0 R
+/Resources 1034 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1038 0 R
+>> endobj
+1037 0 obj <<
+/D [1035 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+430 0 obj <<
+/D [1035 0 R /XYZ 85.0394 660.4512 null]
+>> endobj
+961 0 obj <<
+/D [1035 0 R /XYZ 85.0394 633.1083 null]
+>> endobj
+1034 0 obj <<
 /Font << /F61 642 0 R /F57 632 0 R /F42 605 0 R /F43 608 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1046 0 obj <<
-/Length 3499      
+1041 0 obj <<
+/Length 897       
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ÙrÛFò]_Á·PU&<Gí“b˶R±”•”Ú­Mò‘ ˆ„”ÌýúíkpP uY®™ééÌôÝ=ÔÿôÄEA”št§aà”v“ùæLMaîý™œ™Gšõ±~¼?{ý.Ò“4H#Mî—½½’@%‰žÜ/~›F	Îa5}ssýîêý¯·çq8½¿º¹>Ÿ§¦ï®~¾äÞûÛ‹/nÏg:qzúæÃÅ/÷—·<É?^]¿eHÊ͉Mo/ß]Þ^^¿¹<ÿãþ§³Ëûö.ýûjeñ"Ÿýö‡š,àÚ?©À¦‰›<Ã@:MÍds:¸ÐZYŸÝý³Ý°7KKÇèDÆÙÉÌ$iàtžþ.CÁw¥k"(mã£ïθ‰VÀ§Â MbÝ2ÅÅ=¦¤''±KƒÈK<©›ýæõ»ÐöPã8°˜«é(iBÆ…žþ·*s†µÌ›bíxÐTŒ–ÉÜ:{t\ø
-»é4ÿ4Ï·,8×ÓU&ƒBÚݹN¦ùv]̳&—ÏTåúÀ{7«Ï
'œi¤Î:êõL[+‹çµ\maõ’'3n²ºÉw’A¯(š-†+ðkÈ˦ཻu V¹é“G€µ|JGŽZVÍLMV.ÁÛl'´ sè¼½¾û‡Ðn•I²ö`ݦËÊJÞŠ5ݦðݧ¿c”ÅÅI<­sü|’ðWPf›ÜOížPR±Ÿ-|þº&þk°o¡U‘è0n¶æU¹Qw°1˜AyŽ™Þ¯Šš?¹¯³G9I!ŸDáÅ«ÌŒ³®"7$µgÊfL4Ú1F¾>3Žƒ¢ø¸ß‘PÕd4щæÅÆÃ’”õ~»­vMÍ@²«€SŒ7‘ž¢”5t×^_òsŽÑµä±ÎŠcAä"]ë"’Õ‚ÃCÒ)“–;–søîœ=‘E3œ€êj½GÓ:\•ò±xBbÀÊ/*ôpÜ'²‘ȹƒ’ñ›b¾ç Ï»/ìUD¼}³ªvÆO¹Ç!~¢Î™WÉÒüÓlÔ/bÄAÆÆ	«ð¦°ˆdì!îK
-*[ÉmÆÍvW!ÔxÎv‹¯JËb5ý|'/ñ©QÈp‚G”¥A›qÞ:$ñ#ÆÀÞžâkV·Ñ–=ÑLìň?duúž¦ÎË72½…QƒW•‘•a&¡ AžÔP":s´Æ`§Û|ä@ý(J=ÉN“6ÔI½šiÆÍ0
YBüB6²}
-â‡/nr˜©ÖGJ[.^{0Ø×]âÄ÷%:ÞÃÀjcŽ©†Ó)3}^s4AºzÞÐAÀºÝb|…@lÿÞç»BÂF†„Y:K5]¹±,ìœöŇØ0š>ÔâIp²9Á`F©éÕR@Õ4jE’&_Ev%Ž_Êî^x㻡Œnźs	˜ø¥¬äq¾Ù6Z–£|Ó&ŒŽ¿êÄ&ˆâÔ³˜T¶%
-¢ÓK‰tr‚Rœð‘NÒ¥tIÙ!{˜ÙV+* |\0ýµòÁ±òa4Îë‘Kš`Y9ž‚˜“£×ySóBŠ(`"+íÞþ„Þæ¹S
-,@%ü;" ‰gÚT´ÚR^8B=PDG/l¦sóœ=Åg†¢büÚ¡Ú3à™ò:@Åv†t¢BV‘1!9D€HlÉˈîè]hìP–櫬¤\ÙŸÙaX1gAD·F4_æÀãºzO;"L Ô‰Ö_4.6
PëÍxëß•S>„\ª~Åñß±Ë`97¹èÈB¡_ؑ̃N7®Dé/~é@ç0…k±cÖ)À}*æ9C0&Èdöa/_î„w†>Tñ†!­%mlñC&-G6Ða*Ù”Ó‘P>Gpâ¡‹€µ²åÁ‡&y#î¥ýt´Ò¾3°è¢•X£ïü†-eÁÉHEÛ Váç#1ˆJÑ|1L¹çj¨bY4RÎFZª]RDÁ–ÓäJ è"Z~ÒâZÖùú%eH‘ñ1_ÚžoÔÊGOš‹ž&~—nwÆ"ãžDßb-x…9i.ŒUN%öóæB9°ŽÍÅ"_çTéQïË–*TnÊ­/Œ „âVhóÒ—@r™XåŒÛ}'¸¦ˆ=Œö²3¥
-+ÇË]V7»sPìyûd2Â:_ÁïšX[u <7_1üúòß etsû}NÀ£
-” “•õs¾ó‘»h1sV·ÚÑà‚g0 ¯öÍ©úv¤ø„edž`Ä×Ñ»M1`Ÿ&4)­øV×m<¬!ÒäPBJ?vÃÇÌšñÒ6ù`í¦×ÿ~{óñâê:Àa$lʼnE•Kà#©	â‘ÑÔmíÇyCSÙ6ÿ°Åìv»ûpóëÏoG_oîÙ_?ˆǯÇNgKÒÌѾ_è4lë“3*:`/Zl»xšÇHjlY8y(Ϊ^MçEf’¬Éœøª ¥¯Ðßg#:³Ó=…ém×Ä*>z[ÿÿVùƒhÈ\“ctcƒ0´ý'ùOó&N‚0AÊU%­eDåþw:¶AJÍÛ`àï|¦¤µäHFÄAa
-«tØ…F:eû¡æ>Û°GEFìpHÑ+aY­×Õ3JAe6ã†\-)	§ÙÇSÜ-üWQ±ÓóÝ蟕÷Ù/•Á‚ÏIAE¸Á/¾¼08²$Œ½AGƒ9^óÔq*ãóæ+ª>æc±e‰Qq·¡~År	P¦æ(·/Út Þã(‡pb3œjççÕNÔ¬i#û£¸ÿ)«en“ýém$Œ*1ô6ÖE™p!k’–Í#W†®rž4«¼.ªÉJ­Oˆ…sV~z-½ìr—{èÐÓ‚!¯Ví6bð@O=è*	½{š‚ÑÇ«ûdË_xâO¢.0ÙËÐÑ'ºj†×
-ù15à6Výß=Ì\¤i—zGCÍ*ÊS
¤Þeð(‡rûšgð]íA!­‚t`Õ-Z.ô,I³ªñ=ö[¾ÝQa[væwfXCE)š_
-5+&BþÊÏU—%Ÿr,lîÆ4 Ëã’~™Çq³ÓCY•‡Í‘ȱ,Hµß¯HÔEé£SKŒÃz÷§|]m¹î…3…üðå͇‹›;Ð'Th›øß¿ü|qÍë¸V5Õ¼ZóÔ¼çØy§’QÛÂlŠ˜‹XÕòë—ÿÈhByúDd¾•‡z`]u¬H,6L /Ç¢…/éÆß)OZºä˜™ÀÆIÔW àÔoÁ,¦évì—[ð_„÷»'ÖýˆŒ$V¦ó3ƒª·÷Gr(<½‹^œ\«À@Ö;rôÿ-Â,µendstream
+xÚÕX]sÛ(}ׯУ½3°‚ÉSšu²élÓ]¯÷©Ûñ(6r˜Ê’r·É_ddY±åÄq=mv2pî=÷.ùýC>e	,üH„ˆú£©ø;wá¡j
X-ÍUoÞ¯çù
+†™?H²88Gþ`ü¡Ã †]+!蜽¿:¿¼ø§ÚÂÎàòýU`tÎ/ÿè¹ÞEÿôÝ»Ó~ NQçì÷Ó?½¾›b•Œ7—W¿¹ášBû½ó^¿wuÖë~¼õzƒÚ–¦½( ¥!Ÿ½lÍ~ëNý[û@$ö§^H	¤!!«‘ÔûÛû«ؘ]B[ý‡ˆ	Ã-¤QÃœAÊîGT@F0Y:pßu—hæ`ÔWÙ,:Ù|z-µëŸ”VZU!((Å5®Ðqf©§¨ì`h>/žÅ¢ml¡¦‡ª]B÷Që°Y^¨dá,¤æz˜åîóÞ5òn–ª‘*žà>›_’‹m»ú¦Ð*›<Áª¶Æäs=ª"÷o@5‡ñx¬WK,b$­…„.%ü²œ¢PDóãVràY®+›Ôl¸þp|Š´§X/¬IŒm㫯"î ¾Œ˜@s=Ž€ã~(ÂÇuCv‡¼-¹övWéòPˆ#ÇQ@‚£H~Í3	LÊjdZÓ¿5ÓÇq_ÇFî™ÇS•--ÍÍrc¾`C¿†Ú
+½x¹®ç@Èy$cj‰˜@Q–…•s¶ì
³x%v”Ʀòõ·%p…z¼Ë³jýÊŠ“füY›äú6ÖãuNåYº¸O”6Å:9ZM®R×dÂ.Ö9¹3­–
„°=´ªËTNlzå(iíŸ`£9úJŸ™µe–mvŸÄ*½W“,×rÓ¾ŸS̯ۢãÖÅišß‚Ïs©µ“˦t°4f8‹ÑÍ0µûÏ?Û'›Qq:Ÿ¹®?Ìge|žÂÄD¥ûž¯4‹WwSÔòwˆúV=«µ¾#ØN“Áîø÷F¶ï­ê]jÈñ/5®Âþ?®5ÔiüCê4:¬Nã]§Qk%¿¯ JPD»‹Á«>äö?åJ™Ý w²ëaNì­ž¶g´ý¯$÷£}ý‹Fh'ÎqýIã=Ž#Cn…T¤J‹(Ûb¾zÝoSÿO•)endstream
 endobj
-1045 0 obj <<
+1040 0 obj <<
 /Type /Page
-/Contents 1046 0 R
-/Resources 1044 0 R
+/Contents 1041 0 R
+/Resources 1039 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
+/Parent 1038 0 R
 >> endobj
-1047 0 obj <<
-/D [1045 0 R /XYZ 56.6929 794.5015 null]
+1042 0 obj <<
+/D [1040 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-442 0 obj <<
-/D [1045 0 R /XYZ 56.6929 191.8813 null]
->> endobj
-1048 0 obj <<
-/D [1045 0 R /XYZ 56.6929 166.7606 null]
->> endobj
-1044 0 obj <<
-/Font << /F61 642 0 R /F57 632 0 R /F43 608 0 R /F42 605 0 R >>
+1039 0 obj <<
+/Font << /F61 642 0 R /F57 632 0 R /F43 608 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1051 0 obj <<
-/Length 3366      
+1045 0 obj <<
+/Length 3481      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Ûnã6ö=_aôe`¬ò"J"æiÚfº)¶™n’>ì¶}-9"K®%7]ì¿ï9<$u±lÐ"D‘G<ž;Ígþø,Q“:œÅ:ãj¶ÚÞ°Ù¬}Ã-ÌÂ-úPß<ß|ý1â3èHD³çuo¯$`IÂgÏÙ/óoÿþá§ç»ÇÛ…Pl·±ù7÷ßÑŒ¦Ç·Ÿ>Þÿóã‡Û8œ?ßz éÇ»wwßÞÝ.x¢8|/ìg>øxÿ;}ÿøáÇ?<ÞþöüÃÍݳç¥Ï/gùýæ—ßØ,¶¸aÔ‰šá…\k1ÛÞ„J*”ÒÍ”7O7ÿôöVͧSòS2	T"â	†bJ€J‘Òy" ÆØüßu•‡ŸvmQWÍ	‡,`
-„„qtæD-Тu …¥eYUÝë·1rò Lâ+Ø=ÔzÙCÏÃ(£d„ÿ)·h7våÍj_qÐD½FÂFÌè8`"Ô@Â#Ô*	´Ì\TcF%—AÄu4`”÷/3<öXöðWX>Ý—X^uÌ¡BðbLªÐúŠì%¨ÐP„BéËê%F,º¬ªìï‡|?¡`$	ï}0­jûP;T #°ªú¿R;<c刃Dâóʲe ¿>•ÃÂ_áøtß/WŽ}r]½@Ï-´úRíAD"Œ¯h‡ƒêÛîÓªYçûSÑàë’Yã	ý  	ôõPa ˜–CüN=’zô¹!¢ Š÷Y
—N/iˆƒ¿Âôé¾_®!Zq®ßC]#äd7$$8¬à+®IrEßzPôÍAu'uØei›Ÿj8%ôeìjýPßÀmI h€ÿi—¯Š_yâgÉü¸)VÆóMÝ´v6ÝßòdžÛ¤9Ϩ­i²9,·EKãïÞªt[¬໇'š%&š]×{šÝ¦M›Ûñ;4@	ÍŸ7F³…ñ¶‰Fy •†ì,_§‡²%)k2µ³˜êFJxYê-½40\ž=xH‹‚„ÇñåƒïC?x…i‹]]«‰@”\ˆð2z5xòsÉxHÀðäQ"ôøv|*¶»Òú0΃?}xÿÙŽPôn9àœƒù€_fƇ7‚äTBøêSzÉŸ8ø+¬î;éO ?
Ç$…`Ååe{¨+„œîvÑŸ(Å!çWüIê‚Z9¨±?Y€‘Ó}VT/c:dY½&—	ñP”ô™L"öÙ:U°Hz×CçZ`ع|ñ®^Œ=ÃÓ»w®_ŒkAgçýÏÊô³õ!àìy"¸ó!Tùoƒ:b?Qb¾Ìé‡te†X"éâ²tŽÊ;£ö±ñXf¥çœ$:'~UÒhCm¡øûßÛE¥S½§áÿ¦²:@å*ì7ïh{'S$(‡po‰Ý¤}eɶƬ¢ïÖ$kPX¡†Ö±º³€ð8?Æa†			fvùvÚæòÏôüùV‹yM0y•.KçQ‡q_°°ó;nPQ\•3”“æWBÒšIåÆÜÐÂø°¢M«7'Ù÷gEëÐ`	Åü‘e$ %›NË*ŽkPƒ=
AÖÕé\Bû$ü8ÆÆ„££ÞOí+‚(
-GÛöØ›ÚÃ!£¶ÉžeáÐ@žoô²ªhóŽBdvXYåÀr/–a4´œ¶øœ¿ÃC#+ªž­v–:@Ýì ø/–EY´o@1¼FÀdºZåMCãøl>o‰ˆ’æšM}(3Û[ÚåX´›fŸLà‡ùþ3Ù§%jé¹cCU1þ‚2³¤¡HeäÇj$W‚®’eI§â¤ Ø†œv¼áx¨ív.O[Oqã>SÚˆ¼–™±˜ñ6}³hÿ³«›ÜM»p3Åa+I“MaCcQ5£à~ÿ“ͲÌ
-Û&Ë´!OȺS¨7Uï¸z9XÚ¶éêµyOoÍDF ¡P‰š…Â5ã×2¿è0•Ø÷=ÉâÓâ"„$Zs°Öþæ§É€ƒºBC‰YȤÒ@êø·u_äYÞ¦Ey>
EÄDþ‹©Bê|ªà¡È›6õ¹6™„ÚT‡W{¨	ìrä
-E¬Fè?Uè|„Ð&pn®%½S.° %+9±³}1¨/µŠuÏ×áŽé
-]é`ÐnÜ2f9	
-â0×ä-
 Ü&*ÓÕ¦ ŒÁ|œÚuaD§ºÊ=ªÔúï¸O`¤À¯ø0Ž)•9œ1‡–ûðéùþã¿&؉r)]Ø‚=¦/èDBüá€øÃѦ'‹#šAf2;sØÑÙħ©‹èsQàe2Cò•;Oc&~eŠ¹`h>J«Áçz¾ÛÛ”ÚThÅD÷ œƒ8º2a9…sªÒ1S»òÐÐ(­Þh€>ËLt>Ë„iø®ñ)hF0&fœ*—ˆ FPQ×>XÆغA›•À˜,$ñüƒ%¯Þ·4²›rÊ-â€^y 8ç^&°I(ˆsй	rÃ(±P_D­‘£và×úkLÞš¼ÊìŒ:ì–fÙjØà#
-Y°h™†	§	ÌkÓ݆>/6 kZ…Ôk‚Ã…N‚/3‚¹Â)âP…}ÓWÌF}ôº}/ƒí玛ö°¤‘ë?`ûÜõߦZ
n5ßîZÛl@;9ëÅ¡F…“¾ÖGèC÷â
-ù\mòÕëÂØåiAQ¢¯ ÷P؇íl8ôPôÏäd˜š×¶E‰ãcj'&kÀQa—èj
G	=H™”OîöŪµ+¤8
-xL÷àÂIµ¹fƒrMϬަn’Ä¥M“Èâ ‰päfÑ*K*9ø•ìk£s&林ÇúÞ># ^ƒ	ÞHE°ÊÛc½
ÈØ«EÐôÈê<‚ENÚÚ!´ÒÀmì~¼/
|EiL$}&l¡úZÙ[ Ù˜ü¬ÊÜz>¶ÓüÙæUÛéú„Ëd!äBÚ9¡‘ŽÛÍP„Ì™&iÊYSxõ‰÷+M¥uÞT<”i¦mŠy쉈0H þ»ŒÙCM Ø	¤ IÄÅ·-&QìQJ	®ñm—Ó”Qexzi½¦Ù¥…²æZï… M[ïmqá6™˜°Žše]}Ó}²®±¨ì0ᎡÒP\š°=yŽc$v™‹§¯ùÛ‘r^“FÄ6
gWtæ>ÇHíbJt«4r)ÊqS´`‹é*_dyYlûiÔùÈã¡Œ§,àw'q‡cÅe¼jñ î€þ$øŸæ¿æçý'÷¹Œ|U~z‰(µŽ,^èòxø+Ìžî{^mÇWúŠÔ=ÔBNw»xïÃA`\ÉmúP4ÌAÑ…h™¿¤Èý¢ÆÆÊXÕTèD_Æï€&ð
²9…À€
-µÿ VÈô…Ɔ*w»² Ä\û¢sSTm/h"c8励ªëûµ]Í[¿ÃÄmAÈ`ìñ6™Š
-0¦]û¬bX¥j—:áU¸éìò ð¤‘¨¦1®u2*$lüH}TM­×+l6^ŒêHÚ¸wÇçèƒjW¡žU®D躬[= óªå€lÛïYN“f¨˜ë‹X=Ð)ÚaÊJI9ÀKýA)Õ r7qiMó6*)Ÿí†ÒšJéÑ¿È£°Ú:¢Wè~d0.m¶â|ÏÄÙÓX‘$Þórd¢4á\¥j@.ObYׯ¦Õ&mÅ‹ë´({wW’óQ»cME^°·ÝûØ–1;a)û„Å—¼mý'æ0ƪ¯9ú;G˜J—Ó"àAÔÝD¹ôyB
-æg¥N
-G{W3º«³4ÑLUï·˜•à”‡á­¦9gZ"K¢ptç´/ð¦ñÌÏe¥
-ð7®:ÿV¤ú§´ÝïŒÃ˜~“2X$};¢z)÷¿¹=%ýÿ&3ó4endstream
+xÚ¥Ërã6òî¯ÐQ®Š8xòQ9M&ö¬³›Ivƹl’-R7©ˆ”§*ÿ¾ýIÑôÌd§\.4Ðè' ½P𧩔ÍÜ"É\ä•ö‹õþB-î¡ïí…šU Z©¾¹½xuëEe±‰·›¯4Riª·ÅÏË7ÿxýãíÕûË•ñjG—+«å77ï¾eLÆÍ›Þ]ß¼ýéýëËÄ-oo~xÇè÷W×Wï¯Þ½¹º\éÔko„îoþuÅÐÛ÷¯¿ÿþõûË_o¿»¸ºí÷2Þ¯V7òûÅÏ¿ªEÛþîBE6Kýâ>T¤³Ì,öÎÛÈ;kfwñáâß=ÃQ/
“Ÿ·iäS“ÌÐ'sôY[cI€}{xuíÌBë(óÞ ©Z¬\©Ø§D„‚1¤¤”ZþÙÔ%áC—w徬;þü¶üE)SW]ÕÔŒÉë‚ŸÚü¾ì'–óeN»Ñ<‘–™þÓÏt{™©åÓ¡l§×†ûÄ-âØG±6éçˆÜf6JT2ùÿ7*,wb£ì£‡Îãð0Œ8gµê7µŠ†9ͪŽ¬µ~û$2$‹BÜçmWEØvDž$@
Ê¡ˆìv‹²u~Ù–Ç 8^nó–‘97‹àusxbªfØ.°(ò.ç®Msœô‰º OÒ z¬v;FÝ…®»©Š±WCXd×ðùŽ—:]6U!
+‘Ÿºms¬@«‡€ªÛÇòØò¯€ª‹¦:ãU™86‹±t¿ìÄP7,8%Pe#c“ìïðC^TîbJ
¬E #ѵ»ü¡ü¤¼¾\Yå…ÀXΑUËmÎ
AyØUëœ)Q
FýAWp¥.‰IÏž¾Ñœ¸‘UðÐvfµ6‰2¥b¡ÛUm'>”ë
+Ý
»t#0(…Agúú¾ƒÔÚ}ÃÛÀ/½¼ù‘±yQ0ºmËVld@°€ÙRZÛmóŽÑ¬êØÏRDpÝÔ]¾î„¨ñ™rsì:Àn>ŽAM[ÄÊâ„Wf÷Bµ>[~óĨ¢Üä§]÷|%0Íl`Ã+y¿U Üç…@¶¥=šc7gyÞÂL±_¢+·±ãU B„ð5œ®1€&-‚u^3Á])ˆm^ß—#ÉÈÑô±»&y$ë橪ïçÖ„Šf7ØbŠHZQÖÜÇ+×ï=4)ÌÜZÁ»wÄœ	"ñ¢nˆéð#LWò6’0eÒG@…A¢’¸ÊÔH<4¯m×€‰<´·‘™ó•5èlXƒQ¤/ˆËùsk&ìÛ.?vtÖ˜…Q›³Qƒt3^3àxôºÙC¢Uˆ„Á
+«z-<ªŽ4׌$á|Ê‚$`‡u!Œ+:øC„aAÕ¾ªÁ1Ɉœ›xì@[ñË,«Á¥&ÿý´hï€ÑcUtÛhn)ïtxÖ)qŸ±k`Çë^(ظ[þøEyUÕahàQÖÒXlOµØUz6aPsjam-pÒsÇÊ„i
ŽÅ¬ƒ,p"5¨ÐK@ƒ2G
+r~@pW¶‚AMEÌ©-Èÿ(;ÐÔãê|žŽ§Xo!•f%2#<Ñç4ô``R¢±:Њk
+s€,ÿÈ÷‡]‰Ê’¥t„€á	Á i&© ÙpøSÜÇ$Ï0ÞG)ä>‹eŠH¯ô-xÍ4	é­Äʆd_ÝoQtqº<ìò5ÅŽ,D›4d#€Âˆ
+þ±e|U“ c–o<ˆá5°ä™è3¿¤ß«É. ÝH!#<׌·a2¶.H‚ÏóY­Š’³I?ÉÔÊ&ËÿžH­bXÞç±Ç’R°+»ŽmÅr․2&	B•K\0a´¨ï›–ƒÿ*ÌÑëd’=@4B5üüŸ}Ëwå–µ	`P%ÌG,æ‘ÍãՆۧæÄÀáÔ1ÅÝ?âS–|¦È&—	«z5g÷;Iù‹J¼c×À
+´ÖË(˜÷lÂ?Σ¿09eü±”¶Éßa†¼˜ñëÄGΫì¿ÝRYÌn¾;Ý}N¾oŒcZ€lp*€ã€}àÿÑÓˆá(€}âBÄŒ2Péuyè˜PÒbÃ>ÛQäç ¸¦&-!úÙèÿîª€í£µĬãXcyQð9$EývªjÀæÅùI¤Ü3­>=–q—X6‚leªÁº§£nºsuf˜¾àŽC~YÐ:LXß¾ûðµHz[ŠH†¼}`º)óî4Æ÷I×úü zÎt	6#Ù
+ý^ÚPž9¥YÖõÀĘó{ÀQ~ˆpc8æ¹!uôV(1w`”Äz&|*þ9
+Á„ÍS˜çøÄݘ+½Pž¤	ÄVœÂ(Í’²Ó
]R=<©9qowjë>ŽÀÌC	ŒÌŠ‚áfÆÖ}%‰O…ô9dü–K4˜òD·pV2%*/‡>*vç[š$Ÿœ¯s ñ\ËAU¼?I©ZòZrJè—Y’1¢=°Škɬ^1/¼‰õµ¬£ÅÀÇc.ŽŸµè¦f´Ì{•ârb|àÎ
+e#•¶üÇŠ…ßÃ8Hºw§¢œ=}‰¶žÚºç®;‡â¿DÏ,ËÕNô¡æ>Žâ>$ÊÖåa+r¦Ð½/s2¡ÄüÔûgò“B Ù‹sXç\ñ¢÷;&A º9í
+ö'÷eðj(aBIõHtá¼99@n`.Âpðóó'ÊBÓv¸<ÒC‚0;°ÔÄg–¯{çí \åsGdƆ4GõÖ+­0l`‹Ûò#™6Z=ßl"4:9pd7ð¹)Ç>h(¤j…œP%9ëHU!Ä‹1î-ðì [¯6#_ÔïÆgsKíƒ_ÂW*| ð‘ss¦ÌIoPãò]oâú£Kú¼@èBÚ\YQù¬ø&ûŸ…p=º€\•.ÎT¨7”¸g£Òó5ªàt’«
€8†Ð0Ál{öÂæ!O‹ì	Îz'CBj4wÎra<ÝäÇ£wC•h%0Ž‹(
+‘¾‘€É[¡áO²)ü&+÷¬ç0ïš#‘÷m>d@m³;ñ½ÐxT>'÷ûê®MÀË
F8†IlJ¤*Ää¤ZŸ8ãáòŠH7¹jïãW:T	ä³éz_Š†[9ƒ;ÍáˆHWu*/1MAc«¹Í¹9«¾0Õ¨PüãžSÛ³zýFg:]Çq‰ª0Ÿ'ðÈ°êcÙõ!Ä⤪j)û´ÚÕ$‡c­"¨gp­6óã!Ÿ+©rÕ‹¥XÓ&}ÅD‡'5 ÔTå±ÎwŒ9a3–L²ãþÈÁ‚úS·ý©Ëâe=gî_]¤
+ÀTðå7˜q¡ó…ÕÓP’iEËÙÏgÚy±$äüxE¦ã6lÇc~,>«*KÔòˆž<$	?·bñM¦bï®ØÐÕÃíD}9â)áAî+Fá>X<ÆŒõÜåm…ŸeÖûüEÇÅQbuPöá
+iªÅÖ¥NˆÚáýØ%œ/»<ÕÓaîÉ(õQg!~Y´Ž®R„Œœ32§™ªæòöxnA|’=>­@Í­õÄlëâUðg|-È%Ií9ßùÇ.ï" ™J\§Wfù¸­Ö脼‘»sç!e=0ÃB$ª¶¿ŸJ2]rND)é*Ó°tåç2W7„„%ŠXóãŒK:I\Ÿ+E„jf„ ³8ŠÓ,ý,)XðIò\G{5~îóÉd'ñïœI`	&‘‰žJð^tèžäg!„6³ç¦‹ŒN>kÅ&Š“ÌŽ.ï-In`“ð B¯hb“´)Äàbb{®Y|ØV+N+ ,Xþ:Üëp'N}pôxŒ_ñÀêrJ+:Y'ç¯ôF‰)§ÐøŒþÔó+^z•@?óÐ!œ>ñ&‘7>Ts Êpî‰6­ãg>:•Î‰24Ã÷‰0ß'¢bçüËy'‡CZQ%£È™ŽB"`ÂïWtx–]Å`wÎL/¯é­++j;Ë·ž	Ý)ÑÂE îwÍÄÚe¥Nµþ¤s±Y”‚YŸÉŒYãum(¡š¢çJȧ!ƒõaì㉇êoŽñ']ƒ#Q;]´ÐÏ#Øq=uÂ6´½@³‚\zïN2ƒœŽ“ÌÓ…d%8ÄP¾>W¨öÙ	þ®CZÎm`)Úðª—0¢*T	òƒ­x~WÉI9fÔÿ`d¤í/ç+£,à3иȘ˜~39ä=óã.Õÿ*ë‹J6üÎÎAò‘¦C&s®‚
+ì|ÖÂBbf9ñÉ3y„ßœ	ÕhéÿÄ-6ðendstream
 endobj
-1050 0 obj <<
+1044 0 obj <<
 /Type /Page
-/Contents 1051 0 R
-/Resources 1049 0 R
+/Contents 1045 0 R
+/Resources 1043 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
-/Annots [ 1054 0 R 1055 0 R 1056 0 R 1057 0 R 1058 0 R 1059 0 R ]
+/Parent 1038 0 R
 >> endobj
-1054 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [312.6233 716.6708 381.2953 728.7304]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
+1046 0 obj <<
+/D [1044 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1055 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [310.4119 685.2449 379.0839 697.3045]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
+434 0 obj <<
+/D [1044 0 R /XYZ 85.0394 732.4917 null]
 >> endobj
-1056 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [328.1051 653.819 396.7771 665.8786]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
+1047 0 obj <<
+/D [1044 0 R /XYZ 85.0394 702.3779 null]
+>> endobj
+438 0 obj <<
+/D [1044 0 R /XYZ 85.0394 702.3779 null]
+>> endobj
+1048 0 obj <<
+/D [1044 0 R /XYZ 85.0394 677.9665 null]
+>> endobj
+1049 0 obj <<
+/D [1044 0 R /XYZ 85.0394 677.9665 null]
+>> endobj
+1050 0 obj <<
+/D [1044 0 R /XYZ 85.0394 666.0113 null]
+>> endobj
+1043 0 obj <<
+/Font << /F61 642 0 R /F57 632 0 R /F42 605 0 R /F43 608 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1053 0 obj <<
+/Length 3284      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZÝsã6Ï_á·:3k•_ÉéSº›Ý¦ÓuzI:÷ÑöA±åX­,¹–¼izsÿû)K–bï];›$H‚$ðšOüã“8‰+ìD[ŌǓÅæ‚Mž íÃ÷<³À4ër}ýpñåû„Old‘LV±LČᓇåÓ$Ñ%ŒÀ¦ooçïo>üpwu©Õôáæv~91›¾¿ùwW?^Ý]θ‰ùôí7Wß?\ßQSâÇøúfþŽj,}^ôîúýõÝõüíõåÏß^\?´ké®—3‰ùíâÇŸÙd	Ëþö‚EÒšxòqkÅds¡bÅJÊPS\Ü_ü­°Ó꺎íŸ2JD,'3Ø!¹~}Zš‚Á´žÔ<Ò’M:3°ÎàDœXÓžH¬;'bEdžèØF‰ÒÈ:/Ü•/ß+ÙaÕ:’N–9¦‡uv9“‰˜æeÞäi>­³†j«}w—ÜL«Ê×–é&«³Ý§lWûεï·ÍùOŒ‰lI
û:/ŸˆLéó“ÊIæ:üQ•ÖD((ˆ4ã<²q,œl_g%œ²5Ó¥D‚fõt“îššèýö
ÈÙ4o|EÕG}kÀÊ8*ú¢àå’èt¬®{6&iKè‰C ñä6Ñx	ØTµ¯rãf‹¬ôå"-nÇMwf,uvD5½ñ|eEßpÚÑÈ,q‡AzA‡$„ì6¬ª‹"­k"oæoˆ›¶jÚ­"ì.4§¾gµÙæE¶œå%U,³Uº/šÐµÛ5\ª°¢·Éaw4’N	V¬d2}‹ÒÑ©‚b‚\;âi.ùt–T¸™Sû:ý”UVô}ÜçECòÙV¾zL.?é (
6Ä­žt-ñOÙ¶´2’€Ÿ`å öóG¤âu¸à"ŠÔ'á"1:²Œ\,³"{J›¼*gUY¼|r B)Oé«P+–Tƒ…߬DÝ‚Ó]d¾aïa6jpS:
+̺Ùû‘QC;/W»´nv—`Ø‹fOÖ3vt¨íˆE€†Å,‹žÐŸÄ <·ßPýüú]ˆ/ÝÞ}FQéª|!"-ëggÐ@7ë´!ÊÁœä­õæŸÎAËsÞ¬«ý¨–£…(ØŠß·E¾pð%gqðÍ7Xë+»{âý—Lˆt³ìòæ…Šu¶Ì
+$(
+ª~ôÜ
‰™6 ä0¤hI<žÎÿñîöãÕÍ<Âbâ–Uæ©ÒÙ&év‹Ç„|4y4Дn³ß#BÌÃh÷ßÜþðÝ»±
šß>/w‚ÃgÉ8AÁÍß"KWD¹3ŽH?{Z}4îy…†ÐÀÆRx…^ãŽÄp¼ˆøÍV¸«Ï˸Õø%åðÌ}]ˆ%›®Ï6Ôî
€ÜÆ,ÌØ;‰çÔ±,¸¿Š:ƒþsq€C$s.4Â>šé£Ðèÿëá–GFC°2:JâXuCªAh%´‰”Á­‹
Ħ¢	)1›Æ1‹¬Jd›
+øƒˆ“1FždD@Dq›ClÄ-iÜ5Ñ艉ڤ/DT[T²´(|ùÑ3¬ª¢¨žQ-\­oMéã|­³æ|ùq‘y˜-‰ŽóFÍ‚ÓZƒ§cÁ½vƒc.˜ËÈ(Õu8G?!tªl²]™—JGF0}¿!ÅW€±ÊŠ¸¯ùÐâëz¿É–Åp4bÖ¶/ª·³†*(dAxX{Ðø”Ö¾m“þ@J•GEZ{Ôp8Ím{Ì#K’ÅakÖYWË‘K1+­gó''!>ËýõeI¤	VºÇG|¬ÀØ'G_éØ[ÁÒÇ›‡/üßSÃ/n7°â
+v¡LÑÓ+ºiúWF
+¡T
+ðë´ãAÁž"k­êƒgO4ÔÑôý¶z—Wûšêë—ºÉ65µ,Ó&}ÄFïÊà>°_¬}wÏÒ쨕MŸhûm`ßîrT-?rJ±8ŒRÑ·*]$ÈÉ0±æ×ìå™ðuyʲ}s?f*Rhאָô©_ʪ|Ù©é©Ò,ôïiÔUÂSé	t¢Ún\Ð-n6øÂøöì	
ZÒÕj¿»šS¿-mSS-ª‚šÏN#•ÄJÖ›|	p¡"Œ„@ê_䜡ˆ˜iAØ»¡Šèåˆn¹o€
+zV8Ü@ÿ˜…­u‹3 Im’®yßÞƒõd6&IÀIt„qØ¥v¿LèÖar=È
+@ ÎyL÷óaÄ3ͺ\¯{š–ËEUù38ÿ|õr<9¸å
+Ðñäì-×Èô=ÍãBô§¿Ï²#\\fõb—o½! ·×êˆ	ÎêxG3#`H£‚Í”Çë&ŽÞwº ÆÝÓ„ˆ»®kügV<—–¼8,õLR‹$cThqæà[®3‚GCA¢W•M—PÉeëpP¶Àu8§ßöÙnD×DĤ²§'o¹Ffïëè‡`ª7ý_©lí"Žu

+ÙFcº&#–À	tpR×<ÿ™Çý|]S6ÒŠ‹Ó[ßrd8Úi]äfVŸÓµ×	]\‡cjvpùYe»º	èÌãÓó·\#ôÔ
±>9–à¯T·î:Ž&O`õÚÊW5"—HÇÊö–zBãZþ3‹Žûù—èHIíäî·\çŒvRã„.ÍâÓ×åz]ãZ®ÃIí·±dCxƒCe‰:={Ë52}_ß8æÃtþû6ÞÁ8™éó:wá,ÓÓuU7¾6ÄÒT7>dr©¨¬÷cýî.ù‚ÞÍï©–YS-ÅeP»+MæiŸô€¨7	¸TÁ¥Ûqœö™×Î*dQ–YéïE‡)ãnÊÂE¿.“„‘.®òõƒÇ»1òÌÁw¸N|àÂh³mUä‹Çx¨c{zú–kdþþÉ+0:-ûôOþpÀ—Š{LÙyüãÜ·§åœàÈEe¿ÎùÔ_mÃŽWÂV§º’žÂ“ÀfiÃqGñ¢g5ÉšHžÞã–ëœ ƒÑNã	³èyÏ©U‡ë„Z®c<™‘=§»%¾N+Ät†1yZ–kD’ž‚éN¡»¬¡‚%²… ´y€,´ÐgÏðm¡è´`ÁA;ïv+ðy„2’qÄà£itû.±ð·@9¥£|å’šˆ%<áK+R{í/ìÐÒ'‰àD—FÓ
¼D¡¦
+þ÷ß—³„aþ«Ì¾"ò?cQ¢Œ´5¡Ï>ì)
+”»÷ºl>V–^lïa\k?[+´?$­D/]ë^6…ÒmêÝøÔ»žn³¦O(£Åìô៬ˆ'+ÓÇÂóµS+ÝÝXù
1»;w¸„õ÷ÉâÕCˆ^X3ªÜ“™ç•ý|ˆßÚ´|	;ûÕÙ­u¯)œôwõBo»“oÅžÞ]Xx™C²YSFáHtŽ8 …ùߎX#v„å¶YÊÞ¸"J¥ûÃv–76*lgI'ýƒrïë=es±°¨ö˜”òY˜å~á•CÂ=]KˆÇ{ÊÑäŸ2—Í#ËËEæŸ(×Yç©3«·UYçyAYJ+½Ï†V# 2],²Ú?„.³¹Òqi ¨«×Õ¾Xíöo¨>3Ó¹
&°#=åúW0&ýg{ßF¼ÏžÎ+W*ÞÉ‚Š“r€bÓó·2íÚîk»¯ËÒömÏU¸´¨r1ˆPËÕ´îÊPÞMûû¶ª³PIË=0×c`4[AšìnÞ5æe}äÜo¾÷±Àré7Û˜ðô±öÄ\κìW'K›&]üZå³j#f;.Ôñù€À³Ïºü#nøxÔA8 ‡7tœ$}Y†?{	\gDPpÿcqbû2´‰ÕMÕÝïeÖ¤yñzøi,þÂæL˜Ðaz=JL„£uõZúŽÅ‘UpK85sË4œºŸPaÑñÔ·î	\ëÜhäj_P9»Öš¸›…{5Y'€Œµí&¸aÄt@E´ÿù‡C
Íèÿ#‚rÝPç~„„{QA)ÓÅ:§8ÁuN}»w‡@uÞFý´#Yb‘Ä‘Ò-²càB—Ø"ÍÔà­øæý?Çßa¸”û7`…é“{G1áÙÅøõ!EoÕHQ
.fékö[úºâC·!êî9ðÇ:ô¦bŽ~
+%Œ{D.Ðu¢Çž¶»ÅWŽMJÉ.¢Iî*xáë˜ÿJeXTm|‰A*u?^‘ÊUÊ9guôÛäqžb¨\"›Aœ’&=«86k4æÖïbˆ`ôôÊ‹Wí¢> endobj
 1057 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [359.1386 579.0121 427.8106 591.0717]
+/Rect [284.2769 367.346 352.9489 379.4056]
 /Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1058 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [398.1622 456.3844 446.9089 468.4441]
+/Rect [282.0654 337.3189 350.7374 349.3786]
 /Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1059 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [259.4835 160.2326 328.1555 172.2922]
+/Rect [299.7586 307.2919 368.4306 319.3515]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
-1052 0 obj <<
-/D [1050 0 R /XYZ 85.0394 794.5015 null]
+1060 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [330.7921 235.2826 399.4641 247.3423]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1061 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [369.8158 115.4527 418.5625 127.5123]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
+>> endobj
+1054 0 obj <<
+/D [1052 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+442 0 obj <<
+/D [1052 0 R /XYZ 56.6929 569.0182 null]
+>> endobj
+1055 0 obj <<
+/D [1052 0 R /XYZ 56.6929 543.6932 null]
 >> endobj
 446 0 obj <<
-/D [1050 0 R /XYZ 85.0394 769.5949 null]
+/D [1052 0 R /XYZ 56.6929 423.5151 null]
 >> endobj
-1053 0 obj <<
-/D [1050 0 R /XYZ 85.0394 749.332 null]
+1056 0 obj <<
+/D [1052 0 R /XYZ 56.6929 398.6084 null]
 >> endobj
-1049 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F58 635 0 R /F57 632 0 R >>
+1051 0 obj <<
+/Font << /F61 642 0 R /F57 632 0 R /F43 608 0 R /F42 605 0 R /F58 635 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1063 0 obj <<
-/Length 3047      
+1065 0 obj <<
+/Length 3260      
 /Filter /FlateDecode
 >>
 stream
-xÚµZÛrÜ6}×WèqTåÁâJ‚µOŽ#{•Ú8YY©Ýª$ô%3‘“!GÊäë·›
px•Š]*Aà°ÑÝ8¸tÄ%‡?qi"%2¹ŒÍæróxÁ/ íÝ…p˜µ­»¨oî.þñ6—	K"]ÞÝwdYÆ­—wÛŸW“ì
-$ðÕ›Þ¿½y÷Óíë«X¯în~xµ–†¯ÞÞüûšJïn_ÿýëÛ«µ°F¬Þüëõw×·Ô9ßܼÿ–jz̽½~{}{ýþÍõÕ¯wß]\ßµ¶tí\¡!¿_üü+¿Ü‚Ùß]p¦k.Ÿá…3‘$òòñBÅŒVÊ×ì.>\ü§Øim>òŸ6–©#ð¤d‰ˆå´—‹…P¬3V«ÖËZNyÙ£ÐË÷åá9=l³C54Xð†Ì˜Ë®ÔQß-j¢sÕé\Á´l¿÷Ÿªl~ñª.ñiWåSv8äÛÌÕ~r…]^ÕT*ï	ø°+?¦;ª##® 
—I²º¹§ÆÜ}˜WôaQºŠjŸmò_8—^‡¼ DJ¯–EÖíÔ9í3tÓÀ±Ê$,–‘t\ê€]'(ð•‚"á^!ÆXFLàƒ‡cdÓV”DÇŽeyñ@u!ðÜ’~„¢ù
-¨û?u­Ç \îë¼,œ êÀ¡È=P8ÂØ°Ñ,pT‹’„¡QA:v@ólô ´:ÿã¾Qeý1­²a×IÄ”QI°kwÝã"L)ðt·ïÿ^%r•‚GDbÛ±¤N`
­X²Ô€„Å׆E÷'zi|­Eú˜Qr§Ó…CZTéýOØ]ù@-¿pÃ+‡"ÝAQøJ.wNj3ÎX¹=AùÆ)»ß¦uFdÀDebO&ZIÓ	‰ÕÍÿÞÞ2*ºõ0¢õ*ò‡¢$TTA¼‰\¿¡2Êht–¤‡ƒ>Êf׉Jç™Ä|MºõßQø]>ÒÛ6¯>cËÛü
-T&®­ôP†M’÷§³2éYi4Œ÷-òS»os”Á ¹—¾é.
4bóä…>bË"æ.*@_B}ѥ몆Á«ê|3N/KÎl$â°-jBƒÞ¶û&•{ܸ5bíñY$•?úÈÕÁÜÐ+PŸŠN¢U•`à¨üœïvTúœe{×îMN]S^¥=‰¡‚7­ „Îj:²À¿|ó‰j7©ûâ£ë{{|Üg[¢=-çb@ûNúj¼þÃúªm»°ŸÇ¦“:¸Â$L›ö‹m†Àb˜˜i©ÖºæœažåŠf¥\8vQó¼kQYùÃú)ÝåÛ¼>­qe:ÀÛT¬5ð*¨F‹šÐc$k©úz|™MzÖšq€,¬ãó²b6–t-	È¿`úXî잭DzaF-PÁƒôÉ
-îØJ
-ÃÎ0ù:¨ù<ª™Ýã{U›qBVjfâxA‰5¡EáK˜1-¾L\;`8O•í=|¡{8UêL¥r\´Ø”ÆÔÇÞ•‡æ6ÌlwîDÄýá+ÝíÊçõùÐĶʵðàb;%³Ì±?–‘¨õÇf*?ÁˆÇíFM¾3Ç¥ öÈÙ§lwºBøë9CEü…EXÆuLÛìÝ´…Í5¦Ú‡ÚXø_B6»ôXe”²y.Ÿ«NöUs§iMOTHÓŠG«=ñ”—G×ò”*º.‡oÈ!|"#ojz6´r°p@AEO®Æ
Â
-©AÞÆïš@¯Ç¼ªÚ=Å'tŽI“§®·7”øÛöo)µ ó¦Q¾yÈZ‚.ŠÅ³¡|9KàôœÆE*EáYdÏ®SÒÏq¨IèAéM, Üge›…7ÊH­Áó9%¦ &UM‰Ù	.)-MÏŸÒšJçéŠòH!Ìþ3kx#ÃÕkt YUYsYÒå¥áÙ܈ÛQÖ¸›šº{Ó´™'¨kOv¾wiVYÚdýÎ2\u£u Ï®¦Ãµo³"Ï\Ý™;®âÞ£ÜEµóg­'V'$
-°†Øg5å­¿j¸u•'ª$áX8PCg€ 6ë¼-ÁwZhº˜kµ£¡íÜf(¶œ¨‘%×’7Íýõ7Ã!e}YnÑA`Šq>ô›áÌH|Á_Å"iã…¶1SW‹õî*Z<ÂÚ7WÜÓ¬ѪKõÕýÕ—ï¾°Ì&"YÜo;{Ã÷›–ïþñö_÷7w×+¡¢e®W*‰–_Ý~øšf,ý¼ûøáýí7ßß½½Öñòþöãš¾»yswóáÝÍõŠÅá~áw8sÃûÛÞÐè›»·ß}÷öîú§ûo¯nî[]ºúòH¢"¿\ýðS´Ø€Úß^ELZ£/p1n­Xì®b%™Š¥3ÅÕ§«·vVÝ­SöSÒ0e„ž0`,;äŒãd¡•e‰Òð%ož®W22Ë,]?¡>p—èÜ'Lj¡€’§E]­ÊªÉ·¯ž¶ËA	&E¢ífs¸æ°q]‡¦Â_»¬³rãgž2ø-ÝònH³ÞMf™Òâ¾:44QÁ͇°MZÒr»á&Û¦Ç"niŒ9¡á
+• éWœ3«”ø-šr¦c{MóšPä4Øei™—ÛcA×Ûê@ƒº9>ÐèU™Õ7É£å=J“­ÔxvmÂj¶Û7¯4,òºa#ôE,Ràšk&´ÓÞæ‰V]*‹˜ò¶@…z®Ÿ²õóªLá	
yóX²ÄØÌ[ª	î=¨ÆðHt4`ÿ”;P¨eµoòª¤ñKê'u¶¡Qî—(àÈÐI-=.›C¾nü
+GŽé!]7-Xõ„!µÜT»4ìO–è±Ü¥5ÞÖY¬À/µˆã>®~Œ"Qà]"áË´Ü|é 1çëŸhÒ·¯Êšè"?µÎòϨ"mÝTµ£+‚–YóRžW±,ýlªìš/=sB뉡·nã÷ã]kà%ZU‹‚N…Ñ6¾Þ6ÎÈ68LÑÝi=zJ¾ÛÙ.+›ÖÇ*¢˜YnCÀp€„3GÁ5	)g]%I$ã¨g]¥KuÞUZ*ä»I›ô!­³‘Ÿˆ˜8Âæ9·T¬{~",3	}ÞŸöÙš¢i쥔_÷M9(Ão+#­W4û੼;Å>z!IÝTkÝcŠd´Žâ	j|H£{N·l«¢¨^z;L„cc®Db]{Œ1…G‘ñü9{@D£ôB»0ê~K€ñž°Þ8Õœ*~1¥«4r6‚—§¼_L×Ùj“ù.÷·êeà‚A\³‘Æ°€~ûdÙÒó…‡ ÷(<8'±Ú{!NÊMÃ|CyÌ¥å+
êãCýr$‡²)=éOû´vÏØ-ôè’AŒj^¿üõCé3²ºsz#RúyIý©V#pÑk
ªÁ	ØáŒÓ`Ö25LJãÏ	$ˆyç8…‹ÜeºÁ2…Œå‹ÃCóÅÂÐËÀ=ÕÜO†à
+;Û¿ù 
+ã2m H{Žåj—íªÃ+]’6«‡"…ðÕÐeÔ+†;Òþ¤=ud@c
+ÞEV@Þh’¾Õ›ôÙÛ¨÷<§ŒõѧQ2^~N‹£;Ϥ<öU]çEFKù–f!¿Ë1¸¦ÍwÃI¼ÜÀ¿ÛSúÙO?dYIsE^>;_‚Y@IE³>\ÅpÔà~Ì¿]NΗŸª]6uøÔ)!éIõ,@n]7€”õö¡•c¤z8Rb30‡U™Mlè"úáµ—È=w”LX,Õ…s§KuþÜi©\œÌá!îG§ÇT‹y¾-ÕãÞ©Ú`5Òãü)ˆ&Íêõ!ߟ,
+Auï­f‘ˆƒsä0•à©‰	)Ø{ "¤-,ÖV÷T¤ÅÃã‚we[úÊŽ÷%e×'µ°nÓñ¡HñWö‚Õ[ª‚ŒwCAÎ#,J@(!/ ¬C5ƒ°@åžPVd)j¿ªÊâu5•0kì<ÿ@4Á¿4Èå,–=è …ÓN
+™>Ò؉B…â~_ä”–Û¶ä|Ê˦sd"•b8J±ØèåíÖ¯fM»ÃøØ€Èã8䯓‰¨à,Šày
xE¿Fµ!qn/yQxñ ì¤‘?O¡@”ÌZ3(#üñ‘¶gjê£^îsñ|PEÒÆSwøÛ#õTŸžW馱—*Ì.ÕypµT¨¤š/éa3Κ9SšÛyÆ-Õç~Öœ0¥¤ì³þH’ªW½»ÓiKóþlRmÆÃÁVÓTJ?$¿Ë¸üáûZΰØAw¢¼QÓQÛ7	^5„ÈÊ5÷Dî¬&žëôXgžW+bQUÏGIi^¦„…"IrÞ?IÓ-zppxuiºÐ¡¸ÔÑH9\¤³¦io)+šLËú…qLšt‚ét1mÎc¤×.¤ÐVp°`…—êXxþ)–^&š)«Ãsœ
+æpºU4LhÁ"“Œ,Ï6ç ²,±‘ºàªT@û}@BMÂͲD¬{ á—è]ÞßS5À}NýȦP´øÙ'? 2	G®òdz¨œ­a®†Õuqs£KÜøFL´¹Á¥TÜ5þð’|îÄ“ê 	(Ie™Iˆ»ˆ2Ç.Õy8¶T.Ïú•M«s½
gð<û–j‚ÿ°—‘@„ëðŸk+ÜÙÆmèðq;pàa82´€ÈÅË:ô@ðÂÙW±gDS¢Î¬RŸÕ!mQ=ÒÊ‘Š~®Ž(t`ÈÃ$¶ñˆÒ=oœÜ¼ƒ|í…ÝCAäC$ÌZ*=è0—¾—wûß÷wŒ† Ô’ý¦]þXV¾E7èö…6¨o%ú–	²³<®›á
¤?N9':-ñ¥×è‚v¸àJd°ßg¥‡=\þ(Dì3#ÝmÆÁeC€fÁ«ülï¼ù¹,&Ü’kf¥©•c3ÝðÊP]1ö7‘&ç’+!¡|žwœÕŒãªžã4»ýÊ›sÔ2ÇW>â‚-Õ„ý–¹b\Ë­ûPÖ‡’rS­]G $U§H¥ìé-šñ¯)n[ nΑڳ–F0«'f—ê¼¥[*Tq—þºrλͼÅó]¶ˆ\fEÏKÒRMˆÒ3·¬<Ò¦/Ë«æç4ˆañíœÖg«bi‹­=¥gªâ–þ‚úã}ÏUÅÉP$  ‚̳ϡ¥º Èx·ÙªX(D—ªâ.Õ
+Õä3Ë7Å4
+!¿P‰—¤¥š¥BÌãñ1teùs:1s
Q(Y1ƒBx6غèj3‹BOAýñ¾¿…1¾‡(9ûZª‚Œw›G!‡Ãyv¨fP¨ÎGŽêØŒ`hb'*™¥¥š¥C‚º+Ì_îJ£/ »à‰=Dk™Ò‰ê©=Ä@Áã};X¹ô Ñ1F{Í¢²
+%RŸÑy¢óac‚PòÛd^Ž–h,H€	K´îKòÆ]}†qÐÂ#Öñüb0˜V]•gÑçÉç•íú;°1
×Ü4ó2wš^™ÖâÏ#¯C5½@Eezø\§ÿòC€lJÎóm©&÷_~hDdÒçüç`íìçFj€$IοüP	‹´2=ç^~úÊŽ÷ý/?Àžê’Õ[ª‚Œw›G˜äøÒæRlëPÍ ,P!Çýñá9›@Ü5Ï·¥š`Üo„ÄÌkúœoÑÞ:µŒöT
–ð®3mc÷Yð
|Io>µò½)˜ö
ß²©i£‚v0pì«h¸uvSíퟳ½©OO,]ÔuþX¦þ#|¥KÓ/ü›ã©Ÿ!¨™ƒ¿_øôéæq'³ 9<é‹{‹‚#p´Wúe»6é&Ü×ùF
+®6yí¾‹Šx°!LZ¿VÔo¤àöõ$Lzzâ3‡à
Ⱦí¶ß=õ;8Ý(qáó$­™ÐÉ…<±C4óŸ'BaÑž«º'W7ùzâS>˦ósÜ[¢1û–„cUÿívâ•$ÐBοPëw†ÞЧþ«”$|0àÆô>
GÏY¶÷ëAáÔ/ååßxüÂÞ£`„¦zãßÑ=åë'š]§þŽÏ{sÜí³
!^sf¢hÐêê6¯&Þ~h›$¼Û>=™Nãhøý)$ܪ½c“!a9lË´(kMsj5³sŸ.KÅð{ã‰gÿñø³æÓ7ß1~ßiÄ™¨%Ì«ƒP¨«²CÉÛïŸÇ¢ÿ
+"÷endstream
 endobj
-1062 0 obj <<
+1064 0 obj <<
 /Type /Page
-/Contents 1063 0 R
-/Resources 1061 0 R
+/Contents 1065 0 R
+/Resources 1063 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
-/Annots [ 1065 0 R 1066 0 R 1067 0 R 1068 0 R 1069 0 R 1070 0 R 1071 0 R 1072 0 R 1073 0 R 1074 0 R 1075 0 R ]
->> endobj
-1065 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [359.1555 611.9038 427.8275 623.9635]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1066 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6164 581.9007 422.2884 593.9604]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/Parent 1038 0 R
+/Annots [ 1067 0 R 1068 0 R 1069 0 R 1070 0 R 1071 0 R 1072 0 R ]
 >> endobj
 1067 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [370.2338 551.8976 438.9058 563.9572]
+/Rect [259.4835 532.6298 328.1555 544.6894]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1068 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [364.6948 521.8945 433.3668 533.9541]
+/Rect [387.5019 279.1398 456.1739 291.1994]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1069 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [226.7331 491.8914 295.4051 503.951]
+/Rect [381.9629 248.8466 450.6349 260.9062]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1070 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [352.879 366.0166 426.5323 378.0762]
+/Rect [398.5803 218.5535 467.2523 230.6131]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1071 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [307.1508 336.0135 375.8228 348.0731]
+/Rect [393.0412 188.2603 461.7132 200.3199]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1072 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [334.8268 306.0103 403.4988 318.07]
+/Rect [255.0796 157.9671 323.7516 170.0268]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1073 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0276 276.0072 360.6996 288.0669]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+1066 0 obj <<
+/D [1064 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1074 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.7036 246.0041 388.3756 258.0638]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+1063 0 obj <<
+/Font << /F61 642 0 R /F43 608 0 R /F42 605 0 R /F58 635 0 R /F57 632 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 1075 0 obj <<
+/Length 2903      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZÝsÛÆ×_ÁGjÆDîûpí“’È®2µœÊÊ´$0	Q˜€B€’™éß]ì>TgÚñX8ì-övoûqùŒÁ?>Ó&2N¸™u*ÒŒëÙr{Áfk˜{wÁ=Ï"0-º\_ß_|õÖ𙋜fvÿБG,Žùì~õãÜD"º	lþ͇۷7ï~¸»º´j~óáör!4›¿½ùë5ÞÝ]½uw¹à±æóoþrõýýõM/ãë›Ûo‰âèrBèÝõÛë»ëÛo®/¾ÿîâú¾±¥k/g
ùõâÇŸÙlfwÁ"éb={qçÄl{¡´Œ´’2P6/þÖìÌÖŽíŸÒq¤…2°“"Š™ßdYÎÇ*:ºv“•ÛäÀ…›\fëÅs²ÉVYuXdy•îàîØt®l¤·³î5®=dG¦(!ûz|LSÚÿêÑVi¹ÜeOUVäD(P¯#£œ˜P4˜´æH'#!òOeù±Á\[-zÓän=£Á]Çô†ÿŒéC¹dû²µQÏaêX'%t¤¥™öA`:£Ç@ª
ïq¢ÓàëpM€/páŠÕ.ɡtwÉãù¢,ö»e:€ž€¼aí%®-zÐ.ÒúH‹ß½Øƒè„-G
+Xˆu«'€Çbp½å=s§€øÏ>”{
+xf ’UQ,Œžö@ÃuN‘´I虘GNH;
½.×iè5\'ܵxØÎe)®ÏèÑp(ÒCŸ’ém_‘?}Þœ#b	.'(5øGòžÅSüglÊ}5Ð:=턆ëŒ"CiÓ„bŤŽÏ°Ã5ÀÀ…+æE•=Ne=Þ=·z`Y½ŸóÀNgeù/SoF­m iá°Å§Ð& 3!ãž¡hkøÏØ<”ûút§]d™”Ó{ßpQd(mm•²çÐÖáš@[à8j4ѱ(†º4©@`Q 8uètúü€Ïpì×ü4æ¤`ØóÄ=[§2\à?cöPîë1[hœœÞþ†ëœ"i“˜ÓNDB;7¹.×iÌ5\¸â6Ë»ôa—–‹*Û¦oh¶ÉçQrÍ]íCÞ@l›î•5mBÃ5bCoÛŒ‰tlm߈¶ÜyØâ [$!¦`InxÜSlb
ÿ‡r{CeN´„G°a˜öwà:£ÉPZƒ±#h,”ųwØ+Dœw÷OZ3Ææßòd›-Éë?<­’Ê'‰ï‹M¶ÌÒr$ÐÔ9ÅU-Ñð•©øp)÷OOÅ®*ñNÏ«—‚ÈÉŽ…yReÏ)¶iõX¬JºT_×ÐPUÙ%Ÿçk",7YšWž‹rvÙú±ò´‚zJwÅnKÄUcÜìk»Ê.;¨ƒ–¡-Ð;
GC´å·"!°,òŸë}ÝÛ¥+¢~:´Ét¸çœÀ	Ía²Ù/ZýD‘fŠæ|5&ÑERÛÐ6’¨Åúæ0&¹¡¤i×wï	Ó uµL¿Þ2'uà.+`Þ‚ó[Æã͆úPÂÚê4ªÃ‘Ðm[ÛHbº£Ì´£[2;>å¡XÄø«!7f\w
+d‹¸ª·PÆàÃXô¿cî¹µ'ꀎ#ÁšŠû´8ëFô²"àÁÊyú9Aœ—D§èrÈü@´„n}2øs7›àõR˔ؒÕÊÛUCæ׀æǓPØÜÑnÐC›ô9Áí-’™OáúX¼ôòG'“c(×¥*kÏ‹›¢ø¥üm™¶G­¯‹âØRßçra ®+
ÿEÈ-QJÂQ›pðÓyuxJÛ;hÊ‘xªñÆÕ)Å\S]‚`l­1¦­EÔ>r›Zd°‰Êž³Mº¦ðÕñüC¾ô&tis9<ú˜øçÊýr	(Q_R-CKzªÔ©&¤RT*`5š•£e`»MW °^ vd
+—ŽlYјRò‚®û¯ðD§ä#o[ú\À46
J˜ºij»pC)#îX	ÄLuõÈ×Hâ`¤\Ó“ådÑ©KÁfu\™ÚÖp\H;ß@Òå$€uc¡_‚ƺÏö/ýd+JçðÆ"¼óÐM»VI„„.ìŽêwgâ%Û¬–Ih›k„Ùœµ+¶‘3X±Æ+]ž“
t)c±,cY«BM©UÆf ÎÂì͈ü¾.C%(÷ŸVÅ6¡Wƒ³;äÛXNˆZ((.>>ƒøMYÈT6Š³ÌCápf—2nÊPºy¼Œd.âðŒ†c§1ü5ßÚ¥Š#ËìÑ·öÿî© &ºzß'¾öÓsdùax¢/jѵ>ºóƸ·=gcb¦Ì(,Ã/á¼õ¾
Ñ&Cè! Á¶½9PCäúÓò9Æ'’ã©ÎSùXª9¯•¶‘âílÇïÛbt¦dP–þ¯qÇ#
zžñ³‹­8„'\Çò®ãÐ6úwŽªuRCÒ¢Rºm׫©Ø
!ÙKÑ
ŠŽ½6H¼ï…Í^3:†ŸŽFÎ*Œnl;N{¿»­_Öûê‹zßØÈHͧ½ÏñÕ5î\¶<·†…¸…ãŒoZX'nM³»Æ×QàKè¶þÙ
ÓÏOIîß ôG¼ß/ug^ýqÝݲÿç¸VPñMö´gµ‹ 4½šõJ¯*¼ªÂ¹­WÛ
+ä¬<â+›©äx*4È#NõÝ Us쮹ïY&b»9©¬sÿrfʵ=ûR®m÷¿¨ôÜ@§a4<ªáÞ¯«_I„σÄ)wâK\ó£'	kètQ¿ÜÒœŽ
+ZøCVMj@?~%LuN¼Û˜s|0š~^¦O‘ñu§öLÌo?zÁ?\y’ïÛùüö÷÷OCÛßÍBc-ãXœø™áP¥êklø¡—EB1¢ú¿sÉendstream
+endobj
+1074 0 obj <<
+/Type /Page
+/Contents 1075 0 R
+/Resources 1073 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1038 0 R
+/Annots [ 1077 0 R 1078 0 R 1079 0 R 1080 0 R 1081 0 R 1082 0 R ]
+>> endobj
+1077 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [460.1655 216.001 533.2211 228.0607]
+/Rect [352.879 737.8938 426.5323 749.9535]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1064 0 obj <<
-/D [1062 0 R /XYZ 56.6929 794.5015 null]
+1078 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [307.1508 708.0059 375.8228 720.0656]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1079 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [334.8268 678.118 403.4988 690.1776]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1080 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [292.0276 648.2301 360.6996 660.2897]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1081 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [319.7036 618.3422 388.3756 630.4018]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1082 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [460.1655 588.4542 533.2211 600.5139]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
+>> endobj
+1076 0 obj <<
+/D [1074 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 450 0 obj <<
-/D [1062 0 R /XYZ 56.6929 201.5418 null]
+/D [1074 0 R /XYZ 56.6929 574.2651 null]
 >> endobj
 784 0 obj <<
-/D [1062 0 R /XYZ 56.6929 176.5907 null]
+/D [1074 0 R /XYZ 56.6929 549.4832 null]
 >> endobj
-1061 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R /F58 635 0 R >>
+1083 0 obj <<
+/D [1074 0 R /XYZ 56.6929 251.7198 null]
+>> endobj
+1084 0 obj <<
+/D [1074 0 R /XYZ 56.6929 239.7646 null]
+>> endobj
+1073 0 obj <<
+/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F57 632 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1078 0 obj <<
-/Length 2945      
+1087 0 obj <<
+/Length 3071      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZÝsãÆ
÷_¡GzæÄî'?Ò§ËÅ—\&õµ²2ióñ@“´Í©Dª"eŸ3ýã,@r%Q²ÓK'?p‹ý°ÀåLÀŸœ%6:5³85¡ÒÎòõ…˜ÝÃØ×’yæ=ÓÜçúryñ§÷‘œ¥a©h¶¼óÖJB‘$r¶,~
-Þ}óö¯Ë«Åå\YDáåÜF"øòÃõWDIéóîãõû_¿x{›`ùáã5‘Wï¯W×ï®.çR«`ÍKüøñúŠ˜Þøîêò—å·WËáÈþµ¤ÐxÞ]üô‹˜p»o/D¨ÓÄΞ #B™¦j¶¾0V‡ÖhÝSV7ôFÝÔ)1Y„6Qñ„œŒž’“MÃH+íä´Ø­Ê.ÅA¶½”IPR§Ý”yõ³ª,UMÝC‰·†µ•·¶”:‘‰áD¸ênSd]9ß4«*fvÿ(‘
c#%sÿÚÔ¼k³éª¦~XY],
-šzõLäu™ÕU}·[Qÿ®Ùò@Övå–Øqít§#üðPÖx˜Ù\ÆI˜›@K†©µÊãÄÕ¢0Š…yýÍRm#æn;`^—u‡I@†(é$6t¡ð®©
ªŽŒºyS£îwÛCÄr릻ÛB—®œÒŒ2""MùDÙjÕ<ÍéSÇסŒ"9}ü®¡nK’¢‹Šµ/Dïn(ö8–“ç²I¨„Ô¿Á`Ò88W¬z“ˆuP~ÊÖUíè(Gn«ûÚ2ß-£îºlÛì¾ü3ÞÌx3š»G^[V|¯–*Þ£n:6)¥Ã0KƒÜMZ•ŠZ؈JÃòÁ­þ¤ÿ>4OÔÈè³½Lx¤Ô)J´‡ºbkʪiþÙ~A"³±'2ØH¥a’€Ôp£Ÿ…—óHˆà~›¡ä°ùoúeýL-à’Ôª€ØUÓël]vÏ›rìkTÐDb;¡°ƒÝ¯²üäx踣´ü°ùõ¾UɴͶz¬Vå==a›뜧fôaýÑÔ‡Œçµ»<‡p
ä,€/ëò‡Þ—e{GqîF°îñ ›rxn°hÕzó̼Z¯Ë¢3t$)]Åmôo3¥»Ô&wº¡ïÝn{niŸ¥eÞÁãA‡ºo‰:Ê:ä6ï–@|BwçZt5hðC˜¸Íd$~ëö\8Xo˜È°5½È8¾¿	Äç$óÃ~Âúä^ýà™ÅüÌÐ`SÿFØã)Ô÷j‰Ñ‡­Z¨Voà©Z9©ªYCôèbÜq|:G;:{ņ¡Ïc¶Ú•“Y'2ŒccÙº#?:tArUo&ÖA| ÷¾»-šuVÕKî<¥Ï,57,Ò$Òû†ÄB)&Ö4q˜(kVp¼¸2¡ÖÉFËÕÝ!Ô’:ÍÌB,×±’¯[Ú$a,â°õßÍê‚žŽå~ò4OÀZܤú`©ùp©¹µ&4‘Œ(·'it˜hmáòÝ¡qÆ*€%UZ±,ÿ2¾ÑÁEØÞE€‡¥H\µºìaF>p%<”Ùá7«žò5§=Cx¨eƒ#ŠÔŒå‘|¾ŒQ›ò„ÿÚ´!ö›—Ôf¢P€szñžÐL
ëNxìÈÕ˜QwHíÝ–qºCJFÝq?GE@„d^Åftòê—{ß±âé¡rßyì|µ+ÎD…ªÃ÷ÈãŒú=¹þ¾ê׿«ú$˜Ø¼ ~¥B™0<ã0O½\ÈCùåBVøEx/7Äq(¾Œºc*æ)?m²ºe #ó‚{ê—þ99Ú¨ðEÓ8£ZOfÿÇ/Û$*ŒµxÉ!›òšXÙ½¸õJµÕ«ÕôÉ4FµÙËÈU{À×CÙáP’'5#Â؈°%ã–3¯{HWîë†PêÝúBû½t;VBþˆh/£Ñ€²:öK2G¥
¶¨4ó@•ÆÉ¥£!.€½9Õ|À÷h%åVqªåHc~t#¿¡a~†ÊÏ¥Î%ÖŽV-?åå¦#ò͇¯/%a4\ßðÂ7ß2‰Á»®ÿ¾dëÁÞò`l¿"^öLô[ÿ¬ó)÷âƒüÛçÑßøQ¤ªïÙ$•2o¯ÿŸ1èa"ᛊñ¦Â»©è/Àûx+ÏØ«Õå£KÓðdü$øQAË7$€VVO鯡Š4ùø(Ô[äË?R­ë‡ØŽSû'é¦B°‹b™öSCÉ“÷¤ËË•%–+ò²ïåͶhr¬é	ªâÀ÷û–'À‹_ŸÈàM˜ºc¡sð¶Ì¹J=X‘-Þ»DXæ»m¸>õ„êÄ	wÔ_Óøâý;"Ã+7¼Àƒ|[Ý–¼ƒ³_äÍ›š…T¼.3êÒ­û"[oÎñ	9Ð&*i¸‰”jZ„Á !Ü[öXK”®f´ŠÇv-eáiÜT®T:-LØìnWUÎ¥q'†/]ý•JŒ*[½.Ÿh‰Å‚·zÈyùÛ²?å®üP&|ù ìj½Y¹úØɬù«ë›pÐ~ožWÁgÓ6{®'ªxh¬`Ÿ’«îÎXs¶Ë-í-ÂÐ81j<`ÙØ—AK”ŒYš‚RoÍŦžH-Nµö¶ì¨Að7æJoRn»ú®Ù®³¾*-’ÞAà ónظeîr½éž/¥”Ÿdù0tqs¥RzÁ*Ø\iáoNlYÛ6yÅhúOU÷À#4c“m»*ßá›tdŽáŠó7…/j½iZ·€Ãþm	3±"ìz`„„f0€¥wåÜ Í›xHÎx•áß
-ÕÙàC×5\Ý6±+šÒ §ÌÜ•$ÝgÄШ˲oõìÎûšh¬1o{2nìèÛö
mÖËvåÑ\}¸.Àáš :>¾“Š‰0iß åoÀÇ=zÂ…#¬ƒ\òõz·êªÍŠñ8I	È=0ß”ÛuÁ¶cð.û_2¤û=d]ý:T#Aû-ê¯åýN,n¨–	dçãêÂíÝótžu{uæ=ÛqQ/Ûö˜$º»mU#@ܶ#È›²<„B­K€ÇF¹œ‹Æ¶÷3j,<Ø4°Ï=þcÔt´*Þ놢SÿÃ$ZüÓát”„i*• côÖ3?†Žeh×þ18Öìí™
-ÈRõJ!ì/ì~¸êI!¨#˜©Ðž•qœ?Àþ*¸{È?Å;E"š¨Ä:x…ž¨.©þï¡™Ì5ƒ;숗~r¸úâdePF6„mÕXì_ÜëóŸ~ÆÉDTB&¡éRÇÊòPi#X'‰œÌ›§º½’4Á@i÷³¾'t#¸‹ýDð®ÙÕgR@︟'1Ô6L"kÃ’ýŒÓBµ"²/IÕX,·NáßÃLdÌ´2AYç€8~*Ȉˆ·øã.6\yŸÆÈû"qïW$œD·>’Žô‡H1”G%š"ð^(ÞƒÆ"v¿¡x1…wFjÿÎë&{IÝÈs‡úp±ÉÙmÛm³¼ó™æ“ègس=c6žB>OÉ£Ýô¿?¼~É~ÆI»‰Ò0Jlò’Ùˆ4„9”Ð-—ßÕØ”Ÿ”aµv­”…™«ê‘ÇœîE:2/!58#ƒ±¡@ƒd"&.M‚1­¨KVˆãÜ“ò†ý
‘žvuå|³&Œ_Hýšº Õ'—:&W ñÿªu¶­ÜO¢ÐÝ1ÎŒ	é,F¤§þŸ2À$Ü÷™@Lp¾¤&#S£8ŒÉ‰^‰]ú=ÂÈ	qT’sërõvæ¹mû‚Dy×øΰbèÔ>4»U±‹ŠªíˤçJcžå|ž1!ÂXEèM¨¬J¦"¹˜½‰^û/Iã¿eÁt’œˆDCéž%®…"µé¡8†ÿ]b.ïèÿ%©T/endstream
+xÚÝZYsã8~ϯð£S5æðÒµo™ÄéÎIÖöÔ3ó ËL¬YòJrÒÙ_¿ AÊ´c[ÝÛéÚÔ¦«Zx|€Ìþ±A*9ˆIÊ‚A¶:£ƒGèûpÆ옑4òGý0;ûþ:dƒ„$!³o­˜Ð8fƒÙâ·áåÇ‹ûÙxr>â†ä|„tøÃÍíR|\ÞÝ^ß|øurqÉáìæîÉ“ñõx2¾½Ÿ˜‡„]âŸw·ct}óóøüÙgãYDz,F…æ÷_g¿ýA8Ýg”ˆ$ÏðB	K>XÉ@@
+á(ÅÙôì¯Ý‚^¯™zHLˆIó耜$0I„ùŽ ‚„ð8âFPp48%¥p´ªTöhy¡ôÑpF’ 0ÐÁHPF,vS	³“gç	¾¬Uƒ+TV’ª©6u¦Ü[VÕ;$-ØøÛR•Øj+|þÚØ	³¥ZYF„§qàƒK’H&
³ekŠ 6*kóªüÞâpX¤õ9‹‡ªxÑÝÉp^Õ†R=«NxÀ÷öO®/‘º“v‘…j²:Ÿ+»C»T86«ÊL­[¤êãjbŠ¯xj½rfG›“k‚Ý÷wÐÉþgv"ΩOÖÉN¦>­‹4/õÞŒŸ C•fK¤å¶oÓ¨˜¨L¢á4/Ͷ@EnaÂz3/ò,ÕÂÁÃ1<ñÈÐpGæZŠOªN¤—ê—˜LìVËôÉ.?WŽ¡|¡Ê6ÿR®ö‚×±Sv¾Zjƒ•#8Ý/­Î¯n§¤Ó¾3Ô¤{)šÊMΊÍBŸÜY뎑°Of‚1ÖÎ\Ûe¯¥]Àtð¢Z¥šoÝ.ӕ–'ƒ)©R-”>R"†c£8GÄÖ2ÝÞ¨ZGú‰g÷MÊlW>Tõ*µöÎiö‘»ÕWé6æv´Z­Û—sÆØÐrÂ=dqfsμÁð|½9Ô߇¥MSeyŠj…÷ç¼]Úœ±Në6Ï6úN2ÊM·´	ëgV­ÖUc´Û¿Q0ÖÅ70Bà_PäÅ{¥ênÞcãå2DsƒgŠ<®¦›~­KhòÇÒ(3KKKB#†F©”k¹áZÎú¹¶òRõ“3±cáĆ^7ßáfN¶…G«j]Á…°M-:˾‘
+Œj÷µ‡FnïNȆÁÇÁª:®é…C1l*P@ù¨_¬taØjS´9ÜH¤¢”€œÛçZÕ«üœ
[Ô+PШÖm¾ÊÿíLf¯7µÖ_c÷ëFªO©¾ô–l|vlÞK•ÖFªÐF‰b{nïs[çνh
ÖM«†ÑáT©ýÍ“ˆAå ˆ‰ca‚'vÖlL¼hÛù0ÚúžãõºúhSP–pá™±}žD“$a|‡§Wq¿ÕɈ‘1Kv9±ggÛ„’X$üsEÑïcàÕºGEÁ÷yèB‚ÓrÀ!=<ì­£0ANED†4ŒHñÏb
+kKÆ+•àÙ÷MêœÎ5º`bC½ºþ²2&`ß ‘”Dq}Z2&öÐâ7Ë1âݾ£à<
+kÙ¦›±»Ô¨;Ô(à1(Q“ Š'’%辪çÒ]eâ$Ú"v½~h=k?¹Ýè‰ÿ¹UÜCµ)(ìØ€â(|ìóûu2ÐÒˆ@+ q|É’nÆQ±Ê„ƒ£>©r
+6-t§ËÏG¡¸ôáÉ¡*3€‹ò`ÈB$ÎóOi±Q؇®X¿vàF[ê1f}M2 ÒïBÅŒÌE‹Æ©]¸áãd™ð¬Ÿ-Bzzül©î¢ià3?ÙŽyÐê0G“ÓyÓÖiÖúƒF‡‚évÏæ¸Ùxúø:o­FF$æôK–t3Ž[À½†¢ÇldùcÛ¬jö3XMØ+eD˜¯L+±ÂŒ‡EþdûŒîu<™lØôúŒù$#169ô	Ž¯h…ºr„GT^¢íâ¨
mÊÜ8gˆY?!¬ÊB*—i9·ÃÖu¾Jë\§…úucAg„PMì3$™ä뀕Ày_Ñd€í6-L•ÜÆ qꆗPê×eõŒð©¨œ1ZÌ"nÝóƒˆÝl»pè¡òanqT³¬6Åb$-ò&K-v>á}Óù:sÜZ85ž,¼ZÒÍ8náœ.Â>!‰àW@Ò&.¤DÇ(„ç…DÇD4Ih8Ç}- bôð²›ùé‘)>0¨Ú*«
+ú®´Ý0fk—Ù6mZ:L±:üeOhn+’¯“ò7UœÐ8™}M2n3B×4¹Â‚þïB=BstŒÃp$C›¯iRS­”ö]
ÒâGµªRëé‹´MíFµ†v2zuÙû븆ü³¿•Š¶…Âÿ–daBDĘJDh´[±|ÁÐ{Y5®¨±XXqWú;¾U:ò-C!µ£>`)¨$2²ùÈ„Õëi(›û§ðKDãíù¶¢ao)ǺœÀ{DÃ!XŒäþ î@°ÞY¯à’W]mÝÅvTj>;ïØ xë>N	-¦$Û¡]O¯~©qÇ;æ¾yø‚ƒ	CÀŸ§îƒ­ÍÚRáØx^púè|›£Çñ{–k1”³¸O°aLBj3ÀËñä2Ÿ™AXڃݷ;—B<æ­
™ª[[0oO`Ÿ‘÷,¯@†}	BáàåíÅ/c°žP&{)Á>„|®*·1y[ÉêP~é¾såé	?hYŒÞyÅŠ³ˆpÊzý ”$Lb÷%Ä¿#ˆH/Ô£û„ÙjÐÑõé««à¹C]º…1$Ój]¤™IÏ`)`
[RÔ*’>*GRêÕ¿HÀ/\ºúÄ5úe;C×Hôsnß‹ªúÓMÞ¬¯.ÕÕ‘Ú“É,ö>‘šoµºÁÈŸ°OàoU“ú7ŒP@ŸYPS–EOÿáþnªK}€¦~9rçz=ÕÜÝ­uÕäÚ`ÜçŸIùÀP]ÅÄ~Fúùîò„D·¬¾c—ÅAxBû\A§Ô}!Xñ›àì=P§vAI"ñ¹~ÇÙÔ
+bÚ—T±ÈTØÑ/þ4þÈ6àà[[éÜ…$øClÿ©œIú?Nœëöf]ÝN·Áø„`=Žß³ÕÐtÐ'ØÊ&e?ýâ$ì€H÷¤©>eËt['xp%Küfó%âôø|Ïâ”$¯”õ‰S&„!&rNÀNÁ­îû€NZ¦0cjVðòá~êBýCåýVa7ìC–¾rÐNúù·’ñ7¨3ÎH$½±&0Ê
ü&$ì•ÉÆXs`»[Îfñ
•
púW~	­äŠ’£aÉíÌ£`q¡ZØðb÷OùVõÞoað4$°š1&`A†g¿½¸ŸM4¶~F“nÚ%˜yûâà˜þ¨g~”tBHÞîï8z%<¯7xQó
ƒ×íôâDÅ]Q°TísUÿ¹­?äî‹Ošeºš³Ûqyœ¼c/
+܆‰ì‹I±þe2M¬¸tH
+ã-uæ¸éIm#Œÿ°m4Òèv~8r\‚o_w\HíHÄC`@	‡xzèKtÐ+ÞÏýyøö'ò2dI²»ï,çéµÌïa_ýê¬û¹å±þt’øEendstream
 endobj
-1077 0 obj <<
+1086 0 obj <<
 /Type /Page
-/Contents 1078 0 R
-/Resources 1076 0 R
+/Contents 1087 0 R
+/Resources 1085 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
-/Annots [ 1084 0 R 1085 0 R ]
+/Parent 1097 0 R
+/Annots [ 1091 0 R 1092 0 R ]
 >> endobj
-1084 0 obj <<
+1091 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [296.3342 194.6174 369.9875 206.677]
+/Rect [296.3342 570.0778 369.9875 582.1375]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1085 0 obj <<
+1092 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.843 194.6174 463.4963 206.677]
+/Rect [389.843 570.0778 463.4963 582.1375]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1079 0 obj <<
-/D [1077 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1080 0 obj <<
-/D [1077 0 R /XYZ 85.0394 590.7258 null]
->> endobj
-1081 0 obj <<
-/D [1077 0 R /XYZ 85.0394 578.7706 null]
+1088 0 obj <<
+/D [1086 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 454 0 obj <<
-/D [1077 0 R /XYZ 85.0394 404.9277 null]
+/D [1086 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1082 0 obj <<
-/D [1077 0 R /XYZ 85.0394 372.8221 null]
+1089 0 obj <<
+/D [1086 0 R /XYZ 85.0394 748.2826 null]
 >> endobj
 458 0 obj <<
-/D [1077 0 R /XYZ 85.0394 372.8221 null]
+/D [1086 0 R /XYZ 85.0394 748.2826 null]
 >> endobj
 651 0 obj <<
-/D [1077 0 R /XYZ 85.0394 342.9663 null]
+/D [1086 0 R /XYZ 85.0394 718.4268 null]
 >> endobj
 462 0 obj <<
-/D [1077 0 R /XYZ 85.0394 286.3084 null]
->> endobj
-1083 0 obj <<
-/D [1077 0 R /XYZ 85.0394 263.9972 null]
->> endobj
-1086 0 obj <<
-/D [1077 0 R /XYZ 85.0394 177.6809 null]
->> endobj
-1087 0 obj <<
-/D [1077 0 R /XYZ 85.0394 165.7257 null]
->> endobj
-1076 0 obj <<
-/Font << /F61 642 0 R /F43 608 0 R /F42 605 0 R /F57 632 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [1086 0 R /XYZ 85.0394 661.7689 null]
 >> endobj
 1090 0 obj <<
-/Length 3056      
-/Filter /FlateDecode
->>
-stream
-xÚÝ[[sÛ6~÷¯Ð£<¡¸Ü7×—ÔíÖöJînvÛ>Ðcq"‹Z‘¶“ýõ{(Q´%&2«m2c‚ ‚Îå;èqø/zÆ2›È¤çÍ¦7~8â½{xööHÄ6ƒºÑ ÙêûÛ£ï.¬è%,±Òönß7ÆòŒ{/z·“_û–)v#ðþ¿®¯ÎÒðþÅå_¡$”6²úÃÉÍíùØØôûË«3ªIèrz}uqùö—áɱÓýÛËë+ªž_œϯNÏ¿ýñèüv5åæg	®p¾ÿ>úõwÞ›À×ýxÄ™J¼é=Ã
g"IdïáHÅŒVª®™Žþ¶°ñ4t}
&ÍÒ(Œ3-Äö·Ò8¼5¥b	Îsó¥Á&à ¯5ã	_#¯Uy!ÓÞõœI˜URädz´,ViÝOçÇ¥T?›‹I6ÁÝ–*ïòŠ
-Oéì1£gÕôXôÓŠnòI6¯òß8—YI-Sº,–ÇÂ÷‹ª3jú>}ÈgŸp9z¾É	_!¨€“*–´rù¼¬Òù8£»â=]Sº4‡eí¥ÕƸ	|l’¯ƒYiÏHloP7ØçÊIhé¹ìX9e˜“"	 
ÏHÎñÏÉñ@'°ÒÖô«O‹P²°¨ª*‹‡¬Êpq°>,ü`’-`	³9®ÕOÒ*cLÓº.¼¶X¤»åx™ßᨸ(aX‹“•Åc(Œ³+Ôøô}­ÐZÿºû8îZ
-ýÇzÕ6aÊ‚
¤cÜm‚A:‹«U0F0ªÚ"µµ²N3ç¸àß¼5ᅦe,f³â9ŸßSMJK€¸walc$—0“âa””’m¼0Ö‰Ø*è
-Ê/Ê't7–TøŽòw*Y5a(cÕ,/«lòëe?UÓâñ~JæEEÍ‹»²˜eUZ‰Õüóìã"[‚ðÎ+˜@膯üDì¼
-*¥@¤Ø”Ñ)¼¾XæãÐÙÐ|§±3ZÔ,̺Ίù}¶2Bt½ÏæÙ²à±Ì°û_ÚR½Òh«³FÊÿ•òµEý|½ª{l5SÝi¥¬J˜ôÊäÁ2ÀÚÚhO‹²Š˜O&ÑF”ÛmCã}_÷	kÓð-P]qZøXÀ(éIoOÀ«Z‰¸D麼y²_Lã•ûEFìhá¼í¸*§ˆœÀ?ð:ZÈþu4„ËûbùV›TàUÔ¶ƒÖ˜Í‹“IÀ>+ÑÁâ,GùóÉÅèì{@Mz¾aƒ)§U^Ì7ƒT@w—–ã2[>eK»¼NF7°»Û¥±9ãCÖ;æU»5‰`ÚJ"Y§t($ùš¯Ù¤Ü`¡“ü>¯j¯0ΖĀòŒ§9V^ãK¤èà¤Ø„’Cp]üA›²:iÅäpœÎ‹ùÚÏÓ‡6ÅâšÎòt‡lÎp_@‚ÇñÖ|‰(×=¶©9ãÆtXAcƒ™‘Û<‹@¯ÑðAÉ) á³ì>*³Öha=>TÜŒ*Æ0Ce¶^ô‡Ùb–ŽCh-ÂRà“â!†ƒÜ	xåËPŒÖFs°
‹lLË9¡Šçâ¿P‚å„—t³îQt½‹÷³¢øPw~\À¼¨ÔYŒ-økQÅd“‚
/N© ­“;Ä¢÷×­á·5GÒ3Á»¢u£³Þ*oo®ÁnkÄa´ZŽ¶vÝÏŠ»ZµE™£ÀD‹>z„°PôAP&5¶wŸèú×ëÓˆ6¦zÈ^X&´é2ð"aNÅ(ú‡Ë«‹k€Tx¹ËbÞüÒ
-®G«H …dƒêî@´1ÕCF”khÉE¢ÜAH
-Ä
-½]CGãÚT„lÒ"š&ä/‰	õn1º¬ÅHºèMZ8¶Â}©:Ô_'`™¤ ¯ðÓù?Y#ÁC8KàlæÄïfù˜Ê²Z˲çÀH¢œ’Ýnô:»­ñvXó=dT=gÒ%Á˜ö
-¾¥`ì§wà"…¯€´…eöqS¿Zk˜¯îpZÚ@±D~…0å…ÀzʳÀHÝŒJµÄÒ­ȳA .0µ¼wýÄéuÏ­,q’UðÂL½ù‘ûJò~qW’ÒîN+Ë8|Zøô«“›Û!rZÕdÒÇj
-B^}ªiX>¯ÀháÞQãåjÉ!àÓÉ°íBnëjtr9¿Jγê¹X~X'òz“'1…³Fm^뉲åží»ü‘L(£#^è¬_ÓÏZœ€0=ek÷B隶+³X÷«•{+„ÉíC퀰ð/±ºu­*Ë™“¾K-yÜH
-¾»
^HE‚n¸a$^ÁEÎO©Œ1ªá	ᘶª²Ù§ºõ$Ç<=§Í0¬›X …Ótñ<‘±ud,e˜	Ö¤tÁ¼QJurÕ
-¬;ÚÜq	õ“"Ž‚û%XÈ>æeÕï•Pú?Ń}÷±°þ6¼{߆¥á®´)E·Þ†Áúw§
-ÊMÊcã5LªÑ+OÄh‹£—F™–@w:—¦x|È}SK6lœLvK±2’)“˜€Yp-ƪdEð£#!M/ê˜4¦_B‹tÙJ’W›Ö s+éS¼;ð
?ôPUWöÂuZ¥9Ó\“¡½AâWŸ%x>}ÏCºX€ÄÆ»;ðWYÖÎBy)[Iw065|ÝŠmcÖû%©{=Ÿ À?%Üu«Jz¦!L¤ó	7\¹8x>îäPèõh}YÌKº‰Ø- "¿›eTI&
-$ÒPX±W•HˆÛíðç$š_¹ßÃ"{¤÷,I\‡;T\3£|<,w1lk‡HCPU6¨¦±|‚žÞ¡¯@Ó7ÑÜ›Ü*©XEïa‚‡ÂkðP¡Uú”Õ²|¹ÓIÖÛ)´ðãªÎULj
-D^#
H½èHžHc™ž]Ÿ mUfW2º¬^øø¨Dõ6¬Q!ÄŽà³9×öCR&LJÑ‘,‘Z3Ü_
ˆÁþüi”Õ›ÎG9ÓOïÀòahp6›Qå‡y0HX¹24X#Õ’¡bÅ”6í¬½"ÿÄÀÿñÓ•múÏ:dŽIk;„¸ÜIé‘Û‡Y%úUö±jîŒ)ƒ=Ù¥ç÷ðþ®ðy_—žC¬ígj‰X¤SGÑœo³£¤P|ö<ÍÇSª%YÅR”U|¾vŠ.YÉê›íf¹|Ãá!Ñ’®£ŸooŽ…Lúoèž|{hA—UJ‹bYk|ÿ‡Õ;ììVÛ=¨“×âÒz¿lž=×ÁË0ñ®•§²]<š¸ð>/ÕÚtdÌ„SÏ~"2ï¤AçÝÚA;vÐÀ¶‹×w{cëµ<@u›$ÉÄ}&IjÎ_Zøÿy@Whø.ëõîºsŸ*¦‡o§«ãkõéÜ—r-îW°|}$ÿõ3¹à%¬HãLî+G­_5²$:žÂy\Òí¼šEU|JgyëÌÅŠu‰Û~ÜU qsÒþ¹Ž»&|¬ëR\Niè°÷}…?¥0vÚ%¦k@#sûTVÙÃvUk¼ð€w¼F¶q00±	ãCj™ÂÏ‹õ/:šî
%2º7¤¬!‰åtp>x?›Ô~¡V‰
j;–oꄬ
©rà´²«iÀdéÙò¾G…aCÇWÍö/?îŨaB´ºúž&™x±¾˜Q‰jNæåƒêF»§ðb,œÂv‰j¬ÕŸÃvkÂs¯x|ÚghcÉ{Rÿ¹?éZÿ¬M;¦¼ßrrå#@úa¬ø«6þâg‚ƒ·ëfÉÿ¾‹h.endstream
-endobj
-1089 0 obj <<
-/Type /Page
-/Contents 1090 0 R
-/Resources 1088 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
-/Annots [ 1096 0 R ]
->> endobj
-1096 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [370.4473 83.966 429.4355 97.9137]
-/Subtype /Link
-/A << /S /GoTo /D (classes_of_resource_records) >>
->> endobj
-1091 0 obj <<
-/D [1089 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1092 0 obj <<
-/D [1089 0 R /XYZ 56.6929 660.0058 null]
+/D [1086 0 R /XYZ 85.0394 639.4577 null]
 >> endobj
 1093 0 obj <<
-/D [1089 0 R /XYZ 56.6929 648.0507 null]
+/D [1086 0 R /XYZ 85.0394 553.1414 null]
 >> endobj
 1094 0 obj <<
-/D [1089 0 R /XYZ 56.6929 121.2263 null]
+/D [1086 0 R /XYZ 85.0394 541.1862 null]
 >> endobj
 1095 0 obj <<
-/D [1089 0 R /XYZ 56.6929 109.2711 null]
+/D [1086 0 R /XYZ 85.0394 337.1513 null]
 >> endobj
-1088 0 obj <<
-/Font << /F61 642 0 R /F43 608 0 R /F56 626 0 R >>
+1096 0 obj <<
+/D [1086 0 R /XYZ 85.0394 325.1962 null]
+>> endobj
+1085 0 obj <<
+/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F56 626 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1100 0 obj <<
-/Length 3360      
+/Length 3265      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ]sã¶ñÝ¿Bo•gN Ù>9wvêLâ»ú”6Ó$	[ìQ¤N$íóýúîb$%Sv®çL3ž1€°Xì÷‚3þÄ,=_%Á,J/ôE8Ë6'þìæ¾;¼fá-Æ«¾]ž|s¡Å,ñ-õly3Â{~‹Ù2ÿeþúïgï–çקúsí.BíÏ¿½¼zC„š×o¯..¿ûéúì4
-æËË·W¾>¿8¿>¿z}~º*% PŒâßo¯ÎiÑÅå秿-¿?9_ö$¯%|…ô~<ùå7–Ãí¾?ñ=•Äáì¾'’DÎ6'A¨¼0PÊAÊ“÷'ÿèŽfíÖ)6I%¼(T³…
-¼XŠÑ¢G‹•¯½X&05L<­¤ê™ê)¦ÂÓIZ¦^¿9;
Ãùò4‘ó3¼û7mR¡'@‰oW
1ª]î.©¨—ÏêIã¦[µ4f@}ƒmH
-y½8®ölnQìÌ-JæÍ6Í˜S  X¤€gGp-¼ÖY	ã°jKÃhê$nAÏ/[ei×ÀM‘†‘GÇӛϔpNÓÝà%¬!DØ{àLJÃÙ&'ÑŠ`¤!+;š¶h»Ö-%€Séhï-ìH*›ÿ΂gVÛ6ÿÇUõ˜ῳ't{¤4_§ˆƒnc¡ÃðPºGu;L ‘‰~N·¥ôB©)ÙùñgÈøæ°’s¡±U÷À>òÆP[e†Ü¥eghɯ~è—õ=ªÎØŒÀ+Ó‚eÀ¤ øM]⪜x U)
×uÓ×tÖo*Q–d_0°ª¬ö¬%@ÚpK
HI=ó)¸e$6"àF²3€Ô÷•µí÷&w îhlÇ5dÌú¯çaT/ÂXy~ÏhHkOkº÷Õ{pBÇ."Üteù@Ý]ZhõV¦_-Æ„¼T´ø#ø	O*6žâ(mäCìC†½[^c¥’æ‘¢þìƒzKèà¹øj	ÕœO)åû·¢CýÎsgviÉò©ÌŸÈÅƇ½O†ôÿQ5	x*‚ru!#0ýZø‰27„êXÇѶ»27
-¸SÈõ¥õ}rð}ÒÅfì¡·“7­©´Ù–EV´˜¬«xÈ.¤ï²i]+ç?0pÀ¢jÍ­•+Ž¶é®uÈÝv>õúÚ£ÎEͧ͘Ž5|æ&­¦œ3Òݘ(-IèDHʬááÉ¢Þ(áò©0Çv6kê5° žwYÛqqÒ#àýkÞZÚ )æè0Ìe_J`Á“"•Ex?FWÛŒé†1AÚZ¾ ú T&¢}0\ØJËΆ@©K.q@Ytl^f¬^C
dµ}|­ÀÊ7PCýåòÜ°î~]dkÚ^ðIY]5EÓÒŒ©Æ‚ÀrGžÃeaÉ£%wé®HWåä=I7ÈúC/=czöžIðjíáIeLÎ0›‡>õ~ŸéËB÷ð’{=y‘—(.~Éf€šII*
-IHªàAØ…ÑÀș̌¼ºØðò²Ø-ëŠÚu}Ïs5ÂE@Pî8ÎR^»b4Ì–±ÕÞIYš­m^ƒ`׎:uBym•> ˜!òvk-)\>¨k×õ®hÓ¶¸34EYØ#üùçº2Íß@³ÀZžcäiÙ0*äDNÀºC÷øb¾êøì•;˜¸ëdxâ\³Ä|[£{r´£FN\®¯¬4àIz¹t0’[¢J@u›¦¸­,qµ”$Á€#ÍÁ×€+´î@ä'`ëÞAÔ»_›qõÇ+”ãÖ»â¶ÀZ²±¤Éù¿ÖÅ¡¡põÌG#ˆRÝPϪvlE-Ôn9õl­-¼)>·!Cþ¡¡Æ	jL†
-Íg"·î¡—ÀëJ¦ðµ˜n)OkÅ‚ k‘Ð^Zm&pkvè¯S[k()¡0¼½5MK²~êÓç.¨PË×ugMNJ2
h­YÑPHñKr ’ ‰ÆBroOYdä-Wð­\B¥Ì{Sj¸Î˜¸¬L˜*äw
-»qç3‚Ø–°&BçÑ&âiÞeV+°ÝDkB¶)Ghú¢§ŸLF€£¢ê]yö@ ¼Ûq'QNháu/¦UÞ{ÙʽÃe,ûÆeº«4ûÀËj^ä<7
-Ûð++-ëÅÞ3÷>œ?ðÏñàŸ¥îßÔµo]‘t¥ö‚
-šþ¹PsÌЫq§yÈÒ¿bp¥)©Ò´sõf…†ËXD¡»>¦EƺcêKØeóoŠãKwûÊy8„~ä
>vŸ]éÑõ’H›Ñhm3¥fxýtÒ©)»Ûÿ@á½°¼÷ø‰%œ@¼RP®ðg*ü°$<	É’éÎòTȘ>µËôͧíÎ4MÿbëÂ6Šàñ÷@./	½Z’œ9b¨Ï
ðÁÞ>¡Ð„zÁ$’³CìѬӖ³«ìƒiùKW"‡Ù7Xãzö‰mÕå+÷àÍ'îÑÕ5e¥Oiɘp ëâvm·Æø”˜AÖ˜Ó€émˆ±!J©¶fWA3öfЦÔ3kn]‚TâX¦¥Ì^ònvíËË^EŽ»¾xMô_¯¦n•Òw¦}°ÏØÿT¦;Ð÷ƒÞíû.¨!¬ào
-›ü¯Ç”«4üeâ>åŽbë‡Ã}ã(Ð%0‚Ü»C™$p’˜ì26. Õ³i»¶ü¡
Åäc©g˜ÚHÎ7øÖµp4é®HF:
ž_Q×Z„ §1<Ö"¨,*ë¥}‚† w»¦	¤µ¨:çŒ`.m¨;:BG
F·*ùØ®!_‹¼¬²!¶yÊ×*%íÐ%¯§œ³UödìÉù-¤‰ÍÁ,Wž“;m)ˆKžI	è "B®Ä(ù¥Ø-ƒÉ2­> {@8—Žœ\0
-Èõ:ÌC'¤ç|âʸ¿†Þ²GNu¨MÕlçwEݹçg{Gè|‹ÔòG*–Õ¡OçBœ£kÙåÎ÷Ÿ·8âæ骀ŒëÁzÙIÉ]UéÈ=‚FÌ0zô`‰žß3¼,lî5^
-ùÉ+Q‰ë©â˜­$çÍÁN*ñ¡ózXÔoDdÔës°qS™M]Y3Y³ØxUWõ5íü°v	¬öû€žrԵϤ(㛺çû8o Ú°ÇUÞ#ä1âÎDòÛ4‚Ó»ºpTAŽpÛ¡hö20¶†“gTQÊ5ƒq®°×sìÆ
×Ô÷†ºNÞà|4t?Tõ}iò[sU_¯2
ŠSŸÒýJ¯uÄìöXÎõÀ=ïÛ@ºÂ¾"êV
-}á8­‰‹óMÈQšô¶w±¿v^%ñL]P/Ëßõn«}Ok~á»íä®G¿vy‘Çt¾¤Ë¡ÅÑðÛ¥hü–®"/Ãd&||3VÚÊäòý¥wþæ'|íQ±o?ïE*’~’ïž__Ÿyý²Ã§õD0t8ú+_Öo /ú#ÇŸ¿&ˆdš?2H<€ª&‘ˆxøܹϳŸ{neÆèœeÆ‹*K,¼8ÒÏ)KzVô`_ÀÈ"ÐpSQ‚’±—x@<ʖщ^¶h`‚ý¨rZG"å…>W«=à`@xœ#Ü_Gnàk/òƒÀþº1ˆ§éÏžeÏïýÁåð£Ó òTùÀÙ_R 5¬4Z²#T±Ʋ_5"ý¿NÞw]endstream
+xÚåksã¶ñ»…¾•š‰¼I´Ÿœ‹/qšø®²ÚÜ4ÉZ¢-N(Q©³_ß], QïKO7½Içf`‰Çjß»À‰‡¢g,³Nº^ê43\˜ÞhzÁ{ðí›æ\ÆI—ÝY_
/¾|mEÏ1g¥í
:{eŒg™è
Ç?%–)Ö‡xòï7·×ýKixòúæ{è	¥L^}{õvx= 6Lýêæök‚8j^½¹}}óÍ?WýT'Û7·\¿¾\ß¾ºîÿ2üîâz¸B¹û³Wˆïo?ýÂ{cøuß]p¦\fzO0àL8'{Óm3Z©©.î.þ±Ú°óÕ/ÝG&ÍÒ( “fJŠ#ÇÒŽ
]²LòtëÔKÁð¶”03ãrEz­:¤Â0¥½Ô8f•Tžô·ï†@N-T²lŠ1ty–”3j¿¾½»»~Eý¶ÆÖ%M1Z.ú"KŠê%Η£¼-è{;É[‚
užÊvBóò ¿Ü#sAD¤~š‹þ¥–"™åÓ{Òc‚œšQ±hs‚ÉÕ,³Úbñ>¯>®Ã.uKâ¹lÚíý¾‰Áïõ6TÆžcꬎžüoÃÞ`@mû2/ì¦INT!øœM1êEÜšZÔå&¤åì‘ Ⱥ<¹+Š ̯_QDÈPÏoqÄ©¶-çÚ¤LŒïˆÇljœÒS ¾k~ø–qÅa)æ“ÒœbØ&Âz’½Ð&(‡‚‚¤˜×^&h€¢‹m1‰Ày¾h©W?„i“@ãq=õBy@½fžú LGÈ»ÆûãHñI©keÒºì8y­s,3Vyßõ/-\ëú}9F©GªLóù6Œî‹ö©(f[¢šI0¦Î;¦9°ñ8èJSÝ.Öç"®T̵û;[Ƈ‰›J¦Œ;!»6K™ã‚ðà­'®L~æ†?ÄIS0 ØÓ¼-ëb;/M=khh7@y_$‹ièH£1q2¹~¾¡f‘èÏ«¡àÇ¿ß¡¶&÷w}ÆmRËR‘ð<&ƒ3¸ÎüOú<Ì*‘´ÅsÚ`ãkߎ(z÷¼sI¥2,³æøø¸â0YÀòfFžPtcíl” ‹L•—¢I²íðÈEÅoO“r4!(É*ö‚¬â÷µWLÝJV¿8,–ÍÒog!{k¨½ûaø¶/¤K¾ 19w?ƒšUaA–óy½h½Ë5Yò-$~`jFy…‹ÓÈf¯ã}	áýKtæO1{„ZHTZDåˆxtèþq¼ü¤™‰‘Ë\z"x6JB«‰4ï¤A÷
éw7z+š®Óð()`ݽ͇öÃÕ8{-Þ“¤K?0Lêþ€s©áº”tª6…kRžnÕ¦þ»UaS©Tà¤RÆÓÍšÖNmtX£@{LK~€•±ðs‘¥)Àè¶ꪪŸ0–:ùÚØÎJ«ËLÃq¸dTåÈ#š·q‚tL*àÍ‹N>°µ¦@lTìµ²a4
 r£á¬­‚.¾Ï«2$³±T°Š; Œû붌¬¤\£u“:ý_q”ÕÕÀReOå½ÚÌXRÝ›[Œ}
-ÒíK6 Š!z{iÚbzXÙºG~Æå­5à«Eb`g¯³œ‡,ôuŒð7Šepr¹úZVª½Âq5ŽÞ!êÅF„;4afSÛTU)è«Vv K=ê:š¾šÙ]°ûûv÷õ¡&ä­«ŸtÅ$;\Kª•SøìÖÒã¬Xìî†X­Ïþ¿í¸†¤Ë©t-½Ö8ÚqåUSÄ6øú
+c’aßÉäjiÆÈÂLs¹´aEýr\Ì‹ÙØϽwåzû#¥á´GaE3Z”÷;á¶8l¦¸&2ÌŸËL£:f™=‘BÇt*IK ϶©¶ëªÃÚ\ßv¸òÅF~­BÁ÷¾¹y»S‚:¬~],?ãZ¯Ò)s©=AK«˜!Ĺ²XYbNó9æÆ\"ÁW«tûtå€=¼¸ÀÖßÁä›·ïm€¬éøòl¸dóߨYÕê4µs›‡µ¯YWÆyõµ*òñêb
+«b!´ÆÂË3ŽW?ÆØ5ÅΛ¼ŸWI”e\òUD¥³<¥’W·W?\Ù­^Ý@m_"¡Jç¼s‰{¼¶;ãݲÌ2&9'ÈþÅë™D“é­«#åt’WîÑå*HT?‡¾|œ2£K|«ëU7Ëû–Æ€AŽr†ŒÆõ‘;Ž kX	 ]Ã2ÀÒoÐ%ÉcN÷„§æz¤RÏ`6€mU„mê1ÞÔZg“›–@£|R“ít¾©ý•"œÓ,ðGxꦦdGaøÛ²N,)û$•®"ì/4^·ÑÈÑ´e»lãT2>™í¬Ýsåý@\™îd0žq»ÙÑ_‚GE',ðÏÕaÑîÊ̹.œ?A]JÉ”Ò'L¹LË„H¸Þõ/V2[<‚}|(Bæè³M˜‰ã² )X²€L×GíðŇB¾/ZPŒPÊ8åÞµxÀÍÊiˆLûD-ˆ·E‰¨*R/KâÊîx}„,kù–ЊzÅóäÿ1lB×Z°Ô áÑv£Æñ]];" ÊÆ•)©auêô	Ñà­,EÁ·w`„Í¢;xXV±tðÛ2¯èÂbüG]Eóæ¼g-KÌ·¤>f‚3.B2¶ó‚ãLë`ò	$¤YÚº¾UJθ1éÖ
XS¼/øøɇfH¦êØ]A÷¬?]rë˜1ô¾é’[‘Yf$×Ç‹”¦,µ*[)•\>ý2öЂû->‚ñ é¼*Ge‹QºÊÖ‘…ä1²Þ®†ØGò$ñÓ£ç+Žè¹m—‡SF_6ÂNñœÃ±E8sšÏ^öYfÄ/?Š…ÏEèDȼÞáÑ¢^'Ø┎c;É›	õ˜%ËQ¼6oV„õ“°4Ä0no)¡Âs;øΆ² N¯ýi>Fzë!К¼‡ƒ¼Øó³4”¯hA·%Zz"6Z×wupg8µ§/’goh`<¬Ç»g˜„Þ‹˜éjµÎz¡?~Ü5Ì‹—O°¼‡ðuNÓRÉÆ”UÁ„Ü_Nyã^ôFJS`SÞç‹2Ç—={"Éõ6Dn#&ølTEð×µÛ%‘YQŒ›áö×Ëï‹U"ë,c¶BÕØNE_6Ó"'fàÝ°—_’L¨G`»hàu	ïÃìr¦Wå´l	HwÓ‚ §ð­¦SBæÿPÆ£<̽ÛüZÌÃ.ålã¤Q>šø`>ÆN"têŒkºæïMU
+<Ÿ{JEÈÖÏò¶ôO}àÕ­°GЫ„æo Ü
+`mø6Ï«&l…”°^¢]Ñ\$÷Ëpö}<˜¨yøX9	lɼF»qG‰Ü£K«t
+Qš¤ —Ã#¾¹À*¢ÛàÛ@=&N¯÷ÈÇ`ä@
Àz» 2°tã ê=MŠnÊf¨H7Lúåc‰	dãQ“É“²Úk >*A&ë†z^$°ãÓ(hé4ö|‚-"<-/â‚Ò5sAQ3RTh~'tëÕ1Ô	yï¤ÄÒȾ}HÛnUeëÙ‚ ¯‘ЮnFöbá/	|†¡¤„lðñ±hZ„Wg¾Ö>tA„š0yR/½ÊIIª­W+Z”ü‘ã’ÁIàÄKØ…øØ]–o¸i€I
+>Ú—‡µ95!»8ð0B}Mo=¶½8ïŒÂ>ôÑþú?.@ꩲC6BØ "Rþ¿-ÈÌgRY¹õÿ}Âm/endstream
 endobj
 1099 0 obj <<
 /Type /Page
 /Contents 1100 0 R
 /Resources 1098 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1107 0 R
->> endobj
-1101 0 obj <<
-/D [1099 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1102 0 obj <<
-/D [1099 0 R /XYZ 85.0394 738.8901 null]
->> endobj
-1103 0 obj <<
-/D [1099 0 R /XYZ 85.0394 726.9349 null]
->> endobj
-466 0 obj <<
-/D [1099 0 R /XYZ 85.0394 340.3424 null]
+/Parent 1097 0 R
+/Annots [ 1104 0 R ]
 >> endobj
 1104 0 obj <<
-/D [1099 0 R /XYZ 85.0394 315.6401 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [370.4473 443.4181 429.4355 457.3658]
+/Subtype /Link
+/A << /S /GoTo /D (classes_of_resource_records) >>
+>> endobj
+1101 0 obj <<
+/D [1099 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1102 0 obj <<
+/D [1099 0 R /XYZ 56.6929 480.6783 null]
+>> endobj
+1103 0 obj <<
+/D [1099 0 R /XYZ 56.6929 468.7232 null]
 >> endobj
 1105 0 obj <<
-/D [1099 0 R /XYZ 85.0394 130.0959 null]
+/D [1099 0 R /XYZ 56.6929 396.1951 null]
 >> endobj
 1106 0 obj <<
-/D [1099 0 R /XYZ 85.0394 118.1407 null]
+/D [1099 0 R /XYZ 56.6929 384.24 null]
 >> endobj
 1098 0 obj <<
-/Font << /F61 642 0 R /F56 626 0 R /F43 608 0 R /F42 605 0 R /F57 632 0 R >>
+/Font << /F61 642 0 R /F43 608 0 R /F56 626 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1110 0 obj <<
-/Length 2819      
+/Length 2901      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ]sÛ6òÝ¿BôLŒÃ7‰¾¹‰ÓªÓº=ǽÉ\ÛZ¢-N%Ñ'Rq}¿þv±Š’©Øm|3O_û½Ø]HM$ü©‰óÂ&y°ÂIå&³Õ‰œÜÁÜ7'Š×œ¥EgÃU__Ÿüã½W“ ‚×~r};8«²(ÔäzþKæ…§p‚ÌþýãåÅé™v2{?ýzÊX§³·ßžÿt}qEž—~=½|G#š·?^¾Ÿ~óóÕùin³ëé—4|uñþâêâòíÅéo×ß\\÷(ÉRÒ ¾ÿ9ùå79™ußHaBá&ð!…
-AOV'Öá¬1idyòáäŸýƒÙ¸uŒMVæùd
-a+Žƒ%ÀrW)œ;„z¸eìY$IëòžõÐݱ^É‚	v’» ¼Ñ&òþ_çÏÅôÃT\¼ûùô`Ëìü„˜ëLI¡üË9g½,s3ü2"Œ@Þ5<ÿšl±VÈ Ý8[´–¢ˆ±¹ðyN*Ùó@"Œ9΄Áñ¯Ä„=§‘¸Å{íö5ò¯íJx¨Ü	cè¨Î…Ì÷5ù‰F빈|V`QÊìøl͈å{°|_È"²ùzQÒi›ýð‘Ú««–:‹òSœ2Y¹æ©wdÙøß9
µÕ¬«žXÔ³ugͺ­ÛŽjn©-é<åéó¦î¨³Þ®nª
õo›å²y¨æ¼äq°ÓfófUÖm]®*:\蕶'	O9ŸoNU‘UmËžèŠ;Û6-¡¦íÊõ¼Œ‹ç42ýéÈ·ÍfUvÔïjÚ.â58Òhj#‘Ø©×]µYWÝ“swDä"äR3Àêru¿d|ÛEóÀãmýGOÕê=ÔÝ‚1{hHN8WåŒ× TâÚa ±<>Ä/ø}¨Wõ²Ü,2o^ÕwÔVÕW‡&‹šgŒxã@ó—ÙWøKö>c_@‹6"|öÎyâ2ÒŽ—‘H:ó ƒyáú~'¤nâÁ¤AÈ6rñãGñýÛâ‡é5zÿQmž^ÆQ¥‚0Ò‡ÉpŒ°0Já=Ö>u‘9¸Ö>@îËèEξî=ÑsÐ… €÷á^±Š#—·ßBŒ"óÜ13tÖ3óÌK™i«åQ®~éÅþüÅñúŠ­r è/\.×Â8ûÌÅáœV«ü…ª÷A_Wí¼(JåPÄ€†2IŽX­ßC¬0p‘yÍËßspì‘çõ-bq[2köS³eÉ>Nß	Ž‡i'
-P¾N(%},kÔ:P¯wu;Û¶m¼‡ ñ6î·š5›y;‚;ú +‚Uä	Îñªô:›WílSßÄûÏÃÕ{Ó|ªÞ`X¸sÌ8ÞV›OÕ†÷´]C$Ñ\½¦;Šîe˜/y]Ùï­+Š73Œ±|šmìÌ*š¥Ñ>o#Š<ÜMÿˆóâ‹…nT”4÷妫g[¸=ø»® v#û Ý#!n½i¶(/#Ó)wõ§Š'ûúxcQïWé$G$ñHFbÛnË%\[
-ü&jŒqÙ

›òèÝ#‰2Q™lÑ´@PàflÈ9Œ‚ñ¶F[h1°_§Ð0F
-8Ð-êõï4™§t:ðêŠ>Oü.SËï£NÀÈ}YohŽ0Ù¼ìJŽ.Òò^W`–X‚=àèUŸDñA‘‰Y}*£­X‹€¶+äšuÎi°W?þæ(gš(è¨Qšå¿M$‡föE
1¨‚vQ-ïù˜Ç¶«V-£PAµª×¼ýaQ¥}@ÙWœµ&o5$j4²‰0èÀòÓ`ÙZT¥(èEñ
-ãŠfIój	zºy¤¯(/h+γhgXsp)‘zí=ˆ¨šÕ¿J©„(L„”–ï£Ç‹–ÔÜoêfSw<Ê‹fGØÔ+ŒÍ9²Ž×'acƒ³¬ÒÙÒ|—2B1œ‡O:Ó÷¹Eê©;`®mimÙ¸ï»jŽ:«¤¦C(˜"€‘ØgÊ%´)2dà¦1ŸAè”M£s	|/Á4Ó!~÷ÂÅ
-—·h>ä+,û°‚ý/-¨yû|¹¤"Û·›»™=øx>8ùð»ã–šÞ»…çG¤¶Ã¸è}ø}³ž×ë;Ä7h&£°1×u€¬ÚtôYÞÑUX å.yÍmI=ÈÀÊÙOá6¹®þà3–„È]t|8Õ#Íô[%³ŸzÂ-$§––Ï›1êȃS£TTëJüHCåMÛ,·]E_«ª\Í´æW­sLÓòžQ°àÀ¯Át³^òÂÄDÌkÐH8®‚ó6Ô÷{ÔÀIà$7?ŠÖ±yé+›Öllnæ:›¼7ôX'°-ÅY¶‡Ò-¢OŒ£
µÉæöFÛsIØØ»I`ÉÉ—3NÓŽã4?ˆ]L°BÚ<^«mÛD8Þ@¼îy—LI|(„t¾8Pé¶mfuÙUœˆŸÝöÎÝá+—ç?\ìûyRŒH·1ìC_0««'NŸÒí÷QdžìÏïìº$4§nç[ŒšÀŸ(´7M¼ú|žÎIˆùâ)mÝw¨zõd1'Ã;ºjˆ
-9^ü®6ä¨7Xµ‰™vDÙü!ÔDÀ¶¾[7;}° ÈÓ5ÜÅeôÌR&W’w	rä=µ¢!r%÷¹ó§Ø¿Ü}‹5ïJÐ"ýaD)`ì¾ÁBËΈ_¹yL…j >â0Mô—æE1ј%漤>­ƒp9¤H*©ß5¨V¼Z®h6‚öÃõ2žkçj;‹¤+á ñŽlãWê#üÑCþ=¶÷¢ÙÜ}†;¸cî8
UØg¬Í9á-ÛSóØ}gqE,ÀQ¥bíOçÐößؾ¬Ä7@ó‡,V|BèYt`C`¦Ÿá‘>Σô×âÑË+ÿK-® L¦Xk¥0Ý|¾¨ ôÁ¸Aì´+~5šUS€ õ çÓZ¥pÆc¸mŸýÑ']ᇅB§@^Þ¦ôÀXF‚Ñ(i™‚Q€O
À)?8S?s(¾pºHq0Vœb¬‚T¬™À>ÆjÑÎF8þÂìV^éýø¤æ"⺪9ãØ{­iÒãU»Íª˜%Çò掯Na›•1*Ù¶s²c\ÓBaYXãCÇ¡]|TbY©Ÿz…Zû´~j¸~ú¡ê:JÜà´ëëï_P)¥ç=ˆp»z•z
µKJÙ ¹åó2çT‚6Æ•Ë9ÇÈí èÏéÉZz²‹1tWÝEÀ›÷œ Vdö‘vžm×u×îƒo!8]Ç©ÎÕ.Ú¯OUÆ !Q^•›:¦Ÿx–”Ž…¬ƒ:í’+±øJ™ŠIé.ôfåŒǺb‹w‡-ãò™:©ØÌ'-šê,›(oˆ3†¹‡ç2¨›jhžÆn›]Rd2â¢Á'í²_3–xÌëvƯ¯1Ñ0Jî^qéA¸W’ƒ×J,$¶ûBä¡vöØ`™»IuÿôhIõ;z›Ý{)øo³æ]¨.ËêIøQà;»ïð%]¿è¹'‘ËüÈ/W [AA\nàš²¹û銜<˜¼ô‡2»Ù\˜¢8âîûkÌÎâß
-=¹FþNÅøݲòÿ¯£Å‘endstream
+xÚÍ]sã6î=¿ÂÎLÂ?ôuoÛݤ—N/íeÓ›kû HJÌ«,¹–œ¬ï×@€2mË›½vgn'3‚ ‚ZÎ"ø“³,‘ÎÍ,͈#ÏÊåY4{‚¾oÏ$Ó\z¢Ëê›û³¿\'r–‹=èÁ­>—´ 7`4@‚¨×[ V`¶õÀ38¹à;öÂò‰ž&ꆮì<Ë‘æ
†¾=¹6=¬ºÙ~RH'ÆÄ©[ا…š™9×®räÐ`ùz¡#˜Å`l»
+êq+ƒoAg:õúÙí1´;þ²,]ƒ=pBÀ©ç7<šVŽó,–«ÆY´xù϶:œîîú-É>Ú\LYvêR ﶩÿÔkj8·…ßE1 $Ù’‡“àwY€ÿbú_¢H9¹°ñR0Pƒ°Ýöpi¨ª÷¦’ó~ѽøIY$p’à!æ†v€_0=ÔO’8ýÐÛOmîP1 ÃTñ|Ùõ°S“íÊ<°øàü-îD`?÷€ÿhjB5¶uXÁž6âÛ<-¨eµíÆ;#†¤=ÁD::8t
O»éÉ×b“µ €>ôHǾVÃÎë@òzÚ;[ífFH͟쳓!ì…e:û›yw'¸áž‚øxŽ"â“m™å‹t6Eûª6‡ãÒ‰™-³(ú~³™0Qïê÷×Ã)Úwªd¦¡‰ùœ?ÛnÓ{ÿ&ø¥%ÐïÕ¡Oï‡ º6›Ê»óÇŽÝ4Gܪx°¶ÎËNîÜõ.°ê$e#€”‡=XžÌ_ßX´×=RÈO.µ]ÕLï<âÊ”É<Fº5#ðvG4DfÁ!?¸lëe×Ú²ŸÚ¡ªÆsߎÑù¡{v‡#ñ~‚«Ë©\J0†`ðp¶ŸÈp»QïaÞ@²!„SÕM…ë0’\#Fü3qä¡‹çÎz© GxÚàÖìe&pØð䱸nš	BËÐÆ+ÁJ\sg/ШlÿoîÈVg¸ø)*^zï¨ÒÝ$´jhÕÁdØŠI‡È­y)¶ƒ`*%2ì€îæ6”úäºÀ|i{|
+øÊè–vÆ@Ñg铉12Me,.ß¡ çóORAÆõ‰ƒ“†.o%7(ë“NŽ¦ð=Ê5M˜köz^Ý8àŽ¾»uC]'ð>ÀßÚ«§ú+Ø9[ºk8È4(:LGªá²&ÕqíIYå|xáqKHWØRDÝãJ¡/Óê`»8ß„¥/žFû×ÃK ÔR¸ŒÎLšÂrÐϸê$I¢âýkàå	ÜÑI	h\¼ôjßgu9.
+2‹X(Ëñ’§A,u*²8Îg&ÉD¦bÚ”›÷7âêÝOpEó¿8¿Luª ÿdßÿ¼º½º{#F²š\ŠÔhÐh0÷Ÿ[jlpgf_RCpiW™Î§5¤L.”¨gâDdi;
«ä͇Q!§õÌôëÃHa>}Íb\ dLu‰}‹€³–‚Ý€·JsÔ‘ÊD.@$uZ34gö•kFåB§:yÍR´dD¾pTL:ˆ?¡ƒ€ûW¬ðÞFfæ5ëP°Z>,{g²¼Ð4@PЊJOk%˜ï+ÖJ“hõšeDpLží[†?ú´ö_H	»
+åÿ#ÖÉ4Úäù<…ˆÒýRéQÉTGàzUž1:Ïõé’)ÎÅ:Þ%\n¸è³ñë²ųëÒs*åZˆs-l¼,l¹ KžÌÊ]Q”«Œ ?™PóÁ´›åƒ+(Ã5I*½É6iÆÒœ7C1•_…¼¢ª8ë2"w÷	² ¸`·e„œ&Ýüx‚Õö+yX(+pçt£µC·õpÄ÷D"lû½Ôo—æ1¾·ÇUù¼îè(ÙKw°d/s]”‹Ãë3Irªü9yÃ}O$_ûœÊHëú8›T‰ÈÑ%€¹Š(ÉÓÏ;aù:aù§³I¥!@êYãÈiø‡~Î/
+N«2ÎOz-4zˆä"$Yë‡âû·ïÅßoîÇlñРᆇX)!Fé,ì‚c˜i¸LA¤À?cŽdÎœd(ÛŸ[/jöGŠ)TdÔkLŒHó(ã×1,{§iÌÚPóQ™.ù„ØVK0áŸùÿ;¾¼eË4™ZFò3c‡Ýš;”„P›Õçù¨Ñ
î®Þ9RzzØßâT	©U⟎‰§ŠL‹$K$“_œòqì”+ûˆR<Ö¾ø:–%Ø
»W–ñ€=‚ZâXd´©!$'Y>¾¶ø·–w¶/7/+O®Ën]zeµÆ†WªSóªî˵}p‹k\hÓùÎ5#žžxÌøA}¶¥(E‘ú¦+Ʊ¶f•õDÁ{	[rå­wrHÖo8šBÿÔ;&…FW¿’n´«Ç
¶Ü¸׶µ«ðh~ÕÓr	nèC·ÁíÒ‘çâ‹6Ž1KÓA¿DqÄ9‰cÉBø",B]P
íXÃàŽªº|N‘z¾èúfø>‘§œH¾·®8†©Ä÷‘-¡ÝÓ‡tïXˆF”SžTž!V¦°‰rb»ð_¸]9›Ìª°kBí*Hô4Í䣭@/©!Ð(¨CÎ='Êh–‰Ý£íoêçÂã*p›%jÍÄ\XäÞK´9ÁžÎm@à,—íËžÆl5 \ZßEݬ˜Í¶êeÏ"ÔH-é‘ÂŒrÆœzJ¿ãNxg.jo3¸åùX¾Ð`ÆOȱn¨õøPÛ^M© Kê¨êìßA5›7~kØœ…k¶$uÕM„úîQi]œgp›©¹\~,y)éã~¹àÊáÙV¾wBM£Á˜”sk=I:À¼L®³§þÁ†o~Ð$žÉx;”[=z¶'Úb€í^ñ¯6RéÍ4œ/	pÈ&âoX”G®¹fžÐC—Î9,A7¯É9Cl•ûÌWèszƒ"_a؇eóñi,/Á'KÊækÐv·l|­;˜?/ÃŒ½wsü¥ÏèÝòæOü@Bþªfâç4ÑìÕís¼³û“¼"ËN\2Ç„‚…ráòèê>þÊçXôÿ·«èendstream
 endobj
 1109 0 obj <<
 /Type /Page
 /Contents 1110 0 R
 /Resources 1108 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1107 0 R
+/Parent 1097 0 R
 >> endobj
 1111 0 obj <<
-/D [1109 0 R /XYZ 56.6929 794.5015 null]
+/D [1109 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+466 0 obj <<
+/D [1109 0 R /XYZ 85.0394 699.7944 null]
 >> endobj
 1112 0 obj <<
-/D [1109 0 R /XYZ 56.6929 648.0507 null]
+/D [1109 0 R /XYZ 85.0394 675.0921 null]
 >> endobj
 1113 0 obj <<
-/D [1109 0 R /XYZ 56.6929 636.0955 null]
->> endobj
-470 0 obj <<
-/D [1109 0 R /XYZ 56.6929 536.427 null]
+/D [1109 0 R /XYZ 85.0394 489.5479 null]
 >> endobj
 1114 0 obj <<
-/D [1109 0 R /XYZ 56.6929 512.0874 null]
+/D [1109 0 R /XYZ 85.0394 477.5928 null]
 >> endobj
 1115 0 obj <<
-/D [1109 0 R /XYZ 56.6929 312.2328 null]
+/D [1109 0 R /XYZ 85.0394 309.4234 null]
 >> endobj
 1116 0 obj <<
-/D [1109 0 R /XYZ 56.6929 300.2776 null]
+/D [1109 0 R /XYZ 85.0394 297.4682 null]
 >> endobj
-474 0 obj <<
-/D [1109 0 R /XYZ 56.6929 146.8108 null]
+470 0 obj <<
+/D [1109 0 R /XYZ 85.0394 197.3098 null]
 >> endobj
 1117 0 obj <<
-/D [1109 0 R /XYZ 56.6929 119.5063 null]
->> endobj
-1118 0 obj <<
-/D [1109 0 R /XYZ 56.6929 78.0338 null]
->> endobj
-1119 0 obj <<
-/D [1109 0 R /XYZ 56.6929 66.0787 null]
+/D [1109 0 R /XYZ 85.0394 172.8568 null]
 >> endobj
 1108 0 obj <<
-/Font << /F61 642 0 R /F57 632 0 R /F43 608 0 R /F42 605 0 R /F56 626 0 R >>
+/Font << /F61 642 0 R /F43 608 0 R /F42 605 0 R /F57 632 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1122 0 obj <<
-/Length 2769      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝoÛ8Ï_¡‡{Šå‡>¨Åá€lêô¼h“^꽶×Å–c²äZrÓì_¿3R–9í^z¸Ã53‡Ãùø
µÂãðŸðtĸJC/ICqy‹Í÷î`îõ™°Ô{6ä"=­A¹¿É¾›½ån‹%¯ê
úæâ}sqkZî+úY×û¥ êjJ³ã(‰¸†Ž¥×wˆç9º³‚à÷†ôÉÐ{$Ò­8é·±NXÊ…ú–ßrÅB˜BÛþüüVjEfVR[š’‰¿,è
-dUœÌZúm‰;ñÛzK”ze	NÎïueGèÿ¥åG{ßæxg(ùH„¹Rï`ÓÆîzÚ‹—ù*Û—-]¦Ñ|à9xóƒÍ–6ËÞ-Ü¿]‘ÑO³Íª¹8Ôäíi¿èüy—xìáõ‹8Rž~Ã/â$eÜ‚1«3%I”?…€‚¡ŒhRbV¨h°ÎLÔÁ(£²þÝÐ/å4‰	ÒԒƇ¼ÕçÍÍ@Zng›‘pïC²;í˜ÿÌ1\®ã‡\Çû¹ŽÛ³Ø¼aSHëÅSNгîr‚CýÏêãóªªH!Ý%
-µLO†åüQYW<†T—&àg*f‘P'üÌaŽXhiAtŽ×©RAÙ#•hò&'¹—ùDø6Ì
SMûªh-­Ö½š˜Ô0Õû»õ³ »ÆU·v«üë¶,E[>½KùÒHŠ)¡àTþ5ÛlËüúÃËË(éð¨n‰µâbB¦Lë$väb–CzÝÚÞò*bBðØ°"ºêqÎýY…®kÝóm¶ÝJõãÙ»/áÈî ¤„ÄŠâ<·rT
-4ÚªtêJw]îÛ¢®h3w»68
-²1Äë.«š2³|0s¨ê¸jöŽ¨Ùri…64a.&pS›ôS*Ô†Š7¨¶$êíQ79ìE$ºpŠQºŠøôUU`öô̲Ý6±X‘FÒÞŠ7J'~†éJéØ7¿¡­ŠTÖ
±Dr
-	©0ÑâØ–6C8RÁLöéJ"Ll²e>”Tæ€'ƒ¶65àJLyÓyªšâ®¢R–UXä4)š›Ý1©‚ËÓfÙ’8Ê|ex•¹¤ìŠ»5d½ 䉃˜@¥_QQôv[7E›ù°‘™t²,·òï³¢ WàoÏ+r+º3Îï›}V–võ®hƒ1„Øæ3(4Ý£_*N•]ÆÀ@—Ré'²ÉöÖ=å±{Jë_8! E2É”PïM½‚	[óÒn'ð‡â]R<¢G?ºxi½¾ÛhäH
-öЛ±ãåpP¥d‡úµ“%~³¶ÚÕjÔŒÆyñoÚ{3Xä4=tiâ¼_×^fmFÄ^/£-¬N\¡ì+cìiŸÇпw-Æ?É1GÂTbn]ATåo ùÛÒ. ÃÀà(‰X¬è—´‚ÙJˆÛoYÎMC‰Ÿ¼tpœxt-û—Rö+€QÂsÌ#røh¹Ù¢Þ|"ÅüOÇ€¢Ãka”2Àbéÿªü÷ŽòýÆ­8	BCèˆ&8”΄†Ð‡)!lwr}3{=»š€*¸?ˆ.‚²þnÏ;Á”ý7Œå=‰Óè[FQ)SQL‘™H'`´KyÎÄVuÍzÞv±Ú]ãiœÿĪÁRáÓˆU‚]“”ãC¸þ®ç/!åGáÉÑŠéX‹?aS·âȦÝk"TièÓyÔ‡Ó=Œ˜r–X®b‰ "檇l¢8Æ8¶u¡E6×à,€­á_é?z™¡Õ”€Æ6¯{Ÿ=Áx˜¦Š˜zcsÖƒ
áål#½W5œÈëÊ	ú’Í¡t8ðxl8`VA+‘ÈÃû9•î#<¸CîT.S__d2€&¾jŽEufO ª(~,K¶³S+œ¢€ûÛ]=‘ÿ¥ $lFiyÛ·'…ð†
+—òQWåC€kN> ö‚Þ§¦ßªní _H”€EiÙ È‘†c<þšÍÍä¢Eã}“Ýå¨?¢Vëv3'Æjâ
-©àÐFcK4Á<ø-õ,²ÖQM«@#KêÁ®hèw—cñeíÄ‘ÌnmY4-¶8®íáïŠêQ–Ó„A#ª¼~øzoà“Æ/ÚÂásÄý+sKf––Þ\^ApÑÈ´T8 $LÍþ¶É?ïóªuÒnó¼¢Qþþ2_2j8?¬Q«§@Ww„5º#˜&/W÷áE™5ë¡—ù÷¬Ü3!=„óÀÙk¹³§¶ßì+ìÖRêÕÑ3S“¹7m£Ëá5‹šý`4.üUÿ¥¶ÓjQî—y÷¾ÐK³
-Ü)‰ÅXòø&O)"Ë÷bD -”4»ºxóë«éX{
!”ȃ$²Wµ)C@=:q2Í—“1e•,åÂ|@ŠB(Ü]<0a#¢ûXÐaÇA <äDïª6ûúÓˆ^€š"Vœ8~d´xð’˜Æèñæ1@²0tñqD,‘8»¬Û OŽÜ P9AŸFÔB¨P&Czâò¦B“È&o_	ç®Â?|’]ã'\Þ‡‘û|$¬ÇS•ÂH¶œ5ýfÕ
öÕg¨SöáV<~jQBA
-Èí¾­üÝf?a£Y˜>uçJÜQ¬÷"BŠaa>Ëu=¡°ßäà×t†°s±¡—±¨S‰NÇDô?‡1(!Ý]ýuä%š—°‹<[Ï¢ .$©vñ÷·­¢ØXd2h82>pÞÅÞ>fTcG…hÖÉ!DO»9©eëLyp´wÝÙ,l½ÊÜÂÀTÄÑ0Ï÷^g‡ù·{(§L$iümeÁI„tÚÒ3ÔÝ~ÓÕ€ÂÕ‹vX723éìÖ<˜æläFá1S¡Ç£Ï4pÇÍÛ1âúðáƒyÚâþÅÕù[üè¯aŒß\ƒ÷Ó›NoN}æ‡Ì*%ƾÊsÏíðìÿàjÐ’ZËñïÝ÷§•IâêQ·ªð3LÆ”ÿè>õendstream
-endobj
-1121 0 obj <<
-/Type /Page
-/Contents 1122 0 R
-/Resources 1120 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1107 0 R
->> endobj
-1123 0 obj <<
-/D [1121 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-478 0 obj <<
-/D [1121 0 R /XYZ 85.0394 591.3162 null]
->> endobj
-1124 0 obj <<
-/D [1121 0 R /XYZ 85.0394 561.3268 null]
->> endobj
-1125 0 obj <<
-/D [1121 0 R /XYZ 85.0394 472.0336 null]
->> endobj
-1126 0 obj <<
-/D [1121 0 R /XYZ 85.0394 460.0784 null]
->> endobj
-482 0 obj <<
-/D [1121 0 R /XYZ 85.0394 269.8779 null]
->> endobj
-1127 0 obj <<
-/D [1121 0 R /XYZ 85.0394 246.4658 null]
->> endobj
-486 0 obj <<
-/D [1121 0 R /XYZ 85.0394 180.2927 null]
->> endobj
-1128 0 obj <<
-/D [1121 0 R /XYZ 85.0394 155.1251 null]
->> endobj
 1120 0 obj <<
-/Font << /F61 642 0 R /F43 608 0 R /F57 632 0 R /F42 605 0 R /F56 626 0 R /F84 858 0 R /F86 972 0 R /F66 714 0 R /F11 1131 0 R >>
-/XObject << /Im2 922 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1134 0 obj <<
-/Length 2179      
+/Length 2891      
 /Filter /FlateDecode
 >>
 stream
-xÚµ]oÛ8ò=¿B}°5Ão‰û–Mœž‰Ós¼ÛÃuû Øt,À¶\Kn6ÿþ†Ò–j5Í^PGÃá3œOš%þX¢4ц›$5’(ÊT2[ŸÑäæÞŸ±@3ˆDƒ&ÕoÓ³ókÍCŒæ:™.¼2B³Œ%Óù§ž&‚ôíý÷n<츢½ëÑ
@LHÅ{—ÿºø0NpBÒßFã+Ä.ïÆ×£÷L.ú©ìMGwcDO†×ÃÉp|9ìžþ~6œŽÜ‹QáÎûåìÓgšÌAºßÏ(&SÉ|PÂŒáÉúL*A”"bVg÷gÿ>0lÌú¥jb”p¡y‡ž¤èÒ“2D.¼žŠ
-E²_öÅ×|e75~×¥“íüZ¥
4°”Á3¿öãÇdøŸ‹Û7CrywJÔt6¾¸"x{1?‡“6¡g-y›µ„±Æõ)Âá¶(ð™.-žêÝh|yóÇU¸Ï«bgguñÕ~¢ÍKb$“žßýó¦Îÿþµcc¡ˆbZÁGwØÀjÝTŸ"Tè*_wm­à®ì‹„Ÿ:X	 Hã–å®x,6|àd™V‘ì3ÊÜÅÎÆážnV®×îOùIF2yà³£%	F¨äi¼ÙÔONl>‡ýDÖË7H{Û]Ÿe½rf«
-gj)üE)_ÙsaŒñÊìU*cYEÈÃÅ·.jü~²þaÛb3[íç6¯Ø€ÅvžËOçuœ,óm	KÀdսѢÃ08NÀM~tM(L ‹ì«­îp@¯hI%É”qŠfÄ(Å=y-ûpX€£O6TîÅÔSQ/;Îê4MçÑŠï&£÷£q—
¤`zºÊ½Çe0öö„K8ål$
-Àl¿Ã9˜[ëL)Ü~*ÿ院ð{™ êDšB€£Y;ú`PY¼£¹ÊhÒ´égæå:äÞ=„4_í.Pyùd¨
-yò±Ë<ì·ÝåîtiG¼ÑŒ¤iw¼iûÄ)£]•›™m±‹bšd3¢EaälÒ2Ê|°vƒÊ™£j»R—2œ¨sÈsãÄ%»s„`#çÚ|Ÿ®£À+€qE›Õ±Æ¡¤n¦¸ƒC-͉H™NTêÈ:YÓè”–Ì['%Jð¤ï _±ÞþóÞIRž4…À¨ TJe2·uò%qqÓD
ØËzÔGœÖ<¹*A¢¤!TdV§â¤:No~^eꘟÖ~r€4±¨›ÛE¾_Õƒº^uì¬3Â¥d¯-Lÿa%	!±AÓÓÊÒ÷¾Ä0±j œ?¦}>¼¶ñËð^‰ðÓž‡þ¢Š‚ð00D,¼ùPí*h\0µ›˜Üf¥ç"}Éä¡ýfn]|ÜøjÊí7½©Àé$˜øŸnë|U4fÄzù¡æ´óÖ(LË·BÈ7Áè€3™ÊLh™"¦‚ƒmæÕwšŸ¦ÎŽWÝÒzûªcÔÉÕŽ!Ï£Kà
-§ãžT9ˆü`hŒQ}0mûØßæ•û¾‹.by1ü»¶›
-âɯxX£0|÷~8BÓ*þÄ^­µË©1k¨ß©ˆ)¾q7«eÐ]ý¼
¨ Nñ ùSæÑ@À‹º×lÄ:dl»4'©Ò¢i\ùÚ!_‹rÝ›…º¯¶ˆÏq¨ì®°a‘·m‘²*÷ðU'08u-ÇÛ·x³zFh],¼¹À÷›˜5²±ùlV`jvàCXšop,ÀÖrÈ–îÑ¥Ë]QêVbû¡ª$ašÅ;˜¹Í„Ö˜Xutæ0Ngn´9Ï?Ú;S õ†îÐÐ@Uù<S'zr“ˆü²/hí“BÛnK×wxŽûιl.†Î¤
-õG¤%ýÜ®ìcî’û!.T³]ñðB\`iðÛËU^U+lìaj¶‹««	¹˜|pʼˆüâ䥗¡´ÕìùW è!sÒà{AºJ“pƒÓðzÄ<0Àa|#>(½;¼(½Šã)‚ïN^©ÞÚ”š½åÌ)àT]B±ïÅ^àCºñµÃ^bÔÐÒ½òöø+™ò×1E‘	逧¯!P~g¿fÝšA©Ç¨I‡:‰¦¯©1Ô«)M¿y¼ýÿV5Úæøò÷úº9®ø¦È"
@v!›ÃÍx
-“&K¡60Ð_f²‘.OÝ"•x4¼Áx¿ÐÆS¸xêÆrãó
- ê§(ßÖ•=ÐsUu¾«ÐmêŽGü9T[÷N§…{§CVË°‰+}vUÝe9nÞ„w]7†Ϥ_ÏzüpüÛ„þYÌ>BÃÈÜï`L«"|´w”î˜Ð	ͳÂaý#T›õz_ž¶Ë ·eU¸êè´™JA÷̤Iãßf’û+ó-¡Ý?*ÐC¥øæŸ0VJD–ñî_' $P.ûc;^¾•'¯Tñ·Ž@Õ8úÿ¿êM.endstream
+xÚÍZÝsÛ6÷_¡‡>Ð3ŠO’è››:9w;§èf:—ä–(‰s©©8î_ì‚¢$ÊI.î4£€Àb,ö㷀ĈÃOŒLÌb+í(±š.Ìh¶¾à£%ô½ºD3Dã>Õ/Ó‹Ÿ^Æbd™e<š.z¼RÆÓTŒ¦ówQÌ»<ú÷ÝíõåX½¼ùjBi#£ÿ¸z3½ž`GL¤¿ÜÜþŠ-‹w·/o^ýkru™èhzsw‹Í“ë—דëÛ×—¦¿]\O»%÷·%¸rëýïÅ»|4‡ÝývÁ™²©=ÀgÂZ9Z_h£˜ÑJ…–òâíÅ?;†½^?tPL‚3©b9 '­†äd,‹•T^NÙöR¤QûJU„õfSWó¢ZþVFíÊ÷êh%ÒµÛ¬ªm‹ŸÙ2¯Z¤y(J¢YdXÓÑ}6û«©,«üñ(q!˼!N›mQo‹öñRÁùhÁ£7¡Í©vëû|Û ù¼vgÁ¬1Òﮪ7™F«ì£›RÚ(«±)»oêr×æøµÎ³
+öŒ4ï¥L°VÈ;AÖËücVÑuUab>k‹0©ß¸£~[¬¾þ£ÏjVûrÞ`ç¢Þ†ù³éæ5È¿Üd¶ÎA@±”ÑÔ	V¨}Ýõcm	¢Æ¢Á²
#ÖÙlUTôáÖëʇU1[:5ð½þ°]í>L›—0niNkºiÝ¢ziâž.*ÐT®	{q[Xï¢:ÐX	DÜÆD„gè¦ÉP `ñ&Nƒ<Ðô³¦©gEÖæs´Ö+,mtÐÎÒo¯^“›p¢q%*TšÝÂyϹœ ê¬;…„Y%S?ëKd1(
+$kWÅÃpæ”ȨX`£×Ò(øô“By*âjI১;p³U]K¯W'Ä49ÞYªþR’¨ ŽùÖ÷
8AÏHùiT‘Ìßr¯®,–U½×
Š|S5mž¹)΃+°Á»ÀS&j…MèJ,‡†&ß~ô¶åê`|…;®@í·b{³ùýÛ¥€¶M]Tmožƒ}¢ŠÝ?¢f ¿ >ì8Ä)‹“4ÅqÌ’˜Ç_¤e&Éa<øÿF…uôNéì
+p^T
#YÞƱÑ,åFwÁÆ$=ÓMX¦NG±Ia
+ÔŽüS¶Þ”9›Õkç”ÖÑ
DT%9TÒHðËqÂÉÏ°ƒ!GÒÕ6a©vÔ_É·mΉQ$JîOûå¥%,AÁ©¼@8ëQ¬c¦Ul½ÄŽÅcƒx”üBùôf~^ù<«>)ÎR‹"J>J3‚¦ËGöåÃôØmX½]>!޼߱t ÔYeíg¬MJfdl0¨žÐXõl.uQ¥^§˜û‰ó"êMþAE@
+O‹vžRu":2"oOÈHž—Qoöç’ÑôÿQÙ\ʵHO³“,D&)Ø¥[µI€+Ð?…˜XÀܦ‡ ŒÒIü|°ÐÖ_#@DIpÀãmà´{¸eÖ¶ùzƒ!>1„©ƒ02´Xzd+`Ô4`”Ð1W‚Š{<åg˜B’ÈR™üžÛEE$p’o¡WüHÙᯱJKc!q˜™ÂæeðQ/h©›< ÛÙ,Ï=:4¼/WÃψ-†³U î=±íìÔ$tˆ÷ñ¡!hewVŒïÍFþ,Ná˜÷3Ö%÷
+2yòmÞ¶˜¸·éô÷f` IJX-´>EœDm±µËS6¨yi¹ž@<™`éqe9'ŒÜô@)‰å}ÑÝæKð`sC	bN ³CÚI´«Š¶9œ¾pZÍ»Åí—"¢©!Q^gÛ§ŸŽG“BsYã.ǯ˘;CÓÃ
+3Ò]¨Í ̱:™4.tè4N99cež7³mqŸ§Uý€•²öGµ,0	|iªû¼7Ñ<´-ê}R¤"”¢ŠšU½+;š!@>/šYFvâ
%8­´bQ—eýÐ)I»Â9¨·}ÜäÍ¡…àöœvv«Ù!8¸’lÄ“ÆŠF`ñg]Ñ(§.`þÇq#7(¸i;üN^YÅž¨¯sòãz©Ç&yò+Œ8
+\aO15K´à,„k
)¬Âã{{qVƒc	‡¦£2ó7A€äö(g2/…C%Ýh¸†6p¨òeFW0õŒTÀë/C¢é*Œ;k1Ñ-ìsÚìt-6hFöDnLw©ULBýð¸sv¦3&¨Võœîj.h\›óú·üz÷úêæÖùxlÝ_Æ5y3¤ó\íõì±Þ±!»ï¬`}*Ö;¢&ÏçcbÅ^\¼/®ýˆÂ¬qÛ톼bå}
+°Xa“QO¾M¿œ&+ž¦àÍ°þª„&Œ8«²1d
+­à¬Îª"O"1Šüངv7‘xíaÛ±€C¢«©ët7y
+­7ØâüŽo|Ð}¸ºìvÂî»Èf`¨;®Õ]>54ëyžç‹lW¶G>¯Sˆ|&tQþp¢Þµ®®»l™1jòö	¥èÉûÛŽðX+ôsj…P/{9û VÉt,Ñ(ƒ¤<˜¨è:sw¨R씆‚ Tµ´ñ„…ç¾,Ñ›IC@ë{EuD9™x‡Û[×@²é»¹óšq¶¼ß{9Þ÷rœöB#?º+žÒ€žlŸK¾È‘ß¼ù¨?ŸCLrâ£,/,©Ý£ë][Ôö:·ï8Ž¢@|D+3¢ƒž}M÷ô¨°†@IoÒZÅt¹×~aÃoÙrx×»7û@×SÞæ>—IȤcnÕߘI?Ûµ@…ä,6úÌ£PIj
+v?ÜMn^¹ëk#¡óჀ¬?×·-Èþ‰ððPjŸ–ˆL¦±¸ 4Y8¡Äà༸ʢ®Ÿ~@ë$Ó›ó¹$ó½@U
K¬~ªJÁËá«tèoH|ôÙ³þÒ?=íÿø¥¦ÒTã@Ös¼<ÔÓ'É
+ÿŽ"ªÞÒÿIã-Qendstream
 endobj
-1133 0 obj <<
+1119 0 obj <<
 /Type /Page
-/Contents 1134 0 R
-/Resources 1132 0 R
+/Contents 1120 0 R
+/Resources 1118 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1107 0 R
+/Parent 1097 0 R
 >> endobj
-1135 0 obj <<
-/D [1133 0 R /XYZ 56.6929 794.5015 null]
+1121 0 obj <<
+/D [1119 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-490 0 obj <<
-/D [1133 0 R /XYZ 56.6929 726.3249 null]
+1122 0 obj <<
+/D [1119 0 R /XYZ 56.6929 679.1143 null]
 >> endobj
-1136 0 obj <<
-/D [1133 0 R /XYZ 56.6929 700.4371 null]
+1123 0 obj <<
+/D [1119 0 R /XYZ 56.6929 667.1591 null]
 >> endobj
-494 0 obj <<
-/D [1133 0 R /XYZ 56.6929 478.7894 null]
+474 0 obj <<
+/D [1119 0 R /XYZ 56.6929 513.6923 null]
 >> endobj
-1137 0 obj <<
-/D [1133 0 R /XYZ 56.6929 456.5132 null]
+1124 0 obj <<
+/D [1119 0 R /XYZ 56.6929 486.3878 null]
 >> endobj
-498 0 obj <<
-/D [1133 0 R /XYZ 56.6929 375.5744 null]
+1125 0 obj <<
+/D [1119 0 R /XYZ 56.6929 444.9153 null]
 >> endobj
-1138 0 obj <<
-/D [1133 0 R /XYZ 56.6929 348.4134 null]
+1126 0 obj <<
+/D [1119 0 R /XYZ 56.6929 432.9601 null]
 >> endobj
-1139 0 obj <<
-/D [1133 0 R /XYZ 56.6929 140.5607 null]
+478 0 obj <<
+/D [1119 0 R /XYZ 56.6929 264.2455 null]
 >> endobj
-1140 0 obj <<
-/D [1133 0 R /XYZ 56.6929 128.6055 null]
+1127 0 obj <<
+/D [1119 0 R /XYZ 56.6929 234.2561 null]
+>> endobj
+1128 0 obj <<
+/D [1119 0 R /XYZ 56.6929 144.9629 null]
+>> endobj
+1129 0 obj <<
+/D [1119 0 R /XYZ 56.6929 133.0078 null]
+>> endobj
+1118 0 obj <<
+/Font << /F61 642 0 R /F43 608 0 R /F56 626 0 R /F57 632 0 R /F42 605 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 1132 0 obj <<
-/Font << /F61 642 0 R /F43 608 0 R /F57 632 0 R /F42 605 0 R /F66 714 0 R /F84 858 0 R /F86 972 0 R >>
-/XObject << /Im2 922 0 R >>
+/Length 2326      
+/Filter /FlateDecode
+>>
+stream
+xÚ½]oÛ8ò=¿Â÷ 5—ß’‡²©ÓË"MöRïö°Ý>(6“°¥Ô’“ö~ýÍpHYJ”¤wmÂ9Îç“b’ÆU®'i®™áÂL–›>¹†µ7"àÌ"Ò¬õóâà§c+&9Ë­´“ÅUVÆx–‰Ébõ!9úÇᯋùÅt&
O,›ÎŒåÉÏ'g¯i&§áèüìøäÍo‡ÓT'‹“ó3š¾˜Ï/ægGóéL(m$PÄçgsB:>9O?.~9˜/:–ûb	®ßO>òÉ
+¤ûå€3•gfrœ‰<—“Í6Š­TœY¼;øgG°·ê·Ž©©Ã™éŒI4¾æX!Yž=~,å+–YPæ“´hZŒ;†¤ö·h­dZhÙÝ¢V!XnŒÄkÌ9KlO•b§àÏPÁ1gÆjx‚3£$0î1Χ3+’ü—É£ë’õa³Œå"Ã'Ÿ&‚qçŠpz°—t¯?ñÓÉFN^× Ï¤'R¤;ëöeºg—B¦Œ§ oÊSfs“y†7Ž„ÊlW#FD¡þr~qòæ$? ©5Ë·o]V®™ÎTΓ²¢±òpSÅ“ÏÅævQŠmXºÂ¥zK·Ûz*LrW®Êꚦ–uÕÒö6­Ÿ#\‚&Ë9h¤»P`¯®Ö_f¸GòäËt¦¹LV5UÝÀ-]ÓÀ0Q®Zq{ëpa”G¸_\¶»bMð®)®òî™
+ëµ»?ÍKŒr7¸•ç˜y½qˆ+ÓÌ‹cY­ÊeÑÆÙ›¢P˜ê)!ìhhܺuÑ–wSi’4»½ë²i×Aøë²b-Xç`:ʪIßy¾ÍÑóMnóÉlS¾-Z]âtºwqÙwñˆg¥aÒZã5±Õ€8çÉ9(hKáõºr!Жë½.·n	š%£q!º\(UY–w~6“Y–¼-@Õ[‚©,OŽëíÆß(ÌÞ
eU¶e±F[ÁÏ•û“sYù{ò«´õâøˆ& ‚Š*àÜ©·®Z¹جyƒ\Ø$YÈ݉0ÐF'ÀeÛ¸õU€—ë¢	 ز»Å3«€B°
+`hYûqÕ¡¬çŽßìš@ì2ÌÔŽï¦Ø¸/¬ò”Jµrœ8Ü41F·¸Z®w«=Á°z‘RF–Z1>6‚áSBAx¯FHi–gBEB'gG§¿½žP2àD©ÜS"}U«’R3¥²4Ò\,NI3i!•åHA¹ R±÷&‚G,¢.£PCGxÙÞ}©Úâó_GøR†aGsŽµ”sΪÞe5«ðjnáfµŽña„šbJ¤QoËz³A›¹)Á2­"¡#ìÏD®¤×thOÏ\~Ê nˆ÷иÖÛ•ˆæ*‚hC^
+¦+bäè¾$¯Áâ)O¡'̚ƢúBÀ®ú™ªÄ(B8ò¡¿APBApáÜ‚vþ;D?¼Y$HdÛ´d9Q”A¸ Ò$4ù0Œ>¢âB˜nh,ü²JJH_å²lǼJ€¥`F#"ú¸¶À„Œwõ7€$°ÇHá¢:@Ùzö3 ¥,”ñÑÿþ>ÂÕ€óL¦M™!÷y—»-©¡¼9K÷.ú´	yIZ§Ê½ ¾ëNï¤á`UþÞ”_¸8òøæÖ-{F²¿íÍX´³9in_fŒDÈÈmáÅ¿ÞmºPÆ|Ñó†¯Í|8»lêõ®uläFAË4Ö¾£Þ7³»G¼œå·÷ï߃ùc”;:;|‹ÍVðÛÓ³Ù»ùÅïнF·þy‘gHµå]±îdƒ[xÌóƒ½p<›ÿëðí¯§svtþ–Ó;ädˆøøNøX—bxÌ'?,ˆÖ ¬ŠÖp™ö‰n ]
+|1„×[,\Gèg™5¦‹à^æ1r`ÎÒ¤ÿKF%)ìà怊‚*f*…6Í¿ÆfƒVÈ?@Ç[»s`«Fëì«T&².|áï_p´÷/ø¾ßb\¥j&°WV>nŒðå—‹6.–øm
[0{p›œ\UÚèLª¯‰ƒUÞi@¾’(ãpì<óô‰
+µc¶Gz*í¾loF3
Ü¢êBÕ׆4Há·‡xëaˆ;ª²Sà}Ù¸Õéó)A¤pûؽÿwågžÁ0"AËLBù&Z§yh¢uÆ{1§¡%rg‚á ;xWÀÙÞÃ	M47õn½"L,Ñqn뚶޺0[\ùfŠjäN)ɬÙ{=±rƒø×3þÌP@ûîPk“\âËÔy×Ö'œÄxcSRñ‚p]Îý£÷œ$°W|Äh€è
<±¨€‹uS‡óƒãEæ†ÍCPVAÊ„—r•|)‡×š¼„˜Jöü8{›°wá“N.‰
¿ÃÅ©ªiéÞvnE´‹€^аòkwe1d8m‰êÁw³«m½!ˆ^dRz‘yE`–+ÚÝÖ?¾Ú?¹áˆr<ýæœÕ~»ÿÿÈ77äRJ.úon’ã­î•§êQyºXœþ¸Ò‰?.þ$$G[¹«b·ngm»þ??.€S™«aš~çkŒøö@à‘>S>¼qñ+—IMð)jÏCrÃAxM\yó`ÿHHßãòP3yhWõ_$ñ¼Å)¾ h0ñßñèb]öV¡ï¬øº¼k,6dÛ¢º¶À±‰…N[Y†Ç<`¬Z5Of^¸nüjä*Þ¥¸oþ=loöXveÙàǤ~Qf%¡Z
Ly£797*c&“éëÿ3‡ê¼endstream
+endobj
+1131 0 obj <<
+/Type /Page
+/Contents 1132 0 R
+/Resources 1130 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1097 0 R
+>> endobj
+1133 0 obj <<
+/D [1131 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+482 0 obj <<
+/D [1131 0 R /XYZ 85.0394 641.1347 null]
+>> endobj
+1134 0 obj <<
+/D [1131 0 R /XYZ 85.0394 617.8999 null]
+>> endobj
+486 0 obj <<
+/D [1131 0 R /XYZ 85.0394 552.2511 null]
+>> endobj
+1135 0 obj <<
+/D [1131 0 R /XYZ 85.0394 527.2608 null]
+>> endobj
+490 0 obj <<
+/D [1131 0 R /XYZ 85.0394 385.255 null]
+>> endobj
+1139 0 obj <<
+/D [1131 0 R /XYZ 85.0394 358.9197 null]
+>> endobj
+494 0 obj <<
+/D [1131 0 R /XYZ 85.0394 135.339 null]
+>> endobj
+1140 0 obj <<
+/D [1131 0 R /XYZ 85.0394 112.6153 null]
+>> endobj
+1130 0 obj <<
+/Font << /F61 642 0 R /F43 608 0 R /F84 858 0 R /F86 971 0 R /F42 605 0 R /F66 714 0 R /F11 1138 0 R /F57 632 0 R >>
+/XObject << /Im2 921 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1143 0 obj <<
-/Length 1840      
+/Length 2569      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XKsÛ6¾ëWèà5#¡xàÑMåÔVi]u¦Ó$Š¤,N)R©8ίïJ”Ûi#ðàb}|»°1…?E¨HäX'’(ÊÔ8ÛŽèø¾½1O3ë‰fCªï—£ïnb6NHóx¼\xBaãeþ>zóãõ¯ËùÝdÆb2™©˜Fßß.~À™›7ï7·oÿ¸»žh-oß-pún~3¿›/ÞÌ'3&¤âÀ@x½[Ì‘èæöçùäãò§Ñ|y<òP,F…=ï?£÷é8é~Q"£Æ0 „%	oGR	¢¤ýL5ú}ôÛ‘áà«[R“ä‚Ä\‰ñŒF¦Íóûâöõ]¦‘L_î;cL’DiP~Ì8QFè£ò%(ŸqF„j¬UBbÁ…Ó~µi'°PÄ®J‚Ub°*áDH“ÀV–:/Úl_®
-X#”‰ºMæ¡.öØ­Óm?¹¶­>Qí'ÌDEÛ\';›Í×æ=çÛ•'Ê*튜ØS‚ØT%Œ•ÄWÜïº~œX-GmYßW…—g¨°Rì¬äè¯BƒºóíãvÕT-2}(»MYÛ>wB=åÚ¢"V~qX£ÌXÏ3ýe^ ÷EÄï³hW¥Y‘ãäÊçj;eW8ÂY¯NÅõ¹NÒT;“@ö)­ Ã0€Ð$áQƒó÷E‡›+lœ¨ÌÛÏN4‡nwð¤Í;uáŽÇÐfÒY8Kw~IXMÜ"¨2/[àì	­—ƒ‚¥b½€@ÀÔ°™îøRF«4û»­Òvƒl™°Õ{ibÏ·l`2¬÷)p=䞘	ˆOø3þ³«×v³¦Ih´êLXÉùËŽnÕlÓGTJ³ëʦN«êÑk§ÀùuSU̓³t®….ƒe.Î]hÛäåJy±$€
¢‡M™m°›mÒú¾À¾óÛèƒñ×­u,;^;7m¶de
ìü‚:èZP¹}ªÜïSæß'­swDz~´UÚZ—–”E¿œÒ°¢¸¡v/º(\­Uör»-òT噢‚sÚ½ÂH`œ)èKH8Û%mL@?1DŸãâ* •ó7y!Ó³{2ãû©3Åû©Õ÷ÇÎ	#q¬´_yÿ¾.Á×OÈ:š€ú\+O¯	ÒK:ãt*¦y€Ôð$yáØ®5í#†w|ÁhÔVÝ>ͺ‡œb{ru;òVÇ„¯øÉDè½Ùa>Z; HÑ	q´ÛƒÏ¶8ï!£úz¨ü‚´Åù‡y‘•Û´Â9À
¿`²hpr—æ¹Ãô˜SÖèœÙÜg«)ÙúJŸk›A>¥e•®ª?õ	Âö×Í~kϦ™ÍΟN_>PEC¨€¢L3Õ[/X%†R÷¡Ø°)rl²™óç˜EØ)6ÞŠ(‘°oäg#ÛcS|NAŒ>'IF¤­}ÏrŠ(ås§à
-üî蟟ƒ¸—P#÷Ç܇ÔĈ¡GIþ¦ªùG:ìvè
-€ÙÊg-J
Ô,r~&­#­St2œâ¿CÝŠBLC01ûfÐötJÃeP@1öZ¤‘§Hc…»]£,á8,(I¨J^,Ü\õað3`”-^2ê¦ÃNºj›êÐS"r¡3ÄzÈ–6}ãÌÕ»»Û··‹lP÷2Þ{~¿{
-&­ÏvÏæbo[”÷us¹‚ò‹ÂùÆù†VQÖ€lwiW®ÊªìqÖ£²t‘ðÄŸ ÕBqöN4?æ­«PfƒëJœèx(
-0m;8AYU8êo÷uÙ:ñ4Æ3mÃ[^fi׿p£ƒš8T:aSÙ’µu®m\˜jù¼2*jc>Þ³¾ñòW¨„æ3¸&ŒÊÿÀWˆçïƒÊk!^¹ÆTμºÇ]
-FuŠ¦ºîl
-С0¹ô%X!„/MmË ;ÕB´iöµý`ù·øå˜ìü¯Ë»)N¿Y\ÿ2ŸâìÇ>ä›i(/]ÃÏ[¸öÞ¿øýyÓ
Uòmj>Y®÷·ÿà
^€ç-§¤ÌðW,§l÷§‰}0hÎi|ãcÆ1v`“7Û´‡ÆWÁÜvçÔhó&+Ú¶7m¹…*`ï
-ßAô(ú‚!~›ÖN†8½¼¼ö”c×hª/žrþߪþ *`(I„ÍÄŸ€ž<AGOà®®dWfN¶'3Å
T‰³bø‚	„źOaWoç‹ù«Ñ–óPý$¥âXa•>Îvå§"觹âsWÔ6ì_Àî˜wéÞ÷ìÐYdm; GÜûU_šÚ³Fåû¶xLŸFà^PÂI!XèŽ_…ã×¾è^5mÎ5C4Š³ÒÁ[²?•Uh¬žx¾04¸þ_ʉ“endstream
+xÚÅËrÛ8òî¯ÐÁºÊBð"@ÎM“(YO%NÖÑnMm6J¤mÖR¤F¤’x¾~»Ñ DIìÙÖ>
ôû1âð/F±a&•éȦšÅ\Ä£Åò‚àÛ»áaÆ=ÐxõëìâÕ[#F)K4£ÙýWÂx’ˆÑ,ÿ¦Ø`àÑ¿>ÞN¯Æ2æÑÛ›÷0JÇ2zý·É§ÙôŽ>úëÍíZIixýñöíÍ»ÜM®¬Žf7oiùnúvz7½}=½ú:ûíb:Û^yH–à
+ïûÇÅ—¯|”u¿]p¦Ò$}‡œ‰4•£å…Ž‹µRýJuñùâï[„ƒ¯nkM‚3©ŒðIËŸâ”%•ãÓålö©X5€•†%nÃPÙÝyñoÎe]äô³¬=;Þ¾¦‰TáGZücSÒdïµ›ÕªYwãfN“WR7+Ö­³  Þ²G}^TÅCÖIn½C»X—ó3ÞAXo½¯«¬m«¢õ;onÇ“7oîØäî2sÒãëð"‰í¾!ï©íÇ»›w7àŸ
8ÎЙJ6À;q8Ü®c	¢ãÀ}b,=n?Óøyz÷ÏéÝ%›þ>ùðéýô•£ÒÒô’†×·“þã%ãa×D%{N¥ø-«ÐÊɃ4ÏspÌ‚QâQòB$Ï"ç
8CpÏJX._ˆT¾)Ý”±0Ò¾”yâ¼aº@D<é4†¤Ò—ä*UÌr{/üo»ú{p—ǧo@û8àòÓ~Ç>ªqOÓXàMt8Ö¤‰éIJØÆj/
Ãj’ùÑÙ£³“GÅ	zT›ÚM,EXè¾74¹oÖˇ×eënÜvÍÊïZÓ¸[È
+S£¢›Õ£?S uÛ…”OA§œñâè}¼Ðn¿ˆjúø÷Á¯ÓÄùh椠N“ª¢çï¯y
s™FD®fu~ˆz¹i=Îy2ŸUÓ–˜%©¥¶À{‘‚t"ü9­@ýƒä0Ä1ÓÂÊ¿€s»å”ª)®™1BžWµX€	¤ä\]>f„2nHÃ$S:õ×6Uì5'Í÷
+œÖÙ²_D1ÅvuœÝìV‡Q174Î=Ð.‡ÊÉ)¡“V&ûj7©!gÐT£¬ª"¿@a\A¡*D0°z›-¶OËySµ„ô{Ù=b,×R:¢Ž±³¸2}Jf¨€ÚÜPæaψDúáç"ZUÙ
çž8ÇPœ`²†€ãž% _pºûÊí²¹±0ˆÐñqÆ1Ãô¢¡õ´8œd4\ÒàH^~¸ÐlºÕƃ>5šÔ…»ž ™i'áE¶ò[Âl’	Ú@œœ—‚Þ:ºMë)”À`ÐÞ}¡ƒ¨á0­ÜõµŽæÙâ?-¤U„ê›×èÞ:T-€‰ˆ^?À¹@­ì)é¶4¬C5ÓÙås§¡hRn=Ä3…”ËóŠjÕ,³'bJ³Â¼1«ª'Ï‚Öj¾;Ùi§Z¤BP·©T¤÷Ë&/ÑÙC|…2ˆ¾?–®–€éâÑ×v©ô‘‹êçÊñ÷ ‚•õ Ú@GÎ¥*E•ûsʼóç [¸îyÖ¢Jk.¢{·LÄ΢d‚IxG—È7ΠÀ?ð-W€ÇO„ìuô>™µÛ‚¸„ò3/ÁAU)1Ø)'ž¶!9ÓΈu
–¯©a6Õæ ¥PåôMÐtRcwbüríDñåùýõks* ð@&N;^ ë1£·è›”ˆ£âG¶\UÅuàJ&aVjþOP5–üZ]ç<LH¡ aBlíÝÛ^
+Çn-\=
+?%÷ÞJB­¬cÔÀ´ö¶ ãh±Y“ººê¾8o}s­Ö ¾íÞ݇ÓMÕ†Ìd4äÅ¢\f}s%hÿ-Žþ¤¸ÑÐâ*Ëó"h];c4‰O%íÖ(aI¹ÔëT°ÐoYYeóªÏ@}°À.ç¤åMÂúîŠ.›Œy(V(ñRö.;uOl/@#k¼Ð¢#äörÈÑtºS÷î˜Å*âödxo4ÆP&b~à0AwÄñ“ÄI•é­ÿGÐú9ÔDý×!"˜Ö²ÏÐ~ª­82—äÕ6«iÁL)cèhc~@^Üg¤\ðcð·Ål=p“2kRûœ©ªçLµ·e~ÍÆ
+Õ±Úö“^âlÀEbã³…ݾ»<á ±MÓóÀ˜aò«ºéh’ÍÛ¦ÚtÎ’¥ðÖëC{	Õ‚;M¶qÁ÷tt @ɃÓ3m»0‡WãÇþlÌÑû4BG¬Dºo÷Î-K%±«ºÊºr^Ve÷DK˜Ó¬ÈÖUYxHl’¹X€Ë¡<Ù6ƒ/CQNH&m,†tÒ¶+±èÃi_&<Ô%uXa-ó`e—‹¬ëÓàD‚xȱk”ù>´ëtV¾u¾ß¨Û¶Ôɉ.‡åÖO–p»ºP*@~îÉäg¿ãTUé³1OÏV…˜D@¢eÈ°9ÿ\ÿaâŠjщ"‘]Jôu!|¡Ö4.ùF+õ¬ÃßÒ—mDÀõO³»kZv}¤kZ}³'Ñä:Ôo˜ÀŸoí»®·ŸOËmÈŸãñ œ÷×ùªàwœf>)äTgÅEŸJüVø%å@j¾§Ü,³^ßɸ~ôï­ö=W’m³(Ú¶og·åýÚå¹Ô…ívÎ0|@ÊÏqgÇðÝCàÿ£S( á…¬Cc8wcÓá‹äÑˤ´	Ó	$—`Ý	ÍS;¡ªÀˤ„º ¶&ö}¾`d‚ÙØôô{Ü~ŽäÞãú¸šû×zܸw»WÈ¢o<°/Šp¨"ÙÚÏ\†8ôŸmàdà~ןԙ„fý›&&ˆÙ±Ÿí¹išR¡'_>zÖì^úÀ¼{d×,*‘a	m%é/åžoÍÑÍû—èã«ÿ»ÛŸøendstream
 endobj
 1142 0 obj <<
 /Type /Page
 /Contents 1143 0 R
 /Resources 1141 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1107 0 R
+/Parent 1097 0 R
 >> endobj
 1144 0 obj <<
-/D [1142 0 R /XYZ 85.0394 794.5015 null]
+/D [1142 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1141 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F14 616 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1147 0 obj <<
-/Length 69        
-/Filter /FlateDecode
->>
-stream
-xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
-endobj
-1146 0 obj <<
-/Type /Page
-/Contents 1147 0 R
-/Resources 1145 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1107 0 R
->> endobj
-1148 0 obj <<
-/D [1146 0 R /XYZ 56.6929 794.5015 null]
+498 0 obj <<
+/D [1142 0 R /XYZ 56.6929 743.3113 null]
 >> endobj
 1145 0 obj <<
-/ProcSet [ /PDF ]
+/D [1142 0 R /XYZ 56.6929 716.1502 null]
 >> endobj
-1151 0 obj <<
-/Length 1537      
+1146 0 obj <<
+/D [1142 0 R /XYZ 56.6929 508.2976 null]
+>> endobj
+1147 0 obj <<
+/D [1142 0 R /XYZ 56.6929 496.3424 null]
+>> endobj
+1141 0 obj <<
+/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F66 714 0 R /F57 632 0 R /F14 616 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1150 0 obj <<
+/Length 1534      
 /Filter /FlateDecode
 >>
 stream
-xÚ•XÝoÛ6÷_!äI*Z¤>(µÃ€4m·vÅ°5éSÛY¦m!²¨ITÜlØÿ¾#´e[mŽäñÇã}ÓÔázYBÂ(=žÇ$	iâ•»Yèm`í—µŸ¹{‡ÛbÂ3Nõ¶ÐRJbÊS³áåÛß_!wŽŸ[Q]¥qt#›¾Z‰®PP<“(N™ÃËI”ñÌàqBç
Ãп.KÑ÷ÕÉï«^9¨ÈËIž²Ô"E)ÉãÄ·'¸}N3!baÖ>‡Ix}ó¾‡/}¦§R¿0¼׋Õ
-‡û»B•[\«0j[(\”N•EƒD/ìÒÐZÌf…DS•÷M±³G­e‡|ëA
c†ÞUsPáɽ)%y’0sñ¢®å>h¤ªÖZJRÇœÃ.Íül/&yF#Ë€h
¢›KÀŽŒ>
¬ÓÒƒ?Lr
-®@Óÿ¸¬‹ò~+k1Ç$cô‰U]Ñôk€K¼4&4ËŽ¢_ª$š\2BÃ4÷ñ™äûªÙ+ç¾v2¤ÌQ–FoᙯæÔ—Hn‹«ŸÃ5&aPžx1LÈ·´ßJËc|NŸáÜðà˧}­ÞÇcs‡,ö÷•ÚÊAY€zP´ÔúZg¾…:D @(-äGš¬…
Z‹Ôvؤúrß·àwh¢'îtT&†ô[1J"¿êñ[ •’td%––‚ÐJ)WvÏJSNBI–sçÀJ"³‰7Mh›–"žcÌFœŽéÄF«rM#Sl¥gŽj'sÈ 9ä ]¥ŒwhÆËÍÑåfC/Ñá ThŸŲ́Ó-*´-:U9cØd¶µ5b‹ê~‰¾•Òxœµ¦MS¡ÿJÞÚ¥ à,d±)ª¦Wç1¾è‰1"~ÇÌSâQ6ž¾»¶§²•{$´bŽ’ËVtµ­3EÛ:RÛì¹õ~V’И90C¨ë•BBû¶þjQôpÐA³Bòj)7CßÕ_á¦}Mí«ºFjYËòÉonhN3ômQŠgSaådÙo+]Z4©£¿¥Üíd£ïfdì$Uã@¥\/2²£}ÈÔ!EéäswÀá?ø	‰ù[d/pLÏÆì|=×3ð¿`±c6™"ÇtÊ!K¦fŠ²M3œLíä¿/Nï@Ÿh´’¬Ó¸f ïK¬QDeC8:McºÂ9»Ø‰ÂêL')ãÃn)º(Øw¢ß¯Äüµu˜ ß¸²
é['‹¥9œFNTCȤPߘ—õ±”NôïZἌ?à»B«ùñà®ß•ÉAgÊAäi1þ–=êÊæávõCU«ÇÖîÛ=ËIðuåîqµ[Œá_<ÅEóxzí`R"\œè‡MÂÃÎúÎxzD£Cÿ¡iLÆÆ’ºéÐSZ
-S7ô@çàˆÆzâPŠ€^cÞáèÀr¨Bz045¶ÓôÛè©ma×–B4x”«K•„–hèuîÓÓ«ª&U·„@ŸìÞ`?Mý<Ö©íy‘à2~™«3ÔÖæúnêz7˜Â%êJ¥ÂW©Ú`ÁR/ìÉZC—-KÄ ‹†±kD¯?ÞÞ¼þ0‡nÿnªaá$‡—ŠkZWU/»G<J‘Ù@é¸EUqpÜð“昽¾;¼Á=HÊ<99a<¥ø¦ÄÕ{ÏQ¿Þ—nC0Úaž—'Õö×Ä„jŸ£ÇЧ¥ð†=ËîÀ@Š¡/E§ˆì6@/Úa¹°SwÝÅõû`$ºtä¹ÖYáãr|³˜¥$Kxâ¥ðHaFÌ¿fŸ¾„Þ
-.øn’(Ïoƒóv3‚,sãzv;ûóxñ^p¼¼·¾XC_f™ô½VòR8°#ç9	wñ’?ðœxbßs$}àÏçǹ·>äýËÁÔiŽ%8òàcï‹BÐ˹Ò‡¥ü§ÜO—Çýc~A¯endstream
+xÚ•XYÛ6~÷¯öI"Z¤î¤(°Ù$í¦AÑf7OId™¶…•EE¢Öq‹þ÷9¤|H9‹…†ä𛓜¡©ãÃuÒˆøA:I’ȧ‘Sìf¾³µßfÔð„Q@¢0`0±êEAJ¢”%Žw
+òò~¶x2‡ù$ŽYäܯYq‘(cÎýê£{³ÍÉÛ¹Ç"ßMæŸïßâ®$iBÕ.$d„A¢7¼¼ýórgø¹ãEß–ò€£Qw劷¹,ðhH‚0f/NõƒTã9÷¨ïûîuQð®`d+*¼+;i¡'#YÌbƒ€g2sÜáî9M]D
‚^ûäGþõÍ»¾ô™šŠÝ\ór\ÏW+"XèîrYlq­:ÂÈm.qý zœ*ò‰Ž›¥¾1˜õ
+‰º,ê|gD­E‹|ë^ö§:ô!Êzðà™Ù”’,Š0‚yU‰½WY®NŠb†I»ó³	¼d)
¢}éy;	A}X«¤ƒt˜L(	Rÿ,à²Ê‹‡­¨øT’”Ñ'*Û¼îÖÿc¼8$4MªéTä² Š22Hâ8s•koÕ¾$Ô6¤¡»/åVôÒT½„ó¯´Vf]ä&°o¥”’)²âæÌ*\¤¶ý†#5œßküÞþ…ß“ƒÆ;b¥£3ñª¹ƒ(pË¿9F	\}ŒË‹!
+¥+³gÅó©$¡$Í›ÀR ³>oŠP1/I†g6€Ãi™Î¡Õ1.W42…ÆQjæèv2÷bšÁ´+¥ÎÅ8ÞŒ7kzyÀ„ƒ£BãÐƇj Œê¶E‡6y+KsA,xe‚Ø »y-q¢k„Ðg¢i®)ß}%îÌŒ”pàd¾É˺“—qjèDçÇ›ÍסDQæ<}ÍwMÅÏ3d+öH(Ç5
o+Sfò¦±¤ŠÙs“ɨ:°ÀÇ:³X@|U®$*·ÕW©¢¾€ƒ„:4+$¯–bÓw5—ÝN൯¨}YUH-+Q< ùþÍ
ÍhŠƒ®ÉþlêXY]öÛR•E*Ǩo!v;Q+Û´ŽÕ¤¬-¨kEZwŒ™’V?kÿÅOôß"}cz1f—뙚ÿ-t	ÈX¦j·d¬§(;A¢qŠ“±™üïÅ<É ;xbÐ
+¸d­¯ 5=e/1Aá
”
nh=×ΙŖçÆgê’Ò¹Ðï–¼ýƒ­¼3ÿ~%úïè­a‚ŽL>;Ò
vNKqØå3é„L*5š¦£²~ª¥Uý*±É2þd€o(u¬æ§ˆCºþ¤7éœélúGÔFÔ•¹w·«ºZ³o—wP,'ã¶.­W»Å)üw\:ŽG^ÎÍþž}“íðpáÝëLh0ôŠÆËXGR5jJi¡ë†¨;8 !ž	51”" ×xïp4°UH
úºÂÂv.L¥šÚæfmÉy¢l]*´D}§î>5½*;oÒuK8襛¯7ØOSw'Ž5‡ÁÕ	öN?Hp¿ÌÖjê³}7µ½Láµ%HòBâ‚-€Ô=o°`©ãF²òиe	Ü¢~hÑëw7¯ßÏ¡Û¿ŸjX’ÁKÅ6­«Ç²íC)Ò(=mÑÁUI˜š
¿(ŽÙëûáµÁK,N<8p\LñE‰«Ž¥þ8y]Ú
ÞÉý¸<«¶#\}&dó³8„>-†ìÙ‘Y,€ä}WðVÑn€^4ýra¦ÖÜÅõ;oîEªtd™òYáÛòÔ²Å$’ȉá‘´š_f?ûÎ
+|;óI¥‘³‡O‡9»ƒAšÚq5»›ý}4|ÀóŽ€c»•ai}™aRv­ÄX9ˆc’dôD¹Ñ;~à¹xßK$%ð×Kqö¥DDýn0%ͲxGüÉà4û|À²Ä)aq2Ê)ûÄXÜÿ¡EAendstream
 endobj
-1150 0 obj <<
+1149 0 obj <<
 /Type /Page
-/Contents 1151 0 R
-/Resources 1149 0 R
+/Contents 1150 0 R
+/Resources 1148 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1157 0 R
-/Annots [ 1155 0 R 1156 0 R ]
+/Parent 1156 0 R
+/Annots [ 1154 0 R 1155 0 R ]
 >> endobj
-1155 0 obj <<
+1154 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [513.6761 73.4705 539.579 85.5301]
 /Subtype/Link/A<>
 >> endobj
-1156 0 obj <<
+1155 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [84.0431 62.7606 448.7754 72.9224]
 /Subtype/Link/A<>
 >> endobj
-1152 0 obj <<
-/D [1150 0 R /XYZ 85.0394 794.5015 null]
+1151 0 obj <<
+/D [1149 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 502 0 obj <<
-/D [1150 0 R /XYZ 85.0394 769.5949 null]
+/D [1149 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1153 0 obj <<
-/D [1150 0 R /XYZ 85.0394 565.4467 null]
+1152 0 obj <<
+/D [1149 0 R /XYZ 85.0394 570.0146 null]
 >> endobj
 506 0 obj <<
-/D [1150 0 R /XYZ 85.0394 565.4467 null]
+/D [1149 0 R /XYZ 85.0394 570.0146 null]
 >> endobj
-1154 0 obj <<
-/D [1150 0 R /XYZ 85.0394 528.8591 null]
+1153 0 obj <<
+/D [1149 0 R /XYZ 85.0394 536.782 null]
 >> endobj
-1149 0 obj <<
-/Font << /F42 605 0 R /F43 608 0 R /F56 626 0 R /F57 632 0 R /F11 1131 0 R >>
+1148 0 obj <<
+/Font << /F42 605 0 R /F43 608 0 R /F56 626 0 R /F57 632 0 R /F11 1138 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1160 0 obj <<
-/Length 3196      
+1159 0 obj <<
+/Length 3198      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZKsã6¾ûWè¶tÕˆ&	÷6Éxç0“Œ5»›Jr€HXâE*|XQ~ýv£)Ó5Sµö`hî¯T¸
-à?\ʼnŸdQ¶J3éÇA¯òÃM°ÚAß7!Y»Aëé¨ï67wï“p•ùY%«ÍÓ„—ò¥ÂÕ¦øÍKýÈ¿ýcóÓÝû,˜Œ?Ž°Ç1ßÿøéãÇ
šq”Ê—¡ŠxØÛï–8%~$BÉcï7ŸÞ-±
-aXÌ£~âàýÇO·ë(¼ÏþC­ÇûO·qìýëþÓ#Œoa‚„ͽýysÏcSÿ¤xß=À^,%sS¿ÿüéaó+½}ÿñÃãûûOooSémà
wts¿e:•{èŸ7¿ý¬
-ÿO7/2¯Nðøa–E«ÃŒ…K!¥ºy¼ùed8éµSï1@I´p‘2Z…Ò:§7g~¤ÒÈÝäí:‚ÀË÷mÓôtT]ÔèL?”ÜFù>5íµ|;Ó>›¶³²µ7$Å䆂Õ:R~’fÂ.÷±ÆIá8=tÓßÐ[Ùó³£ç±éºr[zëz¶·Ê˜“»4˜ÃMÛˆ“©>…ÂWÚ¤*pÖÛPyp^S,lZ€öÅ2äÁ¦~.ix}05o…Á3£ÉÌ$ˆÃË2°}E:"SHÔECâ¾=³pŽ&/ŸÎe½cìY¿G‘äc¦~Jùq2šÖº_X2ý,ŽÝÇgµ–点ØÝû²©Ñi¯	·p‡iʲmu[Z…×7Ô’±‡4\¡Þžˆâ,¥Ly?6'´~ÌR­'MΦ.(¾ñ6 qæ‰ø
-{· ƒ¬ÆNNø^€zÐgÍrÈq!ʶf=çqTŸz×][ÁÒÔW¡ó¼w…y¾ûÛ´ÍR¨ ü4Sœ%ˆ¯¦ÆÒeÕ‚­ ]CL#äט‰)³ªÙ-Ù&ì?
-ÒICiô]Ó.y@Áx}gúœ"…¾<,Yªh©"ü¥àüäoJ©—A‚Kð?Ï#Üùýû¡Î¸¾,üÜ–M;µ¤h„Ëð•:|ð†É·XUæl’–7”µ@,Fë-ó‡ÐB¾¦
$.øg¸«$p8:ôcúDi½;R¾×õÎ8ºQKˆ4]GtŠQxhŠåºçÜ
d·9ÖE@‚h›ñÜX¬ EüjÒîWfcˆÕœ–®G€¹XÏå@Àv
Ï·9P˾[0Œ3ÈOÌ `
-®
R)=,Ä——EƒKŠyœ|*°þ‡ÓÜU3ðóB©ý½­æV}:›Ÿ;·¨;ÀmÄ·øøOe“õãX,¤t³ÄÉR‚QèeËÜóö|ì›]«{—âa·`5f}½aF[^ã`t½™¨‚	„°–t:gÃH°ê¿«ÇjqGƒ0~Û<>üÀ…p¶!‹‡ÎÒªl"_ÃÔ,ñåå£××15G3
–q>G_ATëûhC°?¢}1gjÔ·Xl^‡Þ’¶»$}…Ð
-hɹÒ-è–aír…ˆ‰›	¸6H>Ætü™àm
-b,Ÿ
ì/C—Œ:‰ÔB¤-3?H„K²HLëcS•ùy9sŒS‘\KË7¶f¬®öÁT"’«Jñcs0Nzºx¬ä6MÇdk9ðübÌ‘zµµ 1Ž1ô6^аwy˜î5µ¬Nèë®8l!5Ö%« å3Ð]h	—p¬r<~½ÌD(Žë3»„À‚æQ·Ä
-ÞÐYûd)ì a$ÆK»*¹ãº2p“—¹ÔÊ›º‡õpð‚L”MãÓâÚe"Š"wáÊ'@°Ú&^zG1–÷®x¶•‹qOf{õ¥Ž_Í>ˆ;esêñã:Ú!ƒœÆÍÃ$nÖ—±þk¿2ÀÇB,ý& +ÿ÷/.?‘î+]~\0O©•/0áM¡¼õbçî§
-/·þ?Æ,3endstream
+xÚ¥ZKsã6¾ûWè¶tÕˆ&	÷6Éxç0“kv7•ä‘°ÄŠÔòaGùõÛnP¤D—Sµö`hî¯T¸
+à?\ʼnŸdQ¶J3éÇA¯òÃM°ÚAß7!Y»Aëé¨ï67w“p•ùY%«ÍÓ„—ò¥ÂÕ¦øÕKýÈ¿ý}óÓÝÇ,˜Œ?Ž°Ç1ßÿøåóç
šq”Ê—¡ŠxØûO–8%~$BÉcï7_>,±
+aXÌ£~âàãç/·ë(¼¯ŸþM­Çû/·qìýóþË#Œoa‚„ͽÿysÏcSÿ¤xß=À^,%sS¿ÿúåaó½}ÿùÓãÇû/ïoSémà
wts¿e:•{èo~ý=X þŸn_d*^½ÀKà‡Y­72~,…p”êæñæ#ÃI¯ºxaBH¢…‹”Ñ*”¾Ð9½É8ó#•Fî&o×a^¾o›¦§£êº Fgú¡ä6Ê÷©i/åÛ™öÙ´•­½!)&7¬Ö‘ò“4v¹Ï5N
+Çé¡›þŽÞÊžŸ=MוÛÊÐ[ßг½UÞÀœÜ¥Á¦hÚFœLõ)¾’Ð&U³Þ†ÊƒóšbaÓ´/–!6õsIÃ냩yƒ(žMf&X@ž—%pè+Ò1˜B¢Î
+÷퉅s4yùt*ë`Ï’ø-Š$3ðSÊ“Ñ´ÖýÂ’aègqì†8>«µ”8´È
ÀîæØ—Mæ!#o³Ç[Qê度ÆÞTGl)¯<IFφººS×›·M>´e¢·í‰¦+Û“!‘®[%óÖ4
+wØ>n›?ÞÙÝÚΗ}™ï¹YVµªò€úƒ³PPx¬À‡p«Ð½3¤·ESs«|b­Ÿ*4wuôÌw¾Cٙ™§~ë’Õ
,‹¥ô†Î<
¶…÷dt?ØÙ†:­¦B]'Ø …+ýƒÔé½y¢'«9L²[
+OžÞ–•®¥6ôMdºL¡Í¡a¢f6šuSÛò¹¬ÌŽLâ,:R8P{ÆÝ‹JDêÀx=0\O­ÀHÊØ©»åx­ ý2'&ê'ÂÀû×my|cÝ°Û™ŽÁŠŽZ³‘t²óuÎOfIç³¼ìMíh#VžÓŽR4V9·í%›Ÿ”Ž^pr÷¤4k‘J?MƒÔ)OjÇýhFQðD;çùCŽw‚. U:_3ÙÞ<<«FÔbQj„Æù¹„Àk«¿ŒYÊÂØÏ™æc	X(çÃïžu{WëÃ"àÂ%ƒGr<ѨŒÐx2wÑ+ÅÒÏÒFÇEÔ"ÜC–ÎU™ÚÂÑ?
dÊ|ÈÛLµ%
+¢¿³æ«É´µ›7»Ñ»¡kïª&×Õݶ¬ùèë<-؆};&ôô¼’Q4Â5¹R¸ª0Ò1ÙwoölS'~~‹}Ö²c±F[n !0´±jXà‰Á]zÖßK‹ÆÎ.õUFo„ðE¯yS䎢Æå^šöQm¦­NÔWÖn'4@·}™•æÄÕä}ÓžhÈ°à›Ð»ä‚Íù*ˆ¦ŠêÔGøI˹yM‰£ÌW*Í&ÈŠ,ÒÈ;5páB*窠UTláÑñ	JI=ªL­íãû•À쬽æVYçÕP˜Žƒÿ8õ{r«ðÎnØáŠÝ|I²'uOzÙ½ÑÉÝYfvƒÌþ†È”e˜•v/ |ÖEé¹4/ˆÑK"Î2?UYøW°B¨4Nl”¼žõa¸š܈ìÖ&ß‚ ªp2ð6Þ/¸)¼ìç+FtvrCO]ügèú‹õžu5˜n\ÍJ'L,´ÅKÁ;Ÿªüf&­kãIá˜Qâ$ÚËš{-)Àk&α"*^s3_œ…v,‹5	b9æLTrq:Ï›¡fàƒ|P¤Ž½V˜D‡Éâ¾Ö|L‚`û=¶Ïè¶*)
+1žéX*’UE’gzGMkØG7ƒ¤þt,6«ÓR /aûYèö_/"NcÒÑðEKv$’¢¹²zåV ~¿ò$׈&²ÀYz×ëž÷kW©­ø`™²†.8¹}@ËHÅÉ…+Úk‚-Üaš²l[Ý–VáÀã
µEbì!
W¨·/Dq–€ñQ¦¼›´~LN­MŦ.(¬ñ6ò qæ‰ð
+{· ƒ¬ÆNNø^€zÐ'ÍrÈq!¸¶fæqTŸz×]ZÁRp!¡s¸w…y¾ûÓ´ÍR„ ü43›%ˆg¦ÆŠeÕ‚­ ]BL#ä[ÌÄ”YÕì–l]`NΞâcÈÄÅhxw¦Ï):èËÃ’™*fêì/ SÂ1ð¹
+\RÿuÕ^åô‡:GÔz;@ø¹-›vjFÑ<ð–á+qsøà
+“¿bR™3üAD*ɪW–/ÓÌù8•š—5ßôb^ TâpþO®Þ©sR¬PÉÓ·Á4ÈP7]¡(àssÞ£Ý54ÄuÌ/Wti@ø"‰Õ%\ñ¼a´	å}ý€¢1mÍ¿Qœ¤ÆmÝ•6x„ö%à;«¬Bï}Õ5,ª‹§ÙæSºÂù¦
/cåK%0Åæ×nFd€’ÑèŽß¸™õ8|!"@ã,õß3É¡a€×ôè*ýÌCGìŠÎ¾« u¦¡¤¡ùB!5¾®#¢àÆ~wáyK
1p»¤õ¶èÅ‚<‹Åª"‡ý@Ö}w[Pç–©ÝÇÎÆzV
®ØÆÎ^`OýŽÚî¨ÐÏ®ˆ“3R}5Y`ŧáù6AjÙwK†qù‰™¬SÁ¥!@¥‡…øò¼hpÎ/“ÏÖÿp®€»j~!Cc^(¯DØUŸÎ&çÎ-êpñ-~†þSÍdg}À8‹§Ý,q²U”`ÔzÙ2÷¼=ûf×êãÞåwØ­ØA)_o˜Ñ–×8]/C&ª`!,ä$ÎÙ0¬ôïê±BÜÑ Œß6?pñ‡mÈ⡳´*›È×05K|yþÐõ6¦fáhæ£ÁÂ2Χââè+ˆj}möG´oæDúÌëÐ; QÒ6c—¡¯Z-#9WºÝ2¬]®
+1q3×ÉǘŽ?
¼¯@á@Œå³ý…aè2±Q'1Zˆ´eæ‰pEÓúØTe~ZNãT$—Ò²†À­kÆ…«÷C0•@ö?/<6ã4 §‹ÇêmÓtL¶–ÏoÆ©W[ûãChã
ûð鑇é^S˺ᄾˆàŠÃòb]²
+R>Ý…€–p	7À*Çã×KÁL„â¸>³K¬fuK¬à
µO–ÂFb¼ä®Jº«X;®+7yžK­¼©{Xß!ÈD)Ð4>-®=P&¢(r®v«mâÚ;Š±¶wqÀã°­\Œûb¶_ÇáøÕì#¸S6÷¡©?¨£òwÇiÜ> endobj
-1161 0 obj <<
-/D [1159 0 R /XYZ 56.6929 794.5015 null]
+1160 0 obj <<
+/D [1158 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 510 0 obj <<
-/D [1159 0 R /XYZ 56.6929 769.5949 null]
+/D [1158 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1165 0 obj <<
-/D [1159 0 R /XYZ 56.6929 747.0488 null]
+1164 0 obj <<
+/D [1158 0 R /XYZ 56.6929 747.0488 null]
 >> endobj
 514 0 obj <<
-/D [1159 0 R /XYZ 56.6929 613.0366 null]
+/D [1158 0 R /XYZ 56.6929 613.0366 null]
 >> endobj
-1166 0 obj <<
-/D [1159 0 R /XYZ 56.6929 586.6546 null]
+1165 0 obj <<
+/D [1158 0 R /XYZ 56.6929 586.6546 null]
 >> endobj
 518 0 obj <<
-/D [1159 0 R /XYZ 56.6929 473.2336 null]
+/D [1158 0 R /XYZ 56.6929 473.2336 null]
 >> endobj
-1167 0 obj <<
-/D [1159 0 R /XYZ 56.6929 445.9291 null]
+1166 0 obj <<
+/D [1158 0 R /XYZ 56.6929 445.9291 null]
 >> endobj
 522 0 obj <<
-/D [1159 0 R /XYZ 56.6929 376.148 null]
+/D [1158 0 R /XYZ 56.6929 376.148 null]
 >> endobj
-1060 0 obj <<
-/D [1159 0 R /XYZ 56.6929 340.4845 null]
+1062 0 obj <<
+/D [1158 0 R /XYZ 56.6929 340.4845 null]
 >> endobj
-1158 0 obj <<
-/Font << /F61 642 0 R /F90 1164 0 R /F42 605 0 R /F43 608 0 R /F56 626 0 R /F57 632 0 R /F66 714 0 R /F58 635 0 R >>
+1157 0 obj <<
+/Font << /F61 642 0 R /F90 1163 0 R /F42 605 0 R /F43 608 0 R /F56 626 0 R /F57 632 0 R /F66 714 0 R /F58 635 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1170 0 obj <<
+1169 0 obj <<
 /Length 1975      
 /Filter /FlateDecode
 >>
@@ -4404,134 +4417,134 @@ xÚ¥Û’
 À™+¡Ó/Õñé­ê³SGñYŽN¸¼ûÑ	éYhíŸ#:GÑmH'9ðära¯cûÅ“n~‘. Pp7tÙ”`è7u”²®‰Š8‹ó(3"|’ üŠ [âV£$ÄÜïf|Gö’Qe}ÃÉ]&ì6!0C¯Lç=LüA×ÂÍ5ˆmƒâCÄýÛ!y½¼†Í4Ï”èÆ}Ñl4löªÒ¬ùÈâ®ææx_èMMDº”=£}ͼ“l‹âàL™˜­Î«Eú¹;eÓÿo‹LÄ‹ÌߎÒnÞO7{ù·’«ô;Ùž¾üýmåÅÞÏ=4XOʼj¯/WsùIõ£t3uôŒEõüá‰Ë	¯=rïyªç¦ÃÍMQ³†V,éxéJ˜N'PÊ×@?ßAç¦bÖò@^˜Å/º¯ÁÆ×Ï?¾_3½©÷þ»§ŸJxŒ8ûa¯ý÷dÃÑ–ߎ›•	xyµéÌa‘àüćy{ÇsÙ´åw‹±¶eY6HuÓWíTËqE/žjå&§ŠC¢@dïÙÃPv#–_}Ðú—åŠJØëf¬ÔD1ƒG3Gfázª,…†a”³NÆG&“@¦cW
 ,ý&k«­“«¡Ño„ 3°MB˜
~½ïy£*`´öÛýÔ×Fkû˜Ä·:=ÏÀü+¼¼iLb”æP²$ƒ¯ÁA‰~C÷SœU‘ÈGšF
†)‰l.CäZ¡NeõZؑ˱¼®g‘Z‘Ø"æ§Á¾^àÞRÐÑ“‰ü®ƒ`Ù÷ºÊÖ<¢ÌžŽš¨4•y@;ä;¾@y=kVÐŽÌí•M±¥­œiªë×#ÓF",¼›Ë~Í( ¾31U7æúÃN0‘Ðö¶y“”›7qž›u&÷u]VšHøjúgÐäÓ¶ÊßF„XÌ1På'Iš3èÑåÝ_^Ü'(.`ÆùFD¡Ÿ%9}ö!êëÆBßÏŸ€œÀv!a¾%ÙÂî^´ÞÁÐê‹…Û‡[`¦û…È‹kn>C9¦;®Î~§}øÓÊ°p}¢àÙÀŸ›±á@ó}”š¦ÁÔn£<÷E&âëÚ¾È/?Ôf«\ÉJ’øI&>•Ã–„Ÿáï'ÅIl—"÷Y¹×l­O_<>^.Ÿ³òhÛò‘«ïñ®nÒê*o|¼I”ãº÷ë*÷Úþ[ªðÃ"…În’Ôí%·aÇ/oþ­Óö«d”øøsÍc˲yèóæÒ	¸†ü<,2«]I‹[kîcé½¹ÿqí endstream
 endobj
-1169 0 obj <<
+1168 0 obj <<
 /Type /Page
-/Contents 1170 0 R
-/Resources 1168 0 R
+/Contents 1169 0 R
+/Resources 1167 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1157 0 R
-/Annots [ 1177 0 R 1178 0 R ]
+/Parent 1156 0 R
+/Annots [ 1176 0 R 1177 0 R ]
 >> endobj
-1177 0 obj <<
+1176 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [348.3486 128.9523 463.9152 141.0119]
 /Subtype/Link/A<>
 >> endobj
-1178 0 obj <<
+1177 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [147.3629 116.9971 364.5484 129.0567]
 /Subtype/Link/A<>
 >> endobj
-1171 0 obj <<
-/D [1169 0 R /XYZ 85.0394 794.5015 null]
+1170 0 obj <<
+/D [1168 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 526 0 obj <<
-/D [1169 0 R /XYZ 85.0394 769.5949 null]
+/D [1168 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1172 0 obj <<
-/D [1169 0 R /XYZ 85.0394 576.7004 null]
+1171 0 obj <<
+/D [1168 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 530 0 obj <<
-/D [1169 0 R /XYZ 85.0394 576.7004 null]
+/D [1168 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-1173 0 obj <<
-/D [1169 0 R /XYZ 85.0394 548.3785 null]
+1172 0 obj <<
+/D [1168 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
 534 0 obj <<
-/D [1169 0 R /XYZ 85.0394 548.3785 null]
+/D [1168 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
-1174 0 obj <<
-/D [1169 0 R /XYZ 85.0394 518.5228 null]
+1173 0 obj <<
+/D [1168 0 R /XYZ 85.0394 518.5228 null]
 >> endobj
 538 0 obj <<
-/D [1169 0 R /XYZ 85.0394 460.6968 null]
+/D [1168 0 R /XYZ 85.0394 460.6968 null]
 >> endobj
-1175 0 obj <<
-/D [1169 0 R /XYZ 85.0394 425.0333 null]
+1174 0 obj <<
+/D [1168 0 R /XYZ 85.0394 425.0333 null]
 >> endobj
 542 0 obj <<
-/D [1169 0 R /XYZ 85.0394 260.2468 null]
+/D [1168 0 R /XYZ 85.0394 260.2468 null]
 >> endobj
-1176 0 obj <<
-/D [1169 0 R /XYZ 85.0394 224.698 null]
+1175 0 obj <<
+/D [1168 0 R /XYZ 85.0394 224.698 null]
 >> endobj
-1168 0 obj <<
-/Font << /F42 605 0 R /F43 608 0 R /F11 1131 0 R /F57 632 0 R >>
+1167 0 obj <<
+/Font << /F42 605 0 R /F43 608 0 R /F11 1138 0 R /F57 632 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1181 0 obj <<
+1180 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1180 0 obj <<
-/Type /Page
-/Contents 1181 0 R
-/Resources 1179 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1157 0 R
->> endobj
-1182 0 obj <<
-/D [1180 0 R /XYZ 56.6929 794.5015 null]
->> endobj
 1179 0 obj <<
+/Type /Page
+/Contents 1180 0 R
+/Resources 1178 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1156 0 R
+>> endobj
+1181 0 obj <<
+/D [1179 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1178 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1185 0 obj <<
-/Length 2610      
+1184 0 obj <<
+/Length 2589      
 /Filter /FlateDecode
 >>
 stream
-xÚ}ÉrÛ8öž¯ð­é*K!	R”ææÈYœ´3.Ë™®šé9@$,aL‘AÚQý¼
í°S:xððv@ÑY¿èl™ÎCµJβU2OÃ(=Ëo³à>¾‰„&IÕ¬Q	I°ŠÃ‰¦’ ¯y[œ)Qä€VAežâ¼´|ÖŽ…qyk·$3ÀIfƒÌŠGQ(°,—1ƒÄ2Qóó™ŠÃà‰R†U‘¦f€d$J¾8©øÌÝíù*.+Ó笰WÒapÒðQAÕNM \š¿…>þæp’×UgZX˜#FoMNvñã::9NPoø5?ÓZôp1
-üf…y2eÝ£Ð,XJZž°[¥@ûVE¸|oP £’ñ«åÛêÆå‘' hø@qjµjdÓ%À9ŸëöQ¨«'ËF¨ð`—Å"
-¾¢ šÌ8!賜(É‚çÖv©xÂf†ùªÛ™ZÁ£MyÔíuÇ£C]X4OËÞƒºµi(yœ,ƒ¢Î{â¯s!G¡ÅÁ­›*ŒöÀ¶¯ŸNéçµïlµÃ
H7h9µ’@CjˆuPÏ” š,]qh!0
-U*NTFÙ‡<2cȻٺ®rÓ ¤HNjAäÛÒvÖ¸Î)$,’ÑòåÓ‹)Õ7Sj!›]šÒŒÜP©T’McrÒ/gÞ'3"ýÈ`ˆØ}, 
)®¼&öÂ1¨o`ç)gÙÛ|/Ù¹,_åkûBp'd§ÛÞ–à˜²08®¸4ÝsÒÊ(I·®ãÉ`º8E—‘LˆŠ31ŒœiŸàèYPvY9ÆI­ùÙ@äzÑ¢œǾžJÎNɧÕl)¤Û#ou_òè¦ÎucºÖ:æÃ1áC¨2¡š¼_3àS]Ý8P:ßÛÊ8¦+k°/ŸbPh¥¾tà[eáÌÎvGYý	6u4­ì¹Ö¥é*«Y¯+˜±€!·³)3›*'I’ð¸Îv}'Äœüm³ž]o®9Ã"ä	XïîšÉ8ƒàQ@éê7ñ†¯>añÒcq°6ÈvÚ–›}½^ãFs¦¸äÏàrbý‰#PâV)뼊/Æþðw¦}4¥9òÌžqÉÇѨÔI¤!6%¬„4übgdir1.†W×2ÒtN­ÈÅ4åE;N|}ƒ4Ù¿;Pk«‹žR$\×”i¦;þÊ/üe¼ÎÉCÆŒ‹
-É‚¾*XØ,º]«+!}ÊþhÇ,ø¶áï•™ô¯S9t¨,Z¥­ëCÓ‹cgÒ:JD¾:/ ?žLÎé0
×›»lC6K&Œ…'ÅfLÅà«ý®ôiŽRi[¦,y£)
-ÿDï|ðÁ+ýd©¯
ƒ;»Û•x¨ØÇ<7uµªüohÁ~Ð…ÒY”ïðæë,u*ôv€Qs25ÓuFðD¡
-.9bxÝá)ô¡Ea}?„(É-Šº€)3±ÆŠÝóPš"Œ“ÈÇo5§<ÇiÜé²Ùóp­ÍÖ”ØN$Ð~1Oœ@ÿ}Uê“A,A0h:jÜ`òþ{o,•²’t*×\Kð[ÖZFØ:ÑòÂ^¨Ði.xˆZáNàÄÌZÇ'JÄü9‚CRŠ/E7` 4¦/7ÄNŸ‚ïÜèê([`
âacjh	¦¼J—û½,…KLÕob=W<€u‚ßȆö›U†¨¢o¹3Èß}"#ôïÿ`Ù1ýáÂY¡Ó,£`Ýj+˜[ÝÂÞåmDmu-+­u[N†úí /K²®‚é#jÒÈMß;R\ŸíïÊšÔJÄáÀ²É÷à…Ý_èAËÄ%\R¢º™‘ì‘°Šë·Î|ï
è«êè¢À=¬MÏ„¸[¹fó¦8ú"~_ºW×ìÎ… g‚ÉFML
-~:¥Õs抲AæGYf²½áž!,äê#8ÅNÇ1BLUý챇F?)ßNøÝh)	\N¥¿[aÁ€ªýa©’‡ÔsUŒÑüán•
A‰„Q8tÖHƒ:¢ŽÈ¸RjzëD.ªïô#gÜŸöçæ·ƒ£ë~aÓeÜîmÉ£ËòÚr”árzWoM‹z[.‚÷å_½,)Kù;-ç	h©­í<Ë»ö8ð“ïO6®WÉÝöYÄWÖÕ	ydÖ{±þtét˜Y$=1¾ Àuõw{ÀKWYZÂÆXçº}]Œ¾Õô¤ó¦Üû‡ž² áxÚ/zYQ¯‚à/=XÂË+^¶‚ø¤ñš!TŒ‘BñW¨ÔÂwUöwólÝdÑ\ï[|ãjü›Öt´òaßïLyñ*î(aº_D›‚Ü0îd’R|ÅŒäì0÷6WQˆ£Â¨Á³yúžŠ~„þéŒÃqä½à'êÓ
-¢¼w#¸«Ü6Z¸|+3}«è °¿•"-äáàcàïÓÌRÓÌN)†íQŠu%õ¼àù^?&Ú
-a€I1B€e[ßÁ‰ÊÎ
Nwœm^4È°®ÿηÛÎö˜ÿÁÌü¨ÒrxI¨cðÖðãD:4@Ðo‘ñ€’Œ‡÷©ÍšTŽW61šl­Ã¥€óz6hí^iš*–ÔzËKÂ{òq²6{Çô×Þpì8}ÁG¯·£ûûp ¢Ï1áΘMR’ž¼7Ÿ}}y…^ʃLo´¬­VÙ¯H©W­ƒJ†.Qt‰WÊ÷ª€kjÈ»[jrN/‹<$ŸPþuÞ{Û0†ŸŽûµÜ‘ª ?ÕGM«U{µäT¸X¯f'•Z‡‘áìNä^ª¯êFnΫ¬°àQ=t\¤¨7ïï‡ üÿ
-*ã¿SÿQx’Ù‰†ÿ ¿Ä«p1_Bµó¡øYôz·á·û?•Ú×>endstream
+xÚ}YKsã8¾÷¯È­•ªØ­§%í-qú‘îI6§wªvg´ÄØÜH¢Z”’öüúPVÜš©LâA‚øT‚3þ‚³,YúQŸ¥y¼Lü 9+êwþÙxŸß,'Ñ2‰£&3ÜEeË$Ó³Åt‘«Çw>ÅáYè/W«09{|÷Z¥é2L²³Çò?ÞeÛʦT?Ïaâ{—çÿ}üJjñ2ÍÒÕ|Ø"]Æ«t5Õ(¤…ƒxÅ«…WÉ2ŽÒ”„—Áù"ð}Xºxnôk%ˬeÓO”ƒež$N9Š–A”Nù¨N^uJ>Ñð‹2½î4ÑLì÷’×wˆ¦dÕ›»kÞ4:Ë—ù*\ñž!œÎÙàªßëa·(çå`ðGÆ°Gyø~X(Q!…xÛóÀ“;Õ4ªÙÅZ3U¿ÖµP
ïDÍÔÍÁô²f•¢º7ho”yN>È3ÞèUõ§vµÃ¶R…è•nÆ­áŒx*ò+yòáÓ{yè_Ј={…¦mq±#Gvä5ò•(ÆYÄWaˆXJStjkmºµÈ`sD#¢Dh«dYH$ŽR¢åù"
+}ï“5E×ã*1[£I(©µ?±¾9iHñ{¸?ÏCﲑ=dNC¼ß'-\màÔ–„KÓo)ï
Nï¦éeK€r@ì­,lÜp,XCšÞž'è7ü•?[Ù)Ìp
+ŸÜf¥|‘•nm¢Ø%È°Äzyæ4¨Aöƒ(K2Ü«­RÏ{‰áŒ¿‚;Ѫ²:Ð,Oƒ8.ÊWž­m¢"8ç«îžYºyQ„qY­ï“Ù6Œ3	ö*Ç$ŠSïµS}/šP˜a`sÕì%Oó1¦4ê÷¢§Q­K…ÍÉR6Â@w
+nZÆ™Wêb+áþõ†(6QìâÖ­†ƒ²¢ª)öúå?§ÞÞ
+ƒÆ7¹(狆ôù¨`ž¬À5i’ÓÕBbàG1¸ Ï¢…»ò¨ŒWÞ,Öº)d‹–¢¸u2?‰BUªWÒ\¦ ÑrQÌ.X>¹˜³zºY­x³›º­ä$
£(áEAdÓÊÂú—ƒ¶EÆ1Œ(?	2GuwPÆ:‰¦¾°ê¥!ÒÐÂÎsɲWŞѹªNðZ½1Ü°Ø¢|o;¨
+Ó-œ/W~N¥é‘@+µ Ý™ž&cè æAÊ0£!$†‘‘Ý==‹.¹W€ajͯn®]”pšë	cvbs:Zd,º=Ðï½*ÝêâY´²ï”!=ˆ™ÐŽW•¤èªÉÇ5êtk¡O„Z{ÕHCr•†øÒ)2Ï^­Ä• |oœÙ¨þÀ«?‘ÀF ÓñžkQ)°®Qâ=ÛzÓÀ¼Í…B-欗Ma-‰sÐ1½ê‡ž#ˆ˜ü}³^ÜlnaQ†qÖ{¸!1Ba0<ð,\½çl¸s€EKOÍÂZ¢Úq#Xnqw³Æ–$qI?cÊqôg2ÕwXgý¤‘sñÅ4ÿ~%»gYÉÍ\¡•|Õv‰M	¹)­€¼ØI^Ú¦’ÇÉњGâÉž3
+r›b–4‡ßÐÂiý€â¿»N”á£ÂõJ‹‹–g“~)Y`ð&YÆEÂIz¼UÖºnÊc S§Èûž(Ÿ'N)±Ö›‡Ï|·@Â2“ÝßFV«c°ðˆØ‰­á•Å8°8#»Ž$"ÓÀ»ö
+ûs„Oà]‹UóAívjåZ nt³ƒœihöoè¸I ¥$š=ËÊU~ @Üze?P]/ší1â„´½5ž(‚Ø>1,P£Á@­•rÍ+4ÒvEB?õ¯“J”ºûJ¸8V„R7ò-ò?ˆªÝÓp-êv+«Šú&_T3w’ë¡©Dkì¥Á	½O/¸`~ü1¨ë$‰¬¹ÝÓZBÕɈKÔJ‚`>µÔÁñÅ„ÃûY'ô©[’(‘Òü	i.fôx»¡÷„º˜à(¡í‰’‚/bhÑnEs ¦ÆDüVêÖ¦EeX«Ð
Ïí@Õ
´\âL
+·Úì!`•CG]ŠS§‰v@¯þì°B›òs¡øjðÔl–3€¼N(ìLüÌ(	±³ÈÛÔZ÷ÄZ‹®ZܪºôªbÍ[õ,‰{;Æ°ÒWUñªÒš‡Ôj¡à¨²)ö|ýŸØ‘‡Ù_Þ,²A\¤qZB•¶FþÀ?š÷°MåàsËDÚGß8×+sò’þç’˜L—,¹÷rDM˜ÅËœo-g)øÌÇá$aÆÛKjË‘BFæÓ›¿½	ùéMÈ-6úÕqëVü8Ž-ÆÎäídîbxr—gPà
ª~*z߶U
qýP“–§ãEDÁÀ›g”AÙ¦ÄZx5
+û9»¾Ï„«¿ìOaÅíàMhðÌ=hp¹,ñî÷ª¢ÑeUƒ·ŒE?x>è­ìÐoÙÊûXýÉÔËÊ‚ˆ_	þ&Ñ;
¶À.µU½S¹ê£Ž”ÅþX
p½†Ÿ¯¯lä±hŽÌ°Þsô›ÙvÒ؈ՅÚÞšJÁoªÆwUU)Ë
±šõ{]•Ä¾ö«Í„rÏêŸ{ù±ŒˆN¸E/êH€üm€HŒÕ*GÇŒ/_¬ð»Í€†8`’Ïù
+Õ™õ®5s“¯j×û?cµ„·G«žöÃNV'÷΢ù›Ûeñ›F)‰½_!1©¥š§™Ñã÷&äÙXcfÓô£-í槑½Ë‚_¤ŸIå²é Ýª¬åÚ—ù‡Cåû—rhëÚÝ¿†ÀÑ	ÌÀlRw`{tADÝp
/i¾/’„¶Ò^a qí,B€Á›®]†tª¡08¶ý8Û¼m@a­Os;àÜîz5Xð÷ù3_eÕ-€POä­¤ï0tŸ2Tiƒ’6xødÚ¬­Ëï)IJUIÌäB/F͉§mYJ!zzKKÁ§ða.Ncbº—­?Mœž"øäíä‰>¨
+Ü©‰’KÒ‹Ëæé—^W_NØEàé­à5‚> endobj
-1186 0 obj <<
-/D [1184 0 R /XYZ 85.0394 794.5015 null]
+1185 0 obj <<
+/D [1183 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 546 0 obj <<
-/D [1184 0 R /XYZ 85.0394 769.5949 null]
+/D [1183 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1187 0 obj <<
-/D [1184 0 R /XYZ 85.0394 572.1453 null]
+1186 0 obj <<
+/D [1183 0 R /XYZ 85.0394 573.5449 null]
 >> endobj
 550 0 obj <<
-/D [1184 0 R /XYZ 85.0394 572.1453 null]
+/D [1183 0 R /XYZ 85.0394 573.5449 null]
 >> endobj
-1188 0 obj <<
-/D [1184 0 R /XYZ 85.0394 536.5761 null]
+1187 0 obj <<
+/D [1183 0 R /XYZ 85.0394 539.0037 null]
 >> endobj
 554 0 obj <<
-/D [1184 0 R /XYZ 85.0394 536.5761 null]
+/D [1183 0 R /XYZ 85.0394 539.0037 null]
 >> endobj
-1189 0 obj <<
-/D [1184 0 R /XYZ 85.0394 506.7869 null]
+1188 0 obj <<
+/D [1183 0 R /XYZ 85.0394 510.2426 null]
 >> endobj
-1183 0 obj <<
+1182 0 obj <<
 /Font << /F42 605 0 R /F43 608 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1192 0 obj <<
+1191 0 obj <<
 /Length 2679      
 /Filter /FlateDecode
 >>
@@ -4549,75 +4562,75 @@ b?
 ÑjQ7>¹>ß™´t-•ÿ^Þ^Õ6siSnž¨	|Öõa:[Û ÂvdÕÒ§óR3ñ|Ù´î†f²Ù|C%Lx»•æ/óæ©Zþ±/3ÈÍñ ÔyæŽ?ÈÙ%s±OЙ†NvË4,ÓòÁ¤á ˆ:$ÎáŠËÈî
 f¦¾$œ$Aœ©X8fÖS”•ÎÖÕʵg©ç¹^]RÛò¦Õ8£FX÷çî%-ÞWÎ]J}h,(:ßJ[2Ê7IrWw‹*'	[úÁ¤¢É€·m-J#<ÛOyLª~;jrä²Í}GÆÆ.ºel¶ïk`n°ìâ§Â–Õ¶(•¶•qxž Î«tæ¾”"Þ„¯>.;¯~Åcî[<>ek”ÿ7óÈU4So:¯Å›jxäç³Ê€nÓÅUÈïFo)P_¦Í4\8›iêקٴ(ó…(}“é•Q¦—v…kêYºHÇæeíêö4P‘ d-•A£ %Ê@C
dÃòÏ…ËS¸r¥f‡*ÿÑ(ƒÞÈŸUVO®0ÎCÏrYø×½­× ÷ĉĽf™Bµ*')Ì«ß =TnqFÞ—ºO×ÝäµýÙÀ¬Ís[å<«æi vã^“67¥Ó˳#„çóíVªeÈ­3«ú«¬‡)´l>Ÿ€kcé #±›Å_=›ÅϪ².ê¦ý‘ÄNÊž€/ašèžb`M_w‘¦Ì$ÀÖ|‘/Þ?ë[\¤Û=
%ABºHÉÊœ:™Œ=K\ÆžkÅmÆ^ ”ogRØ„)˜¾YãëئæÅÐ\S¿‰‰q0}	Á¨€Údå…ÞÊÊPÄgå9áÎ!|¢•…ÏëÃÆo¡ª ˆÎá"!¥”Ü÷Ã)Ü{Qˆ¯ý™VôÒTê€Û•™„Y!Jº“–¿çò£"Öÿô›endstream
 endobj
-1191 0 obj <<
+1190 0 obj <<
 /Type /Page
-/Contents 1192 0 R
-/Resources 1190 0 R
+/Contents 1191 0 R
+/Resources 1189 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1157 0 R
+/Parent 1156 0 R
 >> endobj
-1193 0 obj <<
-/D [1191 0 R /XYZ 56.6929 794.5015 null]
+1192 0 obj <<
+/D [1190 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 558 0 obj <<
-/D [1191 0 R /XYZ 56.6929 769.5949 null]
+/D [1190 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1194 0 obj <<
-/D [1191 0 R /XYZ 56.6929 748.2826 null]
+1193 0 obj <<
+/D [1190 0 R /XYZ 56.6929 748.2826 null]
 >> endobj
 562 0 obj <<
-/D [1191 0 R /XYZ 56.6929 748.2826 null]
+/D [1190 0 R /XYZ 56.6929 748.2826 null]
 >> endobj
-1097 0 obj <<
-/D [1191 0 R /XYZ 56.6929 721.3917 null]
+1107 0 obj <<
+/D [1190 0 R /XYZ 56.6929 721.3917 null]
 >> endobj
 566 0 obj <<
-/D [1191 0 R /XYZ 56.6929 721.3917 null]
+/D [1190 0 R /XYZ 56.6929 721.3917 null]
 >> endobj
-1195 0 obj <<
-/D [1191 0 R /XYZ 56.6929 696.4862 null]
+1194 0 obj <<
+/D [1190 0 R /XYZ 56.6929 696.4862 null]
 >> endobj
 570 0 obj <<
-/D [1191 0 R /XYZ 56.6929 636.8275 null]
+/D [1190 0 R /XYZ 56.6929 636.8275 null]
 >> endobj
-1196 0 obj <<
-/D [1191 0 R /XYZ 56.6929 614.5163 null]
+1195 0 obj <<
+/D [1190 0 R /XYZ 56.6929 614.5163 null]
 >> endobj
 574 0 obj <<
-/D [1191 0 R /XYZ 56.6929 568.2948 null]
+/D [1190 0 R /XYZ 56.6929 568.2948 null]
 >> endobj
-1197 0 obj <<
-/D [1191 0 R /XYZ 56.6929 533.5391 null]
+1196 0 obj <<
+/D [1190 0 R /XYZ 56.6929 533.5391 null]
 >> endobj
 578 0 obj <<
-/D [1191 0 R /XYZ 56.6929 533.5391 null]
+/D [1190 0 R /XYZ 56.6929 533.5391 null]
 >> endobj
 811 0 obj <<
-/D [1191 0 R /XYZ 56.6929 505.6201 null]
+/D [1190 0 R /XYZ 56.6929 505.6201 null]
+>> endobj
+1197 0 obj <<
+/D [1190 0 R /XYZ 56.6929 432.3229 null]
 >> endobj
 1198 0 obj <<
-/D [1191 0 R /XYZ 56.6929 432.3229 null]
+/D [1190 0 R /XYZ 56.6929 420.3678 null]
 >> endobj
 1199 0 obj <<
-/D [1191 0 R /XYZ 56.6929 420.3678 null]
+/D [1190 0 R /XYZ 56.6929 314.6243 null]
 >> endobj
 1200 0 obj <<
-/D [1191 0 R /XYZ 56.6929 314.6243 null]
+/D [1190 0 R /XYZ 56.6929 302.6691 null]
 >> endobj
 1201 0 obj <<
-/D [1191 0 R /XYZ 56.6929 302.6691 null]
+/D [1190 0 R /XYZ 56.6929 95.9842 null]
 >> endobj
 1202 0 obj <<
-/D [1191 0 R /XYZ 56.6929 95.9842 null]
+/D [1190 0 R /XYZ 56.6929 84.0291 null]
 >> endobj
-1203 0 obj <<
-/D [1191 0 R /XYZ 56.6929 84.0291 null]
->> endobj
-1190 0 obj <<
-/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F56 626 0 R /F11 1131 0 R >>
+1189 0 obj <<
+/Font << /F61 642 0 R /F42 605 0 R /F43 608 0 R /F56 626 0 R /F11 1138 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1206 0 obj <<
+1205 0 obj <<
 /Length 2845      
 /Filter /FlateDecode
 >>
@@ -4635,329 +4648,330 @@ _|Q6
 ç›ô·6%HSøÜGÓ$Mª¤Qm7èÚP‡ø&êêZî霋Ðb§û‹hCÕhÞ<óט<{`$>;ŠÌ¹x‘Õ	DU÷"§D·Ù—}‘¶ðwyÀ«Ö<º®ëà²_õõÅQ÷¤&2uÁ¡Îÿ":Ì‘.?
Qݐ8D
•(ôOøÌIÉ;„D÷#Ô‘ý²ƒ®÷óº¢ûNƒæ!º
åhׄUŸ³¸pp°‹ÇÖþTÇE2[Äzüc”Õø¼nTï±¾Ð6bjàt"ÜS‘ÃeÍ\UÞw\‚8Žÿt-ªÐªÆ»Âð„wÝÂn_öìÚ²)å|å@Æ5/þcõÝ¢ˆ²rnìÛ·š>ô ßp/pºè}Öè}YV‘ºªµ¹ßÁé½ã.Ã%@¼óù¯MuB¥wï„ÞO‰né}_ö½·…ëwóÏp󊲤\í]té“X¾ZW&ÄT»kû#έàµèÍ@BæùâdŒs]+yKâÿ(ìÌçÁã𴈎£cˆ8‚Ëàœ’»Ãf_p?4mÉ·Û,Z%S|¿ó­¯ë=øH¾ˆà •½Ð0ñÛ˜šˆìxdƒ
 ÏçÜÛ¡ C‡ri£€“#=>^æ«’Þ,aô7ý5QM=Ç/ËŠ>ÊéiºþÂÔGú0lw*Üë¼Îfíuab8€}<y.”•ïd¯Íq¨5Íé€Gú„ÐÐ{Rûqn‰½I£bïÙ³û	jåþ`!Á]Ù>XQÇÉžYÓ ßëº\Rë.ýi²Xnÿ€ö¥Ëð"ì&ÛýÏÿJ°Òñ™‚#…bózSxd_\ëdÀÜ@ø=[ÿTíRáendstream
 endobj
-1205 0 obj <<
+1204 0 obj <<
 /Type /Page
-/Contents 1206 0 R
-/Resources 1204 0 R
+/Contents 1205 0 R
+/Resources 1203 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1232 0 R
-/Annots [ 1209 0 R 1210 0 R 1211 0 R 1212 0 R ]
+/Parent 1231 0 R
+/Annots [ 1208 0 R 1209 0 R 1210 0 R 1211 0 R ]
 >> endobj
-1209 0 obj <<
+1208 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [429.9899 355.0226 539.579 367.0822]
 /Subtype/Link/A<>
 >> endobj
-1210 0 obj <<
+1209 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [84.0431 343.735 140.332 355.1271]
 /Subtype/Link/A<>
 >> endobj
-1211 0 obj <<
+1210 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [507.6985 343.735 539.579 355.1271]
 /Subtype/Link/A<>
 >> endobj
-1212 0 obj <<
+1211 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [84.0431 332.3576 199.6097 342.5194]
 /Subtype/Link/A<>
 >> endobj
-1207 0 obj <<
-/D [1205 0 R /XYZ 85.0394 794.5015 null]
+1206 0 obj <<
+/D [1204 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 582 0 obj <<
-/D [1205 0 R /XYZ 85.0394 473.0754 null]
+/D [1204 0 R /XYZ 85.0394 473.0754 null]
 >> endobj
-1208 0 obj <<
-/D [1205 0 R /XYZ 85.0394 436.7899 null]
+1207 0 obj <<
+/D [1204 0 R /XYZ 85.0394 436.7899 null]
 >> endobj
 586 0 obj <<
-/D [1205 0 R /XYZ 85.0394 436.7899 null]
+/D [1204 0 R /XYZ 85.0394 436.7899 null]
 >> endobj
 652 0 obj <<
-/D [1205 0 R /XYZ 85.0394 409.9656 null]
+/D [1204 0 R /XYZ 85.0394 409.9656 null]
+>> endobj
+1212 0 obj <<
+/D [1204 0 R /XYZ 85.0394 282.0345 null]
 >> endobj
 1213 0 obj <<
-/D [1205 0 R /XYZ 85.0394 282.0345 null]
+/D [1204 0 R /XYZ 85.0394 282.0345 null]
 >> endobj
 1214 0 obj <<
-/D [1205 0 R /XYZ 85.0394 282.0345 null]
+/D [1204 0 R /XYZ 85.0394 249.2885 null]
 >> endobj
 1215 0 obj <<
-/D [1205 0 R /XYZ 85.0394 249.2885 null]
+/D [1204 0 R /XYZ 85.0394 249.2885 null]
 >> endobj
 1216 0 obj <<
-/D [1205 0 R /XYZ 85.0394 249.2885 null]
+/D [1204 0 R /XYZ 85.0394 249.2885 null]
 >> endobj
 1217 0 obj <<
-/D [1205 0 R /XYZ 85.0394 249.2885 null]
+/D [1204 0 R /XYZ 85.0394 243.1026 null]
 >> endobj
 1218 0 obj <<
-/D [1205 0 R /XYZ 85.0394 243.1026 null]
+/D [1204 0 R /XYZ 85.0394 228.338 null]
 >> endobj
 1219 0 obj <<
-/D [1205 0 R /XYZ 85.0394 228.338 null]
+/D [1204 0 R /XYZ 85.0394 224.7464 null]
 >> endobj
 1220 0 obj <<
-/D [1205 0 R /XYZ 85.0394 224.7464 null]
+/D [1204 0 R /XYZ 85.0394 209.9818 null]
 >> endobj
 1221 0 obj <<
-/D [1205 0 R /XYZ 85.0394 209.9818 null]
+/D [1204 0 R /XYZ 85.0394 206.3902 null]
 >> endobj
 1222 0 obj <<
-/D [1205 0 R /XYZ 85.0394 206.3902 null]
->> endobj
-1223 0 obj <<
-/D [1205 0 R /XYZ 85.0394 147.6165 null]
+/D [1204 0 R /XYZ 85.0394 147.6165 null]
 >> endobj
 754 0 obj <<
-/D [1205 0 R /XYZ 85.0394 147.6165 null]
+/D [1204 0 R /XYZ 85.0394 147.6165 null]
+>> endobj
+1223 0 obj <<
+/D [1204 0 R /XYZ 85.0394 147.6165 null]
 >> endobj
 1224 0 obj <<
-/D [1205 0 R /XYZ 85.0394 147.6165 null]
+/D [1204 0 R /XYZ 85.0394 144.2998 null]
 >> endobj
 1225 0 obj <<
-/D [1205 0 R /XYZ 85.0394 144.2998 null]
+/D [1204 0 R /XYZ 85.0394 129.5353 null]
 >> endobj
 1226 0 obj <<
-/D [1205 0 R /XYZ 85.0394 129.5353 null]
+/D [1204 0 R /XYZ 85.0394 125.9437 null]
 >> endobj
 1227 0 obj <<
-/D [1205 0 R /XYZ 85.0394 125.9437 null]
+/D [1204 0 R /XYZ 85.0394 111.1791 null]
 >> endobj
 1228 0 obj <<
-/D [1205 0 R /XYZ 85.0394 111.1791 null]
+/D [1204 0 R /XYZ 85.0394 107.5875 null]
 >> endobj
 1229 0 obj <<
-/D [1205 0 R /XYZ 85.0394 107.5875 null]
+/D [1204 0 R /XYZ 85.0394 80.8677 null]
 >> endobj
 1230 0 obj <<
-/D [1205 0 R /XYZ 85.0394 80.8677 null]
+/D [1204 0 R /XYZ 85.0394 77.2761 null]
 >> endobj
-1231 0 obj <<
-/D [1205 0 R /XYZ 85.0394 77.2761 null]
->> endobj
-1204 0 obj <<
-/Font << /F61 642 0 R /F43 608 0 R /F42 605 0 R /F66 714 0 R /F11 1131 0 R /F57 632 0 R /F56 626 0 R >>
+1203 0 obj <<
+/Font << /F61 642 0 R /F43 608 0 R /F42 605 0 R /F66 714 0 R /F11 1138 0 R /F57 632 0 R /F56 626 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1235 0 obj <<
-/Length 2709      
+1234 0 obj <<
+/Length 2748      
 /Filter /FlateDecode
 >>
 stream
-xÚÕZKsÛ¶ÞûWh)ÍÔ(Að¹”mÙQ+®¤´½“fAK°Í	Eª|8qý= )Jç®îxa<ñ‘øÎÂþðÄP»ñ$Œ=ä;ØŸìÎäæî.°¹”B—ºÔÕöâ×ÛObn0Ù>ikEȉ"<Ùî¿LçÈC3XÁ™^-¯>.?Ý­çïþ3»t}gú—ã;óÕ
ïl>ßÝ-6Û…è®ó›åêDðì2bg:xX¬n–òù9[ÕQ£×‹ÍìëöýÅb«^[ÿ4ìöÎ_|ùêLöð…ï/DâÈŸ|‡Žƒp»“Ã…çä{„È‘ìbsñ›ZP›m5m•’¹$Šÿ̆ú1
-ˆKÔ†zÄ´¡RŠmè—õíµKœèëð{±ë´NôEO •Ô)¶hØØ
‘ï†}ì}Nêô•r
-®“ÝKš?óNñÄÿ߬6¼ñ[CË”Vì-Ÿ…IŒ°¸ðBlÑ_¸ü=Äæûr†£)ý^É™¤ؽð.0¡Q²=øœkR–m—RjÛ#Ï·l»
ZÛö!¶yÛuì
Ýñ-©aˆ?ý@ßxc;ÃOË$¯’]9
¦ó¦~¡yî9æOŸŠ’78?Ð`Æ·Ý,¹…’二Ø×I‚‡fاˆw~Ÿùþ4ý‘Òv2ž~ãwÍþÐäûª*òv&šÞˆ™ERÕ—lr©Ö¿ÄÅ>4L–|£‚uÒ~ò^ô’|ÏWBMþ˜Åî”f(`ÍqZMyã
×q$¾Ê(„'Ø~EÄFˆ„-ìCY‹Š
-ˆM
hI¹¯d7Í2Þüœïi)ôœ¾Ò¬8`£Çt1bFÁ K뢒’ºˆ£(×E+t§‹'ØF]ìa+û^ü¨i^‚‰mªþ¿jŽÇ¢¬ygùÀÿ¿Ò²âºÀä…nö}ÂF½})•|\©Âµ˜}פ5=$¿Hbvôð(igá:‹ÀÇ(ò‰w† MÊB”RÎÂ	,ÎÂ
-­4Ä6¤c߇$…­ò\gºJ”µðtóVÁñQp'M™Öo|FãÑ@KäõaÐÑâ¤5çöQ0gf±3ÌgqÆç2;]ʶ”ÒضDS+´ÆöÛ̶Ž}]ó8Úï!¹¢
-ûßi„>‡œ;³êRRJ#âȵh„
ZÓˆ!¶Y#tì
œšánWM—ÈÌÁ¼(dõ&ïîø€è’¾w_Kïžý3Ø|9sÕT/ÒË7ÏMU«]Ìn‡"aàõÓç5­Š¦Ü‰à´¦»¢@ÛÜߎ\%Mz|{x.Ó¥Æ9TRŠC‘q­Ð‡'ØF{Ø+ú>aÒÐX¯ÅýËqÜ<­Çò-ǃÓ6ÑÃt›?ݲÓâk, ™f¾à%)ëVO?Š©Öž±ç Cò­¨ÄìZÌ~Î20Ü\,Ê•†;c…Î}±û–i]¦•°põJ=Z©3j¥v‰Î¥iº”…a)¥‹ß¶Bk±ÍëØ*SYmæRí™´…Šž!iì0㾽ʣí=¤ê*'6{]dpìMF¼¥7Ê9}ˆ•]jœ%ÕFCV莇l#=ì9ÓåpzO“öê¢Ðc‹Gž»TßL˜üX¨šH,s>¨`šŠ	ÈZyCeß0)²oÙ·!#r0‚D¢W3Á8°0²Ü³27˨(?ÓF8{"½8Œ)/N”'V/NàÅüÞQ)æá—-–ä)Íøâ°»á¹Å£=’!:µujÉr“ÓA9ÅD±z(v°bMhœb)¤(†SÜ8Å6ÜŽâ!°‘b˜ßY´uãÝK’?ËúÍÚ;%YÜÕ<”³Òòí
-D¦"¥科ÃϼîÅÅa¾4V΂½s‚ppM ²>~Õ›)74Æ&†­ðÜ3«KYø”RÝ9ÇÁBmУCl3¥:vwïŠýÉUàŠÖß‹ò[W¼¬»§•·ì€#Š'6B®D}‚{5†ßõNïsZÂŒâQ›Ã >gtºÔ8KJªcɵDM+tÇÒ	¶‘¥öšþݤ<š±¢R50®.€¶w)E%%.åÞ³î*±WÂ7=æjSÜ‹‰íù¦LÀa›
ÑFJ#'ÄH¨FÈ‹`ñRì[Cïäͱ‡”À5¼ú_€‚»endstream
+xÚ¥ZÉrÛ¸Ýû+´”ªÚxÁq)˲ã$VÜ’ÒݯÒYÐl³B‘jNÜ_ÿ.ˆ BI½ò®pHœ;á‚xâÀžø
+b7ž„±‡|û“Ýá™<ÃÜí2—RèR—ºÚ^üç&À“ÅL¶OÚZr¢O¶û/Ó9òÐVp¦WwWï>Ý®çïþ;»t}gú·ã;óÕ5ïl>ßÞ.7ۥ讗óë»Õ-ˆàÙeÄÎtþð°\]ßýÅççlUG.–›Ù×íû‹åV=¶þjØ!ì™ÿ¹øòÕ™ìá
ß_8ˆÄ‘?ùá8v'‡Ï'È÷‘#ÙÅæâwµ 6ÛþÔ´UJæ’x(ü3êÇ( .QêÓ†J)¶¡_Ö7—8Ñ×áûb×h?œè‹ž@+©Sl?а±"ß
ûØ+úœÔé+å,’ÝKš?óNñÄÿ_¯6¼ñ{CË”Vì)¯…IŒ°¸ð@lÑ߸ü=Äæûr†£)ý^É™¤ؽð.0¡Q²=øœkR–m—RjÛ#Ï·l»
ZÛö!¶yÛuì
Ýñ-©aˆ?ý@ßxc;ÃOË$¯’]9
¦ó¦~¡yî9æOŸŠ’78?Ð`Æ·ÝÜq;%Éu	±¯“?z˜a7ž"ÞùcæûÓôGJÛÉxúIŒß6ûC“﫪ÈÛ™hz-f–IU_2°É¥ZÿcûÐ`0Yò
+ÖIûÊ{ÑKò=o\	5ùs»Sše €5Çi5å7\Çqx+w¢ž`û!>rp¶°eq,** 65 %å¾’Ý4Ëxós¾§¥ÐsúJ³âx€ÓÅ ˆQg\€.5®‹JJê"Ž¢`\­Ð.ž`u±‡­ì{ù£¦y
+&¶©.øÿª9‹²æ»þÿ•–×Eè&Ÿ¸(tðï6‚ìíKq¨äÏ•*,Äì»&­é!ùM³£‡GI8ÔY>F‘O¼3iR‚¤”rN`qVh !¶™ ûº8$)l•ç:ÓUr ¬…§›·
+öˆ‚;iÊ´~ã3Z"¨ƒŽ/ ­9·?sf;Ã|Æ“FËqZ¢Xc!ä?$ÍÓ!ÉÅ*IÊ7îp&¤¡±^‹ú·ã¸yZå[Ž§m¢‡é6ºa§Ä×XB2Í|ÁKRÖ­ž~S­=cÎA‡ä[Q‰Ùµ˜ýœe`¸¹X”+wÆ
+ûb÷-9ÒºL+aáê‘z>´RgÔJ=ì"KÓt)ÃRJ1:¿m…Öb›Ö±U¦²Ṳ́Ú3#h=C0ÒØaÆ}{•GÛ{ IÕUNlvQdpìMF¼¥7Ê9½ˆ•]jœ%ÕFCV莇l#=ì9ÓåpzO“öê¢ÐcËGž»TßL˜üX¨šHÜå |PÁ4µò†Ê¾aRdß0*²oCFä`‰D¯f‚yÜd‹%¯i%Æ:›ƒ	­ŽÂS'¹LÏâ¶,F¢a½“A6Ý}KóJåUòpÕ÷çF½<ä^tF/4)‹^H©îì[¢¨ZÓ‹!¶Y/tlШÜL	öZÿËZí`Í‘îÒ§·V3X¿¥œIv*†YU³§åkº£•)vaâj¬`˜¹böËÛ&{,®Šæ ¥ŽÍ(`½–Æ~.íš'Y¡§vV	xíÒo;«š”…U)ÕŽK\µBk¬±Í¬êØŸ¹%ÃN¾ q—×´ÌYe”õ8ál¾i±ì±©…øýÝ_Ë5o.
+nÿ¹øímV<²Ì‹µçû½tâwÉñÈÀ
FïÅÈÞ–{_O´e¢Þ©ÄúõÎb·{I‹£/sÊatŽÝNÈB®Ò¸µ\-Øp5jÀff5`;³¦«`·—	$œ~ÎSFX¹Û³27˨(?ÓF8{"½8Œ)/N”'V/NàÁüÞQ)æá—-–ä)Íøâ°»á¹ÅO{$CtjëÔ’å&§ƒrŠ‰b7ôPì`;ÅšÐ8ÅRHQ§¸qŠm¸ÅC`#Å:0¿³hëÆ»—$–õ-šµwJ²¸«x(g¥åÚˆLEJÎO#‡ŸyÝ‹‹Ã|i¬œ{çáàš@e}*üª'SnhŒM[á¹g,V—²ð)¥ºsŽƒ-„Ú 5F‡ØfJuìî. ßû“«À­¿å·®xY
vO+nÙGOl„\'ˆú÷jèÞæ´„Å£6‡A|Îèt©q–”TÇ’k‰šV莥l#K=ì5ý§Iy4cE¥j`\]mïRŠJJ\ʽ;fÝUb¯„#nzÌÕ¦¸ÛóM™€Ã6¢”0FNx®Ì«KYH‘R]á/¶˜ŽZ#eˆm&EÇ>_×ßÔe³«{—jç5¯i*õû2¯¿ùï…qt%=ãÍúøùaÏÎРIYhRÝ
ØrÝb…Öhb›iбYRUY›åµ¶°ºœ__¯Ñ|ͽËüg¶^*lö;YyK÷9•NèVî›·¼¢[ÔÃ3ÝÀ³i—ì–!NC{ß°»éŽú.ûÓ‘–‰*C	‡c(Ž‚3…]ÊB¸”Ò
+î6ÂmÐáCl3á:¶*¸ë×M×IðÖMšÉ[Šœ%–ÏM©¹>­
+oJCBäžg	SW”–ÚUõÏ—º#‚\Ø1;šÐ8R¨«scË	݆Ûñ06Ò YP)ËßÝEÿ/sábðQ䚯;¯’R¿q¸¡å,šþd½$ðqñ¹O¤ŒíƒV¦«”`Çö¹À(¨þ±@uäS…z²ß‹2­Ùíà AXƒ‹:	T´dŸt˜Ê!8„l
ìíWj›V7´KÑÃGìÓ;Ã.9Ê5þß_j5ë¦cFš]Ø/‚EÄC±½½“'Ç]×ðèÿ&çˆ_endstream
 endobj
-1234 0 obj <<
+1233 0 obj <<
 /Type /Page
-/Contents 1235 0 R
-/Resources 1233 0 R
+/Contents 1234 0 R
+/Resources 1232 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1232 0 R
+/Parent 1231 0 R
+>> endobj
+1235 0 obj <<
+/D [1233 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1236 0 obj <<
-/D [1234 0 R /XYZ 56.6929 794.5015 null]
+/D [1233 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
 1237 0 obj <<
-/D [1234 0 R /XYZ 56.6929 769.5949 null]
+/D [1233 0 R /XYZ 56.6929 771.5874 null]
 >> endobj
 1238 0 obj <<
-/D [1234 0 R /XYZ 56.6929 771.5874 null]
+/D [1233 0 R /XYZ 56.6929 756.8827 null]
 >> endobj
 1239 0 obj <<
-/D [1234 0 R /XYZ 56.6929 756.8827 null]
+/D [1233 0 R /XYZ 56.6929 753.6547 null]
 >> endobj
 1240 0 obj <<
-/D [1234 0 R /XYZ 56.6929 753.6547 null]
+/D [1233 0 R /XYZ 56.6929 684.6346 null]
 >> endobj
 1241 0 obj <<
-/D [1234 0 R /XYZ 56.6929 684.6346 null]
+/D [1233 0 R /XYZ 56.6929 684.6346 null]
 >> endobj
 1242 0 obj <<
-/D [1234 0 R /XYZ 56.6929 684.6346 null]
+/D [1233 0 R /XYZ 56.6929 684.6346 null]
 >> endobj
 1243 0 obj <<
-/D [1234 0 R /XYZ 56.6929 684.6346 null]
+/D [1233 0 R /XYZ 56.6929 681.7414 null]
 >> endobj
 1244 0 obj <<
-/D [1234 0 R /XYZ 56.6929 681.7414 null]
+/D [1233 0 R /XYZ 56.6929 667.0366 null]
 >> endobj
 1245 0 obj <<
-/D [1234 0 R /XYZ 56.6929 667.0366 null]
+/D [1233 0 R /XYZ 56.6929 663.8086 null]
 >> endobj
 1246 0 obj <<
-/D [1234 0 R /XYZ 56.6929 663.8086 null]
+/D [1233 0 R /XYZ 56.6929 639.7389 null]
 >> endobj
 1247 0 obj <<
-/D [1234 0 R /XYZ 56.6929 639.7389 null]
+/D [1233 0 R /XYZ 56.6929 633.9207 null]
 >> endobj
 1248 0 obj <<
-/D [1234 0 R /XYZ 56.6929 633.9207 null]
+/D [1233 0 R /XYZ 56.6929 576.8557 null]
 >> endobj
 1249 0 obj <<
-/D [1234 0 R /XYZ 56.6929 576.8557 null]
+/D [1233 0 R /XYZ 56.6929 576.8557 null]
 >> endobj
 1250 0 obj <<
-/D [1234 0 R /XYZ 56.6929 576.8557 null]
+/D [1233 0 R /XYZ 56.6929 576.8557 null]
 >> endobj
 1251 0 obj <<
-/D [1234 0 R /XYZ 56.6929 576.8557 null]
+/D [1233 0 R /XYZ 56.6929 573.9625 null]
 >> endobj
 1252 0 obj <<
-/D [1234 0 R /XYZ 56.6929 573.9625 null]
+/D [1233 0 R /XYZ 56.6929 548.518 null]
 >> endobj
 1253 0 obj <<
-/D [1234 0 R /XYZ 56.6929 548.518 null]
+/D [1233 0 R /XYZ 56.6929 544.0746 null]
 >> endobj
 1254 0 obj <<
-/D [1234 0 R /XYZ 56.6929 544.0746 null]
+/D [1233 0 R /XYZ 56.6929 517.3549 null]
 >> endobj
 1255 0 obj <<
-/D [1234 0 R /XYZ 56.6929 517.3549 null]
+/D [1233 0 R /XYZ 56.6929 514.1867 null]
 >> endobj
 1256 0 obj <<
-/D [1234 0 R /XYZ 56.6929 514.1867 null]
+/D [1233 0 R /XYZ 56.6929 457.0262 null]
 >> endobj
 1257 0 obj <<
-/D [1234 0 R /XYZ 56.6929 457.0262 null]
+/D [1233 0 R /XYZ 56.6929 457.0262 null]
 >> endobj
 1258 0 obj <<
-/D [1234 0 R /XYZ 56.6929 457.0262 null]
+/D [1233 0 R /XYZ 56.6929 457.0262 null]
 >> endobj
 1259 0 obj <<
-/D [1234 0 R /XYZ 56.6929 457.0262 null]
+/D [1233 0 R /XYZ 56.6929 454.2286 null]
 >> endobj
 1260 0 obj <<
-/D [1234 0 R /XYZ 56.6929 454.2286 null]
+/D [1233 0 R /XYZ 56.6929 430.1588 null]
 >> endobj
 1261 0 obj <<
-/D [1234 0 R /XYZ 56.6929 430.1588 null]
+/D [1233 0 R /XYZ 56.6929 424.3406 null]
 >> endobj
 1262 0 obj <<
-/D [1234 0 R /XYZ 56.6929 424.3406 null]
+/D [1233 0 R /XYZ 56.6929 409.5761 null]
 >> endobj
 1263 0 obj <<
-/D [1234 0 R /XYZ 56.6929 409.5761 null]
+/D [1233 0 R /XYZ 56.6929 406.4079 null]
 >> endobj
 1264 0 obj <<
-/D [1234 0 R /XYZ 56.6929 406.4079 null]
+/D [1233 0 R /XYZ 56.6929 379.6881 null]
 >> endobj
 1265 0 obj <<
-/D [1234 0 R /XYZ 56.6929 379.6881 null]
+/D [1233 0 R /XYZ 56.6929 376.52 null]
 >> endobj
 1266 0 obj <<
-/D [1234 0 R /XYZ 56.6929 376.52 null]
+/D [1233 0 R /XYZ 56.6929 352.4503 null]
 >> endobj
 1267 0 obj <<
-/D [1234 0 R /XYZ 56.6929 352.4503 null]
+/D [1233 0 R /XYZ 56.6929 346.632 null]
 >> endobj
 1268 0 obj <<
-/D [1234 0 R /XYZ 56.6929 346.632 null]
+/D [1233 0 R /XYZ 56.6929 319.9123 null]
 >> endobj
 1269 0 obj <<
-/D [1234 0 R /XYZ 56.6929 319.9123 null]
+/D [1233 0 R /XYZ 56.6929 316.7441 null]
 >> endobj
 1270 0 obj <<
-/D [1234 0 R /XYZ 56.6929 316.7441 null]
+/D [1233 0 R /XYZ 56.6929 290.0244 null]
 >> endobj
 1271 0 obj <<
-/D [1234 0 R /XYZ 56.6929 290.0244 null]
+/D [1233 0 R /XYZ 56.6929 286.8562 null]
 >> endobj
 1272 0 obj <<
-/D [1234 0 R /XYZ 56.6929 286.8562 null]
+/D [1233 0 R /XYZ 56.6929 232.6605 null]
 >> endobj
 1273 0 obj <<
-/D [1234 0 R /XYZ 56.6929 232.6605 null]
+/D [1233 0 R /XYZ 56.6929 232.6605 null]
 >> endobj
 1274 0 obj <<
-/D [1234 0 R /XYZ 56.6929 232.6605 null]
+/D [1233 0 R /XYZ 56.6929 232.6605 null]
 >> endobj
 1275 0 obj <<
-/D [1234 0 R /XYZ 56.6929 232.6605 null]
+/D [1233 0 R /XYZ 56.6929 226.898 null]
 >> endobj
 1276 0 obj <<
-/D [1234 0 R /XYZ 56.6929 226.898 null]
+/D [1233 0 R /XYZ 56.6929 212.1335 null]
 >> endobj
 1277 0 obj <<
-/D [1234 0 R /XYZ 56.6929 212.1335 null]
+/D [1233 0 R /XYZ 56.6929 208.9653 null]
 >> endobj
 1278 0 obj <<
-/D [1234 0 R /XYZ 56.6929 208.9653 null]
+/D [1233 0 R /XYZ 56.6929 194.2606 null]
 >> endobj
 1279 0 obj <<
-/D [1234 0 R /XYZ 56.6929 194.2606 null]
+/D [1233 0 R /XYZ 56.6929 191.0325 null]
 >> endobj
 1280 0 obj <<
-/D [1234 0 R /XYZ 56.6929 191.0325 null]
+/D [1233 0 R /XYZ 56.6929 176.3278 null]
 >> endobj
 1281 0 obj <<
-/D [1234 0 R /XYZ 56.6929 176.3278 null]
+/D [1233 0 R /XYZ 56.6929 173.0998 null]
 >> endobj
 1282 0 obj <<
-/D [1234 0 R /XYZ 56.6929 173.0998 null]
+/D [1233 0 R /XYZ 56.6929 116.0348 null]
 >> endobj
 1283 0 obj <<
-/D [1234 0 R /XYZ 56.6929 116.0348 null]
+/D [1233 0 R /XYZ 56.6929 116.0348 null]
 >> endobj
 1284 0 obj <<
-/D [1234 0 R /XYZ 56.6929 116.0348 null]
+/D [1233 0 R /XYZ 56.6929 116.0348 null]
 >> endobj
 1285 0 obj <<
-/D [1234 0 R /XYZ 56.6929 116.0348 null]
+/D [1233 0 R /XYZ 56.6929 113.1416 null]
 >> endobj
 1286 0 obj <<
-/D [1234 0 R /XYZ 56.6929 113.1416 null]
+/D [1233 0 R /XYZ 56.6929 98.4369 null]
 >> endobj
 1287 0 obj <<
-/D [1234 0 R /XYZ 56.6929 98.4369 null]
+/D [1233 0 R /XYZ 56.6929 95.2089 null]
 >> endobj
 1288 0 obj <<
-/D [1234 0 R /XYZ 56.6929 95.2089 null]
+/D [1233 0 R /XYZ 56.6929 80.4443 null]
 >> endobj
 1289 0 obj <<
-/D [1234 0 R /XYZ 56.6929 80.4443 null]
+/D [1233 0 R /XYZ 56.6929 77.2761 null]
 >> endobj
-1233 0 obj <<
+1232 0 obj <<
 /Font << /F61 642 0 R /F43 608 0 R /F56 626 0 R /F42 605 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1292 0 obj <<
-/Length 1961      
+/Length 1872      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XKsÛ6¾ëWèVj¦B‚à£7Ù’]§‰íJN“ä@Q°Ä	E¨$åÄýõ]~‰÷iV‰¼ÕÒÿ˜žS¤Û]ÕSP«tÇ„ ˆ1WꜺ4BŒAÄM)C„`_ûbµ«EávÓ‚gqÅk7×eâ~†ò‚7·¹úo¸jĉç{ýˆª>!~¡»ñ3åK"{ØE˜3û8Íõ¢ŽC¹ºz-+¾×«OBˆ#¡w ¡Ã5mV¬Óªˆ‹×šZ4fLÖÇŠ—.↤÷ä!ö”. wYŠ’çëø¸7ëâW¹`l¤¦
ð .A{#×gAròßÀÑâÀ±æjpÀqHµ…c[wŽ¶rƒˆÈÚ!ÚDðœ¯Û­Ä¢#<1\(l‡çÕYy³v/^øÞŽ=¯ßД¢ÐõÃ7mq
ºæ::
-˜!Õ–¡Ûº{m+oì¹:¢¨Zæ~/b“K®â,Γ{C•÷CÙØö~’yÎØüªHˤ6úìP¤YcqÖoq'Ž<ò†Å-®‹×\§¢ä
4ƒª-‹·u÷XÜV>3–åÛº{¸ŠËôÂÏMÒ:ofY&Õyt¶Æ섇¦5ˆ\'>nwqÞçúA/h‘Oè06W?
WõX?ƒªO@\èîâLyS|]J=TõZ®Åþç¯'=ZrÈúüÀë€ r‘Ú¨óiÉ_3žC}R«n’ò‡DGdÏF 9­¡?l3^®_UR4âMÉht¶kFØ'´/8 ÞxZ\xÖ\'<™;€çj϶îa’ˆý´¨¿©Ú`gýªÿµGÀ`-eCÂ+jB\5,†ùä„0ù=Ÿô¹ROÕqá_£™A±–%’|š¤ƒ]üb6‰õ_–>óŽ§gÊ[á¿L¿ëÁ^äÕÎÈ‚¿×Gü©g×uQsbfŸ&.S¿ÉïÉäø°9}æ¯(l’šÄW¦³Ü€/“5IÁ~L°ð’çZM®¸º»ŸŸöaÏoöÅ("‘ÚvÉŸy!è·¹ðUë…Þ_®6×e	"4BnÀÂÓfª‘þê3¨õT}.ÔvWŸ3µºúÀ罎+ìÛ¦²OíCF
í¯%yŒ™šeë´úçl'&_“¯*ûÇûô(¥ˆìQ¯ê)I9•|@džʧYŒu—›hý¿Oú§.
-ü(O-¾Ï˜°®*è"ŒÃºÊæEŸgÅ×qY‰ƒP¹RìõìgMyøaÉÓ,«4˜Ô´ÒnÝÅÌÊR$)xrÙÛ«‚«Ê‡ä´pãÔÿûMûän^€hºÝÞF±MÎJÞ%`í“3
-(„nÐqô<¹¾endstream
+xÚ¥XKsÛ6¾ëWèVj&D‚à£7Ù’]§©íJNÓN’EÁ'¡’”S÷×wñ I$Ý™ŽÄc»Øo_cø‘qĦ±?c1LØ8Ýðx{·#bh܆ȵ©®žF?Þd£8ð‚ñÓ³uV„p‘ñÓú³3}|œßÏîþ˜¸ÃÎM\†q³z=_NÜ0ˆå†/·ì\Ý]}¸{¸]LþS3}ÁOïgz²üx{;_>ÍÍt1ŸÎîîo„L¾>½ÍŸZµí«L¥Î>Åã5Üðý#Glü&‘8öÆ»‘Ï(b>¥ÍJ>ZŽ~k´vk—©Z—ú(
+àŒaƒ²Ô£­A}ÚeІJôóâæÚóHüõü¾„aÅÛ‡^ˆn©.e³À’MCQHÙ©ð×vÏú;»_dó,©x¥'Ï¢Ôƒ{^å7/_²”WHj~vUD(ô|””rÞiŽ_‘þþœì²¼…ž%ÅÚ€o¶?MBß)³Í¶6|i-VÜèH†HoLŠó¤L×£1bt)C„àPÉ~¨·
+ÜÎ-yžÔ¼‘xs]õùYÃi~q›ªñ–ªAœøßø è#â²»?þ±ÊŠÍÄ¥ØwÀ.rÀœ™Ø%Y¡ï“Y]¾V5ßéÕ§	!Äf£w ‘ÃõÞ´\eu™”¯ÍnÙJ˜Ö0Yj^u¸ˆ…V¼£‡P8Sº€î	Ÿ#ŽÕŽ
U‹cHèŽC¢-Ïe÷àh7ˆˆüƒ¼êÔªîØë,ïTõù¯Ñ&áj-êîï(&(“ÓþnU‰œ×ü¬™üXd»}ÎwpÓ¦Û›ÿ½çe&Wš»-½íóH~+¤mªh¨¬¶aȆD[.p.»Çlẚy3/R±ÖpÃLµÿð½åbS&ûm–*Áʇtx(b,¶¦Ä¹Fšñ&)u—˜çfGuÿtˆéöÿÃÍêÒÐ?æ<«ȶôfKc	{3C%v-Šì‰ëFþI\÷4,΂)XÅø’.öòÙêM\‚áM{ŽSÜüY™<×]~Ž¡'õ¤L_`qE¬á‚±¯ž½w³J=mÕfÒtÑr¢ÆÂ]K½(ßZ#à_‹ô }·Ò{
+2øª.^îŸJžÐúq^vÙTF\õMßè>å`YŸÀî–ël‰O­it@|9ª„¡Ã+èÎS½ëG¬í¾~YÀ`o\ Ûe…~!ÀbU'UK`,o!9×ü…çb/ï1qîšè¥9½µ—dL“ƒtKÚrZˆÚˆ§×Ðn¯97úéTàd€…¨¬Rs~ºÍ tIŒšlª·Ò«¦ª¶â›U%UV\ÿ:m€PeUXK3³ä+û(‰…9º™Š´ð_˜
+¨h†i*vn>P3u:ÁÎêUµGÀ`
-ež@Â+›¤nIñÑ	aòz>és•ž*uá«Q„Ì H«
+I:½¥ƒmòbIô'Ïžyêé™òVøVÙßz°E½5¼àïŠß!õl».j4f¶Æ0Ys™úM~oM&Çûõñ™¿2¬pHf¸Ï<«37àˤ@MR°ÿL°ð’çJL®¸º»ŸÏf?hÏÅ(&±:vÁŸy)è·QÐɇ¦u¸ÙT—%ˆÐy!‹Ž‡©Dú«Ï Ôcõ¹Û]}NÄêêÏ{W8°Mek@Fì×ð<&‡\3MóUVÿsrs®Ë,ý¦²P|È’‹ÈuÿªþJRNEÂ1ßä_~k¥R-ò÷Q¾ë¡0ˆÃ±kÑ}Á„uUA¬¨)‚²yÑú,ù*©j±*—@Š½žþ¤w~Xð,Ï›?4˜”ž¥Ý¦‹™V•H3ð䪷WW•Pv …[§þßÿ•ÝÍ¢žž—âš>0œQJÞ%dçš3
+(D^Ø¡ú¿B³\«endstream
 endobj
 1291 0 obj <<
 /Type /Page
 /Contents 1292 0 R
 /Resources 1290 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1232 0 R
+/Parent 1231 0 R
 >> endobj
 1293 0 obj <<
 /D [1291 0 R /XYZ 85.0394 794.5015 null]
@@ -4969,31 +4983,31 @@ endobj
 /D [1291 0 R /XYZ 85.0394 771.5874 null]
 >> endobj
 1296 0 obj <<
-/D [1291 0 R /XYZ 85.0394 756.8229 null]
+/D [1291 0 R /XYZ 85.0394 717.2979 null]
 >> endobj
 1297 0 obj <<
-/D [1291 0 R /XYZ 85.0394 753.6547 null]
+/D [1291 0 R /XYZ 85.0394 717.2979 null]
 >> endobj
 1298 0 obj <<
-/D [1291 0 R /XYZ 85.0394 699.3651 null]
+/D [1291 0 R /XYZ 85.0394 717.2979 null]
 >> endobj
 1299 0 obj <<
-/D [1291 0 R /XYZ 85.0394 699.3651 null]
+/D [1291 0 R /XYZ 85.0394 711.5354 null]
 >> endobj
 1300 0 obj <<
-/D [1291 0 R /XYZ 85.0394 699.3651 null]
+/D [1291 0 R /XYZ 85.0394 687.4657 null]
 >> endobj
 1301 0 obj <<
-/D [1291 0 R /XYZ 85.0394 693.6027 null]
+/D [1291 0 R /XYZ 85.0394 681.6475 null]
 >> endobj
 1302 0 obj <<
-/D [1291 0 R /XYZ 85.0394 669.533 null]
+/D [1291 0 R /XYZ 85.0394 666.9428 null]
 >> endobj
 1303 0 obj <<
 /D [1291 0 R /XYZ 85.0394 663.7147 null]
 >> endobj
 1304 0 obj <<
-/D [1291 0 R /XYZ 85.0394 649.01 null]
+/D [1291 0 R /XYZ 85.0394 648.9502 null]
 >> endobj
 1305 0 obj <<
 /D [1291 0 R /XYZ 85.0394 645.782 null]
@@ -5005,52 +5019,46 @@ endobj
 /D [1291 0 R /XYZ 85.0394 627.8492 null]
 >> endobj
 1308 0 obj <<
-/D [1291 0 R /XYZ 85.0394 613.0847 null]
+/D [1291 0 R /XYZ 85.0394 603.7795 null]
 >> endobj
 1309 0 obj <<
-/D [1291 0 R /XYZ 85.0394 609.9165 null]
+/D [1291 0 R /XYZ 85.0394 597.9613 null]
 >> endobj
 1310 0 obj <<
-/D [1291 0 R /XYZ 85.0394 585.8468 null]
+/D [1291 0 R /XYZ 85.0394 540.8025 null]
 >> endobj
 1311 0 obj <<
-/D [1291 0 R /XYZ 85.0394 580.0286 null]
+/D [1291 0 R /XYZ 85.0394 540.8025 null]
 >> endobj
 1312 0 obj <<
-/D [1291 0 R /XYZ 85.0394 522.8697 null]
+/D [1291 0 R /XYZ 85.0394 540.8025 null]
 >> endobj
 1313 0 obj <<
-/D [1291 0 R /XYZ 85.0394 522.8697 null]
->> endobj
-1314 0 obj <<
-/D [1291 0 R /XYZ 85.0394 522.8697 null]
->> endobj
-1315 0 obj <<
-/D [1291 0 R /XYZ 85.0394 519.9765 null]
+/D [1291 0 R /XYZ 85.0394 537.9093 null]
 >> endobj
 590 0 obj <<
-/D [1291 0 R /XYZ 85.0394 480.7215 null]
+/D [1291 0 R /XYZ 85.0394 498.6542 null]
 >> endobj
-1316 0 obj <<
-/D [1291 0 R /XYZ 85.0394 453.7318 null]
+1314 0 obj <<
+/D [1291 0 R /XYZ 85.0394 471.6646 null]
 >> endobj
 594 0 obj <<
-/D [1291 0 R /XYZ 85.0394 370.1987 null]
+/D [1291 0 R /XYZ 85.0394 388.1315 null]
+>> endobj
+1315 0 obj <<
+/D [1291 0 R /XYZ 85.0394 363.7919 null]
+>> endobj
+1316 0 obj <<
+/D [1291 0 R /XYZ 85.0394 329.092 null]
 >> endobj
 1317 0 obj <<
-/D [1291 0 R /XYZ 85.0394 345.8591 null]
+/D [1291 0 R /XYZ 85.0394 329.092 null]
 >> endobj
 1318 0 obj <<
-/D [1291 0 R /XYZ 85.0394 311.1592 null]
+/D [1291 0 R /XYZ 85.0394 329.092 null]
 >> endobj
 1319 0 obj <<
-/D [1291 0 R /XYZ 85.0394 311.1592 null]
->> endobj
-1320 0 obj <<
-/D [1291 0 R /XYZ 85.0394 311.1592 null]
->> endobj
-1321 0 obj <<
-/D [1291 0 R /XYZ 85.0394 311.1592 null]
+/D [1291 0 R /XYZ 85.0394 329.092 null]
 >> endobj
 1290 0 obj <<
 /Font << /F61 642 0 R /F43 608 0 R /F56 626 0 R /F42 605 0 R /F14 616 0 R >>
@@ -5059,11 +5067,11 @@ endobj
 874 0 obj
 [598 0 R /Fit]
 endobj
-1322 0 obj <<
+1320 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
 >> endobj
-1163 0 obj <<
+1162 0 obj <<
 /Length1 1628
 /Length2 8040
 /Length3 532
@@ -5073,7 +5081,7 @@ endobj
 stream
 xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü
 ¬‡¹rðpr‹t´P(ÐWç…C­fL9g0ЇÉ]Á¢#°5@ðòxDDD0rp'/gˆ­+€ù‘ƒ…ý_–ß.+¯ ‘.[€ññÃ…;9‚a®ÿã@=0àjØ@ `€œ–¶‰Š¦€YIÓ †P€¶›¨C@`˜˜`w@ÿ:@p˜5ä÷Õ\8¹d\@€‹y{‚ÀN¿!v€ØÙââòø
€¸l0×ǸÂêfý[À£ÝþG“3üÑÃñ{$Ó†»¸º€œ!N®€Ç¬ÚòŠétµºþÎíy„p›GOk8Èí÷•þ`4¨+s¸‚=]粬!.NP ×cîG2'gÈn.˜í¿°œÁ¶@gk(ØÅå‘æ‘ûwuþuOÀ¹=ÐÉ	êõ'þÇëŸ ®.`¨
'&ïcNëcn[“ë÷¨¨Àlàî¿ìÖnNÿÀÜÁÎ
-Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.Cc
}}¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
+Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.5ccE¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
 0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
 rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
 b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -5096,81 +5104,86 @@ $O
 t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
 ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
 üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.òY[a-³ZyÏ•px9ÝØÜ>穾„»*|,4°ç	Žð=Ï	añŽ©{ZwLVqžCÅo, H;ç_7Gg[åGxd½DŽ…*~ÂJSÛ/
*ûÎÔF‹µëújQ‹jw	Ý]_-Òq;Œ,1t³õ2ߥÆíËòê{:Ö§Ùo$<×ð¬žôôJ©Àëóüλì„b›F=ÍçåcT”u;ÐuË›÷#³»Z1q“ÒYÖgHŠ^fiyv|‰¢,PkŠA±¢FH£s^…EËRôƇnQWEÛt%Ú·y3™{æÈŒõFbKã<%Æ)â"-L+{墒zS'“#é²ÊòZÃ+•÷U­Á׎#Ç©ÃCcæHŸ,êä;÷=íÏô.óYäg:¯jÔn¹¶Æô×êS:c¤¬UºW¹Þ/Ëf¹ŠšcO¥ÛøŒM¯lD‰Á¦9²ú:­ÈùÈßÛ˜ìÑËr6½õx§ç±2ú]úS¹‘	p7O¼,j1îöÐËÚ{ž$ªS7O–xYŽróæs÷â»ì(è˜Ýš‹ÏD‚@§­Y#žC²L%¯íáž›1A•Ã¸©3¾~M+ÖAîDí>¤¶¯cãµã-Nˆ¥”ûÚÔß	ÄÖtzâ"¹tãØ'>(˜“”hSðÕœM]ˆÎÛ…0ìŽ
ñâSPÓKD³—dOjnÌó®|KHtÞ‘Ñ+㢟S'÷@6„iõ“¨C,÷ág3B½žpÖáΡÄêφÖÑn‰Ü;ɦc“
_7T,Q1çTiHøBÕWL8­¡¾	 ,œ²£.±ßu2†)¶=–Oš ¹ÿêÚ´­Ùê²,
Aq¨¿râ^T!1í¢ëç2)áN\§‹¬‚)æÄËR…Ëbž÷ž6Cb5ü´çêÞ›Ô;ð¶¹mH“üÅL¸^Ȭü¤Ý¸Ê	{>«m@Ë›ðzéN‹›´×»ÔÌÃBÿ]¬—š@)õp[jÊâá…6붡²BSHQøר.öØ«N÷Ž`ðG¿§zŽ^n)?ìû±«892ÉÿxÈÌÄ÷Ù%¼­Ø3ÕÎZJðô]\ÿ^¸Äé„SXA㣅¸r}[(â0Ò@¥elöÉmi¶ö­EWÕ9úQѲ´ˆC¶Û¯µAñ=°g>MF{Q’= †*Ëk¨+™×Øõµk¤i@ïħÕW:x<›ó"Í}<=<²šC½Q¤4Æð÷i©UµSöA-ÒiMÛk×qnñÔÆèO“¦R<)D¾€÷/ÇT#î¡ÍM©	Æ$ÖžåÔ3³Ð¿Á¢\ç{Uª÷Þ<UW=ˆ$®&<ƒªZ€0óØÒgÒR*¹ÉÒO¦1‘'£ùŽŠj*5wË-·‰ûùT j4ÝióÍu``òh߯µ“K…ݻʔÑk‡‡A›”ôÈÔDôìtk¯ö2ÅÛö÷ú—¨§$ÌöZ¥ï@Î^ùÝêõ^E~§”Üúí¨u4߉<*ôŽ±§¸KJßùy/žn•C*}…ÃåLgI£J·8jŽ[“Þ³	”ØT7%JÈOïä,Á!ØžÈ+ÌÁ¯f—ÉȘs‡h`Úq¢O”1£<ƒ3(©dØOfBOŸ º'"p=Q£B¿âäpJ}ÝØü™ŸZ®¤!p{òëÈa}÷qÑ¥³äƒ£DKXôžòxÇ(žÏÑã
©¨“{ÏçÉšj¿dqX·ã·ŸP¦Üv£ä£Ï€³i¬¾AÕ;³@øyŠ*œoLœOœÕøë…ú¾›ºxOÛÝËc	-@YšUʳªø;žBiäMÖð.•\rž;ùU´¾Rø'î…ç)眄š˜	…@ƒi/_	A®ÉéÙêr«0áFx<×Er;¾zÇ´UÏšøSÂö²Ù„.¥mô÷Œhâæ¨É2Ø’ç/{I;õŠjÑm÷¬
-*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿ|kõÀendstream
+*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿFdõ·endstream
 endobj
-1164 0 obj <<
+1163 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 67
 /LastChar 85
-/Widths 1323 0 R
-/BaseFont /VEXMTT+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1162 0 R
+/Widths 1321 0 R
+/BaseFont /KXEYXF+URWPalladioL-Bold-Slant_167
+/FontDescriptor 1161 0 R
 >> endobj
-1162 0 obj <<
+1161 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /VEXMTT+URWPalladioL-Bold-Slant_167
+/FontName /KXEYXF+URWPalladioL-Bold-Slant_167
 /ItalicAngle -9
 /StemV 123
 /XHeight 471
 /FontBBox [-152 -301 1000 935]
 /Flags 4
 /CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1163 0 R
+/FontFile 1162 0 R
 >> endobj
-1323 0 obj
+1321 0 obj
 [722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
 endobj
-1130 0 obj <<
+1137 0 obj <<
 /Length1 771
 /Length2 1151
 /Length3 532
-/Length 1711      
+/Length 1712      
 /Filter /FlateDecode
 >>
 stream
-xÚíRiTSבª¡¬2©¤j=,Œy5„„1
£soÈ-ɽôrIˆ8PIU–EltÉ(*J…UE (µÄ*¼N¤U„GX>‹T­Š€S/XWWéÏö×[ïœ?gû;{ç;›æ)cˆ lŠ¡ƒÃäA°T*á°yf³)4Z0Ë	CCä,À¬Ôªw`ó…¼eBŸBÁXºGRUð
-¦Oø@¤qD!GTN¨`
YC!W¦@`BÏ"µ¬¸‘ÖÂ0ž	CL
-‡ DA€
p*‚RXš$¨ü70¤M›Ê„ñRðš”I¤HCÕzÁJ
-k5FvƒI-ÿ„¬©ÅCµjõj¹f¢ü¤SÉË5ˆZÿ;Ó¤k	R‚qt*5~#N
-CˆV35+!äjD!BSÕ0`p–3ÙËßàHF(¢ƒ¡H„P¨€R®Î€'q…¦*!ý›ÔÁŠ–KD±Þ¿íd2RŽ D”>ì?Ø“1ç˜4	Gt Íd³9$‘ÜoOISš‰Q!h*àò|€Çåz
-9DdÄ@PÖXG*f1QŒ ¯Ò™ ÄpÊÄ¿ú°K
gdL o.`¥NÌéÞöקa:c0¸<²{¹/àóØ9"*´8£Ääø½•é)ë`ÅrSømùxï©m5¹âªÎ£öôŒù¦Ã[ÚÏm=iòcõú¹\È‚?øÕy«óÇÈ1§’ሯX’×G=%Ê6d¬­=ÎfG7zÅ>ÙŒŠ¡Ääi—ÊÚZßÓØ~ײКÞèýàGϧw2ÏÙ×­ºÇáWR‡§×ܼñòqnÚÆŽ>‹Ã—ç`	%©ìôª=pÌï]¿†Ua–êKs÷=u}e¡¶ÞîN»åhˤv×Mþ/f±é:e…³?m¡%®T°R&œ9ßçZL¹	ؼïïaŠhnŠþ2s ‹.ð0½Û-ÉÏ)	•DÌ;Zᢨ™§ö«¦ÚÂõ­ëZ4è…kýš|—´úN®1'½qmmÊØKÚ¯‹vL’ôüyï³×FjË…ÁÃÆýø´Xoßý™^ÞCôv6Õþêgfx¹ê‹»„(0¼×a…±MóïÀþìæQ)ˆ\Ïs»qä3O—rO8¦Ù[þ/é:ﯛ̻Å:AüEôÃþʇ?_l1îç&‡'ô¦œ‰ºé}©¶á|UˆkmÁô$sShhÕ¢¦™XÏ@Ð\×ù~³D‰Ö( Úi¹Ð­+º¯:›íÂ[pLès û…ßà%ÑæÆáÃ>rí7ÏKÛɼµÔàû‹Ý¹ˆÚ}§oí	ó÷s–ì…¢²kö¦«‰¨Ù¦Ñ?ÌÚsTPÿcWž}ö‰¨é;e^ê¼"6>]Jo£­¿\ûˆp*Š|^™ÂÄãÏ´´¢8j=>fÈäžùh=Ï/1õUwÀᵫ
»6>xtsù‚íë)B‡þž5]üiIîë-#=aZgqS{‚½{Ôtûû>D0°ùìAg­§ÜW‹Z¨uçÿ3ºb
ƒë¬Œ2°ÕñÞ…¶ýã4¨¹RSëFƒÜ¬—‚ä©^w³Ôõ[ÉwÔÜœnÜJнç~qÊظÉf¾Z	}c«jßvÍõJxŒ£†³9V ã>;בo÷nNáJ*õÔ¸¸nT·¯.¼ÔÚwdÇŬè÷Ìw¼bÜKÅ%¯lãcêÛmËq….ŠÆzãî•ÅŽƨƒñÒ¨|EÛ­äÍ+‡¤u
Çw9lçTewÍ.hž1ǦÝ-É”U|¹.à??3æl(¯/pÖ·ž‹T”œsb°H\} õ®¸'<ûYàwïAï؇Œ,z{ÆTXðܪê=í[^,ºÜ)ºÙº›VÛ¥nª.-Ø-]ã²þ0§Cí—…Wüwµ·ó>i£.!^¼J8¹Ôík}J'¤Ûø0¬eU„nÁBW÷6º´2óòD¥A]×w«’:®•åý„F˨ãmUûfq¢óXm3ð…»÷>¸ÿé7)ÕüÑóâ–¤«=Ÿ¬ÙÁaIbÑ“ŠrbE7oŽeÓ¬ÈCùUÔÚ~öß\”ÿøŸ( PÃrœÀ4r<òwµŒ’endstream
+xÚíRkTSW‘ª¡¬òRIÕzX%2yj	 B,žò˜{CnIH@Ä•TeYÄF—ì?ØS1ç˜4	Gt ‘Íd³9$‘ÜïNÉÓš‰Q!hàò|€Çåz
+9DdÄ@PÖXG*f1QŒ ¯Ò™\ ÄpÊä¿ú°K
gfN¢o.`¥MÎéÞ$öקa:c0¸<²{¥/àóع"*´8£ÄÔø½‹•é)ë`ÅrSømýtßéíµyâê®cöôÌ…¦#[;Îo;eòc÷ù¹\Ç›~Š†?úÍy›ó§Èq§Ò‘ˆoX’×O=-Ê1d¬m½ÎfG7zå~Ù¬‡Šá¤”—ËÛÛ>ÐÜqϲؚÑäýðgÏgw³ÎÛ×GÞçð«¨#E3koÝ|õ$/}Sg¿ÅákÈs¨”’\~&r/ûÏ»ÅW'„aÕ˜¥æòü¤ýÏ\_[¨mwzÒo;šÆr©Ý
“ÿË9lºN9ÐIáH_l‰/¬–	g/ô¹[a6ú{˜âZš#¤¿Îì¦=Lï÷H
+rKÃã$1£ŽUº(j¨ýÃj¨¶pCÛúVMz±ÐÚ°¶À%½¡‹ë_ÂÉhÚK[—:þŠöÛ’3Ÿ&¿xÑ÷ü‘ÚúPað°q?1#ÎÛ÷@`–—÷0½ƒMµ¿ö…Ù#A®úê!
+ïsXel×ü=p §eL
+â7òÝnýÂÓ¥܎köUüMºÞûÛfóž$±ÎFp	ýx êÑ¿.µpSBƒûRÏFßò¾\×x¡:ĵ®pf²¹94´zIól¬w0h¾G€ëB¿¹N¢$k4Pí²\ìÑ?PËqáMŒ/:.ô9ØóÒoè§ÒsÓÈŸEyöC[¤ïb>ˆ^nðýÕî|D]ª¾Ë·î¤ùÇyËöAÑ9ŒµûÒ×FÔn×èæì=&hxı«È9÷TÔüƒ²/õ^›ž-§·Ó6\©{L8G½¨Jeâ	g[ÛPµž7dqÏ~²ç—”öº'àȺC5†Ý›>¾µrÑŽ
¡Ã@ï €š!þ¼4ïÍÖÑÞ0­ƒ³¸¹#Ñ‚Þ;fºóc?"Ürî³ÖÓ?þ›¥­Ôúÿ[µ–ÁuVFØêï"Û	ÔR¥©s£AnÖËAò4/‹»Yêú½ä©;jnÉ0n%h‡_¬.eåY{Wòñ "Ǫ„¨l©ä´z¹ÍŒ;3Çž”º[Ÿá›^ç7Vì‚oWF­­œð¿Û=¡Íw½2RÔùË™R¥ôM¢loê|e¶^×5/»¹»lS….˜áµõÌ'†/¹_66m¶™‡¯‘DAßÙª:¶_w½ë¨ál‰è¸ÏÆwؽŸ[´šJý5.­Óí¯/³öÝy);æÃBó]¯X÷2qékÛ„Øú¡Ûò¤Ã\¡K“¢©Á¸çbU‰ãDZê`¼,º@Ñ~;eËêai}ã‰Ý;8‡T9%Ýs[f-ܹùg·Ç˲d•_¯8Ï/ÈŠ=Êëœó½çâb¥äž*×L»'î
ÏyøÃÐ{ö!£KžÄ5¾°ªúÎøV”H†¯t‰nµí¡Õu«›kÊ
+÷HçÖºlx/ÌépÇá5'ÿÝ%¼ÏÚǩˈ—¯O-wûVŸZÌ	é1>
+k̆Ð#­Xˆãš¾&—ö@f~¾¨,¨ûÆ®UJcçõòü_ÐY#u¢½zÿNL>+ }¾X`7ëþGW>ÿ.µ†?8vAÜš|­÷Ëѵ;ù/-É,zr1CN¬êáͳl|šu¸ šZ7Àþåÿþ'
+(Ô°'0O§üt¯Œ³endstream
 endobj
-1131 0 obj <<
+1138 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1324 0 R
+/Encoding 1322 0 R
 /FirstChar 60
 /LastChar 62
-/Widths 1325 0 R
-/BaseFont /UICIAW+CMMI10
-/FontDescriptor 1129 0 R
+/Widths 1323 0 R
+/BaseFont /ILPSXS+CMMI10
+/FontDescriptor 1136 0 R
 >> endobj
-1129 0 obj <<
+1136 0 obj <<
 /Ascent 694
 /CapHeight 683
 /Descent -194
-/FontName /UICIAW+CMMI10
+/FontName /ILPSXS+CMMI10
 /ItalicAngle -14.04
 /StemV 72
 /XHeight 431
 /FontBBox [-32 -250 1048 750]
 /Flags 4
 /CharSet (/less/greater)
-/FontFile 1130 0 R
+/FontFile 1137 0 R
 >> endobj
-1325 0 obj
+1323 0 obj
 [778 0 778 ]
 endobj
-1324 0 obj <<
+1322 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
 >> endobj
-971 0 obj <<
+970 0 obj <<
 /Length1 1608
 /Length2 7158
 /Length3 532
@@ -5178,135 +5191,145 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚíwgPTݶ-’$)¹ɱÉYrPrƒ(Qèn ¡é†î&JÎ’$KR¢ä¬’£äœƒd‰‚dúÝsέï_÷ž_¯Þ®ÚU{Í9טcÎ1תÚì,z ~EÒª†D`øBÒ˜£µd…ÐâWBÂ!€£;»2
-j…!*V¨4À
-¨@ÁaaPJJŠˆ Œtò@Álí0.#cn^^¾Y~‡¬=þá¹Ù‰†Ù"7®P8ÒÉŠÀÜ@ü7‚ PÆ
+xÚíwgPTݶ-’$)¹ɱ‰’sRrƒ(Qèn ¡é†î&JÎ’³$%JÎ*9J’“d‰‚dúÝsέï_÷ž_¯Þ®ÚU{Í9טcÎ1תÚì,z ~EÒª†D`øBR˜£µd…ÐâWBÂ!€£;»2
+j…!*V¨À
+¨@ÁaaPRR’ˆ Œtò@Álí0.#cn^^¾Y~‡¬=þá¹Ù‰†Ù"7®P8ÒÉŠÀÜ@ü7‚ PÆ
 °Á¡e]½gš:ê.u#€:EYÁz.Öp Ch(7À‰ÀÿZÀHö»4´À
–"`@;AÁ°›mPw0Ôé·‹àE9ÂÐè›o
°EY!07=À 0îùMàÆnƒüCÈ	…¼‰p¼ñÝ€é!Ñ4sÂn²ê©¨ýÅcg…ù
»q67‘$ØåwI|707^Œ` î˜ß¹¬¡í·ò¸É}æ„‚ý¡á‚†!lÿÅ€€‚ÚZ¡ p(}sƒý»;ÿªðߪ·rr‚{üÙüõO0
 · 
 ßäcnrÛÂD‚¿Eaƒ…þ²C\œþás…¢þ4ˆë÷Ìpß°‚ pjC$¨ƒÄܤpýÏTøωüø?"ðDÞÿ¸×è¿âÿíyþ;´š®cåx3]0€›
Ðü¾cþ¯X+GÜãßDÿ=Ðú≱ºiƒ"ÂöF
 !¡¿Œ0´Ì
 уaÀv+øMþØ(
-C@o´üÓF?PLìo>C;Øñ»éâR\PäïÌoäùÃ[PÅÈXYÄû÷ÛôO”ÞêC§bÿU‡6òÏÅo%%¤;à?PBÀ/"$qsØ„DR¢RÞÿ&ß à¿ÖÚVÌ`zS´ðOéÿõþkeþ7U	ù=' Œr3Zÿ4üvƒ]P¨Eÿœö›’ÿ±þ3äP¨;L4=ËÙ'¥&cÊî½íìS1mmât;åUæfû• ›|“–¤Šž_”T
H_Õ{Œwº\}ijÖÝLçlJ„îd1x³q·dßçø(Á» h‘Gš¼eùbwLk×D\èÉÚ×>}‹÷xŒEP»¿¸ýØ\³ý¨;Ýñ¿©ˆ¦þD^…EQ–ó}‹#nó×1g{OWgGÓþí–UzÞŒhBvW\RŽ?çú‡&FE/^Y¿Ƶ—Ä7‡´q‰ÌOíÓT/ŠL6+Á3/¶Ê¡5(ÿ€ç³?°³Þ5»ëvx‹†Î¼K4ÌЯœ¿I°I~ Ì°úÓ¦?ê¡OT«æ£¿åyO÷!tGõ{}…—ËD“¾éwH“êÌ?XÉÀûXf5(Ðæ—#p6TóæquŸ\)a¬:Õ“D´µÛ‚¨ÿC΢oqØ'U#q9¾A6>¾rW«ƒß†ß»¾CE–T³
-‘ø`*ú·~±Ÿq¢Î
-gx)á>õ^©½<¨üãá¡ëû‰¦ýn1íE?©^ÀYQ¯è&U6ò5PŽW÷®p¥D¡€™™÷®‘]ZȉWO
-/¶]•´|@†¯Ì¸× ý98§kÈ轑iô:?ô½w»•”9Ž›¾]«¡AÉ‡W†ú6©âÕõ×ʉ \.B“[߀Ic'šRÒ=~ê	b;—ž“pû
-Š¾8O£t€ !ÑnX®u–&±oû¿sâˆ<„ݯÛg·öÐ3³‹:xº0\2Èò£?¬5V3ŸàíœpVûá£!Ffz—V{‡&!5ÿÖò4ZéAÀ%Ã×Ç=êL=Q`R´v1-Š™XXE¸{2³V_õaø/¬ˆœíQÀùÞ©ÌìØ	Ù‹pb®ã„îbíY÷÷a2±¨ÑLŠ|ž…æšÅ•x"å—„‘ƒM·Uêu‹/Ó=—R†ÀêFA·G¿\FÛ©	8e÷ŠŠÖâ‚6Ó‹"™¶½Î¿Gß4?¿ŠôŒ=Ù'g_Ñ”ºûØaÐ8‡ºCP6ëSkYKfýùK‰ÁV²1mËÖR´ïH*>©á:›BŸÁÆ|õéÙ}~É'ÁçŠÙSOÃÊ©2R\áU‡„UË
Ù‘û'}4tâ$ñW¾g.ƒÕ,@å„Ы·­§ÆÎpEû‘sóýŸ9ª²	¼–}ø%­¥äÈÚ)3šÃ!‚̪ò¡bO‚·í=¤´~T‡M¹ëä_~moÑfýb„`ãó¸þ->Pß·ÿÓ­´á]aF&÷©i@´?$ÈçpÀ™_·”Ñ\ñ™‚ýp¶)"H>A,·~›±VF2GçvB3­ÒùÁ™”±e= é¯ã.RÈ”5Δ{¤·ŽÊ*©yJŠož’2ÐÛ¡©aN3öZˆÙP!‚Ìt/7f}Ñ<üôŽÙþ9*ú`ĹÄònõ¶À“ÞÇn²¸SKÁGW®‘*‘í¶_§Û¾…åMT.B8€×pê±LgÊê:òØ­mY;È'–•¾°Z%Ž¬6З‚®•¥)Ø‘MÅ—¸x_”d+ükmÊÝ&îìãlvR›ðAÍ
*ÏLj^LD¾áIJs³ýµ-§€2H1€¿nØçè,£Äã–<Ͷ_»û$\ž®¸>ÑšÆà›Ñ¸š˜W¾TǛҦ!Ã7|˜þÀøøA£ÑÚdÃZÀZž×i˾ì©Ræm¹«9‹i?Ý¥°?|¤•·£N=L@Ò¹œ™XHlbOJ°Ì"ÏÚ§ÒmcFOt8ŸÝ‘Õ4«¥òdSÌ*­­Ìèº5*ç¼µ…ÉÒéí®oeaðãWgçžÜ2¥Ð`˜¾òDÏißgxFçÚ•9q=3˜¾“ÕÖ7ÆôtŒüsf…õy»‘†Q)’Çu‰Œÿn˜d7ÊŽ$Mõùit[Ðâx"C˜Çâvé@y*|„
-8X–š1öNë*º^îös®FXCÕÇi9™öXÂDd”­'«\Î<äU‰Ýe©y™ 
-4±°ÜJª×+Ö¥QvwÒ|ÀáNª+Y±5vÅl¬7žµ»cÔ˜ ¢UÅ{Ï7ÙOv×gL?8‚åTcb“6E
¾DáÊCZÅ*½å¿]öTN‰ÛÞ#~˜žÛÐËxG?àAÔ¶_<¼r,¬¿ð®³Éž¥õÆS±Í¼õdœAF›GÌ‘ÿZÉp~¥Ã¹¾³ì¡ÕËÒãoŸÓë-„@€Ú‰÷+&Þ4< o
-†±;âJ¢ñàp»¤ý¨Ö­‚ˆá¶7$œ(°ßù(7ë›Áö%:òŸîÂ
-fQUÛL¯>ÄC¤?Dž?V[j£ÙtKWÈm]½×21DÜ‹u\y¹2¼M“
-Ä1Åz/úy·¡Èê
-L®£ë?“ŠKÃãoû0#‹»(8ÅË'³„\¨ai´|QÚvT¸ñ'ˆXŒö‚»mñ»¼º®uèàij’¦íø¢2*·»‘Y¿Þ'ûaµRÉkß.IdiirSéË%‘¨Ðç$TáÛÁƒûr¦½éu¤v5jf¢¨fDÅl§ÂpŒ×n9wÉè'~½TkÒr!=á¹®öMÂ
ê2½¶+\O^ŽNÇì×ÔÚ•GNÛ3Å&ìÇÂ+³ôör•¶…΃ˆ$x³Õ´mÓívñtæD†xÐœ\+,>]šG€î’¼4~+œˆ¼ìª×#²»5B“6qÝk~ü¥/ÍÚÒ3t¢‹hcÑu(%}V-M<õí¾TæÑ{³(v]i  i[£Èg6…mE¾
ÌuGÜOFéé0
u4œq©,JvRÊ65ÔÛ䊲ϮOª9ÄrY"䵯ç_>Ä7`§X/œ,ïä¿fcÌî™(ûÎðí+i¿¶ÈŠBOá|#dÔ«™K;­áEÎõ½Qtm\³îï-ÉEªk©<Â4È·oî3±q×´Ö͸Ôõ°E‰ÈÊC/FÍ^Yj~£‘HZS$MþZ]׿ê_ì¿cŽ¥‹äWÈ™ÿ!ø|šRT†“âôÊx7™¶úÔ¦õ*ö§´*«Q溗}>®ìúȳ™DõZbÑ›¿¾‡ô>Þ‰}íÊDÈ #’î¸yüu»yu”±©}—^,{÷ç½Öí*é…«ò{ÖX††óϹäi8ªNH¼Nínö©:ÞïÞUŠ{OI…)JßívDžw)_<×Hy²ê“õiºÖ fݹ…C¹¯I•2…ìÔ\H+6¿X¿HIdÒãJÄà¾ôÏ\{Y0ÿ¨U]m¤ÛÏBß“·ZÉKÓHX<	~|5µBÕ+Eóš	G><Ì~/`+éø¸éyLw¶SØlöxźDÀŸú¤ÈZˆå¬ÞmvïîÆÞ%É=úPºªç©ÎU{sï*C‰Otkž+Áå[Ûvø*%ç‚]ÇמknD:S‰qfréÛÌé^MÄK‡f©b<öüñLc݊Ͼ‘|±ç
-A½u\S­±Î¯Uo‹×ÖuóŒõgÿ)›c«‹ÔRðXM	€G$
ø¦Žfx®X°Û_ßû5°ë{ñ§îKõ”¸ô½Ùj&úšÍA’úÍ,ëpt‡wN«‘â"y&þœC£NI/Õt¿8Bµ5_BuÇé‹õ\%µL@lüý"»G±U÷½05'l¸Z—
-Õ͸”äFv]zÔ?zû%§Á
-ê%)ë¦ßK¹
-T”I¹ùçëïê…a¡t…]ö§€ô= öxèTJ]ö	cJºL¡3Ñ“i°ƒµ¿lQSS¯Ó[|CfØáiŽÅ‚ãó˜uº|ÚÅ/DÝç&wÓÇ…²+¾NÒ»
-E{zOn‡­°â:;YzbÊ+}ÏóŽš»\ZM®uõ–LBÕ‹Ë'ŒÈØâc’Æ—iM"û|ç8¸œVµä͸k	±³f¿ØhFaßþö#“WÑop$eÍ+ΡL|ÛTžg;F>“ÿŒ'¢©'iñê´#`€tD•tþƒ«ÿ…ÕãW¼D$A9™Õ㘅_¬ôºÁ2iуEŸÇxiŒ!KÄþLAô|Jò†¿¯ä:™£[ûS¨:¤ìÐs«Å*Ê7f„s¼[ó·==fŒÑîj)8/@"_ì#ëö-_«¬ Tm4&
Ÿà>«íYôû¤P($³îè©"D°\Jÿý{Ö‡!Jâ*öQWìÄÊE¶ÊÀ•7CìiZcLÄÜdê¶}ÆÈà‘Rô™ U¼¯ÓÔ“k¯Ü¼AÔðêé[·¡Ì²c½¯38êç	¨`¬Ò™,oÀ­UºJÏqù8V(}²‘[ø€WÂ3‹ŠR.Åcî—<ø§©Ù†¶Gm¶8vÜiÛ•óêLá±
-E2Ýûº9SI6¥°žìôbGÇ]Hèl
O{Ñ?’»'@nTØ”ÓÕ®'÷Ð(GB³?Öˆr¾,Õó^üJžµãâ+vËמ21À¯.´Š€-{¾šÅ£ÿù>aó¨L¼z(Æ¢ÙÇK=ȺN¼Š{sQ&ÄþZŸg>PþÀ]‰NšsêcÈ›ƒN:ݬHq›‚ápïo"
Op(í&|ø;2O$.°b>7\ãei¦˜ùŒäDE²†?ñÀ»²ñú bge=’“ÂDuîêÒÜ%]ßüÖ–Ü¡áÛp&³$o<À¯Ê†÷†Ã`¯,>ìi§X¾î\Ð~Z2ÜÖçÞ™ÍQæ|ÆDîµ±}:Q1)ÎÚ{øY´¿gíñÝ­éO5Bó$ÅïÄmW>EŒÈŸIz‰”WÊ5a!Šèøi=*|³±
Ÿd‰¿Zt±ë,?$‰µ&΢W¿Ö9dòum˜ûÆÂNèï*d@U!™8hçCèáó¨DoSšÛhÜ#‰u4ÉD;$[Íd= ÐjŽé¢Öen­wŸ9ž.ӻŜU¨OÃÙk¬=,‚0j­‘¥ó^¦ŠÚAÖKý;¿K-AföT£WÌ⤉äúúlÐOÎ.¿Š—¶ãÕ`º µ—sσzËWèš^$`u2Û0jÈ(Å?L¬øn2$$Q3…ÏZꋨÔH&תS»ƒüvÙö#Ô™0ÚK[8úÑUGuU9åP€DcªË›Ö„ycV!¾[‡Ž:Ê#]ÏŠ8×€óäåOÕ1cze·êvç[‹ƒš{IRõbå‰â·åy‡¸šoÏýªkç:üÐgåÍ~ÙÒœlä:¡¡º¡ÉèÆðvvºÊ»„;}·Åiã§â^&ù¶TíÈôâ©3™ÌçIå™2Ú“õÑ@ËT£æDàeÜGs4yÎFü/aÉ^Ãfvú”s´Ø/=¬ŸjÄiaØŽÞ‹-D«–^'‰0£Š1‚œ,‡›ô11ƒlíG+>ÒÃþR‰$W±Ÿ¸j†BW7+n:½÷ôÕ»ŽÉIõ}®g+’ýRÓB]ÞS(Á®V#ÒïÄîÏ´·Ö¿PK²{Üæ¥kç]ë&^ŒÍ›ÖX^OiL¤_ÒÓÒkVy>dÒ.ˆö›ó,Ï\äãèõ_nÔGÑ‹®Ñ>ìöp^çßôæ¬Ûü”ªütúYéFŸ‚õTC6Æ€PeŠXád<š*ÐxºGRþö!½a3YåLó¨ü†æôÀ+ÍâöbWÌÜé!niw–Í µŠâBïâ;¹‹+mÞ‘	S͈ÍòC1Ò•§™ªfÅÔaäN*
-‘ÀJë ‘šÍ®®gl宽B¬\Y‰ëZÂÅО|ìÎ<‡X±Wô=
-·Bp.-šªRœ-¦ù7¥€‘Yš¡s-<žÂò÷2F8€ÂÞ]f¹ÞÙeÆ×ë³£Z;Káoà„SlP÷(:o5ÊöJs¾n*Ú-¢:_æãqɧþÍÓ:3ªëûï„Âwšž™?j¦0®Ø}`'ì¥ÙxÝ®ò6kB½<Üw¼øêV´ÿXàâKW
ó•E”îÉgëö…ÙI—D)nd¦~(W´â£‡”éAßü¶X¢ìUås9÷ˆEÇãå×ÃÅ=Núe˜dÐ]X?Fü=ãôšÃ¬½º
#VÝNóöΗ\ÚÎ0Äã%ž·ò
-$‚t©‹Ëæ•^ÁæÀ¾·XB-r;¶ì©û7Ç“Sz˜g.,Y$6üù8	0}Ã
-¾¾s-Mv
KÜÊ<Š%+K:iÏT6àf’ýÑžZA¨Ž+u‹7?‰H÷–ËFMöhçÀ±O…VùþBQÆW4J1	x0W`á±T|L££(•P¦*éí¨Ò¼2ÙÊþ¶üˆnËàÀôe„~PúC½#z鮈ªB©èeÖ±ï<:Ú!Y‰É6_rét?¾ûT¦sïÉ»>ª»ßtë(ºòK>ä<‰ì*JlYÃA¤]v㇫þ½5†Øgé}….wúÑjŠ†÷ýßrçmO„ø”	{Æ?q£¤ËQ´uºû¦FÒÒn^ËÎÕt¦P@Éi`ÅÕOùèj­Çû°€Y•×ݙ✖+±šY‘8
oÆÿÝàÊ‘ãç-es
->NÌê#óÞÜM'‰šô4x
ëé¯yÌàu¤z¨ûžÙ£ê‘JT=Ëî‡d®dìÛisèŠyPK)BÊÏG7Ýû>q¹çìÔÁò×Xó|3rNO=Y‰iÀæ0´xÕ™ájDigùjÇÓÓ€•ª*\Aýàбçqf`ÿä'œ–wáv%§_6–gƒ¦ÙñãA¤e¯4òL•øFÀ'1ÆÚOšYÌÂΆô)èü"±ÍJÜ¥ÜSÁ¯s5|Í£Ÿ;¢ß¨Á‚«Ì,Pwð–œK7ø§™¢Å)¦¨iƒ¦ípÏúD`q´B"Ó±™^7ûû{rR—s^¢ÃpžÁÏm‚0¾ç¤†ÒBŒ©Ìç2×D£~Á­t$ߨÚ"„[”\Ë™Él[õèYjîŠfA×’©—3¥i¹_ß܇ÇÄZ<}MC·Ä˜6Òè‰W2‚ïŒ;!ô`y#ËSÏß¼)Ì3(¡òŠÑà˜8ŽeûÙƒ{­D¼ðL«‹Wð¢?Ãÿ­ÌZyuâØBe]LöžOŒlŠœ®W\U*ãÚÝ™äÃnƒ´¿Š
½&0Ûy„cÍ+¥÷ÜŒ·Ád\UE"c²ïßñ•ÈG¯.×ôò•í::tGh¹ñØ‚åžVÚ§Ú7v[¹;}Ÿà]ä6 +ZC ¤g¥é¶ðî¦+Ø”²5nh{êÛF&­«êl­}ãçY¬:ÎñíI¢'ô™ÑÞd笹ؽä\¨ÈØɶ´7{•ã¬â‘޾ýµâl1o–³ó0x7†ºüèúV¶{åóÛž´ÜÇE‹—»ÃýEù±šÒÕ_¯°S"‚Oðb©¥µãÆΆlßr^‰¾'îýiStÂóŒÏŸ“Su¢ïˆÜö0Ëm[A¼[ïòúTMÊ/q®“ð.D:s¤qóŸ5ôÜæ²—ëW|9÷‹Sy^Õ¦[Xñ©bi­?Nê¨t,¡PyE=/fN©¹ˆÀÔœCºñÇ MØØ~´³öˆtuE»®þâÓ¬ãÍ°7¬Ä‚~ªâ]Ëec¯	ý/¢ÿðÿµBaŽV(¢ÿ×vqendstream
+C@o´üÓF?PLìo>C;Øñ»éâ’\PäïÌoäùÃ[P_ÙHÉ@÷ï·éŸ(½Õ1†N7Äþ«m$䟋ßJJHwÀ~ „€_DHâæ°	‰$E%½ÿM¾?@À­µ­0(˜;Àô¦h!àŸÒÿëý×Êüo0ª0ò{N@+äf´þiøí» P7Šþ9í7%ÿcýgÈ¡Pw(˜hz	–²ONKÁ”ß{ÓÕ¯bÚÖÄé
+vʯ2ÌËñ+E6û&‡-I?¿(¨”ºjðøòÝérõÏZO
œ³9º“ÍàÍÆÝšswžãƒïZ€ E>iÊ–qä‹Ýq­E\q¡'k_ûõ
,Þ]à1~AìþâöcsÍñ£zpìtÇœTMý‘¼‹¢<÷ûGÜæ¯cÎŽÞî®ÎæýÛ­«ô¼™Ñ„ìÒ®¸¤~Ιôò&FÅ/^Y¿Æu”Æ·„´q‰ÌOíÓÔ,ŠL6«ŠÀ3/¶* µ(ÿ€ç³?°³ß¶¸ëvz‹†Î¼M4ÎЯœ'%ؤ<fXýi3%ïÕ¦ùhÇoyÞSã]ÝQÃ^Ñ#ÁårÑäïŸÒ%»
+V2ñ>”[
	´ûå
+œ
×Å$=®é—-#ŒU§z’ˆ¶v[õ—ç,þ‡}âP=—ëdãã+{µ:ômäë[Tdi
«ài¡¦r`ëûùg'êì°p†—Sï”:*‚*>º¾›XaÚïÓ^ô“ìœ÷‰ŽcÒd"_ÁPƒxõo‹VJ
+™™yïÙÑ¥÷Šœ¸põ¦òbÛUKÉdúJOûðÑŸÒðsš±†ŒÞYFŸ¡ó£@ß{·ÛH™ã¸éûÙµ•Ìpx¥©o“*ÎP]­šÚÉã"4¹õ
˜<~¢Y)ù>Ã㧞 ¶sÙ9	·¯ è‹ótJ·í†åZoiûfà;'Žˆ<ì~ý>»µo„ž™]”ÐÁÓ…‘Ò!¾am±š÷€h焳º÷1Òл´Ú;ì4	i9ø·–§ÑJ’”_÷ª3õFIÑÚ%´(fbaážÉ¬:}Uùð_X¹/:¢€;r}SY9±2áÄ\Ç	™Ü%ÒÚ³îï¤cQƒ¢Y<-µµŠ+ñDÊ/	#‡š;o«4è–\fx.¥ƒÔ'Œ‚nŽ~y­Œ¶S…pÊž­Åm¦aE2m{$¿Gß4?½ŠôŽ=Ù'g_Õ”¼ûØaÈ8‡ºSP&ûc[YkVÃùK‰RÁ6²qm˶2´ï°H>©á:›BŸÁÆ|õéÙ}~‡O‚Ïs¦ž†UPe¦ºÂ«	«—s"÷OúièºÄIâ¯|Ï\†jX€Ê	¡Wo.ÚN!ŒœáŠ:ö£­ææ3ú?sUex-ûñKÛä%eÉ;(3[Â!‚̪…r¡bO‚·í=$µ~V‡M¹ë\~íhÕfýl„`çó¸þ->ØпÿÓ­¬ñmQf÷©i@´?$ÈçpЙ_·ŒÑ\ñ™‚ýpŽ)"H>A¬°~“¹VN2GçvB3­ÒùÁ™”¹e=¨é¯ã.RÄ”õ…)ïHo•](]û”ß„=5u°¯SSÃ<œfüµ#2:32º¡B™éYnÊ)þ¬yøñ-³	üSTõÁ6ˆs‰åíêmQ&½=dq§–‚®\#U";l3¿N1¶ËŸþ \Œp¯á4`™ÎT0Ôwå³ZÛ²v’O,+}%`µJ]m¤/(]+K9R°#šŠ/#pñ>+ÉTú×ÙT¸MÜÙÇÙì¢65àƒšT™Ô¾˜ˆLâIJs³ýµ-«€2H1€¿nØçê,• Äã–<Ͷ_»û%\ž®¸>ÑšÆà›Ñ¸š˜W½TÇŸÒ¦!Í7r˜ñÀøøA“Ñ°Údãƒ:ÀZŽ×iˆË¾ü©RÖmÙ÷«¹‹é?Ý%±ß •³£N;L@Ò¹œ™XHlbOJ°Ì"Ï:¦2lcÆNt8ŸÝ‘Ñ4«£òdS|˜?\V#Z•Ù}kLÖ/xk“­%Ò×ÓÐÆÂàÇ®ÎÎ=¹7lJ¡Á0?r剞ӾÏðŒ&ε+}$âzf0}'»½œéé8ù§¬Jÿšó#
;£2$ëÿÝl0Én”IºêóÓèö ¡Å/‰a‹ÛeƒiðQ*àPyZæpØ[­«èÙÛÏ!¸aõV¦e¥;b
‘Q¶ž¬²¹óW¥v—eæå‚*ÐÄ¢
+c(©^ŸX·FùÝIóA‡;i®d%ÖØ•³±ÞxxÖ"ìŽQã‚Š
+T•ï<“r,žì®Ï˜~p˪ÆÄ&o<&.Žz‰Â•ƒ´‰UzË}»ì'¨š·½-F,Ÿ‘×ØÇxG?àAÔ¶_<¼j<¬¿ð®·É™¥õÆS±Íºõ䃴6˜#ÿµ’áüJ§sCWùB«—eÇß>e4XuïVL¼ix8@ßcwÄ•DãÁµàŽ‡öcZ·
+#FÚ“H8Q`¿ó1nÖ¤¡Ž¥:rŸîŠ䳩jl¦WåñòHÀóÇjKít ›©šBÙ­«wZ&†ˆ{±Ž+/WF– é’8¦XïD?í6[]ÉutýñGyÒpixümå3#±¸‹ƒS½|²JÉ…—Æ*¥lÇ„›~‚ˆÅèa/¸Û¿Ë©ëZ‡M<+mÞŽO *§r»™ýë]ŠV{ EœöíÒD‘ÖÆa7•þ<‰J}NBÞ¸<¸/gzRŸ#°»I+0E5#*f;†c¼v˹[Z?ñë¥Z³Î°éØ	Ïuo2nP·¹è½°]9àzÊrtf¿¶Î®"‚pÚž)6a?^•­·—§´-tD$Á›£¦m›a·‹§3'2̃æä¢XañéÖ<ô”æ§ó[áDäçT¿•)Ü­š´‰ëYóã/{Ah¦Ðž‘©ýXD‹®S)%è“jYâù«o÷%³ŽÖØ[D±ëËé¤IÛ›D>±)l+jôh(`®;ã~2JµJ…i¨[ áŒKåQ2“‚P¶©á¾fW”}NCrí!–£È!¯}ÿò!¾;ÅzÑüë9'/`ø5{dæHïDùw†o§XÉûuÅVz
+ç!c^-\Úé/r¯ïµŠ
+°èdhãšõ|oM)V]Kã¦D¾IºÏHÄÆ\ÓZ7ãR×Ã%"«½3{e©ùF"yM‘4åkMýÀªo|‰ÿŽ9–BZ_!wþ‡xàóiJQiNŠÓ+ãÝÚšS›¶¨ØoœRª¬FYë^ö¸2ë£ÏfÕëˆD[ljüúRûx'öu+!CŒHºã–/¯;ÔÈk¢ŒMí»õbÙ{>íµmoTK-\UÜc°vÀz?IšÇÐ,8ò¹àaÎ;Û‡Žï‰›ÏÇ4qgû8E-fW,¬Kü©OŠ­…XÎÜf÷înì]ÂÓä’Ý£¥ª{Ÿê\u´ô­2”úD·å»œQ¾±ýa‡ß¤RÙTz.Ø}|í¹æF¤3•g&›±ÍœáÕLü¡lx–*ÆcÏÏ4Ö­äÜéÉg{®ÔÇ5ÕZ©‚:õöxm]7¡˜1öÏò9¶úxA-EÕÔxd@òÈoÚX¦çŠ€»ýõ½_ƒ»> °Ú¾do©K¯pqÒVÑ×’´ofÙ‡c;¼¸sZM)3ñçõJzi¦Cø%ªmâª;NŸ­çª¨¥bãïÛ=Š­¾ï݈©å8aóÀ ÐºT¨iÁ¥$7²ìÖë¢þÑ׿øp¬ ^šºnúݸŒÑ¥@u±A	yˆ 7ÿtý]½(,”®¨Ûþ±Ôþ:•ZŸs˜š!]äÌCôdì`í/ÓHÔÜÜçôßvxšk±àø<&d®€vñ3QϹ‰ÀÝŒ/B9•_'é]…¢=½'·ÃVXqJˆ,=1U¾çùG-Ý.m&׺zK&¡ê%Fdlñ1É_–iM"û}ç8¸œVµä̸ë±³g¿ØhAaßþö#‹WÑoh4uÍ+Ρ\|ÛTŽg;F.‹ÿŒ'¢¹7yñê´3`tT•tþ½«ÿ…ÕãW¼D$A™Õ㘅_¬ôºÁÒéÑCÅŸÆyéŒ!KÄþLAô|Jr†¿¯ä9™£ÛR©:%íÐs«ÅjÊ$3‰9Þ­yùmOc´»ZjÎÈgûÈú}Ë×*+UIÃ'¸Ïêzý>*	I¯;zDª,—Ñÿžý~˜’x§š}Ì;q‡r‘­*p%‰b˜=]kœ‰˜›Lݶß<úC’>´Š÷ušzrí•›7ˆ^3}ë6”Yf¼ïu&GÃ!ŒU*‹%	ÜV­«ô—c%€Ò'¹…x%<³¨(	èRl0æ}®ȇœšahÔn‹cÇ~°]5¯Î«P,ݳ¯ûÁ˜3dSëÉNvtÜ…„~áÖÈ´ý#Ù{äFE͹­Qz²òF¹*˜ýñ&”óe™ž÷âÏ0Pʬ_‰[Ö—pý á)óÌc¶>”"j5,ëjm.ùÁìÊâšB•‹³:p_2Ü/œyqŠÝ6KjÙño¯~]Ú…gD²å¼â~`òèR
+vȓT'
+J4ã4à;³ºÜt|†bžD¨´|¾¥ºˆ|ñ¸h"jj‹îë/ß/ƒv£a¦Jö’¡Áž—	—C+fAÚ,»GmüÒëgô2@£Ž¶ÞéZw-¿»éuÞICßbŸ[‹öç¡ßåËYBÑ–×ã8¯ÎõD
¬#¼ÏkÊ­"`ËÇÞC¯fñÅèÂ>†OØ<*¯Žq§hññR²®$¯æÞ\”Î'±¿ÖÅ'Ç™”;pW¢“âœú’tÐE§›)nó^0îýM¤ñ	¥Ý„gÖ‰ÄVL§Æk¼lÍT3ŸÑ¼à¨HÖð'xWV"^ïUì쯬GsSC˜¨ÎýAÝš»¤ëÛ¡‘ßÚã€;4|Îd–äMøÕ9ð¾pìÃÕ‚Åû=ƒ íTË×]ÚOKGÚûÝ»r8ÊÏȽv¶'*&%™’{¯?‰ô®=¾»5ý±Vèrž¤¤ð­¸íªÂLjQ¹³‡^"U²ÍXÈ„b:~ZJßlÃÄ'Ùâ¯]Dìº*‰Eb­Éƒ³éÕ¯u™|][æ¾±°ú»>2 *»L²áÓ¡NôðyTª·)ÅmôÅ#™u4ÉD;,[Ãd=¨ÐfŽé¦Öenkøâ>s„=]®w‹8«ÐŽ³×Tw𰨵F–Á{™&jY/sôïú.¹™-ÜS^1‹“"’íï·A<9»ü*^ÖW‹éF€Ô^ÎI<ê«X¡k~‘€ÕÅlè!­/ŸXùÝdXH6¢v0
+ŸµÔQ¨‘B®U¯v+ùí²ýF¨+a¬¶h샫ŽêªrꡉÆT·7­	óƬB|u”G†žqž%çÉËŸ:«ãÆôÊnïÕíη‡4÷’%Ä*.ÅoËñsyÊ嘕÷¼eçÚ²Õi@Ü=à¸g†ÑšGæ¹ËÑð•‚Ÿ}–iR£bXOŸ	gŒ]×Å«ØP³:Šî•ëá@ã
+ظ{Óu·Qs}áíù9’õk¬Sq¦D³§ÓC)úÁLæBü‰œžSçVËûè‡.Vþ•–”8™È¶ØŸt…ŸÚÛS¹‹¸mÀxó­¸IŸAAçøV §LÂ
/‘d!Ó¥ƒ_Ö¸½Y^>{™N¹œ—èòæ'w,|.ûIçQÌC°u6Ãâ8s¬œÃ¿)@YQøE=rÆFú#»>Öløû‚}x†®BntNH€x.­vÙf…•m@®yËUКÁöoc¬—niçäñÒ5^ÆX8…ùŒµIàí§¼ú­î*;ž3¸Ç14ÃmóÃOyȼ’˜´ÜÒ­òûisÿpìç°Á’˜تdŠïUwqbïwÍ|>þXÒ–ËpñÝ;ÜýKýJA§žª¸zäéT?ˆòØçáç½ûnžëË÷Êu×
ùt¥Ú9"bé+þÐÖaÍÛúiå=´dÙžÓSÛ
Œ¹´Y:øbZ×½?¢_Wèè‘Öæ.²éÏe¯ƒ­>~V&žÞm>
+µ>ûî—£òÆÿº
9íæ5±} ‡kOͬTä©í£ùæܯ¦n®Ó}VÑâ—#ÅÉF®ªš‚n
+ïPa§«ºK¸Ó[œ6~jè îe²okõŽtž:“É|¾d¾)£m0™Q?
´\5jN^Î}4G“ïlÄ@ñ–âµ0bf÷@Þ§”œ£Õ~©X¾aª	§•!`G8z/¶­Zv,ÂŒ*Ár²nÒÇÄ±u­ø0H1ŒøK&’\Å~äª]ݬ¼éôÞÓWo;''Õ÷¹ž­<œ¶ê~ÿŽB	vµÒ‘q' v¦£­á…Z²…Øãv/];ï:7ñlÞô¦ŠJc"ýÊÞÖ>³ªóa“A´ßœgEÖ"GŸÿ2p£!Š^tV¾ÇÃyÓ›³~7òcšòÓége!Lh|
+ÖS
™B•)b…“/Ñ|TÆÓ½ånÒ¶UÍ0ÉmhN¾Ò,é(qÅÌâ–õtbÙQ«(.ô-¾•½XѸÒæ0Ռج8#]yš¥jVB}F	¬²©Ýìî~ÆVqáÚ'TÉÊ%‘¸®#\í-ÀîÊwˆ{5Hß«p+DçRqÈ¢%¡Ú!ÕÙbÚ‘Sx™
 >×ÂSá)ªy'm„(êÙe–í›]f|½>;¦µˆ±ŽñN8ÅõŒ¡óW£l¯4ç맢Ý"j
+¤?—ÞqØ<­7£º¾ðV(|§ù™ùãá
+ãÊÝvÂQšM×*o¹&Ô+rÁýÇ‹¯nµBŽ.>w×2_YDéž|².e_È”™yI@”âFg†óyE‹(>xHšþô-hÏ„%Ê\U=—uXt<^~à1RÒë¤_ŽIÝ…
`Äß1N¯9ÌÑ«Û0raÕï´lï|Σí
+C<^âyÓ%W©@"H'O½X’X>¯ô
+6ö½Åj‘×¹eO=°ù%%µ—yVàÂ’Ebß“Ó?¢à›é;×*Ñl׸ị̆Xº²¤“þL`n!Ùë­„ê¸R·zó“ˆô<ð`¹lÒdvÿ¸QdUà/e|E£äã‘€sKÆÇ49ŠR	e©’ÞŽ*Ë/—©*äo,ˆè±N_FèeÈëÑKuGTIF/°ŽçÑÑÉNL°ù’Keøñݧ20ó(üðxOÎõQýàøæ\GÑ•_r!çÉdWQbË"2o=\õïª1Ä.8Kí(¼p¹3€ÞPS4¼ïÿ†;{"ħ\Ø3þ‰%]®¢­Óݤڇ–vóZv®¦3EJN«+®ÊG¿Pk½Þ‡…̪¸îÎç´„X‰5ÌŠÄéx3þo‡VŽç8ïl)›SðqbV1˜÷åm:ÑHÔf¤sÀkYOÍc†®#ÕCÝ÷ÌmÔôŠT¡Xvߧp¥`߆H™CWÌ£€ŠXJ’~>ºÞ÷‰+8áa¶^JûÔ³ù5Â5ƒsÿËQÃiyÁýA?å÷¬qÊ_?‰šªÿªý^™£PW7ïºýžlvyì\½wÝ02Cº.1KÊ¥‹©qŒ;¸ˆ•¹‚ûãÈ–>džòÀ³÷½‘ÿA$–B“Y©»¤cøuž†¯yôsGt’,¸ÚüÀuoɹlƒš‘)ZÜ™ÒhÚˆš6hÚñ¬_G+$2‹îs³¿¿'+yy0ç%:çúÔ.ã{~@j(%tÁ˜Æ|.}M4æLÑÆ@Gòª=B¸Uɵ‚É@‘̶Mž¥ö®h6t-…z9sHŠ–ûõÍ}xL¬ÅÓ¿Ð<\xKŒi#žx%3ø®Á'„¬3tyêù»Á¤¢|ƒR*¯
Ž‰ãX¶Ÿ½¸±×JÄÏ´ºy/2ýßH¯UÔ$Ž/TÕÇä$ñ|d”`Sät-lº"àªVù¢Ý“E>â6Dû«ÄÐk³½O0Þ²ÂQvÏÍxL¦ÁU],2 óî-_©\ôêrm_ù®£CO„–-Xöi•}š}S•k°Ó÷	ÞEnºB¡54BjVŠnïn†R€M[Ó†¶§¾mdòºªÎÖÚ7þxžÅêã|Û¾Ñdz’!ïÑím@Nîš‹ÝKÎ…Êl€L;H{³O9Î*ù.xëÍ›_+Îóf¹;òÁ»1ÔG×·jµÝ«žßö¤å>¶(^4¸Ü(.ˆÕ”ªùz…|‚K-¥7~6lû†óJ,ðqßO›âžg|þœœªýGÄàvù\,·mqñnƒËëS5I¿Ä¹.»©¬ÑÄÍÖðs›Ë>f¬_ñÜ/NåxU›oaŧ‰¥·ý8ip¢Ò±„BåõL¼x˜9%ç"SsÆ‚4aãûÑÎÚ£R5•™ì¸ú‹O³7Ã’Xß‹ÿýTÅ»–ÍÁ^	ú_>Dÿàÿ	0j… ­PDÿÙvkendstream
 endobj
-972 0 obj <<
+971 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 36
 /LastChar 121
-/Widths 1326 0 R
-/BaseFont /DUWCMS+NimbusSanL-Bold
-/FontDescriptor 970 0 R
+/Widths 1324 0 R
+/BaseFont /QCUBRP+NimbusSanL-Bold
+/FontDescriptor 969 0 R
 >> endobj
-970 0 obj <<
+969 0 obj <<
 /Ascent 722
 /CapHeight 722
 /Descent -217
-/FontName /DUWCMS+NimbusSanL-Bold
+/FontName /QCUBRP+NimbusSanL-Bold
 /ItalicAngle 0
 /StemV 141
 /XHeight 532
 /FontBBox [-173 -307 1003 949]
 /Flags 4
 /CharSet (/dollar/hyphen/six/C/D/E/G/I/L/N/O/R/U/a/c/d/e/f/g/h/i/l/n/o/p/q/r/s/t/u/v/w/y)
-/FontFile 971 0 R
+/FontFile 970 0 R
 >> endobj
-1326 0 obj
+1324 0 obj
 [556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 556 0 0 0 0 0 0 0 0 0 0 0 0 722 722 667 0 778 0 278 0 0 611 0 722 778 0 0 722 0 0 722 0 0 0 0 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 0 611 611 611 611 389 556 333 611 556 778 0 556 ]
 endobj
 857 0 obj <<
 /Length1 1166
-/Length2 7782
+/Length2 7988
 /Length3 544
-/Length 8600      
+/Length 8804      
 /Filter /FlateDecode
 >>
 stream
-xÚízU\köm‚{p4îÒ¸»…@p'¤Fº¡iš Á@®Á!¸k 8—à,¸ÂåœùŸ™;gæ>Ý·û»Uõ}{íZ{ïõ­z+&:M.Yk¨%H	
-s¹yůÀN–n®:5.m­à1(hÅĤ†;‚þ~äa 8
-Q°€?âºvnu€äã>®yùÿJ„ÂÄš0°Ô 	‚ƒ`Ž`È#¤µrsAà:nÎÎŽ`µ6Èê³¹Šl;ûϪy¨³lk°êi°qppþ+Xzý…@®`[€ùqár„:ÿQé‘BÁ›¶þ#WÓÆBÑÿc\«î,ÆÃãlczŒq»ÚpC@p¶ÇF!ÖòP§?\±þÐLY=åÅówÝ PˆÏ„mÀë?G²vsæу€]Ü@/þ'ù1„õ¯˜-äåãåå€\ O+;ž?Jêz9ƒþ„- Ö~>ÎPg€…£+Èlz|`ù¸Z¸ƒp˜ÈÏçþ}‡¬ÁVp€%ÈöñþÅþÙüc¯n‡=&¼Ü¼¼@ï÷?W¯Ô
-qôúWú+'€GíÅ+%5}Ž¿ÏþÏ,99è#%PXÀÅ'"øè”GFQAþ¿3þS‹¿tø3ªiþŸ>yÿEùbˆþcœGÿÉs}ô&€õO³þÿ¶XÿeS^AÞG×<>€ÿÕRÿ†ÿWcý½†’›£ãŸª°þCÀ£®5ÀŠ8ZÀþ#ÝÂ	ìèõ_^ø{¢èîÿ?ð¼€[8‚­d!¶Žÿ”	ìªöYk‚áVvÿ°Ë_*[ÿù‚4¡®à?¾dPø7L×l幺>žÅŸbý·’Š+¨5bÐ?ºÒfýÏÀ°•ö(ÏŸôøî_{ðcƒ 'È
-k~j%lÿ9¸õºJ–ʃkk”¿GHïòÁV+Úñé7R÷+r‡b*œ‘äÍ!;©
-du䧡qTŠÑ¢rmÜè„D!„H*á”Ü5¯ÄpŽ1XÇOx{(ã£ÈS²vå½úTŽèJ/˜¤äGuB¡$þϯì¸h QÑ”æ•cjìÌ°‰’Þj¨8"´ÄЦÚxíߥ`«vÔOÜ°¨c×\•·¾™žé•ÃôŸ
-UÆ‚>¶¤2*ké໵+i±¹­pÎTåí¼Èù%Y?k÷£.j¾•ÃA€–øåS´6,n‘âýFÃ×
-	bØÛ뎹>lY=mçgÇ›jôµ¶åÓÓš—4=ªîÄü‰«5êz‘Öµ1æ´Ò&[-Ê5]†+½¶SÙøž%íHp]³ßb›„§ç-¸ü‡&Anç1ú´o‚9!`²TC+~F¬©­ä®\¹™á.]±ÙJѳ;4é0Ôíö<ÙV6µØ‘šäWdŽÜâÁÖÅòr/àh	Äø t¦ÂxêåÛJv*—;ƹÚ²–
    Ü߄ƯºŸ¨TΉé'˜z³¦ÖZ:×ÊÄK)߇ƒ}¤Œ.Ú¦sKÆlx™¼J×
-‘ò0¨ ¼Þ:ª™±©Nj¡ö¿J½±©Œ!J°ô—hgwòÒ{µ”™Òú‘Åp)8?ñTscža^éÇ¡)QˆÍs1Ø)zÐ>ûF(Ô¬}õJhìeSúbîÑs‹òÄÜ&¹âpŠo8F›2!ÔM™á_ßÝYÞgú‡]¼2é2˜£4ou§¾Põ±Ìº™P˜b—2ží­Âw*Zû2ÆÌ3"W×·~#˜Ân¤
¥^ñ@¦qMHUy°ó¸²“,Û¾æ#ìŽî×Û'±÷ð¹ &`oÙfJ™
R!Zy7º%_ÛùqmWXn/µqpó®÷›‘ÙÁ”Ò€Üa!Á­_+Áhh†^¢¯Žø\ÁY3ÌÕ> 4 ‹³¾Ï'.t©›¾˜Òrs¼ —^üÕªžM#D·°7­d‘·'Nk qH×gÄ@ÒZe	³Ãÿt¢£ô€½b
—œ½­«eëkÐÎ9WÜ̇¯HѲÊ?ü­»vOÞð¦ú½H×'çJ’ÙÀ‹^ä/Åùntñï]ß\'kIw|šŽ&Ê7«Ž>IÒó@gnÀàVã¿QÈtš¹Î:1ê¼õfµÿŸùó÷xA±Ç[ó"¤ËPíüæÝKL¿ºÒk>dÎœˆ&òÊÇ€¸›‡Ûˆ‰™ TŸ‹#×Y$9 /Ã8W¸+‘;5ò^ìÌc ûCÅÇð/ïÞ›(ô_ï2?o.f)í
-*a¢YSúÝï!*ï­­iV¯¨ÉñAßý:ôøKÜì¯L­Õô/­Ë¼¦óÙKüæ½uá‹	Ÿ)ÛÌUÉYZ­Nž›*Á’=ßEs¦÷.1:ݵÌlÊ(žŠGEZÒdò¹X¢ôwQÓÙ§÷ýÔ1ŽyñU`¾ÐÇP¶L™˜›ž,ÆŒ¦‚HeâÞ?´òu{Ò/c@P‡©»Ë‡ó*öUp[2¸©	#}øú´!cê…‘œ«
-o ¾þðIú÷@1º©ƒ<½ÏÎë(Â91qdôVE›¢¨GWHÞ7O½g]Íh‰hµäh=MgŽó¿:G«^eGÁ$3Q	pìTô«ÊS\¨Í]ž7hâ3ô{w¤u?¼“xó°R7²Ëm“@áa¶UJ茞^TíxÙ¼µºy`p0íár‘.,kMBŽ÷–h—^ŸºÉ\!µ›îho»Žø(o†ÜLçu]-Ž¤HDzÆÀö“6Ù
lý¹X®Ú’Ü_ž#
0î‹{ã ð›Áù>‰š¡R˜tŽ
-‰Ô¦poTÈBÑUNœÃîòî¹A-ÇWE&uÌÌl›•¨a )0U7Ghûeuⲧh´H©3”R¯ƒ'þ©9ôPÚ‡@’^ü457lóÓ諟׭«b1‚Ò—4±u E{‡o—¨æL¥»¡bãT¾jŽ:ÍMå´Ž
ôhn¾p7õšÀæLÕ¬ÄhW|xR[ôãCÛ^ÏÈ™Ô×@*:{AXÛÅG¡ñ>k5©=—gø!cØ°f»Oà
i†'”\ª…M6^w%ß_úãÀÙþŒÕÖá3Ò¤:
-Á–öâõä~éÏo‡ê4[î—¤,rÞ¶þ6Woº’Y´ŸÈ»O©ï_IW¶T>FºS¬˜«ýàOüµPöœÙnY¹>œ‘Ú§ä\#ÈÇ¿!×ìîÅ3Õ>®¡à3¾_OYwš­÷ë*œ¼.5Ãõ®ÆÂ,™7÷Þ9ïXy¨–:]µæh„]µGHœ±,(
z°s9¹"¥z)†•©ôî×>}²µßÙ``jÞi&)ɶ­P,°CUðFeâIkwjØu»7NcÕÆ[píi¬ÇE»y‹ï²…q*í_´E cÌA×-L÷”½»;6\=²¶V3_Ì,ÿŽ§âFZú`þþ”’Ã)ÁÞ"î{ÊúVQCM•a÷ÈÆ‘îÂ;âù2WÙiÇ÷»Qd=þÁ¤Lž>×Ùà„êÍrL"+£‰ðëþÖso™vdK¿†Ù¡õ¶wZ¨ï«Ó—ïžõF7 Pî=ê<‰®õ÷#8¸:O(%¥kO	o“áo½ÄR”¹÷¬Úe¬¦–üš¡—…krº0%ÓéË¥5†Ç·'ó²J9ô³ï“Ñf?WšòI÷öŠŸhþTHf]fÖY»Ä-/å{W€L½ãeó|õª%j$æЭW¯™¼¬Yòǧ[Ń¹ô~ªo-oQ”6y2˼6™AûŸ9NW@uT×ßÎÝ-Þº0Uüèݲ.ýŠ'-¬¾xÄFór˜ªYÑÌ3sÃkDëŠýØ·ŠéEY]–âO‘;j­^¯/¨šÀQRf•Ê±£Ãlþô
|@•²9£á•
¨ÖèÁ³ñ:Wp<)Ql:CjåÌëw"%¾sèmÆë¾Kt´O$o'?$æÇÇüI–6?Mc°"8KVwbt—âÓ µ±›´÷<ëXÛš3Üškù¡(WãT}jê\{À+üŠš£‰~‹ª†ƒT>¦Ç–¦sg˜kïÁÄk¼ïɹCm
-\×2ÅšK û¹ßZõĬI/ó5ªá­;‘¯+SÖ},ÞÆ@¸]áPJ9q=t‚ÈŸœÿ»÷DM“ôÒªÍÜ⠔טnÄVBŽoèÒBzëødší‘Dê³õ½	r0ë…¥}Ölš‘¡¸4 æáY…²|óî_’v¬‹ŠÅÝ/WöR•*®ä[Žxé-–BœH5˨¤sþÀV% 9žì
Æ	õ«»Øä rÉ"–+“?|	*FÉÇšŒkú‰JÞ6ï3ü¼¿¥ö¹é
-SºûŒz#²µlóÍ—ç7å¨ùŸ)Bçô²L5û}|kàOs’÷…-¼6È Ïúó|ßL¹Þƒ-±Š*%p÷¨&„ô^î–.þξ]§y¬o–tùíçÝhJáË›œçü¿Ô;$ûÝä»$+|Q"è"ey>íA¹£b+Ëü¿÷ñ(èÓV‘!GæóÆÚw#?íë k´\E(?Ù7OÐÚñáso€<ÄjYÖØÙ¢ó)é\˜)ç)—h¨9´;xË’Hâ©  b6íw©0|yîº+ÖdÔ‘	aœÞ}ZMtîÊôyòÊÀèÒ~`Sóó¬(—Í*²­Ìã#á݇-姱u—‚$fvGšó4j‰…‹-Öˆ±§xAçÜhr¾ßXØ%¦ÖÄÊÚ÷H#OHRT¸ïŸñëHùVUÍ}휷ß<ÿêèá~p†xKnHð¦tH­ ïÇ>ÂVHN'§åŒ¶S¸q|÷ÍÑU™øS-iãPÉ
Ï1~ùÄÚÿ:;u¬e°yê<=ý£qõüëöó⯘a¾¸†GÛI%=œ~â#9µÚZû’f.ªõ1Íag‘ƒXHãFµÜE-
-,Õ(Üß
·­/6&«1Y¥—­¶_M$Ѳ˜–Y53AìÜPÎvp%FÊðW]¹+a[TÉ5Ÿõ6>zÈ~?ç½»³ÔÎPDk®»QTê%Ï.âkÇÆ•Ô>U7AzÊ\Y‡oo<ý‡yñ»`žv“ضøôSÍÇw'iðä–†íu³1”ŒqE&ÛÊQÿwš‹ïE$ФY0Qbð87³´ºŠE¦êÜ‹Lµ„a}ö
-"Gѳxò)ñè[×î‰Å”˜eH†£ä£g›¯×ð¨N]iáÒz¥ä¢PuqÆípÔT­ržRm™°C+@b˜–ô\É]Âï†+oêˆR©øîvMzbi%J&é´ŒkÏ\rñ§³çšMˆCªr!§ä–xuaq-´œ,JgO9LTœ!¥”[çähåe¨ÒžoùPXUj¤ƒ‡3æQ›ÓÕƒ K°kÄZ›Îa÷'’âž dš™.@¢Êç·9˜lÈϹ1/Eåä5JÐúØ.]UЛ[·Z1,fÝ	Óbà‡Éšý7õdØ7@.Âôܲ¿ƒ<öÙit”zyˆAI´´)x˜±âR ͘Œ"’ù²Y+Æf‡™$ûX‡5Á=ÇE…
-Û]ÒíÿÕ|ƒIÓ(Kz üè´_WÓ<§g'º^¼ lxþ!™^¬]Xuqó­6¶#‘

6üáWVÁ«âÉ{–•#”1Gê"óß¾îšb•Fr$ÑÅÑœÄÂLPí_÷ìÖÆ˱cÞz×ʆ…g>i‘Âgø`×ÛŠLƒµ|³ª’ÞÏJÖMž…Ä@Pj‰	^8ž§gû ÒC¥WQi&:Âd|~½Tß+5¡¯‰ÓâX¿ÂÍ>¶ë§Qäøæ·EÙ˜¯h‹¼¬`GóæNd2Ù¸2ú¼ýå/Säù–Dí§ÃP-I¦ b—¿‰í߯LV­ iN]\R
-˜?;Ó»è5Ë˃«³R{iT#G$ª5—u¹ô…(GŠ\„o8f§Hù66^P=ßOŽ
-YÈì	Ë2À)-+tÄ\ó¤áR¡rlÀü0Ÿ<ò)'µûˆô,Ãj2k>¼¾õ²ÍÈæœÐùi-«8°šüãQ4ó½À¡%^R¯¨a:šñ—#~Þ_/Ȳژ;͆äuðèd·?ÞŒ•rÙ0/è,Gq&©µµ_ØéÙ”Û,"^&	zèÂzÁÕ“]Ë^G·÷ì•pK†pçWSa-žØ­¸úÚ4¤žl»š4Ü‚UŸfžrôw2(¼Eݤ;I'fõ;¦ãÖj>F£“©½†%/œ#ä—´øÁ…šŒ\]ÌŠHcóWX9õ¸dˆÐ‚$4Fr="ÃMîR~ˆpB²|©õ·J{äÚ*ÖÏDú
Æû;i‹Ê¹NÞ¯¨š#&^vë°­º}G9ù1L`SÛSÙ¾±OóÞûž=»Ñ³FDeËçÜòW´Þž^ºTéÍ8ö¹0!áá¯äl]gÔfp«ò%ò×͉â¶A‚ÑbkâMD½âˆ„¼Ž=G´‚>U«W“Û¾”šÏy',§³£˜Ãã0¥¸HcRcÖßD—"©ØPeCƒñ¤Å§(Ùœ:\)¤ý˜Ÿ~raX[-…ßiÞ:¬í⮦:̉Ú/AŠ™"ÎÞ马­ï5=OÜH¥g<[â{^ÄéÅÜ÷‚¦èû"±½
§/d#Å=e˜2¼xÝþ¸po$«#aôÝQè†~÷ÜæV,Æs+WLÏèY¶RÝ­¸É;2¦ƒuO‹—߾ы«P¨
-ÔF¢¯.zŒŸw°rõÉÕ	½õÏÎoÑÞ:œìù~Ëi©KÂøa˜"Âm÷ÙÉSºÙ6ÜäR™.¾‡þ€Û×65–›åÄ—ÝazØøÔㆅ
«ê#‘9mK@1÷÷D?*F…ï]’Ë0wX.Œ”Õ¬ùìÒî0_Ä8@…]g˜gµäŒ×Ûλ úZG1„+ÛFm8ˆ‚)Á|…š›©£ü”i”D³ýAiBé‰,"œú%$Y©+$Ë7-HxN“C^n·÷ƒüÛ¢OåZ¢¤›y>ª!Ž¤TR_›K¡¬ö¸Üz`4È
ždÅÀ<~ú¡+¬ùSD†»¯™è™§ÊØ’Dï³ß23êDZ3û¥K¢a/M¦/¾jÙu×IáÿMpùù~àú)‰ÍÉ9#•O¿ßv
-¸1j©l+ËßéPÉÌq)N”^ã§`äœÐA)NÅ+ÓÈVÑ ³ëï¨ûZ–›&Îu–lØIË°Lîÿ\x?œL¬A/|ª¯U§ž
-äïOÅ þBñÍeßO€1Æd]ÎDkЖ~±M¼l—ƒTh¯BfÛ4sÑ®oîâ`Wn¢BèkJ‰ôû>—
õPfoJÎYuŸi¤…²}óL–¿p2fhó·7“±’!ùÁ	Á˜Å™ÊÍêëÜ—"þW-Af¬4û§ÍÒ†Ùµö8ïãX¶Ç7’ž1‡ñD•øÿm]w(”Ë*i/xÐTÛ+œ#OrÍð‰J!ŽASìø.ž0—÷¬:ø™øþÒG*-£?—$/ûœK:ÞG»À[û&þwã~ŸK{Â8ÖYECÐçœÞ-ŠõU¶’ìƒvñnG‹Ézj³„Îl5SzàÞ¦cä6#ƒÑë¬Ôø“¾ü	…On:MÓMˆ‘SûiµÂ§°ÚÛVq¿ÎûÚ£…r
$¹ñ•w¤&¢œñ7Ù/30\“„NEN^òÑ’¾_O´Î5Mö¼Ïª“œq¼=bÕršú¨Yûc.©uÚKÀèôñƼ­]{CÇÞ,}ç.ÞÖHbSðÆSʬõKEȸ
¬h_D;Ëz	ºôŸÃ‡S´ÈøY¬D˜I¦Î•ù7¨KßÉ+TË~û.ÔVº,ʉýœ3ÐŒ¶„Ž|emG7AJûòü=aSA$abNPË—TžÉ.éjÁõ«€Þ‹¹Ï­£¸×®¿ø‰5(Ùô×Ãö»K1ˆF‡èÆK<ð¼”àu¶U{˜dÎA«îr®†¸ÚÊÕiÞbñýÈ–èæÅ—¦Ú ËÛ`é:ù^ÀzÁ˜ôJŸ™~ÔT'1Ï‹Ògßê{³rç)j”_!%ÿPn$£Ê c4UvIä²&±hUÄÈžŸ…ãÓöâH&yÏ\x¸©à)X¥} f£F[!
ÖÞËÓr¶f¬Œ-Ó•Æúñ¢°Ž•þaÆ2Z-›£FŒ´ûèõp æÖ—‚¼
-ËP{™~m6–eº21mÖ^±O*‡_[ÂíªƒØV»þÇp³â§«¾9ôIÜ»GWÀ#׃ô²­ådÓ{è/“PSK=º~ÙÜ=î:ÖÞ$¢ùWíHôÔ›“B¢S½­>ða'É)ü ¦¥zçB[5úóV•ÇèGñø§œÚzB*'b„LPR.†Â^ïhÅM[ÀÖëšž£-/¹AÜ¡¼^âÀ$µÃÑ þý‚þk™Œ=Ö|uæ:­‡\6ε—Ùº„ÕZ “
&*“xWÆ]·OXbÖy»¯ã¨÷nxu­ù4
-Ê[ËËJÊô’C†…$T¿ïè8°ÞH
-Q´aN¬ÒàÞ¬ÓØ^w&«ŒŒg÷ RHtÿ
-ÂTrAÝ<šæÑ}|p#°H6%Q¿h7^…_¬e£ìáD7—t^QˆŸ‹!‚A‘U{=CVülÛ…7;ˆRÏJ'ÅBíJÜï–ýÐ̈r·r¼ÿ—Öÿ'ø‚ÀÊdƒC,`X>0+
-û㿬ÿ¥Øÿendstream
+xÚízeT\[Ö-à<8…´€àîNpNP8EáÜ=@Ð ÁÝÝ‚;@€ Á-èãÞþn÷ëÛý~½o¼ªgï9×™k­¹×9cÔEG¥ªÁ*r0Ë8ØÃX9Ø€ˆ™‹³†©½«:ØÒðr›¢ÑÑiB`¶àÿ Ÿ	I(Øq°—2…=óšV.eS(€à
+ù¸9ž×@®¿ U(ÄÎÁ 
+†¡¶ûgJÊÁÜÅlÓpqt´…€Aê`g¨9ØY`ñ\ÙfH:8z@!–V0£–ºÎff–!üüü3¿€Øbi ^¸‚mÿÈô,!¶CŸ‹ý«ja*
‚ÀþhÀhƒ9
+°³;Z˜‚Ÿ16g6{0ŒýÍs¡Òö I»?œÑþðL
+›?7åÁþwßlìÜì½þ¶€Øƒþl	äâÈ®eqrËKýOð3„ö/Ìp9ü@NØ	v7·bÿ#¥¦‡#øO’ãØÔäãåèà°0µuû@,ÀÏ4/gSW0uûxýïÄ¿ïÐ88 ˆ9`¶|>†©?Ã`‹ì•MaPˆ;à=
äÿøþseø|  {[…«˜Úì’j²šòZÌïýŸQÏ’¬¼o¬œ|ÜÏ“ò¬ÈÏÍõwÅzñ—¢ª¦ÿ©ø/Iy{ÿ?Úyöñ¯–\ÁPççÙ0þ9Æoÿ®¯âƒ˜ƒŒÿ 7ðyjž/ÿu¤þÿ¯ƒõ÷2.¶¶ºÂø;Ï~8”8bk
+ýpS;ˆ­Ç¹áï:àLÿÿAGfj1··´ý§Mgˆ;¤
+™[ýc\þrôçsVup†üñ$X9¸9þÆiZAÌmìÁÎÎÏgñ'¶ý-¥´½¹bo	Ѐ=O¥)ôOàÚÜ
+}¶çÏz¾÷¯½ä¹@0ØlŽ¶4ï`.d]ÔvS%Nêƺ=ÎÕË£uõäBù-ÚöÅ&|
+‘M1éÛœK¾™Rª£V"ï”^„Ä‘JGóºÙðK´³!ãâãÂË…“²Õ
+©`œ 0Nž{I⣈R²÷$=䎩J¯ôèD$¿âj„8ø‘ßèïì:½C"¥(Í+G}·;ÿ†Ÿð6à蜭¯šÒìp‡Ð: 4]¡³aê7ƒ‚>zÃá5^y;®ÉÜ|Ÿ&·ßlˆ,¬æÄŒT¯˜W ãk'ç­UI«ÅmÕ°c·—¡ã
+K ²aÁj§>j©ÙÆ)±¿(Ú
+·‚Kœ¼Ù8T!Dƒõ¿é\@×Rw|u²¥D­SgY>7§zEÑ«àŠÏ•¸^«¬Õ	ª‹1¦œ²'l¶T#ÙÐ|Ûx­Õ~¦#¿ÙûM=Rßâ³Ò.äî~)ßQÅÉí:a×AÞu(àœ¢Oø0Ó®¥<ÇWU—q•­ÜˆÌt­ØjŽfðiY½ïÔÕìq?Ý“50{»+2Ã%M¹ÍŽÊQd[ÆÔQ{ãå«1ÆÞ(Ù^²ë+wµ ]<¤,kÍ ²|uÕ|)ÿ¶•ÀÒhzÅ–à•ú™§aê–";ˆÿ®$OøUWêUÜ^MlÓ<“×=pr•‹Ú	žŒ©ufŽubñ"²øá/½Ëö¹Ü’	 ‡NéF7|
+©=ÐSC!‹&6ÕN)Äú®ÔTßþS	šö7ʅݼŒ>5Yº´A]b–"öj6ÔsÔkí¸—<2ÄK¬4VçÒn”/&¦qyZÔ¯Ux&“è2VrÉMËs›%ŠÃmPˆ§1ô¶Ä‚Éš³Â‡BïͲüÂ.UÞwë,’·9BRý¤.ï‰
ÐËè
+Î÷׿Àv+mpÚ2'Œ›2#×l?úÒ…ýÕQa·Ÿ“ök†¯bW›SÌFÿ"ÿ3ô¢0eÄx#[ð£„,Û²«ðׇQí§uAžÍL	„Ÿ"7&vg&‚5KCNÜžèA­ÍIk7¯K|¦Ö-^¦Ñ”…@9¼àWqãÛ’u]é{¼û©M#c¨÷}ÓzF‡³2ÃGð8·>m8ã!™Z¾%0ßš
+–Ú1ÖŽažaMŒëñœ‚à‚ù»ª÷æm)?ðu9V,\ö!ôç»Pù
+î$;›Ü|TíLœ‹ÂË7ªŽ>MÒrC¦oDaSâú-•e7“}¦Õð÷d´~ŒÎOüõ8Ù«Sìæo\¢žß²w…úÒ§¾ô†%ç·½*Â÷ôq¿Ÿn#¦æƒ½.õØà%8ˆ4“¬áÎx®8Jdp@ô¬S}¦§Šôðþd½d©Á›=z¸É–b†ÒîÀ/|t?&dÝø%=ÕU¤U™?iúÆ÷†œôÇ-Üe©­g÷·­§–>ã2î«_I¨!i7V b¤±i3?%7—
„~tfÉè[› µ»oß“>8‹Š4£Èât2Cæì&£²Ëø¥¡#?ôv©ÀKW™²LŸúuŒîkŠ
+<¹©¿JÃŽ¤;}@`§«“‰ÍEÓ:¤½
+ÒÜŒ’1vóÊ¡1eV^OÂYê%0@[ƒB{ì4c5@€jö0ÏF«ÆñÇKÞœ˜¸×Ôæ…[üˆÇ×ðž¿_x.8QâQªIPҺ̟ä÷s;F+\Ž‚
+ÑfÑ"â`XÉiW•§8‘;‘7ªbÓzv¦õ<…
+™<}¯ÿºËf‘ð‚ù”?ÚR&¡+znE¡S±e{}ëPçøÃœ›Ó)mD¯p,ˆ€ËoZ›¬ÙX*µ‡êxÿg=þqÖ<‘‘†a}†0_-óÚ»áŸpíâ›èÚ‹±¬u%¹wîM_¡l—úá¿G–„jGK¡¢9r"_}¡ô
+ˆ»Ëñs˜œBÉuꘇ¤é”Q³>[|ã äHÕÌáù©CGV+½æÎÍWêè@¢ÕÉÿÂØáHÔG˜Zð,5˜ðz«h\å×MÛº@·èEl=xÅÚfwú
+ј®t/D`’ÔÛFÉV£¢¥¹œÒ¶‘ú’‹·/¤‡lãíÖ|Õ‚Ðxw|xRë›è{Ú§öýÞ¯ç"C¤õÖÜÐöË~[žÉ’ȾÓ+ìˆà	th‹UdóÝ
	«BA³…Ç}ɪ¢Ï	ÄòÙ¶>¿)J¨!udf-Ø@ä“ñ
+áèvô°^u¤õ!ñ›ˆiŽÛ£±róµØŠõTÞCJÃà÷ŒIY3Ùø{銩‰ºO~øCâôVk²
á´dVïð¼ü0îå_)°ŽsÞ½`ÜmÙÔWØy\©†k]O„™Ñ;ní‡:îƒÙI¿u9«-Rð:«%pD3{"ÑéEÏeaÐé#“%Õzø1\Ã]Xdi½{@AU½WM’ÁoßøBúõ›ÎHˆÖ¸øÑr94Ÿ>‡4Þ„ª!&Wg¬Ý¿(ì‹n|I²OØu]ççƒsx}‘PJH)БÞ.ÆÕv…&-öà^µG[M&<”¡•ùþlyVª1K©‹Óïød±d:x}8Aù™\fÖ+ÃÓ#~ª¥¨à5¨Ì¨«îÛÛ|ïû/d›1äë×­Q_Óp)Žl‘š0µZˆÊZ„wŠn¥3I§[mü_Êlù扭-²›˜k˜Ï¾ƒëIo¦/\Mýè*vúvy¬ÆJ‡°Dùƒ”WŽßP(Ž‘¶H¹g ‹…Põo—Äù”:5PÎWÝ­²s‹O19ðkyœQOÜAü|%3ËÆ
ØQ	Û;òÖÙ÷,½Ù·N]¢¼ã/÷uXžVí±‹Ø[«)¿8o쀯hÙr¯–¿>þö£¡NËIÕ$ü†ÕüJþB,{†­2V¶³gûâP’±3Ý“ì[ûܺ‚ ù¶Õz‹¸‡òS·“v6i:¦‚‚@N©T!%)xwêÀ¿dõ´êUæ.Ó]ƒ(/|ëžÇÖ.QϦ²xÐy#!ç
ÇÈ>U4/ìŠÝ;€¶Ü+•­ÄÞ‹hp ¿“™p푨¿.†Oˆ_©Sú]nd
+êùŒøº	‚\ĉY©
+5Išã×–MC±A¼«
K>Î@”®/ä|á”»Ý
+Ór)l‰A”h¬¨½ksØ]$¦·Tyž„hàQzŒô»¦öŒ«KÜcÎÕ#õª>ÿCîŽxÛQ÷ÄBæ»óWš{éð”:ZLû”jÔ¶Áýžè_ÆÅŠ-ä\™‘•iR!iòß6F¦-»^~tWZk=ôÁ÷lt¶	:[LÙÞÝOÖÈ#Z‘øZsÆ»’ŠÿùŒõÉgø+ï„·”£J$ÿéçqïó9@·ãÝT°b€9¼
v£è…;cbn¢ygufŠè¬›­×ÜÅêb@ÿ»Aò¤°†opÞ}ÞÓ	ÜK‰Pf¬ókÃÄ_ǹ…X0ßoŒŸ‘³ºŠcÍ)<ü$Z­Ø'(ûÕpÇÉož”?;ÝΉD·Èi÷ì*Çi
4n	s;ç´ˆÖsÉ"ù\¶¾i^¬š›Óy‘ñš™ƒ›ZÐŒG”dÆšre€®9OŒ©á3§'DŒ09É°&ÔMrj>#f×+Åe[‚TaáýF÷ß•ô‹a¿q„A·ùXŠóƒn#<÷¡ÖT&ZLUTšt¡Q·Ì Z%tLTÜö9ˆ•Šqü]q_ŒÀ®LÂÝ{„ˆTE]æIÄ)æê„0»ä,[1J¥*®‰~šX¼¹Î¹Á/…Õj6Oû:îµyHa¤#W
KoÌÈUÑÁ”d¹ËÁ…x8¶	\šÈÆXØç¯ßäØÔ4UöÔ1×UaÈàŒqÀ›L¤Ñ¹p'>„¶ÈÖø¬‘Q²þÈÜ“71<(ØÕ½UýµTPýæ”J˜PŠXUùMi‡hÈ;ýáÃ#†?
+
+õüçÛ×4y‚βQðôĤÃy}EÉcµ¾>óåØô±k/#-ƒ§û¬ˆ;¯ÈUï'lBêy­èËH”f¶8«øä^‰ˆ›W_»íõ݈U‰Ã%ž¤jø
ã^)Ü"fïd&A÷{Øç'Ë@ËWï	yó[Êo;pq/eR̲W=ë>ôêGôF«é ZéÉNÕ(H7EVy÷duñKÄò¼¦%),À1!R)-Çô|Èþ}êmb\%‚ó[—-ºŒqùþ·üQ¥¸Håñn†ŽPµH)6‡ÆÛIº™P¨XüúÔ{õ˜Tjd.Z¦ú,LCëèö‹1qJ™Ú{T\!l¤ÝµÔŒÛÏeWÐJ_&ðYµcòhrüÙ6ÂÞO¹É†Ó%³eVÇbÚò»“·ÚÃñi¿/0×Ë;›FÇ\&ñ”‹Æ«×øî'º<áuûbm-à””éÒ¹_ÐZ•!½ó?ÞŠÞ{Ÿâôæ(µ…b¨(”;e­i½P@·«†ÊjIÊöîqS<î%TXpèrÞa6ôÊ2&[†;<>Bä‚53èv>Ð*GûxVWIÿ½¨d<ÄhýE±$AÞñ_ľmüxÙs³>i;ø((ƒn ‚TIÞ1§ eº·ã½.¸3Òçû½å}Êh87ˆúzÈ>§‰7o›[‹äÚôª E’Óö±Í"¦œ™*º–f‰O—¦Lütw¼]\²éýš Píºº¹ w5ägMÝ°ËQ©/ÏIt·DO0:ƒ™üžyÙôØ?QR¡ßmÒNhvÉôÙÇêŽ~	ø+Ú‰[à™Ý³oH²D·„ÖÀÐct†•~¡â©Owá|ÑÒvFY9å« ®—–wü,áTÇ)ú«Š¾2>Aôqo³”d!yÎäøû.5A'/Õwµ]Œ.ûzãLs?;§
;E×’mëxXü„¥^Šþh
+²·êcŒ-ÂE§ááév¥[QÓ¯$YãÚó³âðîI˜.Jтܸ|Ô÷Ó¼ù_4ææ˜+°%^
Žr˜Ã!M·SŒhÙaœ‰Ps©J·u*ë©a0mzõE.÷y7ä]–>Š±u.›Ü×L,IDˆ^¹ÈôŠ7…Œæ|·¥-»Ûµë4`i
(«q½üÍ×>$¡4Œðb¿V‡€xØ»$ÓU¿™k[æ>¸†¢¥èØ>x“¥—vEcG‰¥3§§­+âë|¼Á}kL`ƒ)ÇÒè1Zqò)P‚:æÓ×R¤ÛÝk›¥]ÊLx&+3õ	ö!ÿ¦=#yIâÙª–@ÊŲ„Ðð³$‰ü¦–}¿I¿ëÕM¥F^qöä}ù¬›¯%—¼ðYí	~æàW
+Á¬ä¹]õa]“D÷v*£5µÓE"ÑÖSû8±§?kô=óQÇ`co¡YM2i
åŽMÎE€uv~6÷iždƒ¯9FE[xAnYÔ‹ÞFZMÃÔCø§ïƒUqÅÂ4Ïo¢­ßQu¡ØïQ|G·M>lë2à¤iSz±²Æ0B5¡+ßÈ€ƒa@™§­aýaŽRœa#8¡Y…À)¿ƒ¡†µ”„Ûë„ sêÉp«EM}:YVMxϸCÛ×/â©Þ©u=¢-äE&•HO¡Ë?ävöq¸È«™’×´“bïωËôF~¯¡UFó&0ul'_fmdKK
+³\8žÔ×wR454?!rË­µ^âÌäªl¾¶hÔ>]¿U)øh;öv&­½˜¼}¾?ùÀÊøµ|¨\­+Mq+zÍ—uR<¦lãÀ&ocšF–A9»vx¬3HÖ=é¸[Ÿ=ç)¤ÝòSß7ïóùUÊråÙIôýÇìõîŸÆG£]œÄÄ-á#Ë{;|ýÚ˜ç
+N16ȉÓQ†ÊÙY	kÆ$Ìl9Ò.bŒÂβMÁŸï^ÃÙí0Þ}à^Ctnkۯȱ±…øGD2ƒ‡îö‡1:(YIð—íåo¾…Ú&á¨ÞŠÝ,{œÇƃ`—3L‡7)IA‘W)öþLS¹
+Øk^uj’FSrÊí=Im›c™äÛ]UhFˆx)ž–‡f“S—RF¢[©CÖÝEUDùDj¿'Ù#7†ï#"ñClàÐsg…Þ?¥› óñÁP0µîÑTwL9…³û-ÁòFÕÇÅ÷Ôç!ê=é>/­z1°Xggý@
Ôðɯ¼é	USoK²ÉTõ.¤É/NÎ5g‰O6Êú椟´ˆê 3(ù$íZIBè]3×Â??FJQHS&u5*ÁûžÉI´ímê†M˜,‡9Y$ì<ùü@Wéìá"PFð¦Š)ˆýÌ9z•Þevù¡|nªÝ<®çOÑùÕA=aåÈFγv`%¬Ó9A]}*(>Ñ`$;}v†("q/ÏwKÉ_†{éùøêáóC{wë§Ê˜ùw6×Xk³³ôªY ™
ŠÎtJb¦˜Î§Á¤ìrJŠ;f{
à‘ÞŒ&UÜ¥yLÕú0fñ©7•ʵZ-rhíÁ§_¦¾»
QÐfb¨‹‘GiLsÐíö}Ž	¼Õ#`‚.G1øi'§º1¬«„%S¨‚—
+õˆeò´ª
+Áí!Ù‚mvžÊÜ1|úNÄîîÙüé ÉÔÝ¢Å,(7Çy$‰ÝS]æYÁÒ?À’/8#ÙÏÌñ¹Š6žvvdR6&Ûÿµít¤»Ò%šï=dË]¾¥-,¾µ‹XmI·§—ð`dãI¦&@ÎÕ cÿ.i¥gYñ‚OËà û%UîË´7’¤¯ý'ÉkÕåue¬£r‚÷Ç)ÚJ~\ë³³sqŒLÏ{KKQøvOÈÄï.BRœ,£­6ëM‹ñŒ¦ÒOÔéìœjªjL/I¯üi¯IRÒÜÛÉ4Þx¸’ô»¨t.ô›7É w^ÑØ=ˆˆêÞ®'ÔMò(¾ËqçAÏnû˜Õ<&hŠ\©Å{¡gz:-Õ«	‰+ï—Û¿hů–Ë’¹u¡ ½[ð®Ù©m8:y‹pU72_ò-|g$e™.¤Fo Â¯êŠ~8¼´ˆgjtÆ:ºHNÆÉ䓸j2›¬¡gŒ·WEhíŒh×zSL7qòÃËÍ”¾GEYA|µ,ƒØ'Ù×È*f²¦=ÇЋu¹¡Bn½x)þ“sìbµ¥¥¤Ü/©¹QsÏ?½u7ÓdšbÛk9cµª§·­oXaY²mÞí4G¯eŸ-M³MGé®d0ûÐ`8WÔ=Ý+w}`ï.®áãb“)éaõ ¼y±ö¦äYÇò”·b}5gwø4í®ÔVÀŒ×
+|X‘Å눈qñã³L¤®&<…+÷+Sùb	µÇ[ñnX‘¥BFú³×ßhKmÊ»‹Q½WíÉ/>i§¿RPßUܤè3¬oÄFÊúÑv~=M‰h^"vÝ_ÝÍ^ÕçÞU°nëRarïŒAV0Ç`ɨ'lµÍv»\Åÿ‚„GÑ^ÔŒKVP×çl"ûXykÛ¸ͳÞíCÂÛßyæ æªùE»xj'ï ™îò¬‘2šèY…,±Æ;®‡
Û`’oEdÑë9jÏ4‘¿¬"žr°™µ¶Öò£=XT÷^Š>åNbd®ê€ïA5º`,q=ßþÕaU£ïú:×-õôŽå½(InO-ÑŒÑZfƒùˆÐf›Ìà¤O‡¡æK›ºtƒÕÞa{,|Aҥו-F­g©ji¼Ô9/ƒT´ž›·%Z‰Ëçø"QÁUÛŽ¹§ýbntû¼Ž)¦7µ£iir(Ð}È
zïB<¡¨Ò¢´Bún:ªPßÅ£ùÎ;¶ÌˆóÅ7cŸ¬éFb‰Läª_ÝÄÜzô¡¹FzŠâJ‚
 J¦Sñ‘A9VBvÜÈs-8×SÓ½j!vÇþ}¶u*Ä„eË<›to¢V÷Oß|Ûz6‚ÊQTe
+ÙèâäáòtÞê!H3j.þj5°ˆìÎV†É8Ý}sa½††^+Ô8Ñ
(lAÏ\øŠ6T‘]vF¼Úºè×ô˜q.‡”ý²n¶Úƒ^kT~§jßë•›¦9ÓÆƱ÷³’£mÌcØ$iq\¥@”±>OÝ:^ß!î&ʇfx?J…Eôá­~šµûΦPsA ’${òˆ”JÿÍöC™X¡`ALç+_ŒÆîüô„¶nè;|ÃÉÝ}Eö>Y©™«wlsŒŽ‘PXüXÚMãX@>à-ÎnâZq¡8å2§™qÕ„ÈBËx®´×ܼҢÄ*pÙúV©ùà¾ã½‹²Œ‡òFN”´V %;â	â›>Ÿ“ÂbÇöò»B—¾lò«=z7ÎÔ]$ÕÍÛoûÏ<™-22UJö³ªCeEÇ6ÀDWìrtÙ3/Ëö²ÐdÉý°i)U´.í‡õl†™g°U’âÒj­öâ¥Ét#—
a#ØÛý‚e>ú¾VˆòçOV$ñ‹)ce¶B…žqí¶3(xùpLÝAõ¯©ÓKÇÿ—´ÿ/ðÿ„€¹-Ø
+s°3…Ú yAÁÎ0èÿòAû_@ï}endstream
 endobj
 858 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 2
 /LastChar 148
-/Widths 1327 0 R
-/BaseFont /LINFLV+NimbusSanL-Regu
+/Widths 1325 0 R
+/BaseFont /CQGTIU+NimbusSanL-Regu
 /FontDescriptor 856 0 R
 >> endobj
 856 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /LINFLV+NimbusSanL-Regu
+/FontName /CQGTIU+NimbusSanL-Regu
 /ItalicAngle 0
 /StemV 85
 /XHeight 523
 /FontBBox [-174 -285 1001 953]
 /Flags 4
-/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/three/five/nine/colon/semicolon/A/B/C/D/F/G/I/N/P/R/S/T/U/W/quoteleft/a/b/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright)
+/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/nine/colon/semicolon/A/B/C/D/F/G/I/N/P/R/S/T/U/W/quoteleft/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright)
 /FontFile 857 0 R
 >> endobj
-1327 0 obj
-[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 0 556 0 556 0 0 0 556 278 278 0 0 0 0 0 667 667 722 722 0 611 778 0 278 0 0 0 0 722 0 667 0 722 667 611 722 0 944 0 0 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 0 0 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 ]
+1325 0 obj
+[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 0 556 278 278 0 0 0 0 0 667 667 722 722 0 611 778 0 278 0 0 0 0 722 0 667 0 722 667 611 722 0 944 0 0 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 0 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 ]
 endobj
 723 0 obj <<
 /Length1 1624
@@ -5321,7 +5344,7 @@ x
 †ÀÑn€-€ýu€pèïÔÐ7\
 h€FBÀÐ3ˆ;‚ü
ñ”¾ù@Ñ;Ž¹©€ÂÁ0›ßÜÈmB¢7N7Ø
™.AƒQP$pãUWYõ¯81ö Ìoßhè
@ØÞhÚ À.¿SúƒÝÐÜ Ž` î˜ß¾¬!(	yÜø¾!C¢ ÂpACávÿŠ€€‚ØP60}CsÃý»:ÿÊðß²!‘0?Öˆ?ZÿŒŠAC`¶BÂ7>Á˜ßvP8àïaÑ€Û"BÀ¿ä6.È`®ÔŸqýžî› @68Ì`±%ÔF`n\¸þg]øÏ5ù?ÐâÿHƒÿ#íýß5÷ï=úo—ø{ŸÿN­êƒiƒœnà¯%¸Ù2ÀÀï=ø½hœ] ÿ—
È	
 óø7VW4‚üéo²¿cÐM9àv7-áþ%†¢U¡î](l°ÁnªõGn· `P8䦫
-zcþ
{f;—ÿá_nó÷Øoõ'rAEe#M]Þ·[ÿhêÞÌæ™ø?nŒ´6ÿ<üæQTD¸¼øÅ„üÂÄâ¢@€ø#!ŸãñпÎZ 
+zcþ
{f;—ÿá_nó÷Øoõ'rAeu}}cÞ·[ÿhêÞÌæ™ø?nŒ´6ÿ<üæQTD¸¼øÅ„üÂÄâ¢@€ø#!ŸãñпÎZ 
 ê0
 B€›ï?ÞžÿFFØüž}ns3fÿü†Á.(ÔMwÿÜü›¤ÿqþ3ðˆ;L0ÿ–
 vHÍHÃTQg÷*›uw
@@ -5340,23 +5363,23 @@ gN
 崙aßÎ?ÁPÍpPjš€æù†SáË0q:ïÌÏgï‚_'•?Ì’
ø`çL[“­
 D±àg›?Ë#›;nðmêŸp}Î07 ÿ¼¶eÌ€m@IÆKw½èeQ=?"ÉrvÉNä‰ìzÓÛñe‡yMbYO„ÍŠÈäþeS䇒Q£q?•x8
v0h¤‘Át‡öý”Ÿ—÷¡¡ßÔó®CNt¥z9¿­"µ¸—+{”&†DMî²½¹)|Öf¹¹a HyZ`”*&³4tÍÚŽ2UÂïº\èû1–ƒYkŽtA
$ù_¿¦f9$¡žf¯¹†˜ªPx®´²+3›#s…,›‚õÜu²³ôéûnã‘óݺN¿›^~Û¿ÓÂ,iú™D¶°÷KÎÇS?Of}×KÍÈZ™6½¶”ƒléá•8ºKµÜ]8Öö´\R½¿k5‘‹÷Õúø |e¡·Y’´|,tj;‚7Oi_¦Plß)×ôakŽÙ“Í‘6½6ñžà&\窴Wµv´aA\Ç,«ªªR²°Æ=€ï‚4®Q¦ÑÒÆ×\´öó•»Ôù/MJt5ÞsãðfÔüÒ
 Î}N×C„¿sˆ?“¯ò
-]LÐÃäZd4¢a»ûMÅYÁ]1—¬2ÍÂ}ªuÝü®QDHx£ºOتjØ ¢FÞ>-œ×7X¢+sÞ튧÷èíå§\‚fÖk$›ãül+¨‚ïÄ©p”ÆLkA"Ôb9kPôi•q¯›
Š™ù…,bTç{ܪH»ue¾§'ç„êr+TåyÓ,.m@/	u©='Ò[¸èúmÂ.yÅVñY ~/ê	3—a#%eêCÏžÚÞÆ/3Y¹5.ÏjÈm€6­mB<«íöØx	Þ$»-—=;&(—4)v1ë¨×½·où9^ÑÃ×ü_>ÿŸàÿ	0BaN ”#Áé¹ìendstream
+]LÐÃäZd4¢a»ûMÅYÁ]1—¬2ÍÂ}ªuÝü®QDHx£ºOتjØ ¢FÞ>-œ×7X¢+sÞ튧÷èíå§\‚fÖk$›ãül+¨‚ïÄ©p”ÆLkA"Ôb9kPôi•q¯›
Š™ù…,bTç{ܪH»ue¾§'ç„êr+TåyÓ,.m@/	u©='Ò[¸èúmÂ.yÅVñY ~/ê	3—a#%eêCÏžÚÞÆ/3Y¹5.ÏjÈm€6­mB<«íöØx	Þ$»-—=;&(—4)v1ë¨×½·où9^ÑÃ×ü_>ÿŸàÿ	0BaN ”#Á§Uendstream
 endobj
 724 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 97
 /LastChar 122
-/Widths 1328 0 R
-/BaseFont /OBDWJP+NimbusMonL-BoldObli
+/Widths 1326 0 R
+/BaseFont /DHSSUX+NimbusMonL-BoldObli
 /FontDescriptor 722 0 R
 >> endobj
 722 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /OBDWJP+NimbusMonL-BoldObli
+/FontName /DHSSUX+NimbusMonL-BoldObli
 /ItalicAngle -12
 /StemV 103
 /XHeight 439
@@ -5365,7 +5388,7 @@ endobj
 /CharSet (/a/c/d/e/h/i/l/m/n/o/r/s/t/v/w/z)
 /FontFile 723 0 R
 >> endobj
-1328 0 obj
+1326 0 obj
 [600 0 600 600 600 0 0 600 600 0 0 600 600 600 600 0 0 600 600 600 0 600 600 0 0 600 ]
 endobj
 713 0 obj <<
@@ -5376,60 +5399,60 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚíwePœÝ².î^q€6ØÍÖ¦åá®É­rôÖ±u!ff(èöpWzÄÆ {€"ÈÀÏàÃa(x@ü `G'/›‘¾1;''׿,¿]¶~ÿ@"a`GwËÃÈÕâr÷z ø€@/'Àì
-(è蚪i«ØT´* wè
-Ðõ~hÅ 	¶¹Ã@ì(Àõ¯ÀÎÃÝü»5Ï—À  ;ðCÈ×ù
q  ¨{x€aG(ÐÝëa¼<`w;Woûß<Ø<þzþ‡œv^¹Áî8O‹š»ƒ€÷/»½7ä˜úgƒØ~ÏûC@{wW?€=È究‡×CJÛÿLežÿœÈÿ‰ÿ#ÿGäý߉ûwþÛ!þßžç¿S+{»ºjÝà¯KðpËx4¿ïW ðû®ñôý_a@7°«ß¿	ü»£1è¯bÿ‹ïï°šðaSäÜ„áæãçáýË†)ƒ}Aöº`/;'€ÐõaÏþØÜíAPW°;èAÛ?ÛúÄËû7ÌÐ	lçâþ[¡¿ »ýßËëOñOåtôÔÕ9ÿÝ
ûÇS÷a¼ý  À¥1Öò°ÿçâ7¼¼‡/ÀŸ[˜ÀÍ/ ˆòñþ›ŒhøþµÖzAÁ¾s^^^>ÀÃï?¾ÿZYþFÉÝÎÃþ÷äxÝí†íŸ†ß°7ú ñŸóÿÐô?ÖÆòÙáÌM{ØID8gåd{ÕQä÷+š÷tñ¡öGBÊ
‹ß„ÔxtgE¯ˆUÚÜÔFò¼¿ûè7µ¹ÝPçØì"weíÌíÒ2²w¿!úÆÒ*¹öÔª?û§qœÿÁ¤æ2š™0ï³ÍÕa=}«ÒÚÑV(ÖÁ9{£Ï›R¦3A]fC"YÛ£wHÄuE;?YRœŸ±~Bô÷u¡woPsæ%b3Kø á³Ä†xæQ˘Uú¿â\G©ß¤KèNÉ;ì+_¦G„fMVè¹µå¼ÖA-Mo×ßÂ*µú•ëLÖšóXî$¦öŧ5ægÒÃfW‘œ²›£åZJå·X2B¨™÷:kó¿r›P~ÝæÜ:Vxõµ®ÇZ&?^W,O
¹¦ ÖÐóÙ]‘|ɱ;8«Ñ˜þŒ}á;©å§Û`"Ñ­¼š–ÛŽ¿ÜÉ<ö4	—,\!ëëù÷í #äŸ\E_¤kY£’ë»ý¶>á‚'1ÖOÞ¼3>œùŠ~Ò‹M2&¼‡ÏJw¶psa¡Î÷ócîùÈý{gi[+‘ͳÖLèØ×Ix|žÑºM+ªV
S¶‡s?,‚
öŽ£1z<Ó¯³ØŠ
-6¹ëíÔ†ÈÚÞÙ²AêðÃ9Ýù¯'{Ozö €.%}¯8´çžð“÷'Éë„ù|3IéˆÐõ†.`Üùi¡UK»±g`ÍI–›Š@Îw™ÛuÝ’RGm™IÕë[QøÕæÊe0¢)ÖÙÆ€ô°й™öíWŸ7^ëÙøÇ–Ñ£cwÞ¿¸üõ&æÅÞ³šln‘Í#‡'ªå‘2¸ë­ÁÒÍN\_N’¶{ù°VC¤Š0täòwºÝB¥–ï…*çxHª/¬Ëš9ntˆ炧ÖÊ3l—vÜ/Y×èÑ	E´ãÅbÚ€I,XÀÜÜí›Þæ]hd^ªSýR˜šžÏ:ì)â?/§È»²ÃD¥Õµ/4ýªV®sý ŸÇu@»Â™îÜ®ßdj. Ž1¸«.ß?’UHsÊ3?êËôhà8—˜$36¯½3ÛÔF‹rò’Ñ¥~‡³¿‹9•in†¶ì¸Ô6i’„]†xOgñƒJJJ.‰R0©T¿mÎѪ<í ò4)¾®ÂRÁ*j™àØ¢ˆƒ»í€Ò4ò²];MýoÒ«‘!¤-åâ,kɸ!gë~çÕîN¬É¬Ô—©íâÞoÎ ÄTÏ‘úćŅl8µƒçK…§ÕTÕ9¿cê«!rß•Ü\žvñµM^SÕÉõ/ß6f¥	
-÷ßP´žÈ²i®%ËËc"ÀY_Î+£›0nqI“ËçPï_Åâë[Eä™n½·ÕéÞ
ôm¢³Ç«bƒ
-FÜÃÉÜ»÷¯©i¶…™Þ^Íyu^µ'0,]4­¿I?TAàX™­|—_*ÐRÅ|4.‚7*’ÆÓ(¾Ë‘¶ËZE§¥‹&ôí{$l²)6ÕªUgœòÙ© êµF4ñFbÐ×ÍŘÔ…$æN:ÒÆ©¸žHÙ«Ž
->ÃíDþ\+þñÚóáÅs¤ÑôcMš×ü@¨°:Ö
-¼‰>ð:—±œ°>ø¡â&$+¨z]˜ÿ|ì	oY÷ã¹5Žh½ê{÷Šoœ"É«ÔÑWqΰt±Ïw÷¸ 8zÉü»O°ág "²NjrÉœFh-í6ÿ¨„î!E2Ÿn»1*@¹BQ‹ß‡¹)EDzÝ-ƒãM‡ Ò9;*‡n¾8m}ÙÈ;¾;y	®dsjLž0
°¡^¼P²=÷4éì¨oÎxõ
fSÞóI¬aÄ~¤á`3àóÛ>Ù†=GWK1y_…”ÚnÅÞÉX"Ü%¼ý:Æ|òyªÕ¹(Ñ›ž[s´µ³na_²Rû*¼Žç,âÍ °.ÁXŽŽª84Bin’~õ·©GDÇ/›“\UË’{geö
åˆ<&Š’•¼x³¬݈Ŋ—SάˆdÝ/4t-Zer€ÿ¨öÌ&d<Ȅϵ\,:7¬j:1Îr
-!‹^Câ©å’-²‹ÈáÒHR×P«~•Þö
«)EJ§œL³Ú¥ö2šûC˜cŠžÊiÂMì×F¤,›6CÖ;ŸÇ¿–ñøn£÷[#ðLW†×V뿺lúnú#ñ*“ú¨fB
-Šr4ûNt©e¢gÒ@®ÍàÙݵ½µKÐÛˆîBÏ26‚ÄÓ*|Íúì¢ÀL¼L&d}Éjy•³‘m;ªÜ¸V¦ÿb[-Þ˜%Ã÷ç÷Ójè2_S£r‰õu{—‚áh£Üjâ?ê†`cwÖþ;±™°Ì)“/²AnãkÌ<Œù††ý•ýV‡B·qÝuŠFL¾éŒ­ÔÕ‡°µSVÄ…òÏhI¡™P4ɽXÜôMž£„o|ʇ`,=çh³¾¼ÃD\iÚžQn¶Škˆ¿£éTîL?È{,·Ò;áZ4eʱ2ÂÀïýj m¥XÎ×¥ãÕ¢€¬AóxþXŸÙ­,çøØçêv™¿Ìè£N
- 
j$«l?žÙ|Mú6E9‹m೯n6%œëcy÷®=ÕQÔçNǺÏˇÏòßµ>½ø)ñ©ëmÜMOœIÛMDñ¹|Ùîó=²wsgdŒ£ív “Ù£S	k®Ôõ%-zjßEU9¶ÞAQ§@„zÌM6ÅSÏ®,I4|oJ&ï^:NòaeÜoB“M_Ž„žOpb0ô@£¡:½?pngö÷ИÁM›ìÃ|½M}ظyÚ²#J°\àœ€ë­{Ã/¾êM¤/¸™§tã»?¦O\'o-À«¿Ñ?
üU«
-åB·W•2K)³~£>iÒ²•Ž'ë
PSêT­0)Ð3²A´ŠóX¹Ê~¡9/³Mòl1:ÆSX&ª j¶£(q:)ZóÄ™|‰›DšÑIÌ·QbTBoÑn_ÚýHë"ÂJå‹mæ š£é*XàŠÌãµ€`AN"›+Þ|W8´¶‰ÉÁEÎ6õ\[9
- â%yQ`ãŒrÇºÉ!\1 `ðC›]4 ýÄrv¡õAÝ0…¨ÛïÛÁ
-Jä‘fýVTD”ëãÍEÚþ.yˆ±#Úãñ_­<šOövó”íXFc|œÉÕÇåáùäÑY»²`‚â
}OˆôV‡g¢1a⤇59/Vœ•(ù½œÙg§ª€Êžè¯ká©ÁÒ¯Ù	x'%‰ÕipŒ'
-ç+ÆÒ~¼æWg!õ6-ÙÃcÐÑNŒÀ†'	õr'pÈìP*«’w^ZoÖæcƒK^ÞÏ&ØY	­:”¦æë”^õs§¿¸Ú¢‹wa^‡¹„TÜ’AR|Ö‚Ò?"3{3ÒNä0•ª‹3Ê6#¶Ì¡èçŸFZÇ`Oè1zDÒÝ6HŠì£}UËß„×üŒq» Aã=Þ*Zt¯¬¼I#ÿú†ìûYÕÁw9d‹H©½
þ0R×1äöŠŒj)ùµ½Ä¾Ìw¾Ò‰ôЛPü(Íh‰‘ê÷_L¬+-l‚Ç°Õ¾˜‡ÕGý»ó‘=ò^¿Ãè±9zʯz³ˆ—?š^ÅYùuo?BÆÆQœ¥Ž£!«ÔQÈ|zi¬²¼YþÚAæÌͯœ(æ°ú¡IDZ§à-Ûn¿O{¿ESðÁ[£ë€xý}ìÛÚ/ÐÇwÖ²…ôöØ$TÇÐWEË¥ó•Þ±3Wå¯]Ð\Çp’b¨tQçZ‘+"zu¶X¢õvåQ{Ôجº¶gB$\’néË~ÛÀ|}ù&̹‚­R.e£+ë#k°^<üè2’•p
}ªž”ŒâíýWpÿ‚¯úˆöm@7•f£6Q¨7uZš¯8ùäV•¦7ÖOJ’³»¬mzÊÅq	:mêòí¥ùKÎúfÃ5°¯Û4ÒØ¥œ–µ_”Ý;pÛ̬ïS›áÛH—ßìIé,ÙˆqA*ºãÄ”{f°HëhYÅ£â€î*¾‰‘Õ/Í;¯Ixÿ>îñ<*Ã,PýڴõiµO˜"l	Çû+êés~|éš]4ýTúWuȱ&çžLPÆ„ _hlü‹)궾÷Ë·Œïé²zï\‰ù·Ô2Öª]5,ï>¦QÅEM<ê‘H1«žvXãŸ	„cà‰N˜mïÿ/7rf£%wS
-ÆúþêFÏZ*ÖH€ƒÉÞªÐVÔ°îâÌ`y7e-On{™¨éætRðþH߬ÖE˜Ïžàyem±ZÔ¶{	‡dd—d?K8zAØ36}\’†µ5»T7“;’É£Š*½|Ní
¹–öÀä[Ô¦²¦³ðôÖ5Ý’(Ù_3ïžÖžs«é ™X]pämË“Õ*o'o$Kï—áÕ˜YÃÈÀ'xY[Þ˜/8~€µ,nª•1·F"ݱl½¦ä¸&†97ð6øïRÞ×Y¢¸/ø&yÌ Ð][ÀÐìÉÉO‘T8E¿R%Á$€ÿM®¥¹™…Þ¥«ÞšÉöe‘<;Þá'ÒÕw’
3n›ßWqå5ð!ì$4Öãh“¶ožŒñ9‹_µÜb[%FR
RC€H¹¤×#·So™1Òë)4ÔÚâxò‚gÛ\¥<Çm§ìå•6ƒNð¥išYW#-=BÀÕÙ¦XQò4­bN
­×3%xšy¢ÊT.Áw½úðuÇz¶Š/Ú,#Uª3úôs‚lÝÎO³Cu›ùnJÿq­Ë’™âÐé1‘*ì²í¤Ù/AI[YÏ·Ce„¦U$jÍ»–…\Ø¿]­KA>¿Ì…(N/H›—%ô’1l©8XOrŠ"æ„ÒíÏß6žX~ŠWI	o,¶Ë¼2ì}»D‡ºZq^.5uŽÁ/àFlÆ¿–cÎ-‹A!Ø&„¤±%ëÖ\p·Y5„†s[ˆ?EXi9–b>YÈ)·¿2Èù©Mν‹€D1px©a4SIb?/3¥÷¬ÑßÈ18¼7ÏÎ!î§ËÖØÛ:æ}ПBli¹
-¡y¥óË2— USLhÙæ‘z¨Þ^¿B¬=;GÝgÏ©ùݱ^vßšWB™-/y=›YœŽ_GêRÊjÁ=t¡ÜL%y)Y_­ýƒÄö&d†DŽô#®jTâyvv#/íÓ-BÝd{ÊáeµTÀ8Š«ñ¦Ûs·ù®7ŠïR(,ô?þ„$ÝJKPÓ[ïE!‰n«ÓB9›:1´¦
7/y.Ìø0!“YR]Íœ¸ÆðPÌÔŽä¸Ã@4“@DTF˜àj+ökâÓó«^­A•Ì†úw:äñw‡ìu}O,Ò$åÐÖ¦pÊÎ"qAæ$­\T%‡6
[‘júК|"Û×ôtuµô±›­>(ªâ‚pÁ\4‹½Dÿ®›áP+~Êê”5]ít1HÖ%vPÇÝ™@ø¥CéËÅbˆP6ž»ó;²ÐýãÌK?“Õ±‹vu±i$âVÁ¨[…É7®K¡3ôK$ÈÚ(…[Mé?X-ô1c,>WÑKhú̸á*nTÔ¬»œ«Õ‡HK>9åNµºVÿÙÿ,R}Aòä‹Ò¥õ3ÒcOl¼xâëM™"a™š¿ßH¸Œ¨Z¿ýšýè]S^§=‰y$×D,¹Æª–š+HmöæjÎ!ç*ZÙü• ­S;Ðâ„ÝɳsZ ëèTG´Þöd‘ɨ°gMÊ܇~DŠ¿–V©¼cá¯ÚÐUèÿ½,þté`9ŽŽÍ[äêªj¢ó ”Rjóá[»	!JK©MJnyýMí¾¶ïUØŽ 'NPÑT‹«oåònDË—Ñ­ÌÏæJÝpËã9OK¯vÍY¼ÉR’.­‚—J²@ü\žåzŽ$)¤¡(é ô6øàh£ÇŽ³œ¡ÄÁOl•R::½F¦Ãe§xHüi›ï)˜Yê…,W®X¥dÇ»üŸ–á3°¢ñh¾%	JÒ•¶#ÅñL”ZŠË{®õÚáÎ$ù]ħ“Ýј¸eŒÔ—÷
-HzºùNz°²€RvâxÕ-.²U’0Ýš±üÏ[FlZy½·ãB©š†¡›æO•Ö^1/RêßÈmÄ"l7ø’ÒQîxO*J&ÛÔڅǽʣ"0vò¹tñçÀѪvŸÃ0({	ê¨(¦QðYyç½¼.áŒêÚûý醘höÚ%Y…¹Sš@Õ:ÍC³çñãدKª?î':¯ÅnAc¦ÎÑ\ËÜöÞ©I¼ˆãùxKïÒÓþ6@!QbE‰C#ÝuÂCÚõx4µXxºå9Ým€ŒÐ!pué˜ýYÎESp³øWŸÃg”‰hIÞâULl]õ¢Ð&´'s3ÑíÌæ79BÄ%Ùsƒo…Î/†vÕƺJõS¤¡“ý²ÜšÔVá²ìlSÑ8ô¥ë*kþ"\Pv›÷±ÿä/¸ÅÀL,Ø5dN’òƒøÙ¶±P¬kÈS%…9Å	ÒÌgI«g?Ê0˜nHñ‰¹¼Ù*Ù¦ñ“Â(µF_Ì ³Égš›=
,ï‘1\öÂ'Û¾Œ¿Œ8B.4¼ûA- ¼>Ž›t)l…óí ”t#·òzšbð[­¦Ùi©S’ÞÕ1žH·¬÷3c,wZIPc©þ PKÆûĉ@ÈLÈy'¡ Á5!#mÝêú×ÿJþŽ(0^ÁP ¹…Ö¬_¦ö‘Ol={uCu×-Ñä)
-êPü®
-»ëdó[艡¯d³²Qlol^ùU°v¤ShÝØ1røü½çDc;›QSÂ’HŽæ8.H1¶Ç`ŸÉøû8®ü
-Tm&E×ÔÄê'Ö(DáZäðá[ö/áxH
-8¿$ìð\hm*tà-Ü,wè°/Toá^“¶M5Ëj™~_Ék§U-Í°ß²ìthßl_Ã(¿ï覈†	¾3õð3ñ¶oP]}ÌyJMÑÁâI”Yé槱d~…Yï3¶’¡Zý⛃b:Ïô‡4þw=SÛÅ’ÓoLbò(¤‰·»ªâh(dOösGzžrëÙßXUð¼6
Ñ¢6ì!´‚46µŠ’Ó}ÙYÉìž™‹¿Wûô‰ÓwuÔ³õ€Ð×ê ¬µ1"íƒÀðÈl•Yg@Íú!ÊáIŠÁÀ¨'µvoºó“¡ðf‡´…ÜU}¼öe¡ÈãAé96Cø‰ãkéÖ;‘gÐ2ýçFpuB†M/xL6B1ÆàÞßôEʉ8ìWÈ-GÌ,µDʳ±fh2ÌcW_SS†y×leðú®gÕøL`¾ÒípŸ%+8Ó>áší+™aà'aå[zÆÔ\€ñ3ÿ~è{Ó…c¼C%ÎIžc½-ãÐÒPLÒ샽C?CÆy-Ö&(IhO¥áÒ?&tŽA
-Ìã½çëD|†ÞÆn]HÓ!:±Ëõm’tn2rªFÇÆ©WCq6«£”…Ù=n>}álÙ«^‘èΧlÐ|–@5(\àl“¯Š’
-7}r ¿T÷/?ïþh›Sƒ¥mBç¥^Ø‘³é#§ûCm6ÞË»¸ùÏSSj
-/’F0õ
-Þ†:M,*û½l
-Ÿkk«˜^\ÆŒþœÿ	'G˜3fh8Šõ¸k·9Q3B3qwz»mc4H‡8Ž˜°ciÏò¥áè^öwv¢÷"*Ë"ƒþÝì¼TŸˆ–ô=bÅjåù;Õä|¨ŠIH%NV¤¼µ¹T.ÍW—iÏ'ëûðLúm-±1È“H$L”ʶl#Ê¡¥Fly÷áž¾ðLèØbÚ5~²
’ðùÚpÃÅ«þl3¿{"Û·z—rð2<Ê9%­)l¹Öèûgï'
/ß ¢ÚÕE0˜¯P]߸8¨ÐWdÓr¶µí
-ñK$ÌdsÔÓ|k`êéL@èrñ÷WÕå96“¡.9žo»>{ó%ó;ÂGŸñìÉî)j‹Æ78DöÜs_cT‰'Î=îåÅ„K\žüÕ»Þí\üÃwØIW›¨U‚Ñ7Ü|,~=ÞWÑ„Õ/ö#Þ::a¼ìbâ–OªRåQâ‘HÉÜbp«ibzŽÆ»¤Š…áõØ×Û_a­GŸN—y®=ðgµ±f*Rä)<ߘ·ò×£Rm…²Ðªž¬BM×2/+s'Žã’œ:¸Z…RyäˆÞ©X圳‘}=S¡Î(6²%1nü‘Ýv»©Ó¯á²Ÿ»ý*¬Ê)¤‡m0h˜yÕÇø–4gç×r̲ð—È<éѧÏØëyÏÓ;«KÞ+ÍmgToè‡ÊVË¥Çì4™“ÄÕ;$ÈZ‰Ì^‰ìÅ^–+’
†‹9g4²ëÉü˜k
-ZܼÐÉ*ŒÌ_×úøºd_Ñsl[°`ºÝW$ô®Æj4@²QÒ:fX.†óé\+»Ø/„pãÎßžO÷Ò¤ö'ÛÏG˧OWP$ñ~j·¸L"CúržÆñç¨Ê’˜¼©p«:gó.\}*ñ”‰`þÚ%ÓÙH›L-q»Fµ4„Î¥gÓ9Síð†oÙ3Ë„0!ù°ä	ðÇå”|õò
-²Ÿô<`HÂ^ê+Dy‰ñ‚Ã*ªþŠúù+Tý‰{Û9é‚À†É.8ñ‡,ÖTþ¼ó†Þ+b‰¤H¨ÁžHk×senJÚ&ÁeÊf°¨§3¨QÉþ&Í‹—Ưuo‡Cq>œS|1wÓðùz!N^ŒL/>û”™,ƒlIà@ÆÔNcW¹¸x‰ ô`ÖÑŒ­ uôõa
L3®5{1GR']CL‹‹¿óþ/?8ÿŸàÿ	;WêåᄺàüžÙ¦äendstream
+xÚíwePœÝ².îä~ ƒÂÀÊð‚ƒÝÿUrÂì]ApøÍ÷ïÝùWŸ€ÿÖ=
+uõý
ùãõÏÀžp«ÿCN;χ܎`wœ§¿‡EÍÝàãýËnïýæ
‚ýÙ ¶ß3ÃþPÐâîê°9à<Õ†x>¤°ýÏTæùωüø?"ðDÞÿ¸×è¿âÿíyþ;µ²—««6Ðíaþºd· 	ø}ϸa€ßw‡èÿ
+º]}ÿMàßAû_|‡Õ<›"çîø 7?ï_f0\ì²×{Ú9€®{öÇnän‚¹‚ÝAÚþÙÖ‡ ^Þ¿a†N`;÷ß"ýÜíÿ^þƒ\ŠjúLMSE‹óßÝ°?na>7¿€@DD ÊÇðo2þ¡áû×Zè	ûÌyyxyù¿ÿøþkeù7%w;ˆýïÉ1ðºÛ?Û?
¿a;/ìAã?çÿ¡é¬ÿŒ=ä²Ã™›†ØI„;gædyÖQä÷+š÷tñ¡öG@Ë
‹ß×@:ƒ2£VÄ*mnj#xÞŠß}ôÚÞn¨slv‘»²v¦ƒöiÙ»ß}ciáÜ}jU†ŸõÓ8Öï`RsÍL˜÷Ùæê°ž¾Ué
íh«ëàœ=˜ÑûM0)Ó” Ð.£!¬íÑ;$⺢Ÿ,)?ÎÏX?!úû:л7¨9ó°™%¼ÑðYb‚=ò¨eÌŒ*ý^q®£ÔoÒÅw'ç‰ö•/ÓÂÉGB2'+
+ôÜŒ…Ûòü_kˆ –¦µëoa•ZýÊu&kÍy,w]ûâÓs3éa³«ÈNÙÍÑr-¥ò[,!Ô€Œ{µyŠ_¹M(¿nsn+<ûZ×c,“¯+–§_SPkèyŠl®H>
+ŠäX­1;M±öa"~˜¥8õ‡×Ç8-±žöì|zóò}ÉØ·N+÷•kÙGâ±ðhŠØVPkã]¡BÆMijýYœû«y¥î±fÍ“šú`ÆçÀx‰ãdƒ0uç¬#[ñŠìm¥K/™d[Ës5¹W4í_K`ù=‚­%MÔ¦åo,ÀŸµf
e?m¬D“<
+“õ‹HR¯3bšñ>Ôm]
+£~Ußé+ ÃN“¹)Ÿ”ÙhLƾáÐØòÓm0èVÞ
+MËmÇ€_îd{š„K–"[!ëëù÷í@#äŸ\E_¤kY#“ê»}·>á‚'1ÖOÞ¼3>œùŠ~Ò‹M2&¼‡ÏJw¶ì}a¡Æ÷ócîùÈý{gi[(+‘Í£ÖLèØÇIx|žÑºM+²V
S¶‡s?4œ
þŽ£1j<Ó·³ØŠ6¹ëíÔ†ˆÚÞÙ²Aê°Ã9Ýù¯'{áOzö €.%}ÏX´çÙÉ&ïO’Ö;	óùfÓ.
+&!ë
+6\ÀÔlk䧅Vu.UìÆ5'™n*Ñ8ßenKÔuKJµd&U¯oE³¯6W.ƒM1Î6¤†…νȴo¿z¿ñ\ÏÂ?¶ŒÂð[¸óúÅ
à®51/öšÕds‹h9ZT–,2µnÄå6–B–¡¢q9{D¤òÃ’÷mØ-iŠŒÑ0÷–òùv‹1£0ùÓ›ã“wC;)l\a\Í„‘]KϘ‚élšéõ•)ºü‡‡,ùxâqe}ª‚S‚ýï4·ê9Ržx³¸
‡¡vpà|©ð°šª#çwì@}5Dî³’›ËÓ.¢1¾v¡Ékª:¹þåâ›ÂƬ4AáþŠÖYö/͵dyyL8‹ãËyetÆ-.©rùMtöxUl0Áðûl2÷îýkjš-da¦·WsžWíñMëoÂ$UD8VæF+Çå—
+´T1M€‹àÇŠ¤q4Šïr¤í2WÑié"€ñ}û^#ñ›lJþ¤ÍBµjÕé§|vjˆz­Íc¼‘hôus1&uF!‰‚¹“ŽÔq*n†'Rö㪣‚Ïp;‘?׊?¤¿öøFxñi4í˜F“æ5?&¬Žµo¢¼Îe,'¬:B¨¸	É
+ª^æ?ß0kÂ[Öýxnc'ÚB¯úÞ½â§HÒÄ*uÔU¬3|]ìóÝ=.(›
+½dþÝ'øð3PY'5¹dN#¬–v›TB÷"™O·Ý ¿\¡¨ÅïÍÜ”¬cÝî–Áqˆ¢CP霕Ã6_œ‡´>häß¼W²95&M˜úÛP/^(Ùž{˜tvT‹7§¿ú·)ïù¤€?Ö0b?Òp°éÿùmŸlÊž£«¥˜¼Brm·bïd
+îÞ~c>ùåC0–žs”Y_Þa®4mÏ(7[Å5ÔÏÑtªFw¦äµ?–[éÎ-š<åXnàû~5À¶R,çëÒñj‘æ yŒ÷l¸V¦ŠÆs|ì‰su»ŒÇ_fôQ'Ð5U¶Ïl¾&}›,€œÉ6ðÙG·›2›ëcy÷®=ÕQäçNǺÏˇÏòßµ>½ø)ñ©ëmìMO¬IÛMxñ¹|Ùîó=²wsgdŒ£ív “Ù£S	k®”õ%-zjŸEU`9¶ÞAQ§@¸zôMÅS®LI4|/J&¯^:NòaeÜoB“M_Ž„žOpb0ô@£!:½?pngö÷ИÁM›ìÃ|½M}ظyÚ²ÂK°\²9×[÷†_|Ô›H_p3OéÆu!9~L›¸N*ÞZ:É®þFÿ4àW­*ŒÝ^U6Ò,¹Ìúú¤HËV:Ž¬×_uN©CRA¶Â¤@sÌÈÑF(BÌcå*sø…ä¼<Ì6ɳÅè{Na™ ‚ªÙŽ¢Äé¤hÍ[dò%laF'1ß2`D‰Q	»E?¸Ip|i÷#µ7’+…/\¶™ƒjŽ2¸«`+"׊=‰h®xó]áÐfØ&:9/ÈÔcmålÈŸŠ—täUx3Êwè&‡xpÅ€N€ÁmvÑÀŸôËÙ…ÖuÃd¢nc¼o+(Db˜õ;X‘ñPQ®7©û»äÁÞÄŽhÇ{|´òh>ÙÛÍS¶cñq&U§”?ÎÎ'ÊÜ•l`è{B¤·:<…	'=ä¨Éy±â¬DÉïéì¼È>;uPTö@]›„ ýú˜€wR’XÇ(`¢p¾b,õÇk~uR/Ó’=<í„pŒ ìD¡^îxyÿJe•gí™,ÉüKå_Š{	õ¶½¾jaåè\ô±Ý¥ z5í¿îg8ØŒ¢Ç c(
oŒLî’.9.Îé˜á† MLæ[óÕ¦¹´1YÛŸ	,›»ÔwÑÐìzÈ,×l½â,uOU«Z~'ÅØGòÀÁKëÅÚ|lpÉËûÙû 3¾U‡ÒÔ|Ò³~®ãô÷B[Tñ.Üó0—Š[2ðBCŠïÀZPúGDFo†ê‰¦RuqzÙf„–ÙaýüÓH|ëü	=FHšÛI‘}”jù›°šŸÑn4h¼Ç;CE‹î••7©ä_ß}?«:xá.‡l!µ·ÁJê:†Ü^‘^-%¿¶—ЗñÎG:v‚i£%1R½àþ‹‰u¥…Mð¾Úýðo¸ò¨w>"àªGÞ‹á{56GOùUoñòGÓ«X+ßîíGÈØ8ê³Ô±4d•:
+O/•A–7+À_;Èœ¹ù•ÅV?4‰Hë¼dÛí÷iï·H£>xit¯ÿ¢y[ûöønØR¶ÞÞ›„êöªh¹t¾Ò+fæ* üµš€ëNb4•.ê\KrEøB/°ÎK´Þ®ºŒ`%\ACŸª'%£x{ÿÜ¿à£>â‰}EëßM¥Ù¨M"äEšê#N>¹U¥é…‡õ“’„äÆì.s[„žrq\R§M]¾½4ŸnÉY_ÃÌa¸öq›F»”Ó²ö´{n›™õyj3|{íò=)½ÈK6b\Šî81åž,ÒÇ8ZVñ¨8 »ŠobdöKóÅiÞ¿}<
+À0P¿6mçpmZí¦]Â1À~ÄŠzúœ_z šfM•þUÝrŒÉ9LÅ…1>Ð÷¢GŠº­ï=ÀÛò-ã{ºÌÞ;WbEþ-5†ôµjW
Ë»©T±‘z$’ͪ§Öxçg²1ðD'̶÷Œ—F9³Ñ’»)a}u£g-c$HÀÁd›ÝªÐVÔ°îâÌ`y7e-On{™ éætRðþH߬ÖE˜Ïïqem¾ZÔ¶{™
MÏ*Ézô‚°glú¸$kkv©n&w$ƒGUzùœÚz-
Áä[Ô¦²¦³ððÒ5Ý÷—’(Ù_3ïžÖžu«é ™X]pämË“Ô*o'o$Kï—³«13†‘3NÙemÁxc>à¸ֲةVÆ܉4IJõš’ãšæÜÀÛ W¼ó­xוY_Ëm©ÚŠKž`~tYl9½00/ïbâaõÇ~q-kùHuz_g‰â¾àó<ÑQ€Œ›	zÒÂE×Ónó~õàý+žQÝ°ÜÆT¹1¼q&wf|vbMúu3ÂBУë|7и2B¦t¾&ÒóYc(@~òÈÞõ+Ýßk>,þÒ
Mš`7{L)GCp§²îÑ\Oj	³i®¼ŸC´Ùuº“CÚû9w,ß³ík•"+Q÷…Öq¬	P¶á@4õ)CÝgeʼ6wö1Éc…îÚ†fN~ŠÄÂ)ú•*t&qüor-
ÈÍ,ô.-XõÖL¶/‹äÙñ?‘®¾ë”l˜qÛü¾Š+¯é¿€e'¡±GóŸ´}ƒôdŒÏYüªåÛ*!‚jh”
+DÊ%%¸¹µ˜zËŒáq[CáÛ±ÑPHUrvŸ×)¿UqÎj{Gô8ÎÉ?èз•<â‘^_°H¡¡ÖÇ“<Ûæ*å9n;e/¯´t‚.MSͺié~[¨Î6ÅŠ’§©ms¢hh½©|,AÓÌU¦rñ>ëÕ‡¯;Ö+°Ul|Ðàé)Ú0ѧŸãeëv~šªÛÌ'»pTúk]–̇L‰Taÿm&Íz1‚$ne>ß‘šV‘¨5ìZjrubÿvµ.ýü2¬8½ Mh^–ÐK°<¦â`=uÈ)
+Ÿ6J³?Ûxbù)Nq$9¬±Ø.ãÊ°÷íRêjÅ}X¹LäÔ9¿€MÿZŽ9·,=”`˜šVÄ–¤[Xs=ÀÝ>dÕäÆm!þa¥åXŠùd!§ÜþÊ ç§69÷.ÈÀá©„SÐL%ŠýH¸Ìx”Ö³6F#ÇàðÞ<+L8‡¸Ÿ.K7V`oë˜øA
+Y°¥å*˜æ•Î/Ë\‚M1¡e›Gê!z{ýý
+1öìxuŸ=¦æwÇzÙ}j^	e´¼äõhfq:~õ©K)³÷Ð1˜r3…ä¥d}µöKÛ›à9Ò¸ª‘	çYY¼´O·u“ì)„—ÕRhã(N¬Æ›nÏÝæ»Þ(¾K¦°Ðÿ,øšx+-AMoq¼‰$ºi,¬NãlêÄКbP4ܼä¹0ãÄNfJu5sâg‡`¦t$Å ™x#"ÓCgP[±_Ÿž_íðj
ªd¤3Ô¿¸Ó!»;d¯ë{b‘*)‡¶î0å€#Pîtš˜0'iå¢*9´ipØŠPÓ‡ÕÐäÙ¾¦§Ã¨«¥ÙlõFQÌÌE³ØK@ñﺵâ'¯NYÓÕNƒd]buÜ	„_:ô—¾\,†
+eá¹;¿#Ù?θô5Y»hW›F"nŒ¼U˜|ãºÔ2C¿D‚‘Ž¬R¸Õ”öƒÕB3ÚòàsÕ½„¦÷Œ®¢áF…ͺ˹Z}°´ä“Sî«kõŸýÏ"ÔT¡O¾(]Z0C!=öÀÆKÎNx½)S$,óBóâ	—Uë·ŸC³½jÊë´'1䚈e ×XUÃRse)Í^\͹"ä\Ek8“¿âµujZœ°;yvN«t*âˆÖÛžL’#öÌéC™»ñHq×Ò*õ‚w,üUº
+ý¿¢–ÅŸ.,Ǒ°y‹\BT@MtR@¹ ¥6¾µ‹‘` ¢´”Ú¤ä–×ÏÔÙèkû^…ízÂMµ¸úV.ïF”|I}àÊül®Ô
·<ž3ñ´ôjלśô@%éÒªìRIد¿Ë³\ñ‘D…T%„Þ_6Úèñ†…ã,gqÐÓ[¥äŽNÏ‘é0Ù)?Úæ{Šf–záË•+V)Ùqç.¿geøÌ#¬(B<šoIu¥íHqSVp¦}Â5ËG2ÝÀO8ÂÊ·ôŒ©¹ãgþýÐ÷¦Ç8‡Jœ“<Çz[Æ!¡¥¡èÄÙ)z‡~†ôóZ¬MP¢ОJÃ¥5nL胘Ç{Ï׉ø»Ùº¦Ctb—ëÛ$)èܤçTŽS¯†àlVG*³Cn>}áhÙ«^‘èΧlÐ|O5(\àl“¯Š’7}r ¿T÷+?ïþh›Sƒ¥mBç¥^葳é#§ûCm6ÞË»ØùÏSSj
+/G0õ
+Þ†8M,*û¾l
+›kk«˜^\ÆŒúœÿ	'G˜3zh8’õ¸k·9A3\3awz»mc4P‡8–˜°ciÏò¥áè^Öwv¢÷"*Ë"ƒ~Ýì¼TŸˆ–ô!1â?µòüœjr¾TEǧ'+PÞÚ\*—æ«Ë´ç“õ}x&ý¶–XäA$*Je[¶‚åÐR#¶¼úpO_xÄwl±í?ÙJxíG¸áâUÿ@¶Û=‘í[½K>x霜ZŒ:\kôý³×À“†—ï	P‰Píë¢ÌW¨®o\Týé+²h9ÛÚv…ø¥?f°9êi¾‚70u‹tÆ#t¹øû«êò‡ÉP—Ï·]Ÿ½ùŒ’ñá­Ïxöd÷µEã[6TöÜscT‰'Î=îåáÅ„K\üÕ»^í\üÂvØIW›¨U‚Ñ7Ü|,~9ÞWÑ„×/ö#Þ::a¼ìbâ–K¬RåQâ‘HÎØbów«ibzŽÆ»¤Š…áùØÇËOa­GŸN—y®=àg5„X3)â4;ߘ·ò×£Rm…²ªžÌBM×2O+ȹ“GDZ‰N\­ÂN)Ý*²þŠúù+Tý‰{Û9é‚€†É®l♬)üyç
¼WĉéÐ	‚=‘Ö®çÊnJÚ&AeÊfðȧ3¨‘I~&Í‹—Ưuo‡Cq>œS|1wÓðþz!N^ŒL/>û”‘$ƒlIà@ÆÔFcW±¸x‰ „0ëhÆTº	úx³¤ך=Î1G‚R&]ƒM‹‹¿óþ/?8ÿŸàÿ	;Wæ	qÂ\pþQH¦ñendstream
 endobj
 714 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 45
 /LastChar 122
-/Widths 1329 0 R
-/BaseFont /AORUJJ+NimbusMonL-ReguObli
+/Widths 1327 0 R
+/BaseFont /YVILGM+NimbusMonL-ReguObli
 /FontDescriptor 712 0 R
 >> endobj
 712 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /AORUJJ+NimbusMonL-ReguObli
+/FontName /YVILGM+NimbusMonL-ReguObli
 /ItalicAngle -12
 /StemV 43
 /XHeight 426
@@ -5438,7 +5461,7 @@ endobj
 /CharSet (/hyphen/a/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/x/y/z)
 /FontFile 713 0 R
 >> endobj
-1329 0 obj
+1327 0 obj
 [600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 ]
 endobj
 641 0 obj <<
@@ -5451,7 +5474,7 @@ endobj
 stream
 xÚí¹UT¤]“%Œ»kቻ;îîîNâZ¸»»;…»»»;…»Z¸ÃÔûõt÷¬ž¹šé«ýy“ω±#Nì8çY¹’œXQ…^ÈÔÞØLÜÞÎ…ž™‰ ¦¬¡hdccd
 ´—¥W¶·5ü5³Ã‘“‹8™¹ííD\Ìxf¦Q3€™››Ž bïàá´°tPýå ¦¥¥ûOË?.cGþF:-ì~˜ÙØ;ØšÙ¹ü¥ø¿T13¸XšÌ6fE-)y	•„¼@ÂÌÎÌÉÈ èjl4ÈMÌìœÍ¨æöN›[LìíLÿlÍ™á/—3Ààì`füfænbæðDp0s²:;ÿ}NFv.{àbڙظšþSÀ_»¹ý¿
-rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ3w—r›LÎ6Fsÿ%spþ«Wg ÅV@p2³0r2µ1svþKó—ûŸîüç>ÿËîl<þmÿ/¯ÿ¨èâlfcÎÇÌò7§‰ËßÜ@;8ÆFEÊÎÜÀÌôovSW‡Ç~˜9ý«ATÿÌõß"ŒLííl<¦fæpŒòö.S¨þïTføïù¿Aâÿÿ[äý÷¿jô¿âÿ×óü_©Å]mlälÍþø÷; øç’±ûß¼l6ÿ'ÿÿê©aöoEþi¤\Œþ¶BÈÎâ¯ôÜl\LÜÿÅîf¦Š@K€¹‘Íß^ýË®fgjæd´3û«é¿Ú	 gfbú/˜ª%ÐÄÚîŸæ³ÿdfgú_ëÿ+Ó¿ªgT’V“’¥ýßîUz›¿óeÀÌÁùoŠ'ÁEÕÃÁð?ÓiÈÙ›þÇâ>aa{w€=3€ž…‹õïdap³±úürÿ‹ˆù?×rF.N@w€ó_Ò¾™þÉý€Þ¡³3±7ýgvT\ŒìLÿŽÛþM\œþªü¯àïöÿ}ý¯Á73s73[ûeoÂl•ž•áR‡72%ª3ÐÇ>âPÚ¨ZTè_cßë—¾Ë]iø^ÂÐ4ÃóÙî±|æðq(Ms4Ö‡eCÙ›jvU€ïCJÝ_ˆºEÑÉI{Ȩ_Š˜q®íu½$»¡ÍÁ¤~´7¥¤¬_òE0ÓÉêsýDíOú£ÐƒìÑÉ×$­!³¥	­îçÙ9EÒéÓ#åÐøèÈpï
dÿ!mn,9ïDŠ(Ç\<mµ
+rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ3w—r›LÎ6Fsÿ%spþ«Wg ÅV@p2³0r2µ1svþKó—ûŸîüç>ÿËîl<þmÿ/¯ÿ¨èâlfcÎÇÌò7§‰ËßÜ@;8ÆFEÊÎÜÀÌôovSW‡Ç~˜9ý«ATÿÌõß"ŒLííl<¦fæpŒòö.S¨þïTføïù¿Aâÿÿ[äý÷¿jô¿âÿ×óü_©Å]mlälÍþø÷; øç’±ûß¼l6ÿ'ÿÿê©aöoEþi¤\Œþ¶BÈÎâ¯ôÜl\LÜÿÅîf¦Š@K€¹‘Íß^ýË®fgjæd´3û«é¿Ú	 gfbú/˜ª%ÐÄÚîŸæ³ÿdfgú_ëÿ+Ó¿ªgT•W•¡ýßîUz›¿óeÀÌÁùoŠ'ÁEÕÃÁð?ÓiÈÙ›þÇâ>aa{w€=3€ž…‹õïdap³±úürÿ‹ˆù?×rF.N@w€ó_Ò¾™þÉý€Þ¡³3±7ýgvT\ŒìLÿŽÛþM\œþªü¯àïöÿ}ý¯Á73s73[ûeoÂl•ž•áR‡72%ª3ÐÇ>âPÚ¨ZTè_cßë—¾Ë]iø^ÂÐ4ÃóÙî±|æðq(Ms4Ö‡eCÙ›jvU€ïCJÝ_ˆºEÑÉI{Ȩ_Š˜q®íu½$»¡ÍÁ¤~´7¥¤¬_òE0ÓÉêsýDíOú£ÐƒìÑÉ×$­!³¥	­îçÙ9EÒéÓ#åÐøèÈpï
dÿ!mn,9ïDŠ(Ç\<mµ
 ±ªVõ¶ý^Nc_ñõiܬ槕Q¿ÑŠÔ+«ñïPYŸÌôZ#Ûõ½¼6SºßS7Cç0ÂþD¶X>ªO¯Æ¶aÕl¾JüÁøÒŠuwßùöüh¨ÁŽ7n-	ª}»›ËÏì¯ò[ùwµ gïèÕËä‡× †¸ºŽïÛ­IZR
» ˜Yâu#1¯›t,’‹¤×CMMW•M¬îÓ–$IÁ]•Ð}}™ß×(+X{—üÓHï=s]Ô½í<›Øáb57U‘Ct¸¹# ¹@
²KCúFúØì¸5Ö0ë#‚OXíg½FC'ØÐÀ"¤¹ú,ï6çš#±VEÿú4Í ÙTÙ	ƒ˜êççX}×¹F; yhȱ½ýx˜!:Á<œ?-p©yó>sd³aEG2 ‰iħØä¢_,Ì:ý¡ÒI“
 Èú€èç“.ª¡Ü^ó!Ozü(~”@½ð¤Ê¨JïŽ	÷(ù)I¡É’!Ë[í¿7O’0	™(Öê/Êó#?ŸòtssÕï“wÏgWWÂù;í
@@ -5523,23 +5546,23 @@ Pпܠ
 ªjDÒG@œ=ù¢0Vþ23qð8@R‚¢Sx†€ÀˆQšk>Ö˜IÛ»åÆnÕ@ Šœ+7ƒ¥	#xA&¶#A×÷“š
k‘ìÚIÍ!]i¿ƒ–A!’ª5•JN¾w¢O’	ˆvš·Ò‘*âô*,¥×¤Q*Þ=£•^¯ÄìP«Üé툘Ífó®U‰{™™®ºû¶®á·Rû™ÁØ	aûp"ë¼[÷—– ®k=¡_„ë¾´6÷g]Þs±ã¢V×/h_ëìË4J#gBó³Ä…¨Ýûí:½ôy­ã~ó•é«©W-ªuuàúàÒã£^N[pa*'õÖÀ+Z“XÁàæකÈ}†J~NZ_?ÿ}þiæxA‚ÂðòÎZÊ6š§Œu£a£ÊýDAEËÿŒåkd'‡Œ®2Õ؇¯
 V°î2»“u=œÕÏ"¨¡
¥}ŨRpÔG0Ò|Ëÿ°Á÷v¯×ã#Ði¹j3ÍTâè(3Z÷†]ö‰6$áHý.ù2rä"Šñ.Q}Œ[ô(~áa¼ô|·g7LÜëèi	GÕzBƒ¤ìò°ôÉy,£–¢€%ÝÞû.îcäG3*Ùºr¢ê.ûÝS²Z°¶¯Üi𥰛‰àò"ë8׊Ê[¬oœæiªÈtB!N²Ma3_#”Ö‘3?z25Q«û%Tb÷‹ºðƒS‰\	”Ë`DðÌø¹Õ"†Ò»K$šù‘ W»P-$Ô"taâ5í.§œi"2a îÎEg|鞢³‹O-,Œ'²Æ¤ùp|’Ì”‹Ò7rž´­‘€µ‘‹Üä!ðvƒŸÖß0ÕBöy\åqýXkÊ€XƒÆ;my»”(~aŸ›{á|±ob’ØÏÖ­Ùxœ=†¤…` Ö罦(h
ö˜85]‰„C¬…ù×UÎu×ÞÃ4]}+7ÄÝ Ú‰-¬ú‹O ›ë}KHE®r¹
çbÛŸÉwO0t©„oµÆuZ¶Rèt•qø’.ùã8M“ƽ7·ôº8m
[lC)¤ŸÙ¾X<‡ø¢ø¨7¢rLÚIQº¹RоR>„OôºˆzMЃ·:¨ “PäkæŽwS´RnBßÆÆ<9Ų|<ø{_À+¾>¡zZL¼³S©6v˜I
  ?0
-tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþ;·endstream
+tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþ;·endstream
 endobj
 642 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 40
 /LastChar 90
-/Widths 1330 0 R
-/BaseFont /QJUJAL+URWPalladioL-Roma-Slant_167
+/Widths 1328 0 R
+/BaseFont /TNRDDK+URWPalladioL-Roma-Slant_167
 /FontDescriptor 640 0 R
 >> endobj
 640 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /QJUJAL+URWPalladioL-Roma-Slant_167
+/FontName /TNRDDK+URWPalladioL-Roma-Slant_167
 /ItalicAngle -9
 /StemV 84
 /XHeight 469
@@ -5548,7 +5571,7 @@ endobj
 /CharSet (/parenleft/parenright/period/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
 /FontFile 641 0 R
 >> endobj
-1330 0 obj
+1328 0 obj
 [333 333 0 0 0 0 250 0 0 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
 endobj
 634 0 obj <<
@@ -5560,7 +5583,7 @@ endobj
 >>
 stream
 xÚí´cpæ_·-[;OlÛ¶mÛ¶mÛ¶m³cÛIÇf'é$·ÿï{öÙ§ö=ŸÎÙŸnݧê©úM¬1Çœc®EJ¨ L+hbod*foçBËHÇÀ³´5ru–µ·“¡²·1üu²Â’
-;™ºXÚÛ‰º˜rÔMM"¦Æ&&#''')@ØÞÁÓÉÒÜÂ@¡ª¤NIMMóŸžRFžÿù{ÒÙÒÜ@ö÷ÃÍÔÆÞÁÖÔÎå/ÄÿñAeSS€‹…)ÀÌÒÆ ,¯ ))' —Sˆ›Ú™:Ú\l,2–ƦvΦ”3{'€Í¿
€±½‰å?­9ÓýÅtœL-ÿ3õ06uø'Dp0u²µtvþû
°t˜;Ú¹ü‹=ÀÒÎØÆÕäýföÿ"äàdÿ7Ãöoì/˜‚½³‹³±“¥ƒàoU±ót±0tù§¶³åß0ÀÞìo¦‰½±ë?-ý+öæoÔÅÐÒÎàbêáòO-#S€‰¥³ƒ¡çßÚÁœ,ÿEÃÕÙÒÎü?ÐœLÍ
LlLÿÂüÅþg:ÿÙ'àéÞÐÁÁÆó_§íÿ•õ?9Xº8›Ú˜ÑÁ02ý­iìò·¶¹¥ý?‹"igf`dø·ßÄÕá?bn¦NÿÅ?;Cù—„¡‰½'ÀÄÔ†^ÎÞåoIÅÿ™Êtÿ}"ÿ7Hüß"ð‹¼ÿwâþWþ—Kü{Ÿÿ+´˜«œ¡íßø÷øûÂØdÿ¼1ÿ¯\C[KÏÿMöMT7ý7Ãÿˆ¤‹áß1Ú™ÿ•‚ŽáßNKg1KSKc€™¡Íßý˯jgbêdcigúWË@ËÈÀð_b*–ÆÖvÿõß!S;“ÿÊü¯<ÿâM¯"­)**Hý__Óe)üUÝEÅÓá/±ÿч¬½Éÿ4þÁ²÷xÓ²0h™Ø9lŒvFßÿMµÁ0þ§-kèâdéÐþÛ2ã¿ÿÿÿ´tÿŒ¨±½É?[¢ìbhgòw±þ§ãŸ°±«“Ó_=ÿu×ÿ6üö¿VÜÔÔÃÔfcÕÞ˜;Ä*#;Ó¥#lZD{h€t,Ô¡¼Y¥¤( Î¾ß?#bŸ³ÚàO}(]Ë,×W§çÊ…Ãç±Õ¯‰tòþ4Ó›B\_bÊÁ¢;dÝìÔ¿‚èõÊá3/Õc¼o—eöÀ´ØÔ~L+*é•ýÀ›ífv‚º}¥ v+
+;™ºXÚÛ‰º˜rÔMM"¦Æ&&#''')@ØÞÁÓÉÒÜÂ@¡ª¤NIMMóŸžRFžÿù{ÒÙÒÜ@ö÷ÃÍÔÆÞÁÖÔÎå/ÄÿñAeSS€‹…)ÀÌÒÆ ,¯ ))' —Sˆ›Ú™:Ú\l,2–ƦvΦ”3{'€Í¿
€±½‰å?­9ÓýÅtœL-ÿ3õ06uø'Dp0u²µtvþû
°t˜;Ú¹ü‹=ÀÒÎØÆÕäýföÿ"äàdÿ7Ãöoì/˜‚½³‹³±“¥ƒàoU±ót±0tù§¶³åß0ÀÞìo¦‰½±ë?-ý+öæoÔÅÐÒÎàbêáòO-#S€‰¥³ƒ¡çßÚÁœ,ÿEÃÕÙÒÎü?ÐœLÍ
LlLÿÂüÅþg:ÿÙ'àéÞÐÁÁÆó_§íÿ•õ?9Xº8›Ú˜ÑÁ02ý­iìò·¶¹¥ý?‹"igf`dø·ßÄÕá?bn¦NÿÅ?;Cù—„¡‰½'ÀÄÔ†^ÎÞåoIÅÿ™Êtÿ}"ÿ7Hüß"ð‹¼ÿwâþWþ—Kü{Ÿÿ+´˜«œ¡íßø÷øûÂØdÿ¼1ÿ¯\C[KÏÿMöMT7ý7Ãÿˆ¤‹áß1Ú™ÿ•‚ŽáßNKg1KSKc€™¡Íßý˯jgbêdcigúWË@ËÈÀð_b*–ÆÖvÿõß!S;“ÿÊü¯<ÿâM¯¬¢(''Cý__Óe)üUÝEÅÓá/±ÿч¬½Éÿ4þÁ²÷xÓ²0h™Ø9lŒvFßÿMµÁ0þ§-kèâdéÐþÛ2ã¿ÿÿÿ´tÿŒ¨±½É?[¢ìbhgòw±þ§ãŸ°±«“Ó_=ÿu×ÿ6üö¿VÜÔÔÃÔfcÕÞ˜;Ä*#;Ó¥#lZD{h€t,Ô¡¼Y¥¤( Î¾ß?#bŸ³ÚàO}(]Ë,×W§çÊ…Ãç±Õ¯‰tòþ4Ó›B\_bÊÁ¢;dÝìÔ¿‚èõÊá3/Õc¼o—eöÀ´ØÔ~L+*é•ýÀ›ífv‚º}¥ v+
 @%yq@ð3NoŠGëAjBn(¾¸$K>{}!ù9>6Ú>xŒCMÊíOà˜‡Ã¯¥ZíIµr’59mƒ.pÉ`Þ?&Éñ„ζÁÁ½S=æî{ƒñp&§;n¯8Fèzeíä4˜¼0€=’Ô}ØbFÖKøPÛý‰*ž|ë*u¡»ÉŒtÆëQg¶Ú0+é›;Xì3|ú˳_~$$1ÆÔt)÷™“¢vî Jaƒ*Ë÷gÑHé¾Îɳo0“³&¶…5­ÁÇeå<,ŽÐüâGæ"nEÏÎ}_°:ÎçWY¸ªûèKH°hϯØga¥@uª“fne¿¾“ßFËãJuÇ<@3ý‹ãnÚ(º†¦7 rh»žÓd#åïú2°t¤ö šuùCq~ÖEn»¼`Õz6sž­ò廃à¯ÍF ÆÆæNu.:,Ãö±®¾Sȯ0Hü]uµxoî»"ž'¤ä³«éi¢'eIä©X¨“T—cðíâðò¨Ë˜ÙK_ï%…‡Œ±™‘¸¯";ÀFßQpÈ“•"¨ÕŒFGáÑu|°¤ξ,~å/_%Ûè
I	öUøÁ2!Äü$|Æ#ö½2Óë{ZöãC^|´l´YAßúëSE¿Xü䨺®B³jötâ*‰õdȇ÷ùÔc>,üæ)7º`Ì'Žª°sSíû.rœ.ßË»"9ÉÊ­ñòw̆d”%1w Ü-®D*’Ëo¦lS‡µ;|‹:û7ê3ýOE|m²UúU?¾ÒMÑr(!¥-€Ùü³´ü»åš„¸»ßò}"‘ŠL _‡°‘Fô¨—†…óOUØ?4o#›d(Ðù“ªdR'õÓåôëQjœtD5tS¿¡Ççà|¤v¾eW¥Ó-œž³ûKDñA¾îúlÙ.ÎdÀ|
‰çZºøªRG¥8LÎj9eN»ÂðeðóÚ·¬ªçc“K<:…±-œâ&ÿ PÆC×™‰Ø
 1±€ÈÔhC	'zšŸõR##¢á݃×nXxþ»\p„¢Y5¸g	þ*iê¿HfròÿLìlÄDÁ}ë«°>î$âà5`瀙¨B:úü©Ï\d½GÓã•OVçy»žˆâŒq¿13’…‘ƒË+”/ÓUYÐ!©«Ù7G’J‰Š’µ/µ‹E[½u=èšãwlâ/ZDvØ×+‡¬Uõ8× ðòÊNx7RÕºÉ`¾µ™XÌT˹j#R“ÛGt/ eÊKÎõÊí.U;’ÊÌi½ÚT19òŸJ*|ÌŽ{ë
@@ -5620,23 +5643,23 @@ wK
 é&È×EGÐ×¼ÌþáEÖöyä^ÜãY;.O4³BVÀ_â¤*ðú®-IP	S¯Õï|œúš¢žÙ£D•IšTUÔ4ÐùŒ†âÅjá’g¼ŠPÓÎyÜ"ïš…(ð
 µxFäüñ²fL6ë·:Ùºù$ˆ©ŠIi´Nl@“'ÉYPÁìpW“Š)È%çäéÄX«w”£—û­¾[œlÌg.~ɰر;+»/yäáEèY7)5’Ùäs+¹š”ëÍÊ·"õâ,ëgßáNÊšŒ8¸iƒC1ºÁÊX×!êïŠ&‰!-ýå÷ÓbH³ÚSÂDÔíT"2'ŽXêEñ=ísk-*iæú7eÚÊ>«DÁwOmJ96!>bˆ,Ïä‡?¸Y7š“'»žž¾ðxý–ŒÝìâÞY`BÞÉüî¼éMù_`ìêɈûúÉšgµ0† Aô¸ÔSn=„8#6a–ß Vn“saÌßmæbÐ0ùÝ» v«içôŽÙ¡+C0Ê"ëE@ZÁÅIÞÍZteµ·Æx£i‰LçžíÞW3¬TÒs7²»?Ò9CvJ7LIE¾B¾1/šóÎFý­×ãw§,ƒ²˜d`z)ØïÜJ2·œ¶ÓžÿTsnÿ¨ª=¼W2£íºÏX*•ÎrüêòÐ$øyßT™4åäG×$ÉEž˜Yj¿ÊÊ«„‡›ùe!Ȇ(twèàyTÊv\P&ÓS'~¦ž¿)×ãYÛeë{Î5©.‘‰MÆ=zB¶OºùÐÚ蔼™_ÊÎl)]_¾Ýòr‡I²wÛPr”ÑÕ^H•dóìîo#’ÜñQèŒj0Q,ùŒKýYÍpV½ž$!^—#jðý%õ³ZŠhŸÍ7/¼bžQ½l¾a¥{‘ÒX%‰ZT,Ý´âÎs:™Dû´x[§¥ì®ýŠ³
U·ˆpÆ?Ĉâš«æŽ!“²}@î— ¬=FAÏ=™ÛJA±åŽ$†óvÕ£Œ€Àžš>¢ƒ>Šbì{k*9é&Ørï±·¸ÇXJ_Õž
 õqå$J*ˆ×èã3²û…s-dÞ,ªUÄrÿ£øc-þ—n,ìýXêŸ]90ÜÎ+â1éW,‹Òç©"={LSœý©ÙDY$
šHʾ&Œ9êe+Ð툂4wP$öXyßÝ›@4}{¡+/@Œ÷Ðþ
È
-•”P'DÔ$*)	Â|%“<ð	+ÐVƒ–8'A^PDÿ—?˜ÿàÿÆ6¦†N.ö¶†NÖ0ÿ"¦§nendstream
+•”P'DÔ$*)	Â|%“<ð	+ÐVƒ–8'A^PDÿ—?˜ÿàÿÆ6¦†N.ö¶†NÖ0ÿ]j§‹endstream
 endobj
 635 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 34
 /LastChar 125
-/Widths 1331 0 R
-/BaseFont /TKYEEA+NimbusMonL-Bold
+/Widths 1329 0 R
+/BaseFont /STQNNL+NimbusMonL-Bold
 /FontDescriptor 633 0 R
 >> endobj
 633 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /TKYEEA+NimbusMonL-Bold
+/FontName /STQNNL+NimbusMonL-Bold
 /ItalicAngle 0
 /StemV 101
 /XHeight 439
@@ -5645,7 +5668,7 @@ endobj
 /CharSet (/quotedbl/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/semicolon/A/B/D/E/F/G/H/K/M/N/O/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/braceright)
 /FontFile 634 0 R
 >> endobj
-1331 0 obj
+1329 0 obj
 [600 0 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 0 0 600 0 0 0 0 0 600 600 0 600 600 600 600 600 0 0 600 0 600 600 600 0 0 0 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 ]
 endobj
 631 0 obj <<
@@ -5657,7 +5680,7 @@ endobj
 >>
 stream
 xÚ¬·ct¦]Ó-štØ1:ÖÛêضíÜqrÇ6:¶ŽÑÛ¶m£c[§Ÿ÷Ý{{¼gŸ?û|?®1®UUkÖ¬šµÖ‹œXQ…^ÈdÙ9Ó330qä-m]œä@v²ôÊ@sÀ_#;9¹ˆ#ÐÈÙd'jäähM¢@€™‹‹Ž ²÷p´4·pP©)kPÓÒÒý—埀±ÇÿôüÝédin øûã
-´ÙÛíœÿBü_oTÎ@€™¥
 ¢ ¨%%/ ’WH퀎F6EcK€¬¥	ÐÎ	H
09lþ½˜€ìL-ÿ)͉á/–Ààd4±ü»
èn´ÿÇE°:ÚZ:9ýýX:ÌìœÿöÀ°´3±q1ý‡À_»è_„ìA#lÿúþ‚)‚œœL-í³*ŠŠÿ›§³…‘ó?¹,ÿº ³¿‘¦ —Jú—ï/Ì_¯³‘¥ÀèîüO.c ÀÔÒÉÞÆÈãoî¿`öŽ–ÿ¢áâdigþ_èŽ@s#GS “Ó_˜¿Øÿtç¿êüoÕÙÛÛxük7è_Qÿ‹ƒ¥³ÐÆŒŽ™åoN翹Í-íàÿ);3€™éßvSûÿés:þ«ATÿÌõ_F¦ ;€)ÐŽQäü7%€êÿNe†ÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ!þÿ{žÿZÜÅÆFÞÈöïüû‚ü½a@YÀ?wŒ‘ãÿ+ÜÈÖÒÆãÿ°á?5€ÿ&ùÿ#ålô·Bvæab`ú·ÑÒIÜÒhªhélb03²ùÛ©ÙÕìLŽ6–vÀ¿Šþ«™zf&¦ÿð©ZXšXÛýÓzö»€v¦ÿIþ¯Hÿ¢Î¨¬$&§¨AûŸwê¿¢ÿjï¬êaÿ—Øÿ(Edú¿ÿ`ƒÜ^ôO =+'€ãoÂïÌÌ>ÿ‡lÿ‚aþ¯µœ‘³£¥;@çoÉLÌÿ*ü|ÿµÒû1;é?³¢âldgúw¼þ—á·‰‹£ã_Uÿuâÿü?×ÿt Ðh·²2á	¶JËLw®ÆÊÕéíf†±/©S-Ì÷¯uù¥…msU¾U…0ÔOr´x,œØ¿ïKÓwcÚPv¥/~âûR÷ä£nP´qÒ2ê— ¦ŸjDy]ÎËnAjs0©ìŒ+)ë¿AL¶±:Â^>Rû“ºæû#{°Gò5I­ÅhG©C«.89¥Hüóø@Ù?248Ðu
Õ³G›û•œÇ‘"Òß!O@[­Â+œ:½ïºõòƒH£ÓK?œ—,ÂVöEÑüçª]«ì[Tz«o¢œ£dóþ/MÌ«ÙÉH^¡ÄI®™ÜÏ5r1',Þü‰ Þ›ik² ©L˜ZÂÁû/WT½Na^Õ¶•4/=H¹sCSJí%µnMÐûäLôCá.¿DšíÈ=u—„e,€o¥Ùav±ÉýóÆ|mÝ3ÖU§²¦¹zŽÕ™ØŠ'¡ÇÇ
Fõ×¢}²ƒA
WÚòc’¤E§Jm¾‘®½xdñeî°Ì‘š:ð¿ÓîëKÔÚ›dçT“†;‹Z[,ð‚³ÅÈ|¹ÂÈâH‘0ç²FCu>OúŽ2Ü7íÐÒ*Ž<¸ôc’ÀMÏý/i°Ê’ÙÙj0¶Q”ß6>j²VÅp—¥GW9¼® Mf…ñðÅbFéÿh{A†Ó­³c§ßÍ{š#ñs€²~Õµ~D‚ðD5‡‹æmÏÀ¹õ®ƒw RŠˆr±$ÆB¿˜­2.ð#œî@[„`9t<
+´ÙÛíœÿBü_oTÎ@€™¥
 ¢ ¨%%/ ’WH퀎F6EcK€¬¥	ÐÎ	H
09lþ½˜€ìL-ÿ)͉á/–Ààd4±ü»
èn´ÿÇE°:ÚZ:9ýýX:ÌìœÿöÀ°´3±q1ý‡À_»è_„ìA#lÿúþ‚)‚œœL-í³*ŠŠÿ›§³…‘ó?¹,ÿº ³¿‘¦ —Jú—ï/Ì_¯³‘¥ÀèîüO.c ÀÔÒÉÞÆÈãoî¿`öŽ–ÿ¢áâdigþ_èŽ@s#GS “Ó_˜¿Øÿtç¿êüoÕÙÛÛxük7è_Qÿ‹ƒ¥³ÐÆŒŽ™åoN翹Í-íàÿ);3€™éßvSûÿés:þ«ATÿÌõ_F¦ ;€)ÐŽQäü7%€êÿNe†ÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ!þÿ{žÿZÜÅÆFÞÈöïüû‚ü½a@YÀ?wŒ‘ãÿ+ÜÈÖÒÆãÿ°á?5€ÿ&ùÿ#ålô·Bvæab`ú·ÑÒIÜÒhªhélb03²ùÛ©ÙÕìLŽ6–vÀ¿Šþ«™zf&¦ÿð©ZXšXÛýÓzö»€v¦ÿIþ¯Hÿ¢Î(!#¦..AûŸwê¿¢ÿjï¬êaÿ—Øÿ(Edú¿ÿ`ƒÜ^ôO =+'€ãoÂïÌÌ>ÿ‡lÿ‚aþ¯µœ‘³£¥;@çoÉLÌÿ*ü|ÿµÒû1;é?³¢âldgúw¼þ—á·‰‹£ã_Uÿuâÿü?×ÿt Ðh·²2á	¶JËLw®ÆÊÕéíf†±/©S-Ì÷¯uù¥…msU¾U…0ÔOr´x,œØ¿ïKÓwcÚPv¥/~âûR÷ä£nP´qÒ2ê— ¦ŸjDy]ÎËnAjs0©ìŒ+)ë¿AL¶±:Â^>Rû“ºæû#{°Gò5I­ÅhG©C«.89¥Hüóø@Ù?248Ðu
Õ³G›û•œÇ‘"Òß!O@[­Â+œ:½ïºõòƒH£ÓK?œ—,ÂVöEÑüçª]«ì[Tz«o¢œ£dóþ/MÌ«ÙÉH^¡ÄI®™ÜÏ5r1',Þü‰ Þ›ik² ©L˜ZÂÁû/WT½Na^Õ¶•4/=H¹sCSJí%µnMÐûäLôCá.¿DšíÈ=u—„e,€o¥Ùav±ÉýóÆ|mÝ3ÖU§²¦¹zŽÕ™ØŠ'¡ÇÇ
Fõ×¢}²ƒA
WÚòc’¤E§Jm¾‘®½xdñeî°Ì‘š:ð¿ÓîëKÔÚ›dçT“†;‹Z[,ð‚³ÅÈ|¹ÂÈâH‘0ç²FCu>OúŽ2Ü7íÐÒ*Ž<¸ôc’ÀMÏý/i°Ê’ÙÙj0¶Q”ß6>j²VÅp—¥GW9¼® Mf…ñðÅbFéÿh{A†Ó­³c§ßÍ{š#ñs€²~Õµ~D‚ðD5‡‹æmÏÀ¹õ®ƒw RŠˆr±$ÆB¿˜­2.ð#œî@[„`9t<
 ®;-¸9"LOlñøþ¤(™è›‹¿üfg†"©jĮތòBô€Úbš‹©Jÿøq²9ˆ³<®aÁGL…žýÍ1¢€’tgÆ€æéŠdªjÍ!b‚è`{*³Ñ>vçîóƒË|û·UBtOrÀ'v‡”ѳªã8~»%¼È&#Xúå9VÔÅn
͉$xܹ†ÌK+t†õÆ”S39h–‚Ñ_0t.Äý×®)Vü6]æ‘£ô)—ôÚ¶‡QU<ñQ`ÛfyÜd!ÄI{—9Í°Êz=,_*#”„-wS¨F‘ýþj‰Á#i‹³g¾}Õ.bê%aòàáøˆ¥3Òä°UI«QÕ>›‹¼µÚê©u?ïA°¤†æ6'¡wd^χö%c?E!Osõ±ëÍ“F€àíÁ¹¬+ËÐÝSa[?ò‹LdH²'Ä™ÊÔË(*¯¿ãÄ^ǹ„æ–1©´±ó¾¬þ²;l…!j_lŒ‰ƒBQÖ©k‘7s|Éõ«:¢­…eá0O ÙËÛôOfC–ôBÙßÕÐÒe/ÅO?žRà²ÜÇ®¸¢u¾,ùÊ«.ì4ð”’áâ·×6ŠmãT*´Õs	Óî”ì
 ³@bSiyäÚK`G¡á›ÿAgýª¬×‘	Íàì1 ÜSW©Îƒóyl3>ÛúŒ#žÞë˜øw3Ëȱ¬@"%ÓZÏæ&k]}Ö­¦Ç4¶ò´!oaQ™ý\–«Wløeû
ð–§j&!”Eö¼ì»Ã=åXA|nód5ÕR©›{eÿ§ÇBÒE9ÌĦçÇRÜàå®\ñEÞó`Ø4†iiž°7Ùµ©.CÓ²ï¢Ç,ê±Æ×uNžÆ,ûîü]L›ëMpqÖyZ:D?vþŒàËwàƒÉpçYÂ	%QX‚üT	¿Tàš6àÀüµp]HUûnã/Ž`oæW‰þýÖ”d·=ú€A&ú4è7½íïçÄ„ÏÑtžU¦Á‘ƒ	¸T62{AIÝ#\¯™C—´ÆS;7¨©rðlËw6à(à/ÀX=×Ñ@®Æ»dƾàcŽÅIn£i½„¸€éåç³À¢àU=Yõ¿˜[¸sQÿ%Cÿ‰t–#¶&¥±AHe;ð‚°x21gw(éDüŒÅ+X“³÷º*5{ÆQÁmôÊÊ,¶ïõÝŸˆ"rÔá}ºÏ[.Àã#îf!or³†@ú@z÷ê|]Ð"i<ÖwùR*°ˆ}—£…ÐCW¦X%= ›%î#
 e˜žPŠ†ºTŽ”oRÈJt¿¿˜òä:7iûCì~7„D|?·Tÿ	½ÔHt…:êÕ`²ÔÞü'ïX=…ȇÚ	‘žç—¹X	òþhr6É׉¬Šä+Ki´´
@@ -5722,23 +5745,23 @@ Bc
 ŒnÂïqÝ“äZÆM"%3wöšžk×éÔ´—~«û>W–ûÄÇbèþ!ÿ¾@¾Þ§.8pO§’]éDÜÄùû/ÏÇ­ƒzöb7žpÜü¶ny"KÌD¶<£1#3—±òðó€Ô5ï©ø¸2@Jh(C¨ô,ð0¨ŒK

 O\‰Ù)¬U°Î®ø+²d€,…•ÅáxÝ2mïË¿¯5Äž&‘=+3–ˆõn&•çV8h·~êåwŸÚ²ÿˆTÖÿþϨLÚ~¨Td¾#c¡¿{%õ R|ö–ïé×Üsîý¦„_[ø•-®ªÉ–þÒ4’b'ŒÔ)ˆñ™Í§HéSuÝÓê:V†ßá×äçNG‰=Žñ#*¯îk-ÌeÖL‡*~Iý$¥í˜Ÿ½dÊ‚Šj,ä‚@_¥þËEÆ*z|2Yðc€ƒh˜Ï¸Åç;+¼ÛÃý¸/TƒÕ›Î©doFÕn_e8„j(Ú— ü™¥ÇÔø2[=‹÷‹I‰éÊ<„qn…Àòz¾C;
 üù %:à`¨_¿.77•‘CÉÒâÐ_™í¡Ðà04~39jbÑ®ü›&Fï©°ío®GãV&mdRç–ÈëSUoƒ„‚úmZ|ÃнKÐRõÁÄÅgÁO¾/φvb$eß÷•Bf^ŠàŽÚV@ù.ä>Óͪ‡¶À‡>esÛŸÅT¢:(8'öÛ¹oˆŒ5ׄû{‹Tûzã d(6t!V\ó¨½W-aXÜišæ)Áúºû(”˜ºtëWfzÇ̓¢ëû:<­Ûý-bŽÃšÎ–¶Ÿ–1’IîYz<©§$ð÷ÅGŠ¸ÿæ¬j©1XC¨ŸzÝÀ}1«"ªˆ'xÆ"m,+äôdiý&x,«\wä‚j´k· P¶_zjë$ˆ¾‰'Ìx3”'M’>Ïð|ͳvÞ¾æ´3Ù3jhœªƒãü¹€ru¤†àÃy#‚µ¨et%žŽôçÊ	NÉÚ
Ü’JšøVtûŒÕN©õðKuGJ©`ÉíVq‚¡b4XP×d"S×|О­†¡·po_ó•à²È€,™r*õQ„!™]›±¬:CZ'¢ƒüQiñ²ü®fR£ê©rŸâ"fÅÄÍ]­'¹&>b—"„âr$#cC7tïè¶kÒô”­ìX{.[	½×OP
-H?›qtÄ'Ê—¸õ7RïàýZ$?¤FÝîc?e
IŸöãõ}unw°¿ìpd3<ŽéæË\ðþLøkÝ|hÛð‡œ}26šËèm’¤¹Cíê®—ìõª³¸µ¨Ã;á]Ëý@ˇ^¼ÌÒûNÕ—ª#]c—ø¿(9”CúݵB¸
_“Ôáé‹<§\!±$õ6F]ÞOð´¢9#ËÌ`Kv¾ì®¿‰Îj¼8ƒÒ•ƒoq±—Ž@ÖÐò‹›k¾'ÅÇ–³Øë^eƒÂþsˆ¸Åk\X·È.,0%+ IvâOã¬ÙbWÀü}Ž\Iššˆï7–îð‚܃‹Ûd¶¾…›´26FͺÞ+[XÜñž¯Õ8®vÃͬ”.™rʺƒ[[lø¿ìݸ‹ù¬ljuVãvGï½®êšZZîšiÿ2Öp"%'®«k¨!!z;y‹Óu£ÄH§;Âæ÷s‘5.C4†ANŒâ¾Ð-ˆ‚*û*!Ú¼DP¦IfþêG–ºp-¹ÈXšóÊHÉÁ£k˜—²‚%3ÚsO³¹× þÆíÕ ŸV-å	s5ÔßèŒÂ ²X6ÅÎb>oTíAÓÐu•öƒ€òÜë½%_R`¾¿+“÷Ô§j¦KBi~ç›uFyLþª+Ýœt‰6vÎýM}`ÐeØ\"ÕÞ.ÔôãÊ„£Ôòe”›„	8ï5Ùª¼üË*-/Oe…¬øïñk±K6‰òA<%ç¥ãÖX'Þzž¦ÈtBXé–°¿yRf¸æ—Ÿ{”†ü&GC¡!Ýe÷AŸtÏF
}¢ˆgr ßKÊÓ›ôðŸh¥L±¥­ç”:G}Tì”´EÜ_U¥þÖÙ?ù&ü?à¿Š¸u'0&\ø?ËǹÌendstream
+H?›qtÄ'Ê—¸õ7RïàýZ$?¤FÝîc?e
IŸöãõ}unw°¿ìpd3<ŽéæË\ðþLøkÝ|hÛð‡œ}26šËèm’¤¹Cíê®—ìõª³¸µ¨Ã;á]Ëý@ˇ^¼ÌÒûNÕ—ª#]c—ø¿(9”CúݵB¸
_“Ôáé‹<§\!±$õ6F]ÞOð´¢9#ËÌ`Kv¾ì®¿‰Îj¼8ƒÒ•ƒoq±—Ž@ÖÐò‹›k¾'ÅÇ–³Øë^eƒÂþsˆ¸Åk\X·È.,0%+ IvâOã¬ÙbWÀü}Ž\Iššˆï7–îð‚܃‹Ûd¶¾…›´26FͺÞ+[XÜñž¯Õ8®vÃͬ”.™rʺƒ[[lø¿ìݸ‹ù¬ljuVãvGï½®êšZZîšiÿ2Öp"%'®«k¨!!z;y‹Óu£ÄH§;Âæ÷s‘5.C4†ANŒâ¾Ð-ˆ‚*û*!Ú¼DP¦IfþêG–ºp-¹ÈXšóÊHÉÁ£k˜—²‚%3ÚsO³¹× þÆíÕ ŸV-å	s5ÔßèŒÂ ²X6ÅÎb>oTíAÓÐu•öƒ€òÜë½%_R`¾¿+“÷Ô§j¦KBi~ç›uFyLþª+Ýœt‰6vÎýM}`ÐeØ\"ÕÞ.ÔôãÊ„£Ôòe”›„	8ï5Ùª¼üË*-/Oe…¬øïñk±K6‰òA<%ç¥ãÖX'Þzž¦ÈtBXé–°¿yRf¸æ—Ÿ{”†ü&GC¡!Ýe÷AŸtÏF
}¢ˆgr ßKÊÓ›ôðŸh¥L±¥­ç”:G}Tì”´EÜ_U¥þÖÙ?ù&ü?à¿Š¸u'0&\ø?﹪endstream
 endobj
 632 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 33
 /LastChar 125
-/Widths 1332 0 R
-/BaseFont /RQEMPW+NimbusMonL-Regu
+/Widths 1330 0 R
+/BaseFont /GKEVFG+NimbusMonL-Regu
 /FontDescriptor 630 0 R
 >> endobj
 630 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /RQEMPW+NimbusMonL-Regu
+/FontName /GKEVFG+NimbusMonL-Regu
 /ItalicAngle 0
 /StemV 41
 /XHeight 426
@@ -5747,7 +5770,7 @@ endobj
 /CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
 /FontFile 631 0 R
 >> endobj
-1332 0 obj
+1330 0 obj
 [600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
 625 0 obj <<
@@ -5760,7 +5783,7 @@ endobj
 stream
 xÚ¬zSx¥]·eœTlcÇv%©Ø¶íìضmÛ¨Šm£b£bÛ6»¾ÿïÓ§ŸÓ}Õ}.ö~Þ5Çœcb¬µö¾xɉ”éM쌀bv¶ÎôÌL\U%uCkkC;zIgCkÀ_3,9¹°#ÐÐÙÂÎVÄÐÈPšD€Æ3''',9@ØÎÞÃÑÂÌÜ@õ—ƒš––î?-ÿ¸Œ<þùédaf øûà
 ´¶³·Ú:ÿ¥øTÎæ@€©…5 ,¯ ))' —SˆmŽ›Pp1²¶0ÈXm€ÔS;G€õ¿c;[‹ZsbøË%è08Ù-þ†Ýöÿ@t{ £…“Óßg€…ÀÌÑÐÖùïœí¶ÆÖ.&ÿð×nj÷¯‚ìíþzØüÅþ’)Ø99;;ZØ;þfUûwÎæ†Îÿäv²øìLÿzšØ»üÓÒ¿°¿4QgC['€3ÐÝùŸ\F@€‰…“½µ¡ÇßÜÉì-þU†‹“…­ÙV@pš:šXœþÒüåþg:ÿÙ'àëÞÐÞÞÚã_Ñvÿòú_5X8;­M`™Yþæ4vþ›ÛÌ–ñŸ­"ikj`fú·ÝÄÅþ?0W ã¿DõÏž¡þ[„¡‰­µÀh
-Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1À?—Œ…ñÿánhcaíñø¯žêÀW©4s±6tü¯ð¿émÍþ*BÏÉÀöo«…“˜…;ÐDÁÂÙØ`jhýwVÿ²«Úš­-l5ý×8ôÌLLÿS1·0¶²ýgølÿ†€¶&ÿµü¿2ý«xFMEIÚÿó^ý—ŸÂ_ýU<ì€ÿ™D]ÖÎä-þa²sxÑ3s0èY™Øþ»¿ó;³Ïÿ%㿈˜ÿs-kèìháÐfb`bbüýþÏ®tÿ¨­±É?;FÙÙÐÖäï&û_†`cGÇ¿ÚþëÜÿmú?ÖÿÚî@ ;ÐveÑΘ;Ø2=+ù+ohBD»¿—|(ÄþWƒJq¡µ]_zø6g…Á{MCã×g›ÇŸSû})šƒ‘^LkÊžTàe¾)u_!ÊEíA £Þ/„Œ3õh¯«™--v&µƒ	E%½ŸïPS¬Ž0WOÔþ¤®…þèdöˆ¾ÆiõqÈ ¨µE§gIÇO”¿G‡‡{n ûöñhs㾑s»B PDù;äâñk©–‹V6½8mN¨Œ Ávìòø›½ä´“[¬{[Ëû^¬jÄî
Öæð¡'¦E½à3õ%­µK$cÿŒæ^55`wzý´æ]ŠÛê{ÌFx9].òn1[Em™QBÏ•[ï¹öضé3MºÔí¡v»ùV¹\¢ ³*2mjVöˆ¨pz/’]6r
w™ÇR‚I%Poýpc75ÈÔ'¶ÈhÀƒW7JUϳ`K¡$¥ÀsÎ<Ä7:^ƒÉXÖë}†¿?Gæ;¦D»Ëc|y´—GðCK”Ï?eñ!AÊ¥c£VÖnPW±6HãÊQ9+–hh8©SfŠŸ0gÒËÑÍÁýh7F(Í¡7öؽŽa¸Z®/„y®I­1‚ÐÖÊ®kZºíRø»ÓÐð±‰ÌN²NNÆnôâT7%ÿÑ'ϳ7i"Å
+Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1À?—Œ…ñÿánhcaíñø¯žêÀW©4s±6tü¯ð¿émÍþ*BÏÉÀöo«…“˜…;ÐDÁÂÙØ`jhýwVÿ²«Úš­-l5ý×8ôÌLLÿS1·0¶²ýgølÿ†€¶&ÿµü¿2ý«xFIQyÚÿó^ý—ŸÂ_ýU<ì€ÿ™D]ÖÎä-þa²sxÑ3s0èY™Øþ»¿ó;³Ïÿ%㿈˜ÿs-kèìháÐfb`bbüýþÏ®tÿ¨­±É?;FÙÙÐÖäï&û_†`cGÇ¿ÚþëÜÿmú?ÖÿÚî@ ;ÐveÑΘ;Ø2=+ù+ohBD»¿—|(ÄþWƒJq¡µ]_zø6g…Á{MCã×g›ÇŸSû})šƒ‘^LkÊžTàe¾)u_!ÊEíA £Þ/„Œ3õh¯«™--v&µƒ	E%½ŸïPS¬Ž0WOÔþ¤®…þèdöˆ¾ÆiõqÈ ¨µE§gIÇO”¿G‡‡{n ûöñhs㾑s»B PDù;äâñk©–‹V6½8mN¨Œ Ávìòø›½ä´“[¬{[Ëû^¬jÄî
Öæð¡'¦E½à3õ%­µK$cÿŒæ^55`wzý´æ]ŠÛê{ÌFx9].òn1[Em™QBÏ•[ï¹öضé3MºÔí¡v»ùV¹\¢ ³*2mjVöˆ¨pz/’]6r
w™ÇR‚I%Poýpc75ÈÔ'¶ÈhÀƒW7JUϳ`K¡$¥ÀsÎ<Ä7:^ƒÉXÖë}†¿?Gæ;¦D»Ëc|y´—GðCK”Ï?eñ!AÊ¥c£VÖnPW±6HãÊQ9+–hh8©SfŠŸ0gÒËÑÍÁýh7F(Í¡7öؽŽa¸Z®/„y®I­1‚ÐÖÊ®kZºíRø»ÓÐð±‰ÌN²NNÆnôâT7%ÿÑ'ϳ7i"Å
 HkÑò¶ xÀΙsTºÜºíF¥$_2à¤ÝéØæú¢úÆÒ†êéÓ÷j%ôÜvk†Êœæ%¢d` ;ÝSêdù/áÉ]‘¶S¡¼ÀËÒKa÷Ï
ëö³‘#&[K^˜µ+»UTƒdak¦“Ÿ–fUX©u¢¸5ÐJçCL8KÔR®<‚öwm.¦LË‚&ØwLCœ¾a!~6]íeîkZ77º?ž†,˜ˆÁóñ0a£%Æà
 
 \P3ÏØ©®â%ª«Q¶°sy1*õŸƒð3›Wž®õ;7 K³y²mÇZÉh\HÐçãîäÑ|Àÿ´_˜D®á!)?¬oöër$q0>°±ÏO„…£b{m㔿/£HŽç,Û»MEr2ï©Åèg(ãw„†Ó¤,DûJ.pW£?W؃ð›'HÂMcÕ‹~[5
j´iÝ "£õëÈbýN¿”òà–`˜ä§×ÛÉ™ÍeÒÔ“Ç먄lŸyú¿ýw¬ª±›ä»~¤J!“A=ÐÃé8êâ N1&ƒ¨8#vŠ:ÚQ™¡ù 0
RÛ¤T(þ×ût„Í$þbwF˜ß®
7)ÒZ¥ëî±´X¾;dãQ¡ÅC…sNÏÚ‘!jCù‚#XÎäüÃ_Ä÷
 €mK1”£»ãß:¹Õ˜z_#å*’Ðs,b½“o&‰ð]ÎÎì†Ò¬¦{˜±ãxÂZ©–\å.ÉÉq™5í—]Í_ãÓ~wX~˜½UÖ"bg¬%Ì—ÊÉbÙ¶Õ¾VÂ3a¾$þ—ì!íL;ENLãÖ[µô(ÁzŠþÐÞÂ
:\¦oŽìÿÞÉðdþÌn¤j’Pïn‰“Ì{:}*PDvŸw*[ð@9‚»pR¸ÿÍ‹°E²(oh~÷ƒ¸hkå……DÛ–‡[ÒÆ¥oÖ™ziUèɉ±-Ïòk^Mï•ôÌ,öêf¬”ñx”ŸGS6»æÐ>²+5XÛ•½åfìÔm·ë×®þv*¦Øp	ëÔ,ÆêWàÅ{+"‹ÜV¦Å—iÂÿÆ6ë,Y¶ÍSßl£ÐãìÖH”þœÙ¶‚;»£:Jb†öÿcÂ2üâ'
í½dn”»†õ¥ÂJz]è°^kSâ…v‡Æ¤>fÊýQÌ’Ñ飺˜N•½º%ÞAäÙiÁO…Ûoñ­¢/ÝvÙŸHMpÿdÓ.š8yиæâ<·ûÌTêüÈÏöé]øÝYØzÔ0óYJöÊVêôøÿ¦/=¢W"ýÓ:Cè¡Êà^+ósZ…íôqÜvOø$ÕiÚøVýq${zìxŽÊ«Q‘c²ârÞQ¨Uz™F`Ô4ùjþ1gæ\xEŠ	„ûɘÄEÕ¬«‰~*U;³Ù ¿É›
 Ô0a¸­¦û[ßÅräÛ%Ó\qŸž]£÷Àëð|O-FêkÞ‹³€'‰Qö.ÊÂTqëÚĵ¦Îš)RžcÀ¾ôßØDã“V¶¢Ååž5yÔLùR„wOƒùͳ¬¯ãƲ¹ûx¥óuj2a™	dêMèaÁxö³]&e9õ};ªÄqÜm–íʳì $j´’V¢_yŸ¹6€W3‚èíRõѹc§EsšN1}œÇ‹”Çžácž!\°­1£,,ᄬ¨\XMÔ›ÖÁ€DÊŸ&ë«~9F=Þ'KJk®©YGŽ¿¸éís¬zÖÃÔcü„Xnú°à¬KNT‡E}Í®¶ˆjYMr5†Ò™NgeƒËÝ
˪òÒ •õ¼š3÷1¨vypæËj6µ}åI_ói­EÅÎq¸'½ šþñ+„žb2ä÷R…‚¶~UÞci„eù‹Pz©k!ïÊ×2oˆáûv)³!>­ZJ®‰ÙGj]ÙîWðH:‘”·Y«äMŽ˜‚Ïéì©qîmuëO#/3K®ÈíöiEpë×3ä‡ÔO@â0¡á‹5!³ÑŒ¯
Ü8ßï;*UbÊS”ßÖq—2,Â#h=ÕMx'üÁROª…ÙB!É<Áq	ݘ87¥3üB$ò:ÿÕzÆOE:óP¶%õŠkÄ´{@æÿíÿ€ÿ
-ÀÝÏói<ÐÿiŒö?±ª³endstream
+ÀÝÏói<ÐÿiŒö?oª¥endstream
 endobj
 626 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 1333 0 R
-/BaseFont /YLQDTI+URWPalladioL-Ital
+/Widths 1331 0 R
+/BaseFont /PIEPOL+URWPalladioL-Ital
 /FontDescriptor 624 0 R
 >> endobj
 624 0 obj <<
 /Ascent 722
 /CapHeight 693
 /Descent -261
-/FontName /YLQDTI+URWPalladioL-Ital
+/FontName /PIEPOL+URWPalladioL-Ital
 /ItalicAngle -9.5
 /StemV 78
 /XHeight 482
@@ -5868,44 +5891,44 @@ endobj
 /CharSet (/fi/parenleft/parenright/comma/hyphen/period/one/two/three/four/five/six/seven/eight/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
 /FontFile 625 0 R
 >> endobj
-1333 0 obj
+1331 0 obj
 [528 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 0 0 500 500 500 500 500 500 500 500 0 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 0 944 722 0 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
 endobj
 615 0 obj <<
 /Length1 862
 /Length2 1251
 /Length3 532
-/Length 1860      
+/Length 1861      
 /Filter /FlateDecode
 >>
 stream
-xÚíUkTgnõJÀ+Å€€¸
-æ2@	Š&(’–;*R’		$˜$ (‚€`P¡r¨´RZ/ÀËÅ`EÁ³F„‚Ü4
-& X¹ê
-ºè±KîþÚ³3æ}žç{¿gž÷;ç33ñô!ÐÙH0ìŒÅÒ'7ŸC ‰dœ™™
-Cb"܉aÚÛƒ]€T€lG£iT;œà„„G¡¼®°púlQdÐ0ÊcABÀ
saÖƒñ„ŃÅQD€ÎçÞ‹+D€7,‚ÑH˜MÄ Àæ±Ä@0ÂâH‹Ž˜BØ-ÃlIø;*FE˜)À3ù€Yd#B~À†98’;‚ícNþ¦V6w–ðùî`±ýRJâ!õVÂ%bÜ6Œ
-WJ}áesn0›'¬d™bˆÏcÑ…!| €6D²5u™à‰œyR˜íɳ¸â‹à%²WZÁâ[2Bró£û»ìµz;×%Òâ	Åû£Âa€ü^½Tƒïk,%”'ÈD2Ä„Øûî+pÅf{…,„͆ª-¡(…ÃNVQà	Ù°€¥˜cQˆˆ±%Í1€ƒ ¸Å±‚Ö‰ÅCY|˜µ85ñ"»LPR0–9üˆLÁ0bÁ|˜óGØú-¼<ô÷¸-†Cè{ËXa">$â.ÁŽÁ@¤1Š=@°·Å~m;;ê±²$(
-ÅKg‹ÿ]Íáa#ƒa)ÌÂõv#,‡¤Ð¼êäŠØ½çïüðIëe[¥ºW³Ù¯66ŸÇ>æC=çe".-V^=!LJ)ô¿`9œÒE¯d¸§5]¢{ñjZQ¹_V<µ‰ØãƒJL“­yme>Ê”G<]ðÒÖ„>:ûí¶í½ÓÛâÚtαUÿósƒÝÚ-½OZšn¶ë½ 9ðá&|ÔÀ“έ“µqy7v²&nßwezâEÎiæ
-Ž£vð44ûȉT(¬¼Fè-÷TÊ£úìùõéMҧƩ¦)fÏ[}Ê¥3i±†1¿Ý
-×ÄßMË(žùÚC×d̸>pGžtCIÊŒß×hìjÔöÈšûjs›•»ì“ò õªK#µí¡üR¦¼Qin.‹}Q…Ôäïyñ}ýιøŒcÄ/«OzVZ/×î®×uwÝëuÊ|Y¨åÞ¡‘Fq“\•ÕrOŒ‘ðÃã6Ýwö•>Š| cðÝ×^5¸ÈùµFFËðàñëá-SY—‘ùW_1W—¯•Xl•\ŠK¤õ«nvvTã‡sb™“Ì4½Ük	0Žo_eÙ¼QV§×SsV&ïÓ1ÖìWfEë)Ld•â çŒölfz†g »—ß—q‡›ó’=Ÿ«Õ}/*ž•!gwŒmIóU'3O´¾œ°šûhÓ.u•ú¥šGÁ—mf
-4éåg׫˜
-$§ý&Ãïâþ.nar67z*õÜ?L_Æ
þ>ùýÆ¢PÂO1–CÈ-—외7ƒ“eÜçJ:‡ê2cb¯ý¸]ROh$Ε%µ+×<Åß´êôwy@1ŽˆË:1fâ©¡ëQ.»â  Ps]·P2»Ã&ÂrþY©˜¶Q?õÌ×ônݱgòcíËÞ#§vü¤¦XJZ¿«ÙÏz0]}`ӛ̃Ï;ú¹Ÿ„ýMwÖOý*"oþÈ°ú¸ÊCÖ'¿Œû0¿Qúƒà÷¿•NF¬Ï¿vK~MNt&´N´öß*²¥*Ž>œT^¯¼1&i¸é`.#)oS$œÉb”æù^üQíź¢²x\ÕÔØS7Ÿ4(Z‡î)ª>¥Í£œgÎã“•¥´Ï}\~£Š9'é/þ~Šô&±û…F]«Ô¨Ì—Q•25]¢Õúf«gVûÇ žlÎÊ’A©^#qi&iö»û
wìáÌ]øMjß²nÜW‘c¯ãÒ脳üXçéÏw›w¿ææ?;®“".bà×ÜW­R©O…ÓîË+ƈu…i~ußU¨LIžÜ’?t½±b×Á"‰·—
¸EèFi¬‰Ï‹:"<æº$9
¹	9îò+ÑäÌ'¥H±_«N9¾¸'沨{mÔVÓx篩ŽG»ÖÍܽ§ÖÊÆ\U«b4ûtïv:—ê¶.Ô²w·Üu¢_Ó’óÛ4^ù7‚ß¼tÍ›
‰ˆINzàxwÁv}ÃuÙFûH~>¼iÿ„úpv«× íøT6žßt˜)P<	‰9oòã7ÑGT#k#FékÑWÕÕ9ÝÙ•ìëj:×.M9£œÚ¸³½›pbW¶Çcæɾ/®g4úçäZ«“ÊcÙ¡õ6hÜ!Iϱlo^·`mPonçòøàþßà¢vuC¨@hî_bGþbendstream
+xÚíU}8Tùß­gYC¯VC¨Cײ4/gÖ(eX™ÍË ¢dsÌœ1ÃÌÎÌh°áb±"D£bó6»Y»½àâzi´)zn“XòVS4C´y­uêi¯ýóÞ¿îsÏùç|?ŸÏïûûœÏ÷÷à‹°x°8Š8ñù€Ïâ
+à‹`4fq °y,1‡ð„8Ò¢#†ƒvË0[þŽŠ„Qf
+°ÀL~`Ùˆ°aŽä‰`{Á˜“ÿ†©•Í]%|¾'$Xl¿”ÒŸxHÀãG½U ‚p‰F„
£Â•R?xÙœÌæI+Y†âóXNÂ>@"ÙšºLðD®<)ÌfòÄ,.Àø"x	‡…ì•V°ø–Œö2]ü÷¹Y½ëÉ„xBñ¾¨p ¿W/ÕàûK	åI2‘L1!ö¾û
+\±ÙBÂæ	C
+Õ€PŠÂa'«¨@ð„lX
+ÀRÌ1‰(DÄØ‹æÀAPÜâXAk€Äâ¡,>ÌZœšx‘]&¨)ËþD¦`
+±`>Ìù#lý^ú{ÜÃ!ô=€e€¬0q—à?G§#ÒÅ ØÛb?‚¶€õØ¿	Y……⥳‰Åÿ®æð°‘Á°fáz»–CRh^urEìçïüðIëe[¥ºW³Ù¿66ŸÇ>æK=çm".-V^=!LJ)ô¿d9œÒE¯dx¦5]¢{ñjZQ¹V<µ‰Øã‹JL“­yme>ÊG8]ðÒÖ„>:ûí¶í½ÓÛâÚtαUôCç绵7Zúœ´4Ýl×{AsàÃMø¨'['kãònìdMܾïÎ`âE®iæ
+Ž£vð44ûȉT(¬¼GœZî©”GõÙóë½Ò›¤OSMSÌž·ú–KgÒb
c~»®‰¿›:–Q<󵗮ɘ~}àŽ<醒”¿§ÑØݨí‘5÷Õæ6+OÙ'!äAëU—Fj
ÚCïÿ¥
+Ly£ÒÜ\û¢
++¨É5vyñ}ýιýøŒcĽէ>+­—kw×뺻îõ:g¾,ÔòìÐH£xH®ÎÊj¹'ÆHøáq›Žî;{JÅ>Ð1øîkïÀ\†äúZ#£exðøõpŠ–©¬ËÎÈü«¯«Ë׊J,6‰J.Å%Òú‚U7;»ÀªñŒÃ9±ŒIFš^nȵGŽ·¯²lÞ(«Óë©9+“÷ékö+³¢õ&²JqsF{63=ƒèéí¿W#îps^R WàsµºïEų2ä쎱-	c~êdƉ֗ƒVS¢q_mÚ¥®RÿCó(øRƒ£ÍL¦SùÙõ*†Éi¿I÷¿¸¯‹[˜œÍžJ=÷Ó—qƒ¿O~¿±(”ðSŒåЄrË-{&nÄÃàd÷¹Ò«Î¡ºÌØ„Øk?n—Ô‰sDeIíÊ5Oñ7­ƒ:¹= GÄe‰3ajèz•Ë®8h'$Ô\÷-”…Ìî°‰°œV*¦…­FÔO™àšÞ­;\&?Ö¾\à3rjÇOjŠ¥¤õ»š}ì ÓÕû7½É<𼃮ŸûIØßtgýÕ¯"òæ««¼d}ò˸ó¥?~ÿËPédÄúük·ä×äDWBëDkÿ­"[ªâèÃIåõÊc’†›æ2’ò6e™,v@ižßÅÕ^Q¬+*‹ÇUM=uó)Aƒ¢…p螢êSÚ<Êyæ:^á0YY@ûÜ×í×8ª˜sÒéÅßO‘Þ$v¿Ð¨k••ùÑ«R¦¦K´Zßlefµy
êÉæ¬,é”ê5·ff¿»ßp‡gîÂoRû–uã~ŠÄ{ŸFgœåÇ:O¾Û¼û57ÿÙq˜ùpŸ¸.à¾j•J}Ú(œv_X1F¬+L»ð«ç®BeJò|ä–ü¡ë»ä1š}[Úß0Ûô*ÑBõmfÓtµqqßBI%@ß6\¬.øˆ$Þ^6à¡O¥±&>/Jhèˆ`ÌuIrrr<åW¢É™OJ‘bÿVr|qOÌeQ÷8Ú¨­¦!ðÎ_Sv­›¹{N­/”¹«VÅhöèÞít-Õm]¨eïn¹=ê:ätMKÌoÓüyAv¨)$òËKל±Ùˆ˜ä¤Žwl×7\—m´‡ÄáàÛæñO¨g·zÚŽOeÓœò›3Š'!1çM~ü&úˆj$`mÄè/}-úªºº#§;»’ýbÝMçÚ¥)g”Sw¶wNìÊözÌ8Ù÷%ÝýŒFÿœ\kuRy,»#´Þ;(é9–í£Ñ+ã¬
êÍ­à| CþÜÿüO4À®n#
Ãý”°þhendstream
 endobj
 616 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1334 0 R
+/Encoding 1332 0 R
 /FirstChar 13
 /LastChar 110
-/Widths 1335 0 R
-/BaseFont /MXAZHE+CMSY10
+/Widths 1333 0 R
+/BaseFont /KPDXTH+CMSY10
 /FontDescriptor 614 0 R
 >> endobj
 614 0 obj <<
 /Ascent 750
 /CapHeight 683
 /Descent -194
-/FontName /MXAZHE+CMSY10
+/FontName /KPDXTH+CMSY10
 /ItalicAngle -14.035
 /StemV 85
 /XHeight 431
@@ -5914,10 +5937,10 @@ endobj
 /CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
 /FontFile 615 0 R
 >> endobj
-1335 0 obj
+1333 0 obj
 [1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
 endobj
-1334 0 obj <<
+1332 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
 >> endobj
@@ -5929,7 +5952,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬¸c”$Z°%\]¶Í,Ûv—m›Y¶­.Û¶m»»lwÙÕeÛõõ½oÞ¼Yoæ×|ó#×ÊgÇŽØqb­LrbEz!S{c ¸½=3@MYCÑÈÆÆÈÔÒ^–^ÙÞÖð×ÌKN.â4r±´·5rò4€¦Q 	€…ÀÌÍÍ
K±wðt²4·pPýÅ ¦¥¥û/Ë?!cÏÿôü½élin øûÅ
hcï`´sùñ}Q¸Xf–6@€ˆ‚¢–”¼€JB^
 ´:Ù]m,M²–&@;g 5ÀÌÞ	`󀉽©å?¥93üÅrœ€&–¯=L€ÿ¸è@'[Kgç¿ß–Îs'#;—¿=p±XڙظšþCà¯ÝÌþ_BNö#lÿúþ‚)Ú;»8›8Y:¸þfUÿž.F.ÿäv¶üëØ›ý4µ7qý§¤}aþz]Œ,íœ.@—r¦–Î6Fžsÿsp²ü—†«³¥ù1 8ÍœLm€ÎÎaþbÿÓÿªð¿Toäà`ãùïmû£þ'Kg ,3Ëßœ&.s›[ÚÁ2þ3*Rvföf¦ÿ°›º:ü§Ï
èôoƒ¨þ™ê¿$ŒLííl<¦@3XFy{—¿)Tÿw*3ü¿ùÿÄÿOþ"ïÿ?qÿ»FÿË#þÿûžÿ;´¸«¼‘-ðßK€ÿÜ1YÀ?KÆî‹6²µ´ñü?Åÿ÷H
àü?ÂH¹ým…ù_9˜˜þÃhé,né4U´t1±˜ÙüíÓ¿v5;S “¥ð¯žÿ¶@ÏÌÄôß|ª–&Övÿ4žý?\@;ÓÿÎý¯Dÿ2gSR¢ýßwê¿qŠµwQõtøKí”"goú?ÿ Û{¼é™98ô,\¬Ÿ3€›Õ÷ÿñ_ æÿ:˹8Yztþ–ÍÄüoñÿãó_'½ÿ#fgboúÏ´¨¸Ù™þ°ÿiøÇmâêäôW×ßüߢÿóüï¨@ØÕßö&¼ÁVéY.õXyÓ¢:¿ú™Á†CÊšT‹jíûüÓÃw¸«ßëBš§y>;<—N>¤iþŒöcÚPö¥/ð}I©¢lRtqÒþ	bÔ/CÈ8Óˆö¾Z”Ý×æ`Rÿ³;©¤¬_úI0ÝÅê}õD@êV€Nöè€èg’Ö‡ÑÜ‚Z_tzF‘tüôH9862<Ôwñó67†œ×
"*À1OP[­R¬ºM½}¯O‡ÓØO|íCZÁ7$«åiyĤ2õÒjŒr<(+ð“yŸ^kx«¡×fR—/1u#t=ì:²ÕâQ}j%¶³v“ðUâýK+ÖcÌcûùÑPƒoÌZò›öíN®s€Ê‰òIÍwξ‘Ë—‰ï
qu¿·[!“´¤Zv'@0³Äëzb^Ù·ÑH.F>O59T]U65VÐúO[’t&	xUBµ%\£¬bíòg#Q¼÷Ì5QCöö³l~ËN«ÙÉJð¢ƒUˆmAÉyjÒ7ÒÇÇÍÑÆh|ÂëU:áñ‹äGÑýiæ·:Ò|ÓJ´ß8c©Tò@`Xx ÔþD•©KB§#…t*&]³²S½À¤y{~Ý.Ó{7Ñ+=g&Ç3îxÄ©I6³»šˆË!µgRƒTä#X*¼J3Êû5нª
+xÚ¬¸c”$Z°%\]¶Í,Ûv—m›Y¶­.Û¶m»»lwÙÕeÛõõ½oÞ¼Yoæ×|ó#×ÊgÇŽØqb­LrbEz!S{c ¸½=3@MYCÑÈÆÆÈÔÒ^–^ÙÞÖð×ÌKN.â4r±´·5rò4€¦Q 	€…ÀÌÍÍ
K±wðt²4·pPýÅ ¦¥¥û/Ë?!cÏÿôü½élin øûÅ
hcï`´sùñ}Q¸Xf–6@€ˆ‚¢–”¼€JB^
 ´:Ù]m,M²–&@;g 5ÀÌÞ	`󀉽©å?¥93üÅrœ€&–¯=L€ÿ¸è@'[Kgç¿ß–Îs'#;—¿=p±XڙظšþCà¯ÝÌþ_BNö#lÿúþ‚)Ú;»8›8Y:¸þfUÿž.F.ÿäv¶üëØ›ý4µ7qý§¤}aþz]Œ,íœ.@—r¦–Î6Fžsÿsp²ü—†«³¥ù1 8ÍœLm€ÎÎaþbÿÓÿªð¿Toäà`ãùïmû£þ'Kg ,3Ëßœ&.s›[ÚÁ2þ3*Rvföf¦ÿ°›º:ü§Ï
èôoƒ¨þ™ê¿$ŒLííl<¦@3XFy{—¿)Tÿw*3ü¿ùÿÄÿOþ"ïÿ?qÿ»FÿË#þÿûžÿ;´¸«¼‘-ðßK€ÿÜ1YÀ?KÆî‹6²µ´ñü?Åÿ÷H
àü?ÂH¹ým…ù_9˜˜þÃhé,né4U´t1±˜ÙüíÓ¿v5;S “¥ð¯žÿ¶@ÏÌÄôß|ª–&Övÿ4žý?\@;ÓÿÎý¯Dÿ2gTU–“¤ýßwê¿qŠµwQõtøKí”"goú?ÿ Û{¼é™98ô,\¬Ÿ3€›Õ÷ÿñ_ æÿ:˹8Yztþ–ÍÄüoñÿãó_'½ÿ#fgboúÏ´¨¸Ù™þ°ÿiøÇmâêäôW×ßüߢÿóüï¨@ØÕßö&¼ÁVéY.õXyÓ¢:¿ú™Á†CÊšT‹jíûüÓÃw¸«ßëBš§y>;<—N>¤iþŒöcÚPö¥/ð}I©¢lRtqÒþ	bÔ/CÈ8Óˆö¾Z”Ý×æ`Rÿ³;©¤¬_úI0ÝÅê}õD@êV€Nöè€èg’Ö‡ÑÜ‚Z_tzF‘tüôH9862<Ôwñó67†œ×
"*À1OP[­R¬ºM½}¯O‡ÓØO|íCZÁ7$«åiyĤ2õÒjŒr<(+ð“yŸ^kx«¡×fR—/1u#t=ì:²ÕâQ}j%¶³v“ðUâýK+ÖcÌcûùÑPƒoÌZò›öíN®s€Ê‰òIÍwξ‘Ë—‰ï
qu¿·[!“´¤Zv'@0³Äëzb^Ù·ÑH.F>O59T]U65VÐúO[’t&	xUBµ%\£¬bíòg#Q¼÷Ì5QCöö³l~ËN«ÙÉJð¢ƒUˆmAÉyjÒ7ÒÇÇÍÑÆh|ÂëU:áñ‹äGÑýiæ·:Ò|ÓJ´ß8c©Tò@`Xx ÔþD•©KB§#…t*&]³²S½À¤y{~Ý.Ó{7Ñ+=g&Ç3îxÄ©I6³»šˆË!µgRƒTä#X*¼J3Êû5нª
 %É‘÷Q•£,ň;0º3êì¾fC|³%œQ™”îflh`ÒRsšÆ‚w›sÅ‘X§¢uü-Í ÙTÙ	˜ªès´¡ûÌN£Ð2¸iɱ½õx!:Î<”?%x¡yƒMŸ9¼Ñ¸¬#ØÌ4ìÛfÙì¢_"Ì:õ¡ÒE“
 Èüñþ“_º¸–rkÕ—<éñ£äQåÜ‹*£:½'&ܳ´H’B“%C–·&`wŽ$a"Q´-@”Ç-?ŸòxccÅÿ“w×wGW™v™4;ÌRC“
	¨Ž\]“.ü\°ß5_Ë*Ù7†·w¡.r.†把zÙf’9p¥¥JÛÕŸ—þLÔ‹1œÐÇ5-ÌÝ€i*¡²Þß=#€–—cþ	¼
JgLú§ooGâC12¢)Œ.ì)0·»b›Ì)7ühøÏ´åÚi{Œ¼
ÒŠnèˆ({ßø^4­nÆ*n–¨s¼-ø÷VkHÛì“äù&Ö{‡–…nªNzË,¯CZ‹ì%ø½EMEÂîy."6¦ˆÜBú<Œq°)ì	LD­þçxä
ÂÜA¸Ò…¼¶üæ¥Ê×öŸ¾z¦SÁ‘,#¸º!6cc
 d­cu!2?Ü1=ú뛇‹Wûµ·,ÿô‹§…)ÝÐÌŸ$Ê-Æ6†˜þÙÞ¦ÿDÊ|(ØufË«‰4ú]á4Ê®ò\¸†ÑóÆ°íkÑ$i@–WÏ_ÏíÕµB¿„G5µ2c?L?~pÉ÷’¬Ÿ¸¿áQÂl4^”ê[‘^W¢ ú'iM¼¶ˆ€UxìÑ[Ü1­.yM<
üDðWà:Hÿ]³ô^¥ŒnKGCA
@@ -6027,23 +6050,23 @@ N
 £9ªåJdŽ²k¬û¡!î—yOßËHg´¤½ð>pèÓrR¡”|fwÐÜ)‰ß©éËÈíª6ÞÛÀ“Ç*i}J.âÙ¨œE‡ÆöqÿŒ0ÿ|Ñö*–fÕ$% þ¶6É™ÑÖZùQX;]Ÿu¬ïë:«\Ò†¡é±CµÐBkÕÔÊÝTÕ¡Á™•ŠG’ót¾€‘4Þ¨4ìöš¦Á½œ€w?Ìá›Bx[R eßÏA‹üúG4)óÖm½ïËä£ÄW®¡„»{&8V^›v”TxBÓ‹‹"[“¡XÀ¸”Tò€Öiøð;ÅÈçæ=Ú‰]r–RÔ³{6ð¤Ã‘¹„5šöÞæÜ(Fƒu«ú¸ìtÈæõí’ŒÏý­çâ–ý”wKB§:"Ñ‹´øT>+ÈŠ v",Ú¦d]	£³\Bù›‰—¢IÑAÚ‡u5:)¶±ç«ei9c;“Ock¤ÒýcT9„»·¹äøâlˆ‡Ùæ6øй¢ÚÓÌÓ¶
 W4ŸÞç†(œ$<ç,èT-Ikñ¬qS\øïˆÁÀÌê™â
Tb©¯ £¾¹†¢Eâd¹u’\hajˆ±èÀöµÕß½ÏKœK§é.à*wã7E]Š½Ú–…:Ê‘«â­ß¥¿áØÒc¸ûŽEýª’|¸$\Š\Š?‚¿µj*ˆM?žãY‰þôÁ„ÖæÖ0EØéòRçl¾¢Øÿ›…r‰od:‰Æçu&Ù¤CÑ*¥Í¯Ý%|Уð‹¥Îtª$]$2Tk!𠟬¨ <|þœýÿÒÿ€ÿ
-ÀÜ`êêîä`êj‡ô”|÷Åendstream
+ÀÜ`êêîä`êj‡ôem÷Ùendstream
 endobj
 608 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1322 0 R
+/Encoding 1320 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 1336 0 R
-/BaseFont /EQSCDA+URWPalladioL-Roma
+/Widths 1334 0 R
+/BaseFont /TUBMEH+URWPalladioL-Roma
 /FontDescriptor 606 0 R
 >> endobj
 606 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /EQSCDA+URWPalladioL-Roma
+/FontName /TUBMEH+URWPalladioL-Roma
 /ItalicAngle 0
 /StemV 84
 /XHeight 469
@@ -6052,7 +6075,7 @@ endobj
 /CharSet (/fi/fl/exclam/dollar/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblleft/quotedblright/emdash)
 /FontFile 607 0 R
 >> endobj
-1336 0 obj
+1334 0 obj
 [605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 0 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 500 500 0 0 1000 ]
 endobj
 604 0 obj <<
@@ -6063,7 +6086,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬´ct¦[´%VìTŒ76ß bÛ¶mÛ¬ŠmÛ¶SqR±mÛÆWçܾ}{Üî_ýõgŒg/Ì5ךko2"y%:c;CQ;[g:&zFN€Š¢š¼µµ±…4 µ1௙–ŒLÈÑÄÀÙÂÎVØÀÙ„ fb6103˜888`ÉBvöŽfæÎÊ¿T44´ÿeù'`èñŸž¿™Nf¶ò¿?®&Övö6&¶Î!þ¯•LLÎæ&Sk€œ¼†„¬€RLV fbkâh`
w1´¶0H[™Ø:™PLíÖÿqÙÙ[üÓšý_,'€ÀÉÞÄÈâoš‰»‘‰ý?.Z€½‰£…“Ó߀…ÀÌÑÀÖùïœí¶FÖ.Æÿøk7µû—½£Ýß›¿¾¿`òvNÎNFŽö΀¿Uå…Eÿƒ§³¹ó?µ,þºv¦#íŒ\þié_ß_˜¿^g['€³‰»ó?µMÆNöÖkÿ³w´ø—†‹“…­Ù1 8š˜8[›89ý…ù‹ýÏtþ«OÀÿÒ½½½µÇ¿ÙvÿFýOÎN&Ö¦ô°LÌk9ÿ­mfaËðϪHØšÚ˜ÿÃnìbÿŸ>WÇDùÏÎPý%a`lgkí061…eµsþ[@ù§2ýÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹ºX[Ëؘü›øÏ7 
øç‘ùß‚
l,¬=þOáÿ=RÍä?8þŸP$œ
þBÀÖ쯌ôŒÿa´pµp71–·p62˜XÿÒ¿v[cGk[“¿jþ;H#ãó)›[YÙþ3vÖÿp™Øÿwêú—8ƒ€šœ¢²2Íÿþ¢þ'ÿWygeû¿ÔþG'2vÆÿóðŠ  ;À‹Ž‰•@ddú{áþòá²úü*þÄô_ggGw€Ö߶ÿfþÓüÿøþë¤óß`DlìŒÿÙ%g[ã¿ëõ?
ÿ¸\ÿªúïÿÛôžÿ]tw#Ø•E;#®`ËÔŒ4çZÌœ¡qa­¾^&ð¡û’åÂ|ÿj»¿Ô_Ûúï5!ô“œŸm§öû’Ô#½Ö=É&—yx>$T¿óQ6È;ØitKÒÎÔ"½®æ¥· 4ÙUvÆu‹ß¿áOv¡¯ž¨üI\óýÑIí}Rêc¾w"7‚ Öœž‘'?=RŒ
öÜ@þÞǥɎ!ãr…@ ðwÈÆåÓT)©l¤¼lˉ0æÞ»oÎ^(jÈÙOx­AñÁ'‰YŸ9ã^$ÄLòº¥YÒªžU+ÖÛãŸê²ñ¦iN^|à=_S˜'a…´?“5tD'c{…ßðØ×O ð¹€N$ÏÒ)'²TeÓ9ÍSæÕÜÜÌô¿;ò`‚óP~G¥aþFª°£3ëÐnÎôÖ¦tÍÓ‰‹w>þaMg¹Û|™2?h£ØY5º´0< §m«¿•“è0Oƒo'r•z¶Òý´`“~œZ“§V†¡\U[MΤo8À5°±nùaV—½õ&—Éíã#z'&Xü«g&(ÑU¢Àήºœ.Z/¯‘4D˜pRïíåf%5fpt:	݈K@ÉÝ8²XÎŽÿiœ$ó§"‘ò80ã{p¦¬9H7Ê$rKø6Ô9¢»´éÀí¯oRoùÖy5Í|3VÁ=ìM“,d+G÷[’â]\ZZü.‡GLîG~Ú\fžm"(„¤\éÐœ„†ËcÕX¬"™ZÃ5CåjstÏ[«ZªëujÒÉ~àÆýGµ±ö¬Ë]é¦pùÌ|_ª—õœ^¥Â²úî]໾­@Ko‘§_[,÷1ka´ÙoÝ‘šTô׺"Û›bzte`>
+xÚ¬´ct¦[´%VìTŒ76ß bÛ¶mÛ¬ŠmÛ¶SqR±mÛÆWçܾ}{Üî_ýõgŒg/Ì5ךko2"y%:c;CQ;[g:&zFN€Š¢š¼µµ±…4 µ1௙–ŒLÈÑÄÀÙÂÎVØÀÙ„ fb6103˜888`ÉBvöŽfæÎÊ¿T44´ÿeù'`èñŸž¿™Nf¶ò¿?®&Övö6&¶Î!þ¯•LLÎæ&Sk€œ¼†„¬€RLV fbkâh`
w1´¶0H[™Ø:™PLíÖÿqÙÙ[üÓšý_,'€ÀÉÞÄÈâoš‰»‘‰ý?.Z€½‰£…“Ó߀…ÀÌÑÀÖùïœí¶FÖ.Æÿøk7µû—½£Ýß›¿¾¿`òvNÎNFŽö΀¿Uå…Eÿƒ§³¹ó?µ,þºv¦#íŒ\þié_ß_˜¿^g['€³‰»ó?µMÆNöÖkÿ³w´ø—†‹“…­Ù1 8š˜8[›89ý…ù‹ýÏtþ«OÀÿÒ½½½µÇ¿ÙvÿFýOÎN&Ö¦ô°LÌk9ÿ­mfaËðϪHØšÚ˜ÿÃnìbÿŸ>WÇDùÏÎPý%a`lgkí061…eµsþ[@ù§2ýÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹ºX[Ëؘü›øÏ7 
øç‘ùß‚
l,¬=þOáÿ=RÍä?8þŸP$œ
þBÀÖ쯌ôŒÿa´pµp71–·p62˜XÿÒ¿v[cGk[“¿jþ;H#ãó)›[YÙþ3vÖÿp™Øÿwêú—8ƒ¤†´Œ”Íÿþ¢þ'ÿWygeû¿ÔþG'2vÆÿóðŠ  ;À‹Ž‰•@ddú{áþòá²úü*þÄô_ggGw€Ö߶ÿfþÓüÿøþë¤óß`DlìŒÿÙ%g[ã¿ëõ?
ÿ¸\ÿªúïÿÛôžÿ]tw#Ø•E;#®`ËÔŒ4çZÌœ¡qa­¾^&ð¡û’åÂ|ÿj»¿Ô_Ûúï5!ô“œŸm§öû’Ô#½Ö=É&—yx>$T¿óQ6È;ØitKÒÎÔ"½®æ¥· 4ÙUvÆu‹ß¿áOv¡¯ž¨üI\óýÑIí}Rêc¾w"7‚ Öœž‘'?=RŒ
öÜ@þÞǥɎ!ãr…@ ðwÈÆåÓT)©l¤¼lˉ0æÞ»oÎ^(jÈÙOx­AñÁ'‰YŸ9ã^$ÄLòº¥YÒªžU+ÖÛãŸê²ñ¦iN^|à=_S˜'a…´?“5tD'c{…ßðØ×O ð¹€N$ÏÒ)'²TeÓ9ÍSæÕÜÜÌô¿;ò`‚óP~G¥aþFª°£3ëÐnÎôÖ¦tÍÓ‰‹w>þaMg¹Û|™2?h£ØY5º´0< §m«¿•“è0Oƒo'r•z¶Òý´`“~œZ“§V†¡\U[MΤo8À5°±nùaV—½õ&—Éíã#z'&Xü«g&(ÑU¢Àήºœ.Z/¯‘4D˜pRïíåf%5fpt:	݈K@ÉÝ8²XÎŽÿiœ$ó§"‘ò80ã{p¦¬9H7Ê$rKø6Ô9¢»´éÀí¯oRoùÖy5Í|3VÁ=ìM“,d+G÷[’â]\ZZü.‡GLîG~Ú\fžm"(„¤\éÐœ„†ËcÕX¬"™ZÃ5CåjstÏ[«ZªëujÒÉ~àÆýGµ±ö¬Ë]é¦pùÌ|_ª—õœ^¥Â²úî]໾­@Ko‘§_[,÷1ka´ÙoÝ‘šTô׺"Û›bzte`>
 :ÿ¦ÐüÈ­?š¼dOQ7ÿVK
U	¸¹S=ýˆ»ü Ã^‹Y¶>Grù‚£d„)Óâ~à|¿¥n¾`Ãc™·)áâ6‡.k¨A«!]Ýõ€=Úa
 ¦ë;”K–’+M̦ŽöæOloôRŒÃxcב›nÊ÷‰E·yöì¬ä2÷‹2O$2–bPoÑk#OóÐ)ä³%Õ°¹±y?‚E»@y¶žƒtù"ùë÷Q÷«}NC&ýjŸ/Ü3sÑ2?ávƒä­ë“ò
 $>–S²²ðNùMZ,T±‰p_š·ïI­"h|\9¢3Á†¥ßNÑÎØ›õº.æfL?ˆ’Çú«™ΞӄŸÃ±‹&Æóý½/6[Ékëãºv'Û°§le™ó[{6ál»Yžt–Û( å"mѦÛð?ʬJÙÛU8FØÙ•1Ò«˜¢ÿ½O)S-ylвÁ¡tU®dq7{Šgq©SÄtî£"Ñëü_I=sO6‘v°‰X!Åó>]øÑ*饳šú‡­«‘N~PCfTØ…{ŠdÚ¤,#os?…©¬·	Š¯Uögqlö8Ä k¶Ó&'ë¼gm¿_rƒð”û
4q&Ï¡pk€?*¸RêÈ[^¼¦»¬5ì(@.{¬…#ÔÌ´¾$Dõù,­MÈЫՈÏ
@@ -6158,23 +6181,23 @@ G
 ­\^Élxχ¾PÙ´[äS®ãEhsŽаÂÜ]5:zÕÐSSœUÌï^F€kv»¥’ ã{'˜áÿ¸´–1¼Mwô‡êýê'‡u-ËÅ1sÜQ&
ö¦X£…#!z×è‡_QËsŠÑ•ÜÕ_‚ÜS8^íÞÙLóŪUµwg$T´8ý™Gÿ¥`ïç4ß$.¢ŽüpdÞé5¸á-pÏÎH¦å’àRm…ìÝÒ€”S±
 Ô¢æ–[¶Ø„K'ÓÉåv;ôs'ˆdž“¯¯uè÷–WhU/RŽ¨ËöÓ¯%ØãkûŸ-ò„Ï
 däœ|UNò©‡Ñùƒ,Ÿj˶ÙײèËæ‚,Lyªpò9\åk„9ð/U ow
âB+Dž^ÇC…óíò–ý•H½‰½ÍYáˆR]SžÈt¦¢z—Ðݶ”ö¸2¤õ·´ä¦ƒ¡áÉÜ’ë0ëwÄæ>ëøõ€Q)ßUœÆà©
¿¹ßŽ^ƒV=öVlƤ¶š¿)ÒIî«8@+Œ"«Wã@£óíÊ Ñ.œ­’u&—lP1% "ÒïÂ¥Á%„èòñÂátÑ»‰šqȃ¡AÊäÖôè­×“\AbâäÁ´þ²±ü»ŠjkLÆRýˆ™T÷¬óéê›áp2ÙWYöj\Ýl=šqÍ?×Åzx”ICˆèïiNÊ]Ç6„/f“m!9Îqý›á‰Ô9Êbóä××Mö'âï‹4±¤¬\&Â&_ÓPØ&?Ñy©#Þ1Ô¤‘Ñg×K-ò9¬‹³8eÊâÙ‹Wëa¯,c©å„ÓÍ}¢Š'îOªw¦ñË\m#ÆWm桃à03	´w€)Íû™ÁzÊê[Ê{‘[u¿üᥨ¢,ãq¦f§1<Þcåεßâi.{Ý¥4z?}†ß	 *eÄ¿N›ùù1Éb1‰$ÁÄEçB´¥ØÍ5ÑN°…¿öxõè.Pÿ$Ž<|Gê'IÆ{𢋸ÿ´¦õ*~#(<> endobj
 603 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /AWORTT+URWPalladioL-Bold
+/FontName /JYLMKM+URWPalladioL-Bold
 /ItalicAngle 0
 /StemV 123
 /XHeight 471
@@ -6183,111 +6206,111 @@ endobj
 /CharSet (/fi/exclam/dollar/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
 /FontFile 604 0 R
 >> endobj
-1337 0 obj
+1335 0 obj
 [611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 0 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 0 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
 endobj
 609 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1338 0 R
+/Parent 1336 0 R
 /Kids [598 0 R 611 0 R 618 0 R 637 0 R 654 0 R 665 0 R]
 >> endobj
 680 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1338 0 R
+/Parent 1336 0 R
 /Kids [672 0 R 682 0 R 687 0 R 695 0 R 705 0 R 718 0 R]
 >> endobj
 730 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1338 0 R
+/Parent 1336 0 R
 /Kids [726 0 R 733 0 R 740 0 R 747 0 R 756 0 R 761 0 R]
 >> endobj
 774 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1338 0 R
+/Parent 1336 0 R
 /Kids [765 0 R 776 0 R 786 0 R 793 0 R 800 0 R 813 0 R]
 >> endobj
 823 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1338 0 R
+/Parent 1336 0 R
 /Kids [818 0 R 825 0 R 829 0 R 839 0 R 845 0 R 853 0 R]
 >> endobj
 873 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1338 0 R
+/Parent 1336 0 R
 /Kids [865 0 R 876 0 R 887 0 R 893 0 R 897 0 R 903 0 R]
 >> endobj
-917 0 obj <<
+916 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1339 0 R
-/Kids [910 0 R 919 0 R 924 0 R 932 0 R 938 0 R 943 0 R]
+/Parent 1337 0 R
+/Kids [910 0 R 918 0 R 923 0 R 931 0 R 937 0 R 942 0 R]
 >> endobj
-961 0 obj <<
+960 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1339 0 R
-/Kids [953 0 R 965 0 R 974 0 R 978 0 R 984 0 R 990 0 R]
+/Parent 1337 0 R
+/Kids [952 0 R 964 0 R 973 0 R 977 0 R 982 0 R 989 0 R]
 >> endobj
-1004 0 obj <<
+1001 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1339 0 R
-/Kids [998 0 R 1006 0 R 1011 0 R 1018 0 R 1023 0 R 1032 0 R]
+/Parent 1337 0 R
+/Kids [996 0 R 1003 0 R 1009 0 R 1015 0 R 1022 0 R 1029 0 R]
 >> endobj
-1043 0 obj <<
+1038 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1339 0 R
-/Kids [1036 0 R 1045 0 R 1050 0 R 1062 0 R 1077 0 R 1089 0 R]
+/Parent 1337 0 R
+/Kids [1035 0 R 1040 0 R 1044 0 R 1052 0 R 1064 0 R 1074 0 R]
 >> endobj
-1107 0 obj <<
+1097 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1339 0 R
-/Kids [1099 0 R 1109 0 R 1121 0 R 1133 0 R 1142 0 R 1146 0 R]
+/Parent 1337 0 R
+/Kids [1086 0 R 1099 0 R 1109 0 R 1119 0 R 1131 0 R 1142 0 R]
 >> endobj
-1157 0 obj <<
+1156 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1339 0 R
-/Kids [1150 0 R 1159 0 R 1169 0 R 1180 0 R 1184 0 R 1191 0 R]
+/Parent 1337 0 R
+/Kids [1149 0 R 1158 0 R 1168 0 R 1179 0 R 1183 0 R 1190 0 R]
 >> endobj
-1232 0 obj <<
+1231 0 obj <<
 /Type /Pages
 /Count 3
-/Parent 1340 0 R
-/Kids [1205 0 R 1234 0 R 1291 0 R]
+/Parent 1338 0 R
+/Kids [1204 0 R 1233 0 R 1291 0 R]
+>> endobj
+1336 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 1339 0 R
+/Kids [609 0 R 680 0 R 730 0 R 774 0 R 823 0 R 873 0 R]
+>> endobj
+1337 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 1339 0 R
+/Kids [916 0 R 960 0 R 1001 0 R 1038 0 R 1097 0 R 1156 0 R]
 >> endobj
 1338 0 obj <<
 /Type /Pages
-/Count 36
-/Parent 1341 0 R
-/Kids [609 0 R 680 0 R 730 0 R 774 0 R 823 0 R 873 0 R]
+/Count 3
+/Parent 1339 0 R
+/Kids [1231 0 R]
 >> endobj
 1339 0 obj <<
 /Type /Pages
-/Count 36
-/Parent 1341 0 R
-/Kids [917 0 R 961 0 R 1004 0 R 1043 0 R 1107 0 R 1157 0 R]
+/Count 75
+/Kids [1336 0 R 1337 0 R 1338 0 R]
 >> endobj
 1340 0 obj <<
-/Type /Pages
-/Count 3
-/Parent 1341 0 R
-/Kids [1232 0 R]
->> endobj
-1341 0 obj <<
-/Type /Pages
-/Count 75
-/Kids [1338 0 R 1339 0 R 1340 0 R]
->> endobj
-1342 0 obj <<
 /Type /Outlines
 /First 7 0 R
 /Last 547 0 R
@@ -6383,7 +6406,7 @@ endobj
 547 0 obj <<
 /Title 548 0 R
 /A 545 0 R
-/Parent 1342 0 R
+/Parent 1340 0 R
 /Prev 527 0 R
 /First 551 0 R
 /Last 583 0 R
@@ -6419,7 +6442,7 @@ endobj
 527 0 obj <<
 /Title 528 0 R
 /A 525 0 R
-/Parent 1342 0 R
+/Parent 1340 0 R
 /Prev 503 0 R
 /Next 547 0 R
 /First 531 0 R
@@ -6463,7 +6486,7 @@ endobj
 503 0 obj <<
 /Title 504 0 R
 /A 501 0 R
-/Parent 1342 0 R
+/Parent 1340 0 R
 /Prev 247 0 R
 /Next 527 0 R
 /First 507 0 R
@@ -6922,7 +6945,7 @@ endobj
 247 0 obj <<
 /Title 248 0 R
 /A 245 0 R
-/Parent 1342 0 R
+/Parent 1340 0 R
 /Prev 235 0 R
 /Next 503 0 R
 /First 251 0 R
@@ -6944,7 +6967,7 @@ endobj
 235 0 obj <<
 /Title 236 0 R
 /A 233 0 R
-/Parent 1342 0 R
+/Parent 1340 0 R
 /Prev 135 0 R
 /Next 247 0 R
 /First 239 0 R
@@ -7125,7 +7148,7 @@ endobj
 135 0 obj <<
 /Title 136 0 R
 /A 133 0 R
-/Parent 1342 0 R
+/Parent 1340 0 R
 /Prev 91 0 R
 /Next 235 0 R
 /First 139 0 R
@@ -7206,7 +7229,7 @@ endobj
 91 0 obj <<
 /Title 92 0 R
 /A 89 0 R
-/Parent 1342 0 R
+/Parent 1340 0 R
 /Prev 67 0 R
 /Next 135 0 R
 /First 95 0 R
@@ -7249,7 +7272,7 @@ endobj
 67 0 obj <<
 /Title 68 0 R
 /A 65 0 R
-/Parent 1342 0 R
+/Parent 1340 0 R
 /Prev 7 0 R
 /Next 91 0 R
 /First 71 0 R
@@ -7358,1392 +7381,1390 @@ endobj
 7 0 obj <<
 /Title 8 0 R
 /A 5 0 R
-/Parent 1342 0 R
+/Parent 1340 0 R
 /Next 67 0 R
 /First 11 0 R
 /Last 23 0 R
 /Count -4
 >> endobj
-1343 0 obj <<
-/Names [(Access_Control_Lists) 1154 0 R (Bv9ARM.ch01) 621 0 R (Bv9ARM.ch02) 675 0 R (Bv9ARM.ch03) 690 0 R (Bv9ARM.ch04) 743 0 R (Bv9ARM.ch05) 810 0 R (Bv9ARM.ch06) 832 0 R (Bv9ARM.ch07) 1153 0 R (Bv9ARM.ch08) 1172 0 R (Bv9ARM.ch09) 1187 0 R (Configuration_File_Grammar) 859 0 R (DNSSEC) 791 0 R (Doc-Start) 602 0 R (Setting_TTLs) 1117 0 R (access_control) 958 0 R (acl) 863 0 R (address_match_lists) 837 0 R (admin_tools) 721 0 R (appendix.A) 546 0 R (bibliography) 1208 0 R (boolean_options) 716 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 134 0 R (chapter.5) 234 0 R (chapter.6) 246 0 R (chapter.7) 502 0 R (chapter.8) 526 0 R (cite.RFC1034) 1218 0 R (cite.RFC1035) 1220 0 R (cite.RFC1101) 1276 0 R (cite.RFC1123) 1278 0 R (cite.RFC1183) 1260 0 R (cite.RFC1464) 1301 0 R (cite.RFC1535) 1252 0 R (cite.RFC1536) 1254 0 R (cite.RFC1537) 1286 0 R (cite.RFC1591) 1280 0 R (cite.RFC1706) 1262 0 R (cite.RFC1712) 1315 0 R (cite.RFC1713) 1303 0 R (cite.RFC1794) 1305 0 R (cite.RFC1876) 1264 0 R (cite.RFC1886) 1244 0 R (cite.RFC1912) 1288 0 R (cite.RFC1982) 1256 0 R (cite.RFC1995) 1225 0 R (cite.RFC1996) 1227 0 R (cite.RFC2010) 1295 0 R (cite.RFC2052) 1266 0 R (cite.RFC2065) 1246 0 R (cite.RFC2136) 1229 0 R (cite.RFC2137) 1248 0 R (cite.RFC2163) 1268 0 R (cite.RFC2168) 1270 0 R (cite.RFC2181) 1231 0 R (cite.RFC2219) 1297 0 R (cite.RFC2230) 1272 0 R (cite.RFC2240) 1307 0 R (cite.RFC2308) 1238 0 R (cite.RFC2317) 1282 0 R (cite.RFC2345) 1309 0 R (cite.RFC2352) 1311 0 R (cite.RFC2845) 1240 0 R (cite.RFC974) 1222 0 R (cite.id2490832) 1320 0 R (classes_of_resource_records) 1097 0 R (configuration_file_elements) 833 0 R (controls_statement_definition_and_usage) 731 0 R (diagnostic_tools) 663 0 R (dynamic_update) 744 0 R (dynamic_update_policies) 784 0 R (dynamic_update_security) 1060 0 R (historical_dns_information) 1194 0 R (id2465864) 622 0 R (id2466744) 623 0 R (id2466798) 627 0 R (id2466807) 628 0 R (id2467646) 676 0 R (id2467671) 677 0 R (id2467682) 678 0 R (id2467696) 679 0 R (id2467704) 685 0 R (id2468484) 643 0 R (id2468627) 645 0 R (id2468647) 646 0 R (id2468945) 647 0 R (id2469029) 650 0 R (id2469104) 657 0 R (id2469126) 660 0 R (id2469216) 661 0 R (id2469235) 662 0 R (id2469264) 668 0 R (id2469296) 669 0 R (id2469321) 670 0 R (id2469713) 692 0 R (id2469725) 693 0 R (id2469748) 698 0 R (id2469833) 699 0 R (id2470206) 710 0 R (id2470212) 711 0 R (id2473127) 736 0 R (id2473139) 737 0 R (id2473367) 753 0 R (id2473929) 770 0 R (id2473945) 771 0 R (id2473979) 772 0 R (id2473995) 773 0 R (id2474004) 779 0 R (id2474043) 780 0 R (id2474164) 781 0 R (id2474208) 783 0 R (id2474221) 789 0 R (id2474339) 790 0 R (id2474392) 796 0 R (id2474460) 797 0 R (id2474499) 798 0 R (id2474609) 803 0 R (id2474663) 804 0 R (id2474688) 805 0 R (id2474880) 809 0 R (id2474893) 816 0 R (id2474925) 821 0 R (id2475064) 834 0 R (id2475686) 842 0 R (id2475713) 843 0 R (id2475800) 848 0 R (id2475815) 849 0 R (id2475980) 850 0 R (id2476124) 860 0 R (id2476375) 862 0 R (id2476417) 868 0 R (id2476554) 870 0 R (id2476801) 879 0 R (id2476816) 880 0 R (id2476838) 881 0 R (id2476859) 882 0 R (id2476990) 885 0 R (id2477116) 890 0 R (id2477237) 891 0 R (id2477929) 906 0 R (id2478410) 908 0 R (id2478483) 913 0 R (id2478546) 916 0 R (id2479332) 927 0 R (id2480491) 956 0 R (id2480665) 968 0 R (id2480749) 969 0 R (id2481341) 981 0 R (id2481511) 987 0 R (id2481580) 988 0 R (id2481918) 1002 0 R (id2482501) 1015 0 R (id2483001) 1026 0 R (id2483049) 1027 0 R (id2483141) 1029 0 R (id2483189) 1030 0 R (id2483728) 1039 0 R (id2483734) 1040 0 R (id2483738) 1041 0 R (id2484040) 1048 0 R (id2484071) 1053 0 R (id2484913) 1080 0 R (id2485034) 1082 0 R (id2485121) 1083 0 R (id2485142) 1086 0 R (id2485282) 1092 0 R (id2485921) 1094 0 R (id2486004) 1102 0 R (id2486201) 1104 0 R (id2486291) 1105 0 R (id2486512) 1112 0 R (id2486627) 1114 0 R (id2486645) 1115 0 R (id2486950) 1118 0 R (id2487056) 1124 0 R (id2487069) 1125 0 R (id2487161) 1127 0 R (id2487180) 1128 0 R (id2487236) 1136 0 R (id2487299) 1137 0 R (id2487330) 1138 0 R (id2487382) 1139 0 R (id2487784) 1165 0 R (id2487928) 1166 0 R (id2488054) 1167 0 R (id2488193) 1173 0 R (id2488198) 1174 0 R (id2488210) 1175 0 R (id2488227) 1176 0 R (id2488289) 1188 0 R (id2488294) 1189 0 R (id2488528) 1195 0 R (id2488544) 1196 0 R (id2488558) 1197 0 R (id2488597) 1198 0 R (id2488908) 1200 0 R (id2489134) 1202 0 R (id2489350) 1214 0 R (id2489352) 1216 0 R (id2489361) 1221 0 R (id2489384) 1217 0 R (id2489408) 1219 0 R (id2489445) 1230 0 R (id2489470) 1237 0 R (id2489496) 1224 0 R (id2489521) 1226 0 R (id2489544) 1228 0 R (id2489600) 1239 0 R (id2489660) 1242 0 R (id2489675) 1243 0 R (id2489714) 1245 0 R (id2489753) 1247 0 R (id2489781) 1250 0 R (id2489789) 1251 0 R (id2489815) 1253 0 R (id2489882) 1255 0 R (id2489918) 1258 0 R (id2489924) 1259 0 R (id2489981) 1261 0 R (id2490019) 1269 0 R (id2490054) 1263 0 R (id2490108) 1265 0 R (id2490148) 1267 0 R (id2490174) 1271 0 R (id2490201) 1274 0 R (id2490209) 1275 0 R (id2490234) 1277 0 R (id2490258) 1279 0 R (id2490279) 1281 0 R (id2490326) 1284 0 R (id2490333) 1285 0 R (id2490359) 1287 0 R (id2490386) 1289 0 R (id2490412) 1294 0 R (id2490449) 1296 0 R (id2490488) 1299 0 R (id2490508) 1300 0 R (id2490531) 1302 0 R (id2490555) 1304 0 R (id2490580) 1306 0 R (id2490602) 1308 0 R (id2490716) 1310 0 R (id2490741) 1313 0 R (id2490747) 1314 0 R (id2490820) 1317 0 R (id2490829) 1319 0 R (id2490832) 1321 0 R (incremental_zone_transfers) 750 0 R (internet_drafts) 1316 0 R (ipv6addresses) 811 0 R (journal) 745 0 R (lwresd) 822 0 R (notify) 702 0 R (page.1) 601 0 R (page.10) 697 0 R (page.11) 707 0 R (page.12) 720 0 R (page.13) 728 0 R (page.14) 735 0 R (page.15) 742 0 R (page.16) 749 0 R (page.17) 758 0 R (page.18) 763 0 R (page.19) 767 0 R (page.2) 613 0 R (page.20) 778 0 R (page.21) 788 0 R (page.22) 795 0 R (page.23) 802 0 R (page.24) 815 0 R (page.25) 820 0 R (page.26) 827 0 R (page.27) 831 0 R (page.28) 841 0 R (page.29) 847 0 R (page.3) 620 0 R (page.30) 855 0 R (page.31) 867 0 R (page.32) 878 0 R (page.33) 889 0 R (page.34) 895 0 R (page.35) 899 0 R (page.36) 905 0 R (page.37) 912 0 R (page.38) 921 0 R (page.39) 926 0 R (page.4) 639 0 R (page.40) 934 0 R (page.41) 940 0 R (page.42) 945 0 R (page.43) 955 0 R (page.44) 967 0 R (page.45) 976 0 R (page.46) 980 0 R (page.47) 986 0 R (page.48) 992 0 R (page.49) 1000 0 R (page.5) 656 0 R (page.50) 1008 0 R (page.51) 1013 0 R (page.52) 1020 0 R (page.53) 1025 0 R (page.54) 1034 0 R (page.55) 1038 0 R (page.56) 1047 0 R (page.57) 1052 0 R (page.58) 1064 0 R (page.59) 1079 0 R (page.6) 667 0 R (page.60) 1091 0 R (page.61) 1101 0 R (page.62) 1111 0 R (page.63) 1123 0 R (page.64) 1135 0 R (page.65) 1144 0 R (page.66) 1148 0 R (page.67) 1152 0 R (page.68) 1161 0 R (page.69) 1171 0 R (page.7) 674 0 R (page.70) 1182 0 R (page.71) 1186 0 R (page.72) 1193 0 R (page.73) 1207 0 R (page.74) 1236 0 R (page.75) 1293 0 R (page.8) 684 0 R (page.9) 689 0 R (proposed_standards) 754 0 R (rfcs) 652 0 R (rndc) 874 0 R (rrset_ordering) 703 0 R (sample_configuration) 691 0 R (section*.1) 1213 0 R (section*.10) 1312 0 R (section*.11) 1318 0 R (section*.2) 1215 0 R (section*.3) 1223 0 R (section*.4) 1241 0 R (section*.5) 1249 0 R (section*.6) 1257 0 R (section*.7) 1273 0 R (section*.8) 1283 0 R (section*.9) 1298 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.3.4) 114 0 R (section.4.1) 138 0 R (section.4.2) 146 0 R (section.4.3) 150 0 R (section.4.4) 154 0 R (section.4.5) 190 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 222 0 R (section.5.1) 238 0 R (section.5.2) 242 0 R (section.6.1) 250 0 R (section.6.2) 278 0 R (section.6.3) 454 0 R (section.7.1) 506 0 R (section.7.2) 510 0 R (section.7.3) 522 0 R (section.8.1) 530 0 R (section.8.2) 538 0 R (section.8.3) 542 0 R (section.A.1) 550 0 R (section.A.2) 558 0 R (section.A.3) 574 0 R (section.A.4) 582 0 R (server_statement_definition_and_usage) 951 0 R (server_statement_grammar) 1021 0 R (statsfile) 936 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.4.1) 118 0 R (subsection.3.4.2) 130 0 R (subsection.4.1.1) 142 0 R (subsection.4.4.1) 158 0 R (subsection.4.4.2) 170 0 R (subsection.4.4.3) 174 0 R (subsection.4.4.4) 178 0 R (subsection.4.4.5) 182 0 R (subsection.4.4.6) 186 0 R (subsection.4.7.1) 202 0 R (subsection.4.7.2) 206 0 R (subsection.4.7.3) 210 0 R (subsection.4.7.4) 214 0 R (subsection.4.7.5) 218 0 R (subsection.4.8.1) 226 0 R (subsection.4.8.2) 230 0 R (subsection.6.1.1) 254 0 R (subsection.6.1.2) 266 0 R (subsection.6.2.1) 282 0 R (subsection.6.2.10) 318 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 406 0 R (subsection.6.2.16) 410 0 R (subsection.6.2.17) 414 0 R (subsection.6.2.18) 418 0 R (subsection.6.2.19) 422 0 R (subsection.6.2.2) 286 0 R (subsection.6.2.20) 426 0 R (subsection.6.2.21) 430 0 R (subsection.6.2.22) 434 0 R (subsection.6.2.3) 290 0 R (subsection.6.2.4) 294 0 R (subsection.6.2.5) 298 0 R (subsection.6.2.6) 302 0 R (subsection.6.2.7) 306 0 R (subsection.6.2.8) 310 0 R (subsection.6.2.9) 314 0 R (subsection.6.3.1) 458 0 R (subsection.6.3.2) 470 0 R (subsection.6.3.3) 474 0 R (subsection.6.3.4) 478 0 R (subsection.6.3.5) 482 0 R (subsection.6.3.6) 498 0 R (subsection.7.2.1) 514 0 R (subsection.7.2.2) 518 0 R (subsection.8.1.1) 534 0 R (subsection.A.1.1) 554 0 R (subsection.A.2.1) 562 0 R (subsection.A.3.1) 578 0 R (subsection.A.4.1) 586 0 R (subsection.A.4.2) 590 0 R (subsection.A.4.3) 594 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.4.1.1) 122 0 R (subsubsection.3.4.1.2) 126 0 R (subsubsection.4.4.1.1) 162 0 R (subsubsection.4.4.1.2) 166 0 R (subsubsection.6.1.1.1) 258 0 R (subsubsection.6.1.1.2) 262 0 R (subsubsection.6.1.2.1) 270 0 R (subsubsection.6.1.2.2) 274 0 R (subsubsection.6.2.10.1) 322 0 R (subsubsection.6.2.10.2) 326 0 R (subsubsection.6.2.14.1) 346 0 R (subsubsection.6.2.14.10) 382 0 R (subsubsection.6.2.14.11) 386 0 R (subsubsection.6.2.14.12) 390 0 R (subsubsection.6.2.14.13) 394 0 R (subsubsection.6.2.14.14) 398 0 R (subsubsection.6.2.14.15) 402 0 R (subsubsection.6.2.14.2) 350 0 R (subsubsection.6.2.14.3) 354 0 R (subsubsection.6.2.14.4) 358 0 R (subsubsection.6.2.14.5) 362 0 R (subsubsection.6.2.14.6) 366 0 R (subsubsection.6.2.14.7) 370 0 R (subsubsection.6.2.14.8) 374 0 R (subsubsection.6.2.14.9) 378 0 R (subsubsection.6.2.22.1) 438 0 R (subsubsection.6.2.22.2) 442 0 R (subsubsection.6.2.22.3) 446 0 R (subsubsection.6.2.22.4) 450 0 R (subsubsection.6.3.1.1) 462 0 R (subsubsection.6.3.1.2) 466 0 R (subsubsection.6.3.5.1) 486 0 R (subsubsection.6.3.5.2) 490 0 R (subsubsection.6.3.5.3) 494 0 R (subsubsection.A.2.1.1) 566 0 R (subsubsection.A.2.1.2) 570 0 R (synthesis) 963 0 R (table.1.1) 629 0 R (table.1.2) 644 0 R (table.3.1) 700 0 R (table.3.2) 738 0 R (table.6.1) 835 0 R (table.6.10) 1093 0 R (table.6.11) 1095 0 R (table.6.12) 1103 0 R (table.6.13) 1106 0 R (table.6.14) 1113 0 R (table.6.15) 1116 0 R (table.6.16) 1119 0 R (table.6.17) 1126 0 R (table.6.18) 1140 0 R (table.6.2) 861 0 R (table.6.3) 869 0 R (table.6.4) 907 0 R (table.6.5) 1003 0 R (table.6.6) 1016 0 R (table.6.7) 1042 0 R (table.6.8) 1081 0 R (table.6.9) 1087 0 R (table.A.1) 1199 0 R (table.A.2) 1201 0 R (table.A.3) 1203 0 R (the_category_phrase) 901 0 R (the_sortlist_statement) 994 0 R (topology) 993 0 R (tsig) 768 0 R (tuning) 1009 0 R (types_of_resource_records_and_when_to_use_them) 651 0 R (zone_statement_grammar) 962 0 R (zone_transfers) 715 0 R]
+1341 0 obj <<
+/Names [(Access_Control_Lists) 1153 0 R (Bv9ARM.ch01) 621 0 R (Bv9ARM.ch02) 675 0 R (Bv9ARM.ch03) 690 0 R (Bv9ARM.ch04) 743 0 R (Bv9ARM.ch05) 810 0 R (Bv9ARM.ch06) 832 0 R (Bv9ARM.ch07) 1152 0 R (Bv9ARM.ch08) 1171 0 R (Bv9ARM.ch09) 1186 0 R (Configuration_File_Grammar) 859 0 R (DNSSEC) 791 0 R (Doc-Start) 602 0 R (Setting_TTLs) 1124 0 R (access_control) 957 0 R (acl) 863 0 R (address_match_lists) 837 0 R (admin_tools) 721 0 R (appendix.A) 546 0 R (bibliography) 1207 0 R (boolean_options) 716 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 134 0 R (chapter.5) 234 0 R (chapter.6) 246 0 R (chapter.7) 502 0 R (chapter.8) 526 0 R (cite.RFC1034) 1217 0 R (cite.RFC1035) 1219 0 R (cite.RFC1101) 1275 0 R (cite.RFC1123) 1277 0 R (cite.RFC1183) 1259 0 R (cite.RFC1464) 1299 0 R (cite.RFC1535) 1251 0 R (cite.RFC1536) 1253 0 R (cite.RFC1537) 1285 0 R (cite.RFC1591) 1279 0 R (cite.RFC1706) 1261 0 R (cite.RFC1712) 1313 0 R (cite.RFC1713) 1301 0 R (cite.RFC1794) 1303 0 R (cite.RFC1876) 1263 0 R (cite.RFC1886) 1243 0 R (cite.RFC1912) 1287 0 R (cite.RFC1982) 1255 0 R (cite.RFC1995) 1224 0 R (cite.RFC1996) 1226 0 R (cite.RFC2010) 1289 0 R (cite.RFC2052) 1265 0 R (cite.RFC2065) 1245 0 R (cite.RFC2136) 1228 0 R (cite.RFC2137) 1247 0 R (cite.RFC2163) 1267 0 R (cite.RFC2168) 1269 0 R (cite.RFC2181) 1230 0 R (cite.RFC2219) 1295 0 R (cite.RFC2230) 1271 0 R (cite.RFC2240) 1305 0 R (cite.RFC2308) 1237 0 R (cite.RFC2317) 1281 0 R (cite.RFC2345) 1307 0 R (cite.RFC2352) 1309 0 R (cite.RFC2845) 1239 0 R (cite.RFC974) 1221 0 R (cite.id2490626) 1318 0 R (classes_of_resource_records) 1107 0 R (configuration_file_elements) 833 0 R (controls_statement_definition_and_usage) 731 0 R (diagnostic_tools) 663 0 R (dynamic_update) 744 0 R (dynamic_update_policies) 784 0 R (dynamic_update_security) 1062 0 R (historical_dns_information) 1193 0 R (id2465419) 622 0 R (id2465445) 623 0 R (id2467342) 692 0 R (id2467355) 693 0 R (id2467446) 698 0 R (id2467463) 699 0 R (id2467500) 627 0 R (id2467509) 628 0 R (id2467684) 643 0 R (id2467827) 645 0 R (id2468120) 646 0 R (id2468145) 647 0 R (id2468229) 650 0 R (id2468304) 657 0 R (id2468394) 660 0 R (id2468416) 661 0 R (id2468435) 662 0 R (id2468464) 668 0 R (id2468496) 669 0 R (id2468521) 670 0 R (id2468553) 676 0 R (id2468578) 677 0 R (id2468588) 678 0 R (id2468602) 679 0 R (id2468611) 685 0 R (id2469406) 710 0 R (id2469480) 711 0 R (id2472260) 736 0 R (id2472272) 737 0 R (id2472636) 753 0 R (id2473131) 770 0 R (id2473147) 771 0 R (id2473181) 772 0 R (id2473197) 773 0 R (id2473206) 779 0 R (id2473245) 780 0 R (id2473298) 781 0 R (id2473410) 783 0 R (id2473424) 789 0 R (id2473541) 790 0 R (id2473594) 796 0 R (id2473662) 797 0 R (id2473701) 798 0 R (id2473811) 803 0 R (id2473933) 804 0 R (id2473958) 805 0 R (id2474082) 809 0 R (id2474096) 816 0 R (id2474128) 821 0 R (id2474266) 834 0 R (id2474888) 842 0 R (id2474915) 843 0 R (id2475002) 848 0 R (id2475154) 849 0 R (id2475182) 850 0 R (id2475258) 860 0 R (id2475577) 862 0 R (id2475619) 868 0 R (id2475756) 870 0 R (id2476012) 879 0 R (id2476027) 880 0 R (id2476050) 881 0 R (id2476071) 882 0 R (id2476134) 885 0 R (id2476396) 890 0 R (id2476449) 891 0 R (id2477209) 906 0 R (id2477622) 908 0 R (id2477694) 913 0 R (id2477757) 915 0 R (id2478544) 926 0 R (id2479636) 955 0 R (id2479878) 967 0 R (id2479962) 968 0 R (id2480570) 980 0 R (id2480740) 986 0 R (id2480809) 987 0 R (id2481079) 1006 0 R (id2481740) 1018 0 R (id2482172) 1025 0 R (id2482289) 1026 0 R (id2482312) 1032 0 R (id2482360) 1033 0 R (id2483543) 1047 0 R (id2483549) 1048 0 R (id2483554) 1049 0 R (id2483924) 1055 0 R (id2483955) 1056 0 R (id2484594) 1083 0 R (id2484852) 1089 0 R (id2484870) 1090 0 R (id2484891) 1093 0 R (id2485031) 1095 0 R (id2485670) 1102 0 R (id2485753) 1105 0 R (id2486019) 1112 0 R (id2486040) 1113 0 R (id2486261) 1115 0 R (id2486376) 1117 0 R (id2486394) 1122 0 R (id2486836) 1125 0 R (id2486941) 1127 0 R (id2486955) 1128 0 R (id2487047) 1134 0 R (id2487066) 1135 0 R (id2487122) 1139 0 R (id2487185) 1140 0 R (id2487216) 1145 0 R (id2487268) 1146 0 R (id2487602) 1164 0 R (id2487677) 1165 0 R (id2487803) 1166 0 R (id2487874) 1172 0 R (id2487879) 1173 0 R (id2487891) 1174 0 R (id2487908) 1175 0 R (id2488038) 1187 0 R (id2488043) 1188 0 R (id2488280) 1194 0 R (id2488296) 1195 0 R (id2488311) 1196 0 R (id2488349) 1197 0 R (id2488661) 1199 0 R (id2488887) 1201 0 R (id2489171) 1213 0 R (id2489173) 1215 0 R (id2489181) 1220 0 R (id2489205) 1216 0 R (id2489228) 1218 0 R (id2489266) 1229 0 R (id2489291) 1236 0 R (id2489317) 1223 0 R (id2489341) 1225 0 R (id2489365) 1227 0 R (id2489420) 1238 0 R (id2489481) 1241 0 R (id2489496) 1242 0 R (id2489534) 1244 0 R (id2489574) 1246 0 R (id2489602) 1249 0 R (id2489610) 1250 0 R (id2489636) 1252 0 R (id2489703) 1254 0 R (id2489739) 1257 0 R (id2489745) 1258 0 R (id2489802) 1260 0 R (id2489840) 1268 0 R (id2489875) 1262 0 R (id2489929) 1264 0 R (id2489969) 1266 0 R (id2489995) 1270 0 R (id2490022) 1273 0 R (id2490029) 1274 0 R (id2490055) 1276 0 R (id2490078) 1278 0 R (id2490168) 1280 0 R (id2490215) 1283 0 R (id2490222) 1284 0 R (id2490248) 1286 0 R (id2490275) 1288 0 R (id2490311) 1294 0 R (id2490350) 1297 0 R (id2490371) 1298 0 R (id2490393) 1300 0 R (id2490418) 1302 0 R (id2490442) 1304 0 R (id2490465) 1306 0 R (id2490510) 1308 0 R (id2490535) 1311 0 R (id2490541) 1312 0 R (id2490614) 1315 0 R (id2490624) 1317 0 R (id2490626) 1319 0 R (incremental_zone_transfers) 750 0 R (internet_drafts) 1314 0 R (ipv6addresses) 811 0 R (journal) 745 0 R (lwresd) 822 0 R (notify) 702 0 R (page.1) 601 0 R (page.10) 697 0 R (page.11) 707 0 R (page.12) 720 0 R (page.13) 728 0 R (page.14) 735 0 R (page.15) 742 0 R (page.16) 749 0 R (page.17) 758 0 R (page.18) 763 0 R (page.19) 767 0 R (page.2) 613 0 R (page.20) 778 0 R (page.21) 788 0 R (page.22) 795 0 R (page.23) 802 0 R (page.24) 815 0 R (page.25) 820 0 R (page.26) 827 0 R (page.27) 831 0 R (page.28) 841 0 R (page.29) 847 0 R (page.3) 620 0 R (page.30) 855 0 R (page.31) 867 0 R (page.32) 878 0 R (page.33) 889 0 R (page.34) 895 0 R (page.35) 899 0 R (page.36) 905 0 R (page.37) 912 0 R (page.38) 920 0 R (page.39) 925 0 R (page.4) 639 0 R (page.40) 933 0 R (page.41) 939 0 R (page.42) 944 0 R (page.43) 954 0 R (page.44) 966 0 R (page.45) 975 0 R (page.46) 979 0 R (page.47) 984 0 R (page.48) 991 0 R (page.49) 998 0 R (page.5) 656 0 R (page.50) 1005 0 R (page.51) 1011 0 R (page.52) 1017 0 R (page.53) 1024 0 R (page.54) 1031 0 R (page.55) 1037 0 R (page.56) 1042 0 R (page.57) 1046 0 R (page.58) 1054 0 R (page.59) 1066 0 R (page.6) 667 0 R (page.60) 1076 0 R (page.61) 1088 0 R (page.62) 1101 0 R (page.63) 1111 0 R (page.64) 1121 0 R (page.65) 1133 0 R (page.66) 1144 0 R (page.67) 1151 0 R (page.68) 1160 0 R (page.69) 1170 0 R (page.7) 674 0 R (page.70) 1181 0 R (page.71) 1185 0 R (page.72) 1192 0 R (page.73) 1206 0 R (page.74) 1235 0 R (page.75) 1293 0 R (page.8) 684 0 R (page.9) 689 0 R (proposed_standards) 754 0 R (rfcs) 652 0 R (rndc) 874 0 R (rrset_ordering) 703 0 R (sample_configuration) 691 0 R (section*.1) 1212 0 R (section*.10) 1310 0 R (section*.11) 1316 0 R (section*.2) 1214 0 R (section*.3) 1222 0 R (section*.4) 1240 0 R (section*.5) 1248 0 R (section*.6) 1256 0 R (section*.7) 1272 0 R (section*.8) 1282 0 R (section*.9) 1296 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.3.4) 114 0 R (section.4.1) 138 0 R (section.4.2) 146 0 R (section.4.3) 150 0 R (section.4.4) 154 0 R (section.4.5) 190 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 222 0 R (section.5.1) 238 0 R (section.5.2) 242 0 R (section.6.1) 250 0 R (section.6.2) 278 0 R (section.6.3) 454 0 R (section.7.1) 506 0 R (section.7.2) 510 0 R (section.7.3) 522 0 R (section.8.1) 530 0 R (section.8.2) 538 0 R (section.8.3) 542 0 R (section.A.1) 550 0 R (section.A.2) 558 0 R (section.A.3) 574 0 R (section.A.4) 582 0 R (server_statement_definition_and_usage) 950 0 R (server_statement_grammar) 1020 0 R (statsfile) 935 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.4.1) 118 0 R (subsection.3.4.2) 130 0 R (subsection.4.1.1) 142 0 R (subsection.4.4.1) 158 0 R (subsection.4.4.2) 170 0 R (subsection.4.4.3) 174 0 R (subsection.4.4.4) 178 0 R (subsection.4.4.5) 182 0 R (subsection.4.4.6) 186 0 R (subsection.4.7.1) 202 0 R (subsection.4.7.2) 206 0 R (subsection.4.7.3) 210 0 R (subsection.4.7.4) 214 0 R (subsection.4.7.5) 218 0 R (subsection.4.8.1) 226 0 R (subsection.4.8.2) 230 0 R (subsection.6.1.1) 254 0 R (subsection.6.1.2) 266 0 R (subsection.6.2.1) 282 0 R (subsection.6.2.10) 318 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 406 0 R (subsection.6.2.16) 410 0 R (subsection.6.2.17) 414 0 R (subsection.6.2.18) 418 0 R (subsection.6.2.19) 422 0 R (subsection.6.2.2) 286 0 R (subsection.6.2.20) 426 0 R (subsection.6.2.21) 430 0 R (subsection.6.2.22) 434 0 R (subsection.6.2.3) 290 0 R (subsection.6.2.4) 294 0 R (subsection.6.2.5) 298 0 R (subsection.6.2.6) 302 0 R (subsection.6.2.7) 306 0 R (subsection.6.2.8) 310 0 R (subsection.6.2.9) 314 0 R (subsection.6.3.1) 458 0 R (subsection.6.3.2) 470 0 R (subsection.6.3.3) 474 0 R (subsection.6.3.4) 478 0 R (subsection.6.3.5) 482 0 R (subsection.6.3.6) 498 0 R (subsection.7.2.1) 514 0 R (subsection.7.2.2) 518 0 R (subsection.8.1.1) 534 0 R (subsection.A.1.1) 554 0 R (subsection.A.2.1) 562 0 R (subsection.A.3.1) 578 0 R (subsection.A.4.1) 586 0 R (subsection.A.4.2) 590 0 R (subsection.A.4.3) 594 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.4.1.1) 122 0 R (subsubsection.3.4.1.2) 126 0 R (subsubsection.4.4.1.1) 162 0 R (subsubsection.4.4.1.2) 166 0 R (subsubsection.6.1.1.1) 258 0 R (subsubsection.6.1.1.2) 262 0 R (subsubsection.6.1.2.1) 270 0 R (subsubsection.6.1.2.2) 274 0 R (subsubsection.6.2.10.1) 322 0 R (subsubsection.6.2.10.2) 326 0 R (subsubsection.6.2.14.1) 346 0 R (subsubsection.6.2.14.10) 382 0 R (subsubsection.6.2.14.11) 386 0 R (subsubsection.6.2.14.12) 390 0 R (subsubsection.6.2.14.13) 394 0 R (subsubsection.6.2.14.14) 398 0 R (subsubsection.6.2.14.15) 402 0 R (subsubsection.6.2.14.2) 350 0 R (subsubsection.6.2.14.3) 354 0 R (subsubsection.6.2.14.4) 358 0 R (subsubsection.6.2.14.5) 362 0 R (subsubsection.6.2.14.6) 366 0 R (subsubsection.6.2.14.7) 370 0 R (subsubsection.6.2.14.8) 374 0 R (subsubsection.6.2.14.9) 378 0 R (subsubsection.6.2.22.1) 438 0 R (subsubsection.6.2.22.2) 442 0 R (subsubsection.6.2.22.3) 446 0 R (subsubsection.6.2.22.4) 450 0 R (subsubsection.6.3.1.1) 462 0 R (subsubsection.6.3.1.2) 466 0 R (subsubsection.6.3.5.1) 486 0 R (subsubsection.6.3.5.2) 490 0 R (subsubsection.6.3.5.3) 494 0 R (subsubsection.A.2.1.1) 566 0 R (subsubsection.A.2.1.2) 570 0 R (synthesis) 962 0 R (table.1.1) 629 0 R (table.1.2) 644 0 R (table.3.1) 700 0 R (table.3.2) 738 0 R (table.6.1) 835 0 R (table.6.10) 1096 0 R (table.6.11) 1103 0 R (table.6.12) 1106 0 R (table.6.13) 1114 0 R (table.6.14) 1116 0 R (table.6.15) 1123 0 R (table.6.16) 1126 0 R (table.6.17) 1129 0 R (table.6.18) 1147 0 R (table.6.2) 861 0 R (table.6.3) 869 0 R (table.6.4) 907 0 R (table.6.5) 1007 0 R (table.6.6) 1019 0 R (table.6.7) 1050 0 R (table.6.8) 1084 0 R (table.6.9) 1094 0 R (table.A.1) 1198 0 R (table.A.2) 1200 0 R (table.A.3) 1202 0 R (the_category_phrase) 901 0 R (the_sortlist_statement) 993 0 R (topology) 992 0 R (tsig) 768 0 R (tuning) 1012 0 R (types_of_resource_records_and_when_to_use_them) 651 0 R (zone_statement_grammar) 961 0 R (zone_transfers) 715 0 R]
 /Limits [(Access_Control_Lists) (zone_transfers)]
 >> endobj
+1342 0 obj <<
+/Kids [1341 0 R]
+>> endobj
+1343 0 obj <<
+/Dests 1342 0 R
+>> endobj
 1344 0 obj <<
-/Kids [1343 0 R]
->> endobj
-1345 0 obj <<
-/Dests 1344 0 R
->> endobj
-1346 0 obj <<
 /Type /Catalog
-/Pages 1341 0 R
-/Outlines 1342 0 R
-/Names 1345 0 R
+/Pages 1339 0 R
+/Outlines 1340 0 R
+/Names 1343 0 R
 /PageMode /UseOutlines 
 /OpenAction 597 0 R
 >> endobj
-1347 0 obj <<
+1345 0 obj <<
 /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20051104121425+11'00')
+/CreationDate (D:20060525180648+10'00')
 /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
 >> endobj
 xref
-0 1348
+0 1346
 0000000001 65535 f 
 0000000002 00000 f 
 0000000003 00000 f 
 0000000004 00000 f 
 0000000000 00000 f 
 0000000009 00000 n 
-0000018998 00000 n 
-0000469478 00000 n 
+0000019003 00000 n 
+0000470190 00000 n 
 0000000054 00000 n 
 0000000086 00000 n 
-0000019122 00000 n 
-0000469406 00000 n 
+0000019127 00000 n 
+0000470118 00000 n 
 0000000133 00000 n 
 0000000173 00000 n 
-0000019247 00000 n 
-0000469320 00000 n 
+0000019252 00000 n 
+0000470032 00000 n 
 0000000221 00000 n 
 0000000273 00000 n 
-0000019372 00000 n 
-0000469234 00000 n 
+0000019377 00000 n 
+0000469946 00000 n 
 0000000321 00000 n 
 0000000377 00000 n 
-0000023742 00000 n 
-0000469124 00000 n 
+0000023747 00000 n 
+0000469836 00000 n 
 0000000425 00000 n 
 0000000478 00000 n 
-0000023866 00000 n 
-0000469050 00000 n 
+0000023871 00000 n 
+0000469762 00000 n 
 0000000531 00000 n 
 0000000572 00000 n 
-0000023991 00000 n 
-0000468963 00000 n 
+0000023996 00000 n 
+0000469675 00000 n 
 0000000625 00000 n 
 0000000674 00000 n 
-0000024116 00000 n 
-0000468876 00000 n 
+0000024121 00000 n 
+0000469588 00000 n 
 0000000727 00000 n 
 0000000757 00000 n 
-0000028264 00000 n 
-0000468752 00000 n 
+0000028269 00000 n 
+0000469464 00000 n 
 0000000810 00000 n 
 0000000861 00000 n 
-0000028389 00000 n 
-0000468678 00000 n 
+0000028394 00000 n 
+0000469390 00000 n 
 0000000919 00000 n 
 0000000964 00000 n 
-0000028514 00000 n 
-0000468591 00000 n 
+0000028519 00000 n 
+0000469303 00000 n 
 0000001022 00000 n 
 0000001062 00000 n 
-0000028639 00000 n 
-0000468517 00000 n 
+0000028644 00000 n 
+0000469229 00000 n 
 0000001120 00000 n 
 0000001162 00000 n 
-0000031548 00000 n 
-0000468393 00000 n 
+0000031553 00000 n 
+0000469105 00000 n 
 0000001215 00000 n 
 0000001260 00000 n 
-0000031673 00000 n 
-0000468332 00000 n 
+0000031678 00000 n 
+0000469044 00000 n 
 0000001318 00000 n 
 0000001355 00000 n 
-0000031798 00000 n 
-0000468258 00000 n 
+0000031803 00000 n 
+0000468970 00000 n 
 0000001408 00000 n 
 0000001463 00000 n 
-0000034238 00000 n 
-0000468133 00000 n 
+0000034243 00000 n 
+0000468845 00000 n 
 0000001509 00000 n 
 0000001556 00000 n 
-0000034363 00000 n 
-0000468059 00000 n 
+0000034368 00000 n 
+0000468771 00000 n 
 0000001604 00000 n 
 0000001648 00000 n 
-0000034488 00000 n 
-0000467972 00000 n 
+0000034493 00000 n 
+0000468684 00000 n 
 0000001696 00000 n 
 0000001735 00000 n 
-0000034613 00000 n 
-0000467885 00000 n 
+0000034618 00000 n 
+0000468597 00000 n 
 0000001783 00000 n 
 0000001825 00000 n 
-0000034738 00000 n 
-0000467798 00000 n 
+0000034743 00000 n 
+0000468510 00000 n 
 0000001873 00000 n 
 0000001935 00000 n 
-0000036058 00000 n 
-0000467724 00000 n 
+0000036063 00000 n 
+0000468436 00000 n 
 0000001983 00000 n 
 0000002033 00000 n 
-0000037699 00000 n 
-0000467596 00000 n 
+0000037704 00000 n 
+0000468308 00000 n 
 0000002079 00000 n 
 0000002124 00000 n 
-0000037823 00000 n 
-0000467483 00000 n 
+0000037828 00000 n 
+0000468195 00000 n 
 0000002172 00000 n 
 0000002216 00000 n 
-0000037948 00000 n 
-0000467407 00000 n 
+0000037953 00000 n 
+0000468119 00000 n 
 0000002269 00000 n 
 0000002320 00000 n 
-0000038073 00000 n 
-0000467330 00000 n 
+0000038078 00000 n 
+0000468042 00000 n 
 0000002374 00000 n 
 0000002432 00000 n 
-0000040771 00000 n 
-0000467239 00000 n 
+0000040776 00000 n 
+0000467951 00000 n 
 0000002481 00000 n 
 0000002519 00000 n 
-0000041023 00000 n 
-0000467147 00000 n 
+0000041028 00000 n 
+0000467859 00000 n 
 0000002568 00000 n 
 0000002598 00000 n 
-0000044643 00000 n 
-0000467030 00000 n 
+0000044648 00000 n 
+0000467742 00000 n 
 0000002647 00000 n 
 0000002692 00000 n 
-0000044769 00000 n 
-0000466912 00000 n 
+0000044774 00000 n 
+0000467624 00000 n 
 0000002746 00000 n 
 0000002812 00000 n 
-0000044895 00000 n 
-0000466833 00000 n 
+0000044900 00000 n 
+0000467545 00000 n 
 0000002871 00000 n 
 0000002915 00000 n 
-0000048005 00000 n 
-0000466754 00000 n 
+0000048013 00000 n 
+0000467466 00000 n 
 0000002974 00000 n 
 0000003022 00000 n 
-0000053787 00000 n 
-0000466675 00000 n 
+0000053795 00000 n 
+0000467387 00000 n 
 0000003076 00000 n 
 0000003109 00000 n 
-0000056613 00000 n 
-0000466543 00000 n 
+0000056621 00000 n 
+0000467255 00000 n 
 0000003156 00000 n 
 0000003195 00000 n 
-0000056739 00000 n 
-0000466425 00000 n 
+0000056747 00000 n 
+0000467137 00000 n 
 0000003244 00000 n 
 0000003282 00000 n 
-0000056865 00000 n 
-0000466360 00000 n 
+0000056873 00000 n 
+0000467072 00000 n 
 0000003336 00000 n 
 0000003378 00000 n 
-0000061182 00000 n 
-0000466267 00000 n 
+0000061190 00000 n 
+0000466979 00000 n 
 0000003427 00000 n 
 0000003486 00000 n 
-0000061308 00000 n 
-0000466174 00000 n 
+0000061316 00000 n 
+0000466886 00000 n 
 0000003535 00000 n 
 0000003568 00000 n 
-0000068031 00000 n 
-0000466042 00000 n 
+0000068045 00000 n 
+0000466754 00000 n 
 0000003617 00000 n 
 0000003645 00000 n 
-0000068157 00000 n 
-0000465924 00000 n 
+0000068171 00000 n 
+0000466636 00000 n 
 0000003699 00000 n 
 0000003768 00000 n 
-0000068283 00000 n 
-0000465845 00000 n 
+0000068297 00000 n 
+0000466557 00000 n 
 0000003827 00000 n 
 0000003875 00000 n 
-0000068409 00000 n 
-0000465766 00000 n 
+0000068423 00000 n 
+0000466478 00000 n 
 0000003934 00000 n 
 0000003979 00000 n 
-0000068535 00000 n 
-0000465673 00000 n 
+0000068549 00000 n 
+0000466385 00000 n 
 0000004033 00000 n 
 0000004101 00000 n 
-0000071633 00000 n 
-0000465580 00000 n 
+0000071653 00000 n 
+0000466292 00000 n 
 0000004155 00000 n 
 0000004225 00000 n 
-0000071759 00000 n 
-0000465487 00000 n 
+0000071779 00000 n 
+0000466199 00000 n 
 0000004279 00000 n 
 0000004342 00000 n 
-0000071885 00000 n 
-0000465394 00000 n 
+0000071905 00000 n 
+0000466106 00000 n 
 0000004396 00000 n 
 0000004451 00000 n 
-0000072010 00000 n 
-0000465315 00000 n 
+0000072030 00000 n 
+0000466027 00000 n 
 0000004505 00000 n 
 0000004537 00000 n 
-0000075630 00000 n 
-0000465222 00000 n 
+0000075659 00000 n 
+0000465934 00000 n 
 0000004586 00000 n 
 0000004614 00000 n 
-0000075756 00000 n 
-0000465129 00000 n 
+0000075785 00000 n 
+0000465841 00000 n 
 0000004663 00000 n 
 0000004695 00000 n 
-0000075882 00000 n 
-0000464997 00000 n 
+0000075911 00000 n 
+0000465709 00000 n 
 0000004744 00000 n 
 0000004774 00000 n 
-0000079103 00000 n 
-0000464918 00000 n 
+0000079132 00000 n 
+0000465630 00000 n 
 0000004828 00000 n 
 0000004869 00000 n 
-0000079229 00000 n 
-0000464825 00000 n 
+0000079258 00000 n 
+0000465537 00000 n 
 0000004923 00000 n 
 0000004966 00000 n 
-0000079354 00000 n 
-0000464732 00000 n 
+0000079383 00000 n 
+0000465444 00000 n 
 0000005020 00000 n 
 0000005072 00000 n 
-0000082978 00000 n 
-0000464639 00000 n 
+0000083007 00000 n 
+0000465351 00000 n 
 0000005126 00000 n 
 0000005168 00000 n 
-0000083104 00000 n 
-0000464560 00000 n 
+0000083133 00000 n 
+0000465272 00000 n 
 0000005222 00000 n 
 0000005267 00000 n 
-0000083229 00000 n 
-0000464442 00000 n 
+0000083258 00000 n 
+0000465154 00000 n 
 0000005316 00000 n 
 0000005362 00000 n 
-0000083355 00000 n 
-0000464363 00000 n 
+0000083384 00000 n 
+0000465075 00000 n 
 0000005416 00000 n 
 0000005476 00000 n 
-0000084563 00000 n 
-0000464284 00000 n 
+0000084592 00000 n 
+0000464996 00000 n 
 0000005530 00000 n 
 0000005599 00000 n 
-0000087032 00000 n 
-0000464151 00000 n 
+0000087048 00000 n 
+0000464863 00000 n 
 0000005646 00000 n 
 0000005699 00000 n 
-0000087158 00000 n 
-0000464072 00000 n 
+0000087174 00000 n 
+0000464784 00000 n 
 0000005748 00000 n 
 0000005804 00000 n 
-0000087284 00000 n 
-0000463993 00000 n 
+0000087300 00000 n 
+0000464705 00000 n 
 0000005853 00000 n 
 0000005902 00000 n 
-0000091657 00000 n 
-0000463860 00000 n 
+0000091673 00000 n 
+0000464572 00000 n 
 0000005949 00000 n 
 0000006001 00000 n 
-0000091783 00000 n 
-0000463742 00000 n 
+0000091799 00000 n 
+0000464454 00000 n 
 0000006050 00000 n 
 0000006101 00000 n 
-0000095635 00000 n 
-0000463624 00000 n 
+0000095651 00000 n 
+0000464336 00000 n 
 0000006155 00000 n 
 0000006200 00000 n 
-0000095761 00000 n 
-0000463545 00000 n 
+0000095777 00000 n 
+0000464257 00000 n 
 0000006259 00000 n 
 0000006293 00000 n 
-0000095887 00000 n 
-0000463466 00000 n 
+0000095903 00000 n 
+0000464178 00000 n 
 0000006352 00000 n 
 0000006400 00000 n 
-0000099020 00000 n 
-0000463348 00000 n 
+0000099039 00000 n 
+0000464060 00000 n 
 0000006454 00000 n 
 0000006494 00000 n 
-0000099146 00000 n 
-0000463269 00000 n 
+0000099165 00000 n 
+0000463981 00000 n 
 0000006553 00000 n 
 0000006587 00000 n 
-0000099272 00000 n 
-0000463190 00000 n 
+0000099291 00000 n 
+0000463902 00000 n 
 0000006646 00000 n 
 0000006694 00000 n 
-0000102880 00000 n 
-0000463057 00000 n 
+0000102899 00000 n 
+0000463769 00000 n 
 0000006743 00000 n 
 0000006793 00000 n 
-0000103132 00000 n 
-0000462978 00000 n 
+0000103151 00000 n 
+0000463690 00000 n 
 0000006847 00000 n 
 0000006894 00000 n 
-0000103258 00000 n 
-0000462885 00000 n 
+0000103277 00000 n 
+0000463597 00000 n 
 0000006948 00000 n 
 0000007008 00000 n 
-0000108205 00000 n 
-0000462792 00000 n 
+0000108258 00000 n 
+0000463504 00000 n 
 0000007062 00000 n 
 0000007114 00000 n 
-0000108331 00000 n 
-0000462699 00000 n 
+0000108384 00000 n 
+0000463411 00000 n 
 0000007168 00000 n 
 0000007233 00000 n 
-0000112055 00000 n 
-0000462606 00000 n 
+0000112085 00000 n 
+0000463318 00000 n 
 0000007287 00000 n 
 0000007338 00000 n 
-0000112181 00000 n 
-0000462513 00000 n 
+0000112211 00000 n 
+0000463225 00000 n 
 0000007392 00000 n 
 0000007456 00000 n 
-0000112307 00000 n 
-0000462420 00000 n 
+0000112337 00000 n 
+0000463132 00000 n 
 0000007510 00000 n 
 0000007557 00000 n 
-0000112433 00000 n 
-0000462327 00000 n 
+0000112463 00000 n 
+0000463039 00000 n 
 0000007611 00000 n 
 0000007671 00000 n 
-0000112558 00000 n 
-0000462234 00000 n 
+0000112588 00000 n 
+0000462946 00000 n 
 0000007725 00000 n 
 0000007776 00000 n 
-0000115774 00000 n 
-0000462102 00000 n 
+0000115804 00000 n 
+0000462814 00000 n 
 0000007831 00000 n 
 0000007896 00000 n 
-0000115900 00000 n 
-0000462023 00000 n 
+0000115930 00000 n 
+0000462735 00000 n 
 0000007956 00000 n 
 0000008003 00000 n 
-0000123038 00000 n 
-0000461944 00000 n 
+0000123068 00000 n 
+0000462656 00000 n 
 0000008063 00000 n 
 0000008111 00000 n 
-0000126305 00000 n 
-0000461851 00000 n 
+0000126335 00000 n 
+0000462563 00000 n 
 0000008166 00000 n 
 0000008216 00000 n 
-0000129128 00000 n 
-0000461758 00000 n 
+0000128977 00000 n 
+0000462470 00000 n 
 0000008271 00000 n 
 0000008334 00000 n 
-0000129254 00000 n 
-0000461665 00000 n 
+0000129103 00000 n 
+0000462377 00000 n 
 0000008389 00000 n 
 0000008441 00000 n 
-0000136008 00000 n 
-0000461532 00000 n 
+0000135857 00000 n 
+0000462244 00000 n 
 0000008496 00000 n 
 0000008561 00000 n 
-0000140220 00000 n 
-0000461453 00000 n 
+0000140073 00000 n 
+0000462165 00000 n 
 0000008621 00000 n 
 0000008665 00000 n 
-0000153653 00000 n 
-0000461360 00000 n 
+0000153503 00000 n 
+0000462072 00000 n 
 0000008725 00000 n 
 0000008764 00000 n 
-0000153779 00000 n 
-0000461267 00000 n 
+0000153629 00000 n 
+0000461979 00000 n 
 0000008824 00000 n 
 0000008867 00000 n 
-0000156641 00000 n 
-0000461174 00000 n 
+0000156495 00000 n 
+0000461886 00000 n 
 0000008927 00000 n 
 0000008966 00000 n 
-0000156767 00000 n 
-0000461081 00000 n 
+0000156621 00000 n 
+0000461793 00000 n 
 0000009026 00000 n 
 0000009068 00000 n 
-0000160396 00000 n 
-0000460988 00000 n 
+0000159839 00000 n 
+0000461700 00000 n 
 0000009128 00000 n 
 0000009171 00000 n 
-0000164915 00000 n 
-0000460895 00000 n 
+0000163908 00000 n 
+0000461607 00000 n 
 0000009231 00000 n 
 0000009292 00000 n 
-0000168113 00000 n 
-0000460802 00000 n 
+0000167785 00000 n 
+0000461514 00000 n 
 0000009352 00000 n 
 0000009403 00000 n 
-0000168238 00000 n 
-0000460709 00000 n 
+0000167911 00000 n 
+0000461421 00000 n 
 0000009463 00000 n 
 0000009515 00000 n 
-0000172554 00000 n 
-0000460616 00000 n 
+0000171063 00000 n 
+0000461328 00000 n 
 0000009576 00000 n 
 0000009614 00000 n 
-0000172680 00000 n 
-0000460523 00000 n 
+0000171189 00000 n 
+0000461235 00000 n 
 0000009675 00000 n 
 0000009727 00000 n 
-0000175563 00000 n 
-0000460430 00000 n 
+0000175146 00000 n 
+0000461142 00000 n 
 0000009788 00000 n 
 0000009832 00000 n 
-0000179364 00000 n 
-0000460337 00000 n 
+0000178795 00000 n 
+0000461049 00000 n 
 0000009893 00000 n 
 0000009947 00000 n 
-0000179491 00000 n 
-0000460244 00000 n 
+0000182353 00000 n 
+0000460956 00000 n 
 0000010008 00000 n 
 0000010044 00000 n 
-0000183281 00000 n 
-0000460165 00000 n 
+0000182482 00000 n 
+0000460877 00000 n 
 0000010105 00000 n 
 0000010154 00000 n 
-0000187133 00000 n 
-0000460072 00000 n 
+0000185549 00000 n 
+0000460784 00000 n 
 0000010209 00000 n 
 0000010260 00000 n 
-0000187261 00000 n 
-0000459979 00000 n 
+0000185678 00000 n 
+0000460691 00000 n 
 0000010315 00000 n 
 0000010379 00000 n 
-0000190855 00000 n 
-0000459886 00000 n 
+0000189860 00000 n 
+0000460598 00000 n 
 0000010434 00000 n 
 0000010491 00000 n 
-0000190983 00000 n 
-0000459793 00000 n 
+0000189989 00000 n 
+0000460505 00000 n 
 0000010546 00000 n 
 0000010616 00000 n 
-0000191112 00000 n 
-0000459700 00000 n 
+0000193335 00000 n 
+0000460412 00000 n 
 0000010671 00000 n 
 0000010720 00000 n 
-0000191241 00000 n 
-0000459607 00000 n 
+0000193464 00000 n 
+0000460319 00000 n 
 0000010775 00000 n 
 0000010837 00000 n 
-0000193859 00000 n 
-0000459514 00000 n 
+0000195060 00000 n 
+0000460226 00000 n 
 0000010892 00000 n 
 0000010941 00000 n 
-0000196461 00000 n 
-0000459396 00000 n 
+0000200321 00000 n 
+0000460108 00000 n 
 0000010996 00000 n 
 0000011058 00000 n 
-0000196590 00000 n 
-0000459317 00000 n 
+0000200450 00000 n 
+0000460029 00000 n 
 0000011118 00000 n 
 0000011157 00000 n 
-0000200732 00000 n 
-0000459224 00000 n 
+0000205261 00000 n 
+0000459936 00000 n 
 0000011217 00000 n 
 0000011251 00000 n 
-0000205667 00000 n 
-0000459131 00000 n 
+0000205390 00000 n 
+0000459843 00000 n 
 0000011311 00000 n 
 0000011352 00000 n 
-0000211112 00000 n 
-0000459052 00000 n 
+0000214536 00000 n 
+0000459764 00000 n 
 0000011412 00000 n 
 0000011464 00000 n 
-0000215071 00000 n 
-0000458934 00000 n 
+0000218610 00000 n 
+0000459646 00000 n 
 0000011513 00000 n 
 0000011546 00000 n 
-0000215200 00000 n 
-0000458816 00000 n 
+0000218739 00000 n 
+0000459528 00000 n 
 0000011600 00000 n 
 0000011672 00000 n 
-0000215328 00000 n 
-0000458737 00000 n 
+0000218867 00000 n 
+0000459449 00000 n 
 0000011731 00000 n 
 0000011775 00000 n 
-0000223341 00000 n 
-0000458658 00000 n 
+0000226631 00000 n 
+0000459370 00000 n 
 0000011834 00000 n 
 0000011887 00000 n 
-0000226946 00000 n 
-0000458565 00000 n 
+0000227020 00000 n 
+0000459277 00000 n 
 0000011941 00000 n 
 0000011991 00000 n 
-0000227204 00000 n 
-0000458472 00000 n 
+0000230554 00000 n 
+0000459184 00000 n 
 0000012045 00000 n 
 0000012083 00000 n 
-0000230627 00000 n 
-0000458379 00000 n 
+0000230813 00000 n 
+0000459091 00000 n 
 0000012137 00000 n 
 0000012186 00000 n 
-0000230886 00000 n 
-0000458247 00000 n 
+0000233795 00000 n 
+0000458959 00000 n 
 0000012240 00000 n 
 0000012292 00000 n 
-0000231015 00000 n 
-0000458168 00000 n 
+0000233924 00000 n 
+0000458880 00000 n 
 0000012351 00000 n 
 0000012403 00000 n 
-0000233801 00000 n 
-0000458075 00000 n 
+0000234053 00000 n 
+0000458787 00000 n 
 0000012462 00000 n 
 0000012515 00000 n 
-0000233930 00000 n 
-0000457996 00000 n 
+0000234181 00000 n 
+0000458708 00000 n 
 0000012574 00000 n 
 0000012623 00000 n 
-0000234059 00000 n 
-0000457917 00000 n 
+0000237343 00000 n 
+0000458629 00000 n 
 0000012677 00000 n 
 0000012757 00000 n 
-0000239373 00000 n 
-0000457784 00000 n 
+0000240006 00000 n 
+0000458496 00000 n 
 0000012804 00000 n 
 0000012856 00000 n 
-0000239502 00000 n 
-0000457705 00000 n 
+0000240135 00000 n 
+0000458417 00000 n 
 0000012905 00000 n 
 0000012949 00000 n 
-0000243225 00000 n 
-0000457573 00000 n 
+0000243859 00000 n 
+0000458285 00000 n 
 0000012998 00000 n 
 0000013060 00000 n 
-0000243354 00000 n 
-0000457494 00000 n 
+0000243988 00000 n 
+0000458206 00000 n 
 0000013114 00000 n 
 0000013162 00000 n 
-0000243483 00000 n 
-0000457415 00000 n 
+0000244117 00000 n 
+0000458127 00000 n 
 0000013216 00000 n 
 0000013267 00000 n 
-0000243612 00000 n 
-0000457336 00000 n 
+0000244246 00000 n 
+0000458048 00000 n 
 0000013316 00000 n 
 0000013363 00000 n 
-0000246543 00000 n 
-0000457203 00000 n 
+0000247177 00000 n 
+0000457915 00000 n 
 0000013410 00000 n 
 0000013447 00000 n 
-0000246672 00000 n 
-0000457085 00000 n 
+0000247306 00000 n 
+0000457797 00000 n 
 0000013496 00000 n 
 0000013535 00000 n 
-0000246801 00000 n 
-0000457020 00000 n 
+0000247435 00000 n 
+0000457732 00000 n 
 0000013589 00000 n 
 0000013667 00000 n 
-0000246930 00000 n 
-0000456927 00000 n 
+0000247564 00000 n 
+0000457639 00000 n 
 0000013716 00000 n 
 0000013783 00000 n 
-0000247059 00000 n 
-0000456848 00000 n 
+0000247693 00000 n 
+0000457560 00000 n 
 0000013832 00000 n 
 0000013877 00000 n 
-0000250565 00000 n 
-0000456729 00000 n 
+0000251178 00000 n 
+0000457441 00000 n 
 0000013925 00000 n 
 0000013957 00000 n 
-0000250694 00000 n 
-0000456611 00000 n 
+0000251307 00000 n 
+0000457323 00000 n 
 0000014006 00000 n 
 0000014046 00000 n 
-0000250823 00000 n 
-0000456546 00000 n 
+0000251436 00000 n 
+0000457258 00000 n 
 0000014100 00000 n 
 0000014161 00000 n 
-0000253989 00000 n 
-0000456414 00000 n 
+0000254602 00000 n 
+0000457126 00000 n 
 0000014210 00000 n 
 0000014260 00000 n 
-0000254118 00000 n 
-0000456310 00000 n 
+0000254731 00000 n 
+0000457022 00000 n 
 0000014314 00000 n 
 0000014367 00000 n 
-0000254247 00000 n 
-0000456231 00000 n 
+0000254860 00000 n 
+0000456943 00000 n 
 0000014426 00000 n 
 0000014465 00000 n 
-0000254376 00000 n 
-0000456152 00000 n 
+0000254989 00000 n 
+0000456864 00000 n 
 0000014524 00000 n 
 0000014562 00000 n 
-0000254505 00000 n 
-0000456020 00000 n 
+0000255118 00000 n 
+0000456732 00000 n 
 0000014611 00000 n 
 0000014668 00000 n 
-0000254634 00000 n 
-0000455955 00000 n 
+0000255247 00000 n 
+0000456667 00000 n 
 0000014722 00000 n 
 0000014769 00000 n 
-0000259148 00000 n 
-0000455837 00000 n 
+0000259761 00000 n 
+0000456549 00000 n 
 0000014818 00000 n 
 0000014880 00000 n 
-0000259277 00000 n 
-0000455758 00000 n 
+0000259890 00000 n 
+0000456470 00000 n 
 0000014934 00000 n 
 0000014989 00000 n 
-0000271042 00000 n 
-0000455665 00000 n 
+0000271542 00000 n 
+0000456377 00000 n 
 0000015043 00000 n 
 0000015084 00000 n 
-0000271171 00000 n 
-0000455586 00000 n 
+0000271671 00000 n 
+0000456298 00000 n 
 0000015138 00000 n 
 0000015190 00000 n 
-0000015544 00000 n 
-0000015792 00000 n 
+0000015543 00000 n 
+0000015791 00000 n 
 0000015243 00000 n 
-0000015666 00000 n 
-0000015729 00000 n 
-0000452565 00000 n 
-0000427733 00000 n 
-0000452391 00000 n 
-0000426668 00000 n 
-0000400631 00000 n 
-0000426494 00000 n 
-0000453563 00000 n 
-0000016444 00000 n 
-0000016259 00000 n 
-0000015877 00000 n 
-0000016381 00000 n 
-0000399946 00000 n 
-0000397802 00000 n 
-0000399782 00000 n 
-0000019623 00000 n 
-0000018813 00000 n 
-0000016529 00000 n 
-0000018935 00000 n 
-0000019059 00000 n 
-0000019184 00000 n 
-0000019309 00000 n 
-0000396948 00000 n 
-0000376590 00000 n 
-0000396774 00000 n 
-0000019434 00000 n 
-0000019497 00000 n 
-0000019560 00000 n 
-0000375661 00000 n 
-0000356333 00000 n 
-0000375488 00000 n 
-0000355590 00000 n 
-0000338866 00000 n 
-0000355417 00000 n 
-0000024241 00000 n 
-0000023059 00000 n 
-0000019747 00000 n 
-0000023553 00000 n 
-0000338331 00000 n 
-0000321414 00000 n 
-0000338147 00000 n 
-0000023616 00000 n 
-0000023679 00000 n 
-0000023803 00000 n 
-0000023928 00000 n 
-0000024053 00000 n 
-0000023209 00000 n 
-0000023402 00000 n 
-0000024178 00000 n 
-0000215264 00000 n 
-0000259341 00000 n 
-0000028764 00000 n 
-0000027729 00000 n 
-0000024365 00000 n 
-0000028201 00000 n 
-0000028326 00000 n 
-0000027879 00000 n 
-0000028041 00000 n 
-0000028451 00000 n 
-0000028576 00000 n 
-0000028701 00000 n 
-0000044958 00000 n 
-0000031922 00000 n 
-0000031363 00000 n 
-0000028888 00000 n 
-0000031485 00000 n 
-0000031610 00000 n 
-0000031735 00000 n 
-0000031859 00000 n 
-0000034863 00000 n 
-0000034053 00000 n 
-0000032033 00000 n 
-0000034175 00000 n 
-0000034300 00000 n 
-0000034425 00000 n 
-0000034550 00000 n 
-0000034675 00000 n 
-0000034800 00000 n 
-0000453681 00000 n 
-0000036183 00000 n 
-0000035873 00000 n 
-0000034948 00000 n 
-0000035995 00000 n 
-0000036120 00000 n 
-0000038199 00000 n 
-0000037514 00000 n 
-0000036294 00000 n 
-0000037636 00000 n 
-0000037761 00000 n 
-0000037885 00000 n 
-0000038010 00000 n 
-0000038136 00000 n 
-0000041149 00000 n 
-0000040406 00000 n 
-0000038297 00000 n 
-0000040708 00000 n 
-0000040834 00000 n 
-0000040897 00000 n 
-0000040960 00000 n 
-0000040548 00000 n 
-0000041086 00000 n 
-0000175626 00000 n 
-0000045021 00000 n 
-0000044109 00000 n 
-0000041260 00000 n 
-0000044580 00000 n 
-0000044259 00000 n 
-0000044418 00000 n 
-0000044706 00000 n 
-0000044832 00000 n 
-0000320926 00000 n 
-0000311976 00000 n 
-0000320749 00000 n 
-0000160459 00000 n 
-0000140283 00000 n 
-0000048131 00000 n 
-0000047820 00000 n 
-0000045145 00000 n 
-0000047942 00000 n 
-0000048068 00000 n 
-0000311628 00000 n 
-0000304057 00000 n 
-0000311451 00000 n 
-0000052175 00000 n 
-0000051785 00000 n 
-0000048281 00000 n 
-0000052112 00000 n 
-0000051927 00000 n 
-0000453799 00000 n 
-0000108394 00000 n 
-0000054039 00000 n 
-0000053602 00000 n 
-0000052299 00000 n 
-0000053724 00000 n 
-0000053850 00000 n 
-0000053913 00000 n 
-0000053976 00000 n 
-0000056990 00000 n 
-0000056428 00000 n 
-0000054150 00000 n 
-0000056550 00000 n 
-0000056676 00000 n 
-0000056802 00000 n 
-0000056927 00000 n 
-0000061434 00000 n 
-0000060640 00000 n 
-0000057101 00000 n 
-0000061119 00000 n 
-0000061245 00000 n 
-0000060790 00000 n 
-0000060955 00000 n 
-0000061371 00000 n 
-0000260119 00000 n 
-0000063928 00000 n 
-0000063557 00000 n 
-0000061558 00000 n 
-0000063865 00000 n 
-0000063699 00000 n 
-0000065152 00000 n 
-0000064967 00000 n 
-0000064052 00000 n 
-0000065089 00000 n 
-0000068660 00000 n 
-0000067662 00000 n 
-0000065250 00000 n 
-0000067968 00000 n 
-0000068094 00000 n 
-0000067804 00000 n 
-0000068220 00000 n 
-0000068346 00000 n 
-0000068472 00000 n 
-0000068598 00000 n 
-0000453917 00000 n 
-0000072135 00000 n 
-0000071258 00000 n 
-0000068797 00000 n 
-0000071570 00000 n 
-0000071696 00000 n 
-0000071822 00000 n 
-0000071948 00000 n 
-0000071400 00000 n 
-0000072072 00000 n 
-0000211176 00000 n 
-0000076008 00000 n 
-0000075445 00000 n 
-0000072272 00000 n 
-0000075567 00000 n 
-0000075693 00000 n 
-0000075819 00000 n 
-0000075945 00000 n 
-0000079479 00000 n 
-0000078918 00000 n 
-0000076132 00000 n 
-0000079040 00000 n 
-0000079166 00000 n 
-0000079292 00000 n 
-0000079416 00000 n 
-0000083481 00000 n 
-0000082284 00000 n 
-0000079603 00000 n 
-0000082915 00000 n 
-0000083041 00000 n 
-0000083167 00000 n 
-0000083292 00000 n 
-0000082442 00000 n 
-0000082599 00000 n 
-0000082756 00000 n 
-0000083418 00000 n 
-0000087095 00000 n 
-0000254698 00000 n 
-0000084689 00000 n 
-0000084378 00000 n 
-0000083605 00000 n 
-0000084500 00000 n 
-0000084626 00000 n 
-0000087410 00000 n 
-0000086847 00000 n 
-0000084800 00000 n 
-0000086969 00000 n 
-0000087221 00000 n 
-0000087347 00000 n 
-0000454035 00000 n 
-0000087842 00000 n 
-0000087657 00000 n 
-0000087508 00000 n 
-0000087779 00000 n 
-0000092034 00000 n 
-0000091286 00000 n 
-0000087883 00000 n 
-0000091594 00000 n 
-0000091720 00000 n 
-0000091845 00000 n 
-0000091908 00000 n 
-0000091971 00000 n 
-0000091428 00000 n 
-0000095698 00000 n 
-0000096013 00000 n 
-0000095450 00000 n 
-0000092132 00000 n 
-0000095572 00000 n 
-0000095824 00000 n 
-0000095950 00000 n 
-0000099397 00000 n 
-0000098835 00000 n 
-0000096150 00000 n 
-0000098957 00000 n 
-0000099083 00000 n 
-0000099209 00000 n 
-0000099335 00000 n 
-0000101892 00000 n 
-0000103383 00000 n 
-0000101770 00000 n 
-0000099508 00000 n 
-0000102817 00000 n 
-0000303232 00000 n 
-0000294339 00000 n 
-0000303060 00000 n 
-0000102943 00000 n 
-0000103006 00000 n 
-0000103069 00000 n 
-0000103195 00000 n 
-0000103321 00000 n 
-0000108457 00000 n 
-0000107557 00000 n 
-0000103535 00000 n 
-0000108016 00000 n 
-0000108079 00000 n 
-0000108142 00000 n 
-0000108268 00000 n 
-0000107707 00000 n 
-0000107858 00000 n 
-0000454153 00000 n 
-0000271685 00000 n 
-0000112684 00000 n 
-0000111507 00000 n 
-0000108581 00000 n 
-0000111992 00000 n 
-0000112118 00000 n 
-0000112244 00000 n 
-0000112370 00000 n 
-0000112495 00000 n 
-0000111657 00000 n 
-0000111808 00000 n 
-0000112621 00000 n 
-0000116026 00000 n 
-0000115589 00000 n 
-0000112821 00000 n 
-0000115711 00000 n 
-0000115837 00000 n 
-0000115963 00000 n 
-0000120321 00000 n 
-0000120136 00000 n 
-0000116150 00000 n 
-0000120258 00000 n 
-0000123162 00000 n 
-0000122667 00000 n 
-0000120432 00000 n 
-0000122975 00000 n 
-0000122809 00000 n 
-0000123100 00000 n 
-0000126431 00000 n 
-0000125994 00000 n 
-0000123273 00000 n 
-0000126116 00000 n 
-0000126179 00000 n 
-0000126242 00000 n 
-0000126368 00000 n 
-0000129379 00000 n 
-0000128611 00000 n 
-0000126542 00000 n 
-0000129065 00000 n 
-0000129191 00000 n 
-0000128761 00000 n 
-0000128913 00000 n 
-0000129317 00000 n 
-0000454271 00000 n 
-0000130921 00000 n 
-0000130736 00000 n 
-0000129490 00000 n 
-0000130858 00000 n 
-0000134309 00000 n 
-0000136134 00000 n 
-0000134187 00000 n 
-0000131019 00000 n 
-0000135945 00000 n 
-0000136071 00000 n 
-0000135777 00000 n 
-0000135834 00000 n 
-0000135923 00000 n 
-0000140345 00000 n 
-0000139859 00000 n 
-0000136299 00000 n 
-0000140157 00000 n 
-0000140001 00000 n 
-0000183345 00000 n 
-0000144214 00000 n 
-0000143856 00000 n 
-0000140469 00000 n 
-0000144151 00000 n 
-0000143998 00000 n 
-0000149233 00000 n 
-0000148116 00000 n 
-0000144338 00000 n 
-0000149170 00000 n 
-0000148290 00000 n 
-0000148446 00000 n 
-0000148630 00000 n 
-0000148803 00000 n 
-0000148986 00000 n 
-0000187325 00000 n 
-0000153905 00000 n 
-0000152946 00000 n 
-0000149424 00000 n 
-0000153590 00000 n 
-0000153716 00000 n 
-0000153104 00000 n 
-0000153842 00000 n 
-0000153272 00000 n 
-0000153435 00000 n 
-0000454389 00000 n 
-0000193923 00000 n 
-0000179428 00000 n 
-0000156893 00000 n 
-0000156456 00000 n 
-0000154029 00000 n 
-0000156578 00000 n 
-0000156704 00000 n 
-0000156830 00000 n 
-0000293795 00000 n 
-0000285492 00000 n 
-0000293622 00000 n 
-0000160522 00000 n 
-0000160211 00000 n 
-0000157058 00000 n 
-0000160333 00000 n 
-0000165041 00000 n 
-0000164537 00000 n 
-0000160674 00000 n 
-0000164852 00000 n 
-0000164978 00000 n 
-0000164679 00000 n 
-0000168363 00000 n 
-0000167928 00000 n 
-0000165152 00000 n 
-0000168050 00000 n 
-0000168176 00000 n 
-0000168301 00000 n 
-0000172805 00000 n 
-0000172026 00000 n 
-0000168515 00000 n 
-0000172491 00000 n 
-0000172617 00000 n 
-0000172742 00000 n 
-0000172176 00000 n 
-0000172337 00000 n 
-0000175817 00000 n 
-0000175186 00000 n 
-0000172970 00000 n 
-0000175499 00000 n 
-0000175330 00000 n 
-0000175689 00000 n 
-0000175753 00000 n 
-0000454507 00000 n 
-0000179620 00000 n 
-0000179173 00000 n 
-0000175928 00000 n 
-0000179299 00000 n 
-0000179555 00000 n 
-0000183539 00000 n 
-0000182908 00000 n 
-0000179812 00000 n 
-0000183216 00000 n 
-0000183055 00000 n 
-0000183409 00000 n 
-0000183474 00000 n 
-0000187388 00000 n 
-0000186942 00000 n 
-0000183705 00000 n 
-0000187068 00000 n 
-0000187196 00000 n 
-0000191370 00000 n 
-0000190490 00000 n 
-0000187500 00000 n 
-0000190790 00000 n 
-0000190919 00000 n 
-0000191047 00000 n 
-0000190637 00000 n 
-0000191176 00000 n 
-0000191305 00000 n 
-0000193987 00000 n 
-0000193668 00000 n 
-0000191482 00000 n 
-0000193794 00000 n 
-0000196849 00000 n 
-0000196270 00000 n 
-0000194099 00000 n 
-0000196396 00000 n 
-0000196525 00000 n 
-0000196654 00000 n 
-0000196719 00000 n 
-0000196784 00000 n 
-0000454631 00000 n 
-0000200861 00000 n 
-0000200541 00000 n 
-0000196961 00000 n 
-0000200667 00000 n 
-0000200796 00000 n 
-0000205795 00000 n 
-0000204420 00000 n 
-0000200973 00000 n 
-0000205602 00000 n 
-0000205731 00000 n 
-0000204612 00000 n 
-0000204774 00000 n 
-0000204936 00000 n 
-0000205097 00000 n 
-0000205268 00000 n 
-0000205439 00000 n 
-0000243675 00000 n 
-0000211240 00000 n 
-0000209048 00000 n 
-0000205920 00000 n 
-0000211047 00000 n 
-0000209285 00000 n 
-0000209447 00000 n 
-0000209609 00000 n 
-0000209771 00000 n 
-0000209933 00000 n 
-0000210095 00000 n 
-0000210248 00000 n 
-0000210410 00000 n 
-0000210570 00000 n 
-0000210732 00000 n 
-0000210894 00000 n 
-0000215587 00000 n 
-0000214391 00000 n 
-0000211365 00000 n 
-0000214876 00000 n 
-0000214941 00000 n 
-0000215006 00000 n 
-0000215135 00000 n 
-0000215392 00000 n 
-0000214547 00000 n 
-0000214716 00000 n 
-0000215457 00000 n 
-0000215522 00000 n 
-0000219480 00000 n 
-0000218836 00000 n 
-0000215699 00000 n 
-0000219155 00000 n 
-0000219220 00000 n 
-0000219285 00000 n 
-0000219350 00000 n 
-0000219415 00000 n 
-0000218983 00000 n 
-0000254182 00000 n 
-0000223600 00000 n 
-0000223020 00000 n 
-0000219579 00000 n 
-0000223146 00000 n 
-0000223211 00000 n 
-0000223276 00000 n 
-0000223405 00000 n 
-0000223470 00000 n 
-0000223535 00000 n 
-0000454756 00000 n 
-0000227461 00000 n 
-0000226625 00000 n 
-0000223725 00000 n 
-0000226751 00000 n 
-0000226816 00000 n 
-0000226881 00000 n 
-0000227009 00000 n 
-0000227074 00000 n 
-0000227139 00000 n 
-0000227268 00000 n 
-0000227333 00000 n 
-0000227397 00000 n 
-0000231144 00000 n 
-0000230436 00000 n 
-0000227586 00000 n 
-0000230562 00000 n 
-0000230691 00000 n 
-0000230756 00000 n 
-0000230821 00000 n 
-0000230950 00000 n 
-0000231079 00000 n 
-0000285137 00000 n 
-0000283140 00000 n 
-0000284972 00000 n 
-0000234318 00000 n 
-0000233610 00000 n 
-0000231350 00000 n 
-0000233736 00000 n 
-0000233865 00000 n 
-0000233994 00000 n 
-0000234123 00000 n 
-0000234188 00000 n 
-0000234253 00000 n 
-0000236609 00000 n 
-0000236418 00000 n 
-0000234497 00000 n 
-0000236544 00000 n 
-0000237062 00000 n 
-0000236871 00000 n 
-0000236721 00000 n 
-0000236997 00000 n 
-0000239631 00000 n 
-0000238722 00000 n 
-0000237104 00000 n 
-0000239308 00000 n 
-0000239437 00000 n 
-0000239566 00000 n 
-0000238878 00000 n 
-0000239093 00000 n 
-0000454881 00000 n 
-0000243740 00000 n 
-0000243034 00000 n 
-0000239757 00000 n 
-0000243160 00000 n 
-0000282819 00000 n 
-0000273606 00000 n 
-0000282633 00000 n 
-0000243289 00000 n 
-0000243418 00000 n 
-0000243547 00000 n 
-0000247187 00000 n 
-0000245961 00000 n 
-0000243905 00000 n 
-0000246478 00000 n 
-0000246607 00000 n 
-0000246736 00000 n 
-0000246865 00000 n 
-0000246994 00000 n 
-0000247123 00000 n 
-0000246117 00000 n 
-0000246289 00000 n 
-0000247641 00000 n 
-0000247450 00000 n 
-0000247300 00000 n 
-0000247576 00000 n 
-0000250952 00000 n 
-0000250374 00000 n 
-0000247683 00000 n 
-0000250500 00000 n 
-0000250629 00000 n 
-0000250758 00000 n 
-0000250887 00000 n 
-0000255150 00000 n 
-0000253798 00000 n 
-0000251038 00000 n 
-0000253924 00000 n 
-0000254053 00000 n 
-0000254311 00000 n 
-0000254440 00000 n 
-0000254569 00000 n 
-0000254762 00000 n 
-0000254827 00000 n 
-0000254892 00000 n 
-0000254957 00000 n 
-0000255022 00000 n 
-0000255086 00000 n 
-0000260701 00000 n 
-0000258202 00000 n 
-0000255276 00000 n 
-0000259083 00000 n 
-0000259212 00000 n 
-0000258376 00000 n 
-0000258555 00000 n 
-0000258732 00000 n 
-0000258907 00000 n 
-0000259405 00000 n 
-0000259470 00000 n 
-0000259535 00000 n 
-0000259600 00000 n 
-0000259665 00000 n 
-0000259730 00000 n 
-0000259795 00000 n 
-0000259859 00000 n 
-0000259924 00000 n 
-0000259989 00000 n 
-0000260054 00000 n 
-0000260183 00000 n 
-0000260248 00000 n 
-0000260313 00000 n 
-0000260378 00000 n 
-0000260443 00000 n 
-0000260508 00000 n 
-0000260573 00000 n 
-0000260637 00000 n 
-0000455006 00000 n 
-0000267271 00000 n 
-0000263643 00000 n 
-0000260853 00000 n 
-0000263769 00000 n 
-0000263834 00000 n 
-0000263899 00000 n 
-0000263964 00000 n 
-0000264029 00000 n 
-0000264094 00000 n 
-0000264159 00000 n 
-0000264224 00000 n 
-0000264289 00000 n 
-0000264354 00000 n 
-0000264419 00000 n 
-0000264484 00000 n 
-0000264549 00000 n 
-0000264614 00000 n 
-0000264679 00000 n 
-0000264744 00000 n 
-0000264809 00000 n 
-0000264874 00000 n 
-0000264938 00000 n 
-0000265003 00000 n 
-0000265068 00000 n 
-0000265133 00000 n 
-0000265198 00000 n 
-0000265263 00000 n 
-0000265328 00000 n 
-0000265393 00000 n 
-0000265458 00000 n 
-0000265523 00000 n 
-0000265588 00000 n 
-0000265653 00000 n 
-0000265718 00000 n 
-0000265781 00000 n 
-0000265846 00000 n 
-0000265910 00000 n 
-0000265975 00000 n 
-0000266040 00000 n 
-0000266105 00000 n 
-0000266170 00000 n 
-0000266235 00000 n 
-0000266300 00000 n 
-0000266365 00000 n 
-0000266429 00000 n 
-0000266494 00000 n 
-0000266559 00000 n 
-0000266624 00000 n 
-0000266689 00000 n 
-0000266754 00000 n 
-0000266819 00000 n 
-0000266884 00000 n 
-0000266949 00000 n 
-0000267014 00000 n 
-0000267079 00000 n 
-0000267143 00000 n 
-0000267207 00000 n 
-0000271560 00000 n 
-0000269425 00000 n 
-0000267383 00000 n 
-0000269551 00000 n 
-0000269616 00000 n 
-0000269681 00000 n 
-0000269746 00000 n 
-0000269811 00000 n 
-0000269876 00000 n 
-0000269941 00000 n 
-0000270006 00000 n 
-0000270071 00000 n 
-0000270136 00000 n 
-0000270200 00000 n 
-0000270265 00000 n 
-0000270328 00000 n 
-0000270392 00000 n 
-0000270457 00000 n 
-0000270522 00000 n 
-0000270587 00000 n 
-0000270652 00000 n 
-0000270717 00000 n 
-0000270782 00000 n 
-0000270847 00000 n 
-0000270912 00000 n 
-0000270977 00000 n 
-0000271106 00000 n 
-0000271235 00000 n 
-0000271300 00000 n 
-0000271365 00000 n 
-0000271430 00000 n 
-0000271495 00000 n 
-0000271717 00000 n 
-0000283061 00000 n 
-0000285384 00000 n 
-0000285353 00000 n 
-0000294080 00000 n 
-0000303634 00000 n 
-0000311871 00000 n 
-0000321189 00000 n 
-0000338671 00000 n 
-0000356010 00000 n 
-0000376215 00000 n 
-0000397352 00000 n 
-0000400433 00000 n 
-0000400203 00000 n 
-0000427236 00000 n 
-0000453079 00000 n 
-0000455104 00000 n 
-0000455224 00000 n 
-0000455348 00000 n 
-0000455428 00000 n 
-0000455510 00000 n 
-0000469588 00000 n 
-0000481635 00000 n 
-0000481676 00000 n 
-0000481716 00000 n 
-0000481850 00000 n 
+0000015665 00000 n 
+0000015728 00000 n 
+0000453277 00000 n 
+0000428445 00000 n 
+0000453103 00000 n 
+0000427380 00000 n 
+0000401343 00000 n 
+0000427206 00000 n 
+0000454275 00000 n 
+0000016449 00000 n 
+0000016264 00000 n 
+0000015876 00000 n 
+0000016386 00000 n 
+0000400658 00000 n 
+0000398513 00000 n 
+0000400494 00000 n 
+0000019628 00000 n 
+0000018818 00000 n 
+0000016534 00000 n 
+0000018940 00000 n 
+0000019064 00000 n 
+0000019189 00000 n 
+0000019314 00000 n 
+0000397659 00000 n 
+0000377301 00000 n 
+0000397485 00000 n 
+0000019439 00000 n 
+0000019502 00000 n 
+0000019565 00000 n 
+0000376372 00000 n 
+0000357044 00000 n 
+0000376199 00000 n 
+0000356301 00000 n 
+0000339577 00000 n 
+0000356128 00000 n 
+0000024246 00000 n 
+0000023064 00000 n 
+0000019752 00000 n 
+0000023558 00000 n 
+0000339042 00000 n 
+0000322125 00000 n 
+0000338858 00000 n 
+0000023621 00000 n 
+0000023684 00000 n 
+0000023808 00000 n 
+0000023933 00000 n 
+0000024058 00000 n 
+0000023214 00000 n 
+0000023407 00000 n 
+0000024183 00000 n 
+0000218803 00000 n 
+0000259954 00000 n 
+0000028769 00000 n 
+0000027734 00000 n 
+0000024370 00000 n 
+0000028206 00000 n 
+0000028331 00000 n 
+0000027884 00000 n 
+0000028046 00000 n 
+0000028456 00000 n 
+0000028581 00000 n 
+0000028706 00000 n 
+0000044963 00000 n 
+0000031927 00000 n 
+0000031368 00000 n 
+0000028893 00000 n 
+0000031490 00000 n 
+0000031615 00000 n 
+0000031740 00000 n 
+0000031864 00000 n 
+0000034868 00000 n 
+0000034058 00000 n 
+0000032038 00000 n 
+0000034180 00000 n 
+0000034305 00000 n 
+0000034430 00000 n 
+0000034555 00000 n 
+0000034680 00000 n 
+0000034805 00000 n 
+0000454393 00000 n 
+0000036188 00000 n 
+0000035878 00000 n 
+0000034953 00000 n 
+0000036000 00000 n 
+0000036125 00000 n 
+0000038204 00000 n 
+0000037519 00000 n 
+0000036299 00000 n 
+0000037641 00000 n 
+0000037766 00000 n 
+0000037890 00000 n 
+0000038015 00000 n 
+0000038141 00000 n 
+0000041154 00000 n 
+0000040411 00000 n 
+0000038302 00000 n 
+0000040713 00000 n 
+0000040839 00000 n 
+0000040902 00000 n 
+0000040965 00000 n 
+0000040553 00000 n 
+0000041091 00000 n 
+0000175209 00000 n 
+0000045026 00000 n 
+0000044114 00000 n 
+0000041265 00000 n 
+0000044585 00000 n 
+0000044264 00000 n 
+0000044423 00000 n 
+0000044711 00000 n 
+0000044837 00000 n 
+0000321637 00000 n 
+0000312687 00000 n 
+0000321460 00000 n 
+0000159902 00000 n 
+0000140136 00000 n 
+0000048139 00000 n 
+0000047828 00000 n 
+0000045150 00000 n 
+0000047950 00000 n 
+0000048076 00000 n 
+0000312339 00000 n 
+0000304768 00000 n 
+0000312162 00000 n 
+0000052183 00000 n 
+0000051793 00000 n 
+0000048289 00000 n 
+0000052120 00000 n 
+0000051935 00000 n 
+0000454511 00000 n 
+0000108447 00000 n 
+0000054047 00000 n 
+0000053610 00000 n 
+0000052307 00000 n 
+0000053732 00000 n 
+0000053858 00000 n 
+0000053921 00000 n 
+0000053984 00000 n 
+0000056998 00000 n 
+0000056436 00000 n 
+0000054158 00000 n 
+0000056558 00000 n 
+0000056684 00000 n 
+0000056810 00000 n 
+0000056935 00000 n 
+0000061442 00000 n 
+0000060648 00000 n 
+0000057109 00000 n 
+0000061127 00000 n 
+0000061253 00000 n 
+0000060798 00000 n 
+0000060963 00000 n 
+0000061379 00000 n 
+0000260732 00000 n 
+0000063942 00000 n 
+0000063571 00000 n 
+0000061566 00000 n 
+0000063879 00000 n 
+0000063713 00000 n 
+0000065166 00000 n 
+0000064981 00000 n 
+0000064066 00000 n 
+0000065103 00000 n 
+0000068674 00000 n 
+0000067676 00000 n 
+0000065264 00000 n 
+0000067982 00000 n 
+0000068108 00000 n 
+0000067818 00000 n 
+0000068234 00000 n 
+0000068360 00000 n 
+0000068486 00000 n 
+0000068612 00000 n 
+0000454629 00000 n 
+0000072155 00000 n 
+0000071278 00000 n 
+0000068811 00000 n 
+0000071590 00000 n 
+0000071716 00000 n 
+0000071842 00000 n 
+0000071968 00000 n 
+0000071420 00000 n 
+0000072092 00000 n 
+0000214600 00000 n 
+0000076037 00000 n 
+0000075474 00000 n 
+0000072292 00000 n 
+0000075596 00000 n 
+0000075722 00000 n 
+0000075848 00000 n 
+0000075974 00000 n 
+0000079508 00000 n 
+0000078947 00000 n 
+0000076161 00000 n 
+0000079069 00000 n 
+0000079195 00000 n 
+0000079321 00000 n 
+0000079445 00000 n 
+0000083510 00000 n 
+0000082313 00000 n 
+0000079632 00000 n 
+0000082944 00000 n 
+0000083070 00000 n 
+0000083196 00000 n 
+0000083321 00000 n 
+0000082471 00000 n 
+0000082628 00000 n 
+0000082785 00000 n 
+0000083447 00000 n 
+0000087111 00000 n 
+0000255311 00000 n 
+0000084718 00000 n 
+0000084407 00000 n 
+0000083634 00000 n 
+0000084529 00000 n 
+0000084655 00000 n 
+0000087426 00000 n 
+0000086863 00000 n 
+0000084829 00000 n 
+0000086985 00000 n 
+0000087237 00000 n 
+0000087363 00000 n 
+0000454747 00000 n 
+0000087858 00000 n 
+0000087673 00000 n 
+0000087524 00000 n 
+0000087795 00000 n 
+0000092050 00000 n 
+0000091302 00000 n 
+0000087899 00000 n 
+0000091610 00000 n 
+0000091736 00000 n 
+0000091861 00000 n 
+0000091924 00000 n 
+0000091987 00000 n 
+0000091444 00000 n 
+0000095714 00000 n 
+0000096029 00000 n 
+0000095466 00000 n 
+0000092148 00000 n 
+0000095588 00000 n 
+0000095840 00000 n 
+0000095966 00000 n 
+0000099416 00000 n 
+0000098854 00000 n 
+0000096166 00000 n 
+0000098976 00000 n 
+0000099102 00000 n 
+0000099228 00000 n 
+0000099354 00000 n 
+0000101911 00000 n 
+0000103402 00000 n 
+0000101789 00000 n 
+0000099527 00000 n 
+0000102836 00000 n 
+0000303933 00000 n 
+0000294836 00000 n 
+0000303761 00000 n 
+0000102962 00000 n 
+0000103025 00000 n 
+0000103088 00000 n 
+0000103214 00000 n 
+0000103340 00000 n 
+0000108510 00000 n 
+0000107610 00000 n 
+0000103554 00000 n 
+0000108069 00000 n 
+0000108132 00000 n 
+0000108195 00000 n 
+0000108321 00000 n 
+0000107760 00000 n 
+0000107911 00000 n 
+0000454865 00000 n 
+0000272181 00000 n 
+0000112714 00000 n 
+0000111537 00000 n 
+0000108634 00000 n 
+0000112022 00000 n 
+0000112148 00000 n 
+0000112274 00000 n 
+0000112400 00000 n 
+0000112525 00000 n 
+0000111687 00000 n 
+0000111838 00000 n 
+0000112651 00000 n 
+0000116056 00000 n 
+0000115619 00000 n 
+0000112851 00000 n 
+0000115741 00000 n 
+0000115867 00000 n 
+0000115993 00000 n 
+0000120344 00000 n 
+0000120159 00000 n 
+0000116180 00000 n 
+0000120281 00000 n 
+0000123192 00000 n 
+0000122697 00000 n 
+0000120455 00000 n 
+0000123005 00000 n 
+0000122839 00000 n 
+0000123130 00000 n 
+0000126461 00000 n 
+0000126024 00000 n 
+0000123303 00000 n 
+0000126146 00000 n 
+0000126209 00000 n 
+0000126272 00000 n 
+0000126398 00000 n 
+0000129228 00000 n 
+0000128621 00000 n 
+0000126572 00000 n 
+0000128914 00000 n 
+0000129040 00000 n 
+0000128763 00000 n 
+0000129166 00000 n 
+0000454983 00000 n 
+0000130770 00000 n 
+0000130585 00000 n 
+0000129339 00000 n 
+0000130707 00000 n 
+0000134158 00000 n 
+0000135983 00000 n 
+0000134036 00000 n 
+0000130868 00000 n 
+0000135794 00000 n 
+0000135920 00000 n 
+0000135626 00000 n 
+0000135683 00000 n 
+0000135772 00000 n 
+0000140198 00000 n 
+0000139712 00000 n 
+0000136148 00000 n 
+0000140010 00000 n 
+0000139854 00000 n 
+0000182546 00000 n 
+0000144067 00000 n 
+0000143709 00000 n 
+0000140322 00000 n 
+0000144004 00000 n 
+0000143851 00000 n 
+0000149083 00000 n 
+0000147966 00000 n 
+0000144191 00000 n 
+0000149020 00000 n 
+0000148140 00000 n 
+0000148296 00000 n 
+0000148480 00000 n 
+0000148653 00000 n 
+0000148836 00000 n 
+0000185742 00000 n 
+0000153755 00000 n 
+0000152796 00000 n 
+0000149274 00000 n 
+0000153440 00000 n 
+0000153566 00000 n 
+0000152954 00000 n 
+0000153692 00000 n 
+0000153122 00000 n 
+0000153285 00000 n 
+0000455101 00000 n 
+0000195124 00000 n 
+0000178859 00000 n 
+0000156747 00000 n 
+0000156310 00000 n 
+0000153879 00000 n 
+0000156432 00000 n 
+0000156558 00000 n 
+0000156684 00000 n 
+0000294292 00000 n 
+0000285989 00000 n 
+0000294119 00000 n 
+0000159965 00000 n 
+0000159654 00000 n 
+0000156912 00000 n 
+0000159776 00000 n 
+0000164033 00000 n 
+0000163723 00000 n 
+0000160117 00000 n 
+0000163845 00000 n 
+0000163971 00000 n 
+0000168037 00000 n 
+0000167406 00000 n 
+0000164185 00000 n 
+0000167722 00000 n 
+0000167548 00000 n 
+0000167848 00000 n 
+0000167974 00000 n 
+0000171315 00000 n 
+0000170699 00000 n 
+0000168148 00000 n 
+0000171000 00000 n 
+0000171126 00000 n 
+0000171252 00000 n 
+0000170841 00000 n 
+0000175272 00000 n 
+0000174609 00000 n 
+0000171480 00000 n 
+0000175083 00000 n 
+0000174761 00000 n 
+0000174916 00000 n 
+0000455219 00000 n 
+0000178923 00000 n 
+0000178474 00000 n 
+0000175383 00000 n 
+0000178600 00000 n 
+0000178665 00000 n 
+0000178730 00000 n 
+0000182609 00000 n 
+0000181980 00000 n 
+0000179115 00000 n 
+0000182288 00000 n 
+0000182417 00000 n 
+0000182127 00000 n 
+0000185806 00000 n 
+0000185228 00000 n 
+0000182788 00000 n 
+0000185354 00000 n 
+0000185419 00000 n 
+0000185484 00000 n 
+0000185613 00000 n 
+0000190117 00000 n 
+0000189494 00000 n 
+0000185918 00000 n 
+0000189795 00000 n 
+0000189924 00000 n 
+0000190052 00000 n 
+0000189641 00000 n 
+0000193593 00000 n 
+0000193144 00000 n 
+0000190229 00000 n 
+0000193270 00000 n 
+0000193399 00000 n 
+0000193528 00000 n 
+0000195188 00000 n 
+0000194869 00000 n 
+0000193705 00000 n 
+0000194995 00000 n 
+0000455343 00000 n 
+0000196469 00000 n 
+0000196278 00000 n 
+0000195300 00000 n 
+0000196404 00000 n 
+0000200709 00000 n 
+0000200130 00000 n 
+0000196568 00000 n 
+0000200256 00000 n 
+0000200385 00000 n 
+0000200514 00000 n 
+0000200579 00000 n 
+0000200644 00000 n 
+0000205519 00000 n 
+0000204186 00000 n 
+0000200821 00000 n 
+0000205196 00000 n 
+0000205325 00000 n 
+0000205454 00000 n 
+0000204369 00000 n 
+0000204530 00000 n 
+0000204692 00000 n 
+0000204854 00000 n 
+0000205025 00000 n 
+0000244309 00000 n 
+0000210216 00000 n 
+0000208985 00000 n 
+0000205644 00000 n 
+0000210151 00000 n 
+0000209177 00000 n 
+0000209340 00000 n 
+0000209502 00000 n 
+0000209664 00000 n 
+0000209826 00000 n 
+0000209988 00000 n 
+0000214794 00000 n 
+0000213325 00000 n 
+0000210341 00000 n 
+0000214471 00000 n 
+0000213517 00000 n 
+0000213670 00000 n 
+0000213832 00000 n 
+0000213993 00000 n 
+0000214155 00000 n 
+0000214317 00000 n 
+0000214664 00000 n 
+0000214729 00000 n 
+0000219256 00000 n 
+0000218058 00000 n 
+0000214906 00000 n 
+0000218545 00000 n 
+0000218674 00000 n 
+0000218931 00000 n 
+0000218214 00000 n 
+0000218384 00000 n 
+0000218996 00000 n 
+0000219061 00000 n 
+0000219126 00000 n 
+0000219191 00000 n 
+0000455468 00000 n 
+0000223359 00000 n 
+0000222714 00000 n 
+0000219368 00000 n 
+0000223036 00000 n 
+0000223101 00000 n 
+0000223166 00000 n 
+0000222861 00000 n 
+0000223231 00000 n 
+0000223296 00000 n 
+0000254795 00000 n 
+0000227149 00000 n 
+0000226440 00000 n 
+0000223458 00000 n 
+0000226566 00000 n 
+0000226695 00000 n 
+0000226760 00000 n 
+0000226825 00000 n 
+0000226890 00000 n 
+0000226955 00000 n 
+0000227084 00000 n 
+0000231072 00000 n 
+0000230233 00000 n 
+0000227261 00000 n 
+0000230359 00000 n 
+0000230424 00000 n 
+0000230489 00000 n 
+0000230618 00000 n 
+0000230683 00000 n 
+0000230748 00000 n 
+0000230877 00000 n 
+0000230942 00000 n 
+0000231007 00000 n 
+0000234309 00000 n 
+0000233604 00000 n 
+0000231197 00000 n 
+0000233730 00000 n 
+0000233859 00000 n 
+0000233988 00000 n 
+0000285634 00000 n 
+0000283636 00000 n 
+0000285469 00000 n 
+0000234116 00000 n 
+0000234244 00000 n 
+0000237602 00000 n 
+0000237152 00000 n 
+0000234502 00000 n 
+0000237278 00000 n 
+0000237407 00000 n 
+0000237472 00000 n 
+0000237537 00000 n 
+0000240263 00000 n 
+0000239355 00000 n 
+0000237740 00000 n 
+0000239941 00000 n 
+0000240070 00000 n 
+0000240199 00000 n 
+0000239511 00000 n 
+0000239726 00000 n 
+0000455593 00000 n 
+0000244374 00000 n 
+0000243668 00000 n 
+0000240389 00000 n 
+0000243794 00000 n 
+0000283315 00000 n 
+0000274102 00000 n 
+0000283129 00000 n 
+0000243923 00000 n 
+0000244052 00000 n 
+0000244181 00000 n 
+0000247821 00000 n 
+0000246595 00000 n 
+0000244539 00000 n 
+0000247112 00000 n 
+0000247241 00000 n 
+0000247370 00000 n 
+0000247499 00000 n 
+0000247628 00000 n 
+0000247757 00000 n 
+0000246751 00000 n 
+0000246923 00000 n 
+0000248275 00000 n 
+0000248084 00000 n 
+0000247934 00000 n 
+0000248210 00000 n 
+0000251565 00000 n 
+0000250987 00000 n 
+0000248317 00000 n 
+0000251113 00000 n 
+0000251242 00000 n 
+0000251371 00000 n 
+0000251500 00000 n 
+0000255763 00000 n 
+0000254411 00000 n 
+0000251651 00000 n 
+0000254537 00000 n 
+0000254666 00000 n 
+0000254924 00000 n 
+0000255053 00000 n 
+0000255182 00000 n 
+0000255375 00000 n 
+0000255440 00000 n 
+0000255505 00000 n 
+0000255570 00000 n 
+0000255635 00000 n 
+0000255699 00000 n 
+0000261314 00000 n 
+0000258815 00000 n 
+0000255889 00000 n 
+0000259696 00000 n 
+0000259825 00000 n 
+0000258989 00000 n 
+0000259168 00000 n 
+0000259345 00000 n 
+0000259520 00000 n 
+0000260018 00000 n 
+0000260083 00000 n 
+0000260148 00000 n 
+0000260213 00000 n 
+0000260278 00000 n 
+0000260343 00000 n 
+0000260408 00000 n 
+0000260472 00000 n 
+0000260537 00000 n 
+0000260602 00000 n 
+0000260667 00000 n 
+0000260796 00000 n 
+0000260861 00000 n 
+0000260926 00000 n 
+0000260991 00000 n 
+0000261056 00000 n 
+0000261121 00000 n 
+0000261186 00000 n 
+0000261250 00000 n 
+0000455718 00000 n 
+0000267987 00000 n 
+0000264295 00000 n 
+0000261466 00000 n 
+0000264421 00000 n 
+0000264486 00000 n 
+0000264551 00000 n 
+0000264616 00000 n 
+0000264681 00000 n 
+0000264746 00000 n 
+0000264811 00000 n 
+0000264876 00000 n 
+0000264941 00000 n 
+0000265006 00000 n 
+0000265071 00000 n 
+0000265136 00000 n 
+0000265201 00000 n 
+0000265266 00000 n 
+0000265331 00000 n 
+0000265396 00000 n 
+0000265461 00000 n 
+0000265526 00000 n 
+0000265590 00000 n 
+0000265655 00000 n 
+0000265720 00000 n 
+0000265785 00000 n 
+0000265850 00000 n 
+0000265915 00000 n 
+0000265980 00000 n 
+0000266045 00000 n 
+0000266110 00000 n 
+0000266175 00000 n 
+0000266240 00000 n 
+0000266305 00000 n 
+0000266370 00000 n 
+0000266433 00000 n 
+0000266498 00000 n 
+0000266562 00000 n 
+0000266627 00000 n 
+0000266692 00000 n 
+0000266757 00000 n 
+0000266822 00000 n 
+0000266887 00000 n 
+0000266952 00000 n 
+0000267017 00000 n 
+0000267081 00000 n 
+0000267146 00000 n 
+0000267211 00000 n 
+0000267276 00000 n 
+0000267341 00000 n 
+0000267406 00000 n 
+0000267471 00000 n 
+0000267536 00000 n 
+0000267601 00000 n 
+0000267666 00000 n 
+0000267731 00000 n 
+0000267795 00000 n 
+0000267859 00000 n 
+0000267923 00000 n 
+0000272056 00000 n 
+0000270052 00000 n 
+0000268099 00000 n 
+0000270178 00000 n 
+0000270243 00000 n 
+0000270308 00000 n 
+0000270373 00000 n 
+0000270438 00000 n 
+0000270503 00000 n 
+0000270568 00000 n 
+0000270633 00000 n 
+0000270698 00000 n 
+0000270763 00000 n 
+0000270828 00000 n 
+0000270893 00000 n 
+0000270958 00000 n 
+0000271022 00000 n 
+0000271087 00000 n 
+0000271152 00000 n 
+0000271217 00000 n 
+0000271282 00000 n 
+0000271347 00000 n 
+0000271412 00000 n 
+0000271477 00000 n 
+0000271606 00000 n 
+0000271735 00000 n 
+0000271800 00000 n 
+0000271864 00000 n 
+0000271928 00000 n 
+0000271992 00000 n 
+0000272213 00000 n 
+0000283557 00000 n 
+0000285881 00000 n 
+0000285850 00000 n 
+0000294577 00000 n 
+0000304341 00000 n 
+0000312582 00000 n 
+0000321900 00000 n 
+0000339382 00000 n 
+0000356721 00000 n 
+0000376926 00000 n 
+0000398063 00000 n 
+0000401145 00000 n 
+0000400915 00000 n 
+0000427948 00000 n 
+0000453791 00000 n 
+0000455816 00000 n 
+0000455936 00000 n 
+0000456060 00000 n 
+0000456140 00000 n 
+0000456222 00000 n 
+0000470300 00000 n 
+0000482325 00000 n 
+0000482366 00000 n 
+0000482406 00000 n 
+0000482540 00000 n 
 trailer
 <<
-/Size 1348
-/Root 1346 0 R
-/Info 1347 0 R
-/ID [ ]
+/Size 1346
+/Root 1344 0 R
+/Info 1345 0 R
+/ID [<6E6C549B402781459D6430ACB029FB20> <6E6C549B402781459D6430ACB029FB20>]
 >>
 startxref
-482114
+482804
 %%EOF

From 3e6d9bde9029bdae6d450ea6791ff7f2253da480 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 25 May 2006 23:30:04 +0000
Subject: [PATCH 236/465] newcopyrights

---
 util/copyrights | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 04535ba574..a65b01aaf8 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -774,7 +774,7 @@
 ./bin/win32/BINDInstall/resource.h		X	2001
 ./config.guess					X	1999,2000,2001
 ./config.h.in					X	1999,2000,2001,2005,2006
-./config.h.win32				C	1999,2000,2001,2004
+./config.h.win32				C	1999,2000,2001,2004,2006
 ./config.sub					X	1999,2000,2001
 ./config.threads.in				X	2005
 ./configure					X	1998,1999,2000,2001,2005,2006
@@ -1077,7 +1077,7 @@
 ./doc/arm/Bv9ARM.ch08.html			X	2000,2001,2005,2006
 ./doc/arm/Bv9ARM.ch09.html			X	2000,2001,2005,2006
 ./doc/arm/Bv9ARM.html				X	2000,2001,2005,2006
-./doc/arm/Bv9ARM.pdf				X	2005
+./doc/arm/Bv9ARM.pdf				X	2005,2006
 ./doc/arm/Makefile.in				MAKE	2001,2002,2004,2005
 ./doc/arm/README-SGML				TXT.BRIEF	2000,2001,2004
 ./doc/arm/latex-fixup.pl			PERL	2005
@@ -2272,7 +2272,7 @@
 ./util/spacewhack.pl				PERL	2000,2001,2004
 ./util/update-drafts.pl				PERL	2000,2001,2004
 ./util/update_copyrights			PERL	1998,1999,2000,2001,2004,2005
-./version					X	1999,2000,2001,2005
+./version					X	1999,2000,2001,2005,2006
 ./win32utils/BINDBuild.dsw			X	2001,2005
 ./win32utils/BuildAll.bat			BAT	2001,2003,2004
 ./win32utils/BuildSetup.bat			BAT	2001,2002,2003,2004,2005

From e46e52957fad53c516f84d23fb5d045ba23c8dfa Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 26 May 2006 00:58:22 +0000
Subject: [PATCH 237/465] update copyright notice

---
 config.h.win32 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config.h.win32 b/config.h.win32
index 4e7cb25cf8..3475edb8cb 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.win32,v 1.6.2.5 2006/05/25 08:10:12 marka Exp $ */
+/* $Id: config.h.win32,v 1.6.2.6 2006/05/26 00:58:22 marka Exp $ */
 
 /*
  * win32 configuration file

From 9a1e8f1baf3e5c53d6b6bfa97d7f60cb3358e404 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 26 May 2006 02:44:02 +0000
Subject: [PATCH 238/465] 2032.   [bug]           Remove a INSIST in
 query_addadditional2(). [RT #16074]

---
 CHANGES           |  2 ++
 bin/named/query.c | 11 +----------
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/CHANGES b/CHANGES
index fae5647d8a..3a1d81cc26 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]
+
 2031.	[bug]		Emit a error message when "rndc refresh" is called on
 			a non slave/stub zone. [RT # 16073]
 
diff --git a/bin/named/query.c b/bin/named/query.c
index f8d83225b0..b274d4377a 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.286 2006/05/18 03:12:36 marka Exp $ */
+/* $Id: query.c,v 1.287 2006/05/26 02:44:02 marka Exp $ */
 
 /*! \file */
 
@@ -1761,8 +1761,6 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	/* Find AAAA RRset with sig RRset */
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
 				     0, client->now, rdataset, sigrdataset);
-	/* The NXDOMAIN case should be covered above */
-	INSIST(result != DNS_R_NCACHENXDOMAIN);
 	/*
 	 * If we can't promote glue/pending from the cache to secure
 	 * then drop it.
@@ -1777,13 +1775,6 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 			dns_rdataset_disassociate(sigrdataset);
 		result = ISC_R_NOTFOUND;
 	}
-	if (result == DNS_R_NCACHENXRRSET) {
-		dns_rdataset_disassociate(rdataset);
-		/*
-		 * Negative cache entries don't have sigrdatasets.
-		 */
-		INSIST(! dns_rdataset_isassociated(sigrdataset));
-	}
 	if (result == ISC_R_SUCCESS) {
 		ISC_LIST_APPEND(cfname.list, rdataset, link);
 		rdataset = NULL;

From 6135a0d50f64224835f84875a0a7d5cc0dfcda26 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 26 May 2006 03:53:38 +0000
Subject: [PATCH 239/465] 9.2.7b1

---
 .../patch/bind9/bind-9.2.7-patch              | 1269 +++++++++++++++++
 1 file changed, 1269 insertions(+)
 create mode 100644 contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch

diff --git a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch
new file mode 100644
index 0000000000..98c060729e
--- /dev/null
+++ b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch
@@ -0,0 +1,1269 @@
+IDN patch for bind-9.2.7
+========================
+
+
+This is a patch file for ISC BIND 9.2.7 to make it work with
+internationalized domain names.  With this patch you'll get IDN-aware
+dig/host/nslookup.
+
+To apply this patch, you should go to the top directory of the BIND
+distribution (where you see `README' file), then invoke `patch'
+command like this:
+
+	% patch -p0 < this-file
+
+Then follow the instructions described in `README.idnkit' to compile
+and install.
+
+
+Index: README.idnkit
+--- /dev/null	Fri May 26 13:45:50 2006
++++ README.idnkit	Fri May 26 12:50:53 2006
+@@ -0,0 +1,113 @@
++
++			BIND-9 IDN patch
++
++	       Japan Network Information Center (JPNIC)
++
++
++* What is this patch for?
++
++This patch adds internationalized domain name (IDN) support to BIND-9.
++You'll get internationalized version of dig/host/nslookup commands.
++
++    + internationalized dig/host/nslookup
++	dig/host/nslookup accepts non-ASCII domain names in the local
++	codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
++	the locale information.  The domain names are normalized and
++	converted to the encoding on the DNS protocol, and sent to DNS
++	servers.  The replies are converted back to the local codeset
++	and displayed.
++
++
++* Compilation & installation
++
++0. Prerequisite
++
++You have to build and install idnkit before building this patched version
++of bind-9.
++
++1. Running configure script
++
++Run `configure' in the top directory.  See `README' for the
++configuration options.
++
++This patch adds the following 4 options to `configure'.  You should
++at least specify `--with-idn' option to enable IDN support.
++
++    --with-idn[=IDN_PREFIX]
++	To enable IDN support, you have to specify `--with-idn' option.
++	The argument IDN_PREFIX is the install prefix of idnkit.  If
++	IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
++	is assumed.
++
++    --with-libiconv[=LIBICONV_PREFIX]
++	Specify this option if idnkit you have installed links GNU
++	libiconv.  The argument LIBICONV_PREFIX is install prefix of
++	GNU libiconv.  If the argument is omitted, PREFIX (derived
++	from `--prefix=PREFIX') is assumed.
++
++	`--with-libiconv' is shorthand option for GNU libiconv.
++
++	    --with-libiconv=/usr/local
++
++	This is equivalent to:
++
++	    --with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
++
++	`--with-libiconv' assumes that your C compiler has `-R'
++	option, and that the option adds the specified run-time path
++	to an exacutable binary.  If `-R' option of your compiler has
++	different meaning, or your compiler lacks the option, you
++	should use `--with-iconv' option instead.  Binary command
++	without run-time path information might be unexecutable.
++	In that case, you would see an error message like:
++
++	    error in loading shared libraries: libiconv.so.2: cannot
++	    open shared object file
++
++	If both `--with-libiconv' and `--with-iconv' options are
++	specified, `--with-iconv' is prior to `--with-libiconv'.
++
++    --with-iconv=ICONV_LIBSPEC
++	If your libc doens't provide iconv(), you need to specify the
++	library containing iconv() with this option.  `ICONV_LIBSPEC'
++	is the argument(s) to `cc' or `ld' to link the library, for
++	example, `--with-iconv="-L/usr/local/lib -liconv"'.
++	You don't need to specify the header file directory for "iconv.h"
++	to the compiler, as it isn't included directly by bind-9 with
++	this patch.
++
++    --with-idnlib=IDN_LIBSPEC
++	With this option, you can explicitly specify the argument(s)
++	to `cc' or `ld' to link the idnkit's library, `libidnkit'.  If
++	this option is not specified, `-L${PREFIX}/lib -lidnkit' is
++	assumed, where ${PREFIX} is the installation prefix specified
++	with `--with-idn' option above.  You may need to use this
++	option to specify extra argments, for example,
++	`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
++
++Please consult `README' for other configuration options.
++
++Note that if you want to specify some extra header file directories,
++you should use the environment variable STD_CINCLUDES instead of
++CFLAGS, as described in README.
++
++2. Compilation and installation
++
++After running "configure", just do
++
++	make
++	make install
++
++for compiling and installing.
++
++
++* Contact information
++
++Please see http//www.nic.ad.jp/en/idn/ for the latest news
++about idnkit and this patch.
++
++Bug reports and comments on this kit should be sent to
++mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
++
++
++; $Id: bind-9.2.2-patch,v 1.1.1.1 2003/06/04 00:27:32 marka Exp $
+Index: configure
+===================================================================
+RCS file: /proj/cvs/prod/bind9/configure,v
+retrieving revision 1.284.2.56
+diff -U2 -r1.284.2.56 configure
+--- configure	3 Mar 2006 03:32:29 -0000	1.284.2.56
++++ configure	26 May 2006 03:50:50 -0000
+@@ -466,5 +466,5 @@
+ #endif"
+ 
+-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID BUILD_CC BUILD_CFLAGS BUILD_CPPFLAGS BUILD_LDFLAGS BUILD_LIBS ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT LATEX PDFLATEX XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
++ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID BUILD_CC BUILD_CFLAGS BUILD_CPPFLAGS BUILD_LDFLAGS BUILD_LIBS ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT LATEX PDFLATEX XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS IDNLIBS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
+ ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBLWRES_API'
+ 
+@@ -1048,4 +1048,8 @@
+                           include additional configurations [automatic]
+   --with-kame=PATH	use Kame IPv6 default path /usr/local/v6
++  --with-idn=MPREFIX   enable IDN support using idnkit default PREFIX
++  --with-libiconv=IPREFIX   GNU libiconv are in IPREFIX default PREFIX
++  --with-iconv=LIBSPEC   specify iconv library default -liconv
++  --with-idnlib=ARG    specify libidnkit
+ 
+ Some influential environment variables:
+@@ -8268,5 +8272,5 @@
+ *-*-irix6*)
+   # Find out which ABI we are using.
+-  echo '#line 8270 "configure"' > conftest.$ac_ext
++  echo '#line 8274 "configure"' > conftest.$ac_ext
+   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+   (eval $ac_compile) 2>&5
+@@ -9265,5 +9269,5 @@
+ 
+ # Provide some information about the compiler.
+-echo "$as_me:9267:" \
++echo "$as_me:9271:" \
+      "checking for Fortran 77 compiler version" >&5
+ ac_compiler=`set X $ac_compile; echo $2`
+@@ -10326,9 +10330,9 @@
+    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+    -e 's:$: $lt_compiler_flag:'`
+-   (eval echo "\"\$as_me:10328: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:10332: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>conftest.err)
+    ac_status=$?
+    cat conftest.err >&5
+-   echo "$as_me:10332: \$? = $ac_status" >&5
++   echo "$as_me:10336: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s "$ac_outfile"; then
+      # The compiler can only warn and ignore the option if not recognized
+@@ -10569,9 +10573,9 @@
+    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+    -e 's:$: $lt_compiler_flag:'`
+-   (eval echo "\"\$as_me:10571: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:10575: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>conftest.err)
+    ac_status=$?
+    cat conftest.err >&5
+-   echo "$as_me:10575: \$? = $ac_status" >&5
++   echo "$as_me:10579: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s "$ac_outfile"; then
+      # The compiler can only warn and ignore the option if not recognized
+@@ -10629,9 +10633,9 @@
+    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+    -e 's:$: $lt_compiler_flag:'`
+-   (eval echo "\"\$as_me:10631: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:10635: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>out/conftest.err)
+    ac_status=$?
+    cat out/conftest.err >&5
+-   echo "$as_me:10635: \$? = $ac_status" >&5
++   echo "$as_me:10639: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s out/conftest2.$ac_objext
+    then
+@@ -12814,5 +12818,5 @@
+   lt_status=$lt_dlunknown
+   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
++   (eval echo "\"\$as_me:15115: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>conftest.err)
+    ac_status=$?
+    cat conftest.err >&5
+-   echo "$as_me:15115: \$? = $ac_status" >&5
++   echo "$as_me:15119: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s "$ac_outfile"; then
+      # The compiler can only warn and ignore the option if not recognized
+@@ -15169,9 +15173,9 @@
+    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+    -e 's:$: $lt_compiler_flag:'`
+-   (eval echo "\"\$as_me:15171: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:15175: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>out/conftest.err)
+    ac_status=$?
+    cat out/conftest.err >&5
+-   echo "$as_me:15175: \$? = $ac_status" >&5
++   echo "$as_me:15179: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s out/conftest2.$ac_objext
+    then
+@@ -16530,5 +16534,5 @@
+   lt_status=$lt_dlunknown
+   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
++   (eval echo "\"\$as_me:17471: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>conftest.err)
+    ac_status=$?
+    cat conftest.err >&5
+-   echo "$as_me:17471: \$? = $ac_status" >&5
++   echo "$as_me:17475: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s "$ac_outfile"; then
+      # The compiler can only warn and ignore the option if not recognized
+@@ -17525,9 +17529,9 @@
+    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+    -e 's:$: $lt_compiler_flag:'`
+-   (eval echo "\"\$as_me:17527: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:17531: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>out/conftest.err)
+    ac_status=$?
+    cat out/conftest.err >&5
+-   echo "$as_me:17531: \$? = $ac_status" >&5
++   echo "$as_me:17535: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s out/conftest2.$ac_objext
+    then
+@@ -19564,9 +19568,9 @@
+    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+    -e 's:$: $lt_compiler_flag:'`
+-   (eval echo "\"\$as_me:19566: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:19570: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>conftest.err)
+    ac_status=$?
+    cat conftest.err >&5
+-   echo "$as_me:19570: \$? = $ac_status" >&5
++   echo "$as_me:19574: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s "$ac_outfile"; then
+      # The compiler can only warn and ignore the option if not recognized
+@@ -19807,9 +19811,9 @@
+    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+    -e 's:$: $lt_compiler_flag:'`
+-   (eval echo "\"\$as_me:19809: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:19813: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>conftest.err)
+    ac_status=$?
+    cat conftest.err >&5
+-   echo "$as_me:19813: \$? = $ac_status" >&5
++   echo "$as_me:19817: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s "$ac_outfile"; then
+      # The compiler can only warn and ignore the option if not recognized
+@@ -19867,9 +19871,9 @@
+    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+    -e 's:$: $lt_compiler_flag:'`
+-   (eval echo "\"\$as_me:19869: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:19873: $lt_compile\"" >&5)
+    (eval "$lt_compile" 2>out/conftest.err)
+    ac_status=$?
+    cat out/conftest.err >&5
+-   echo "$as_me:19873: \$? = $ac_status" >&5
++   echo "$as_me:19877: \$? = $ac_status" >&5
+    if (exit $ac_status) && test -s out/conftest2.$ac_objext
+    then
+@@ -22052,5 +22056,5 @@
+   lt_status=$lt_dlunknown
+   cat > conftest.$ac_ext < conftest.$ac_ext <&5
++echo "$as_me: error: You must specify ARG for --with-idnlib." >&2;}
++   { (exit 1); exit 1; }; }
++fi
++
++IDNLIBS=
++if test "$use_idn" != no; then
++
++cat >>confdefs.h <<\_ACEOF
++#define WITH_IDN 1
++_ACEOF
++
++	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
++	if test "$idnlib" != no; then
++		IDNLIBS="$idnlib $iconvlib"
++	else
++		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
++	fi
++fi
++
++
++
++for ac_header in locale.h
++do
++as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
++if eval "test \"\${$as_ac_Header+set}\" = set"; then
++  echo "$as_me:$LINENO: checking for $ac_header" >&5
++echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
++if eval "test \"\${$as_ac_Header+set}\" = set"; then
++  echo $ECHO_N "(cached) $ECHO_C" >&6
++fi
++echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
++echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
++else
++  # Is the header compilable?
++echo "$as_me:$LINENO: checking $ac_header usability" >&5
++echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++$ac_includes_default
++#include <$ac_header>
++_ACEOF
++rm -f conftest.$ac_objext
++if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
++  (eval $ac_compile) 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } &&
++	 { ac_try='test -z "$ac_c_werror_flag"
++			 || test ! -s conftest.err'
++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); }; } &&
++	 { ac_try='test -s conftest.$ac_objext'
++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); }; }; then
++  ac_header_compiler=yes
++else
++  echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ac_header_compiler=no
++fi
++rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
++echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
++echo "${ECHO_T}$ac_header_compiler" >&6
++
++# Is the header present?
++echo "$as_me:$LINENO: checking $ac_header presence" >&5
++echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++#include <$ac_header>
++_ACEOF
++if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
++  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } >/dev/null; then
++  if test -s conftest.err; then
++    ac_cpp_err=$ac_c_preproc_warn_flag
++    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
++  else
++    ac_cpp_err=
++  fi
++else
++  ac_cpp_err=yes
++fi
++if test -z "$ac_cpp_err"; then
++  ac_header_preproc=yes
++else
++  echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++  ac_header_preproc=no
++fi
++rm -f conftest.err conftest.$ac_ext
++echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
++echo "${ECHO_T}$ac_header_preproc" >&6
++
++# So?  What about this header?
++case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
++  yes:no: )
++    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
++echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
++echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
++    ac_header_preproc=yes
++    ;;
++  no:yes:* )
++    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
++echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
++echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
++echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
++echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
++echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
++echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
++    (
++      cat <<\_ASBOX
++## ------------------------------------------ ##
++## Report this to the AC_PACKAGE_NAME lists.  ##
++## ------------------------------------------ ##
++_ASBOX
++    ) |
++      sed "s/^/$as_me: WARNING:     /" >&2
++    ;;
++esac
++echo "$as_me:$LINENO: checking for $ac_header" >&5
++echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
++if eval "test \"\${$as_ac_Header+set}\" = set"; then
++  echo $ECHO_N "(cached) $ECHO_C" >&6
++else
++  eval "$as_ac_Header=\$ac_header_preproc"
++fi
++echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
++echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
++
++fi
++if test `eval echo '${'$as_ac_Header'}'` = yes; then
++  cat >>confdefs.h <<_ACEOF
++#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
++_ACEOF
++
++fi
++
++done
++
++
++for ac_func in setlocale
++do
++as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
++echo "$as_me:$LINENO: checking for $ac_func" >&5
++echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
++if eval "test \"\${$as_ac_var+set}\" = set"; then
++  echo $ECHO_N "(cached) $ECHO_C" >&6
++else
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++/* Define $ac_func to an innocuous variant, in case  declares $ac_func.
++   For example, HP-UX 11i  declares gettimeofday.  */
++#define $ac_func innocuous_$ac_func
++
++/* System header to define __stub macros and hopefully few prototypes,
++    which can conflict with char $ac_func (); below.
++    Prefer  to  if __STDC__ is defined, since
++     exists even on freestanding compilers.  */
++
++#ifdef __STDC__
++# include 
++#else
++# include 
++#endif
++
++#undef $ac_func
++
++/* Override any gcc2 internal prototype to avoid an error.  */
++#ifdef __cplusplus
++extern "C"
++{
++#endif
++/* We use char because int might match the return type of a gcc2
++   builtin and then its argument prototype would still apply.  */
++char $ac_func ();
++/* The GNU C library defines this for functions which it implements
++    to always fail with ENOSYS.  Some functions are actually named
++    something starting with __ and the normal name is an alias.  */
++#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
++choke me
++#else
++char (*f) () = $ac_func;
++#endif
++#ifdef __cplusplus
++}
++#endif
++
++int
++main ()
++{
++return f != $ac_func;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
++  (eval $ac_link) 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } &&
++	 { ac_try='test -z "$ac_c_werror_flag"
++			 || test ! -s conftest.err'
++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); }; } &&
++	 { ac_try='test -s conftest$ac_exeext'
++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); }; }; then
++  eval "$as_ac_var=yes"
++else
++  echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++eval "$as_ac_var=no"
++fi
++rm -f conftest.err conftest.$ac_objext \
++      conftest$ac_exeext conftest.$ac_ext
++fi
++echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
++echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
++if test `eval echo '${'$as_ac_var'}'` = yes; then
++  cat >>confdefs.h <<_ACEOF
++#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
++_ACEOF
++
++fi
++done
++
++
++#
+ # Substitutions
+ #
+@@ -27521,4 +27875,5 @@
+ s,@XSLT_DB2LATEX_STYLE@,$XSLT_DB2LATEX_STYLE,;t t
+ s,@XSLT_DB2LATEX_ADMONITIONS@,$XSLT_DB2LATEX_ADMONITIONS,;t t
++s,@IDNLIBS@,$IDNLIBS,;t t
+ s,@BIND9_TOP_BUILDDIR@,$BIND9_TOP_BUILDDIR,;t t
+ s,@BIND9_ISC_BUILDINCLUDE@,$BIND9_ISC_BUILDINCLUDE,;t t
+Index: configure.in
+===================================================================
+RCS file: /proj/cvs/prod/bind9/configure.in,v
+retrieving revision 1.294.2.61
+diff -U2 -r1.294.2.61 configure.in
+--- configure.in	3 Mar 2006 03:29:45 -0000	1.294.2.61
++++ configure.in	26 May 2006 03:50:53 -0000
+@@ -1792,4 +1792,80 @@
+ 
+ #
++# IDN support
++#
++AC_ARG_WITH(idn,
++	[  --with-idn[=MPREFIX]   enable IDN support using idnkit [default PREFIX]],
++	use_idn="$withval", use_idn="no")
++case "$use_idn" in
++yes)
++	if test X$prefix = XNONE ; then
++		idn_path=/usr/local
++	else
++		idn_path=$prefix
++	fi
++	;;
++no)
++	;;
++*)
++	idn_path="$use_idn"
++	;;
++esac
++
++iconvinc=
++iconvlib=
++AC_ARG_WITH(libiconv,
++	[  --with-libiconv[=IPREFIX]   GNU libiconv are in IPREFIX [default PREFIX]],
++	use_libiconv="$withval", use_libiconv="no")
++case "$use_libiconv" in
++yes)
++	if test X$prefix = XNONE ; then
++		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
++	else
++		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
++	fi
++	;;
++no)
++	iconvlib=
++	;;
++*)
++	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
++	;;
++esac
++
++AC_ARG_WITH(iconv,
++	[  --with-iconv[=LIBSPEC]   specify iconv library [default -liconv]],
++	iconvlib="$withval")
++case "$iconvlib" in
++no)
++	iconvlib=
++	;;
++yes)
++	iconvlib=-liconv
++	;;
++esac
++
++AC_ARG_WITH(idnlib,
++	[  --with-idnlib=ARG    specify libidnkit],
++	idnlib="$withval", idnlib="no")
++if test "$idnlib" = yes; then
++	AC_MSG_ERROR([You must specify ARG for --with-idnlib.])
++fi
++
++IDNLIBS=
++if test "$use_idn" != no; then
++	AC_DEFINE(WITH_IDN, 1, [define if idnkit support is to be included.])
++	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
++	if test "$idnlib" != no; then
++		IDNLIBS="$idnlib $iconvlib"
++	else
++		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
++	fi
++fi
++AC_SUBST(IDNLIBS)
++
++AC_CHECK_HEADERS(locale.h)
++AC_CHECK_FUNCS(setlocale)
++
++#
+ # Substitutions
+ #
+Index: config.h.in
+===================================================================
+RCS file: /proj/cvs/prod/bind9/config.h.in,v
+retrieving revision 1.47.2.21
+diff -U2 -r1.47.2.21 config.h.in
+--- config.h.in	1 Mar 2006 02:49:40 -0000	1.47.2.21
++++ config.h.in	26 May 2006 03:50:53 -0000
+@@ -17,5 +17,5 @@
+  */
+ 
+-/* $Id: config.h.in,v 1.47.2.21 2006/03/01 02:49:40 marka Exp $ */
++/* $Id: acconfig.h,v 1.35.2.10 2004/12/04 06:44:36 marka Exp $ */
+ 
+ /***
+@@ -181,4 +181,7 @@
+ #undef HAVE_LINUX_CAPABILITY_H
+ 
++/* Define to 1 if you have the  header file. */
++#undef HAVE_LOCALE_H
++
+ /* Define to 1 if you have the  header file. */
+ #undef HAVE_MEMORY_H
+@@ -187,4 +190,7 @@
+ #undef HAVE_RSA_GENERATE_KEY
+ 
++/* Define to 1 if you have the `setlocale' function. */
++#undef HAVE_SETLOCALE
++
+ /* Define to 1 if you have the  header file. */
+ #undef HAVE_STDINT_H
+@@ -255,4 +261,7 @@
+ #undef USE_FIONBIO_IOCTL
+ 
++/* define if idnkit support is to be included. */
++#undef WITH_IDN
++
+ /* Define to 1 if your processor stores words with the most significant byte
+    first (like Motorola and SPARC, unlike Intel and VAX). */
+Index: bin/dig/Makefile.in
+===================================================================
+RCS file: /proj/cvs/prod/bind9/bin/dig/Makefile.in,v
+retrieving revision 1.25.2.4
+diff -U2 -r1.25.2.4 Makefile.in
+--- bin/dig/Makefile.in	18 Aug 2004 23:22:52 -0000	1.25.2.4
++++ bin/dig/Makefile.in	26 May 2006 03:50:53 -0000
+@@ -37,5 +37,5 @@
+ DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+ 
+-LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
++LIBS =		${DNSLIBS} ${ISCLIBS} @IDNLIBS@ @LIBS@
+ 
+ SUBDIRS =
+Index: bin/dig/dig.1
+===================================================================
+RCS file: /proj/cvs/prod/bind9/bin/dig/dig.1,v
+retrieving revision 1.14.2.9
+diff -U2 -r1.14.2.9 dig.1
+--- bin/dig/dig.1	13 Oct 2005 02:23:26 -0000	1.14.2.9
++++ bin/dig/dig.1	26 May 2006 03:50:54 -0000
+@@ -14,5 +14,5 @@
+ .\" PERFORMANCE OF THIS SOFTWARE.
+ .\"
+-.\" $Id: dig.1,v 1.14.2.9 2005/10/13 02:23:26 marka Exp $
++.\" $Id$
+ .\"
+ .hy 0
+@@ -364,4 +364,15 @@
+ will not print the initial query when it looks up the NS records for
+ isc.org.
++.SH "IDN SUPPORT"
++.PP
++If
++\fBdig\fR
++has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
++\fBdig\fR
++appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
++\fBIDN_DISABLE\fR
++environment variable. The IDN support is disabled if the the variable is set when
++\fBdig\fR
++runs.
+ .SH "FILES"
+ .PP
+Index: bin/dig/dig.docbook
+===================================================================
+RCS file: /proj/cvs/prod/bind9/bin/dig/dig.docbook,v
+retrieving revision 1.4.2.11
+diff -U2 -r1.4.2.11 dig.docbook
+--- bin/dig/dig.docbook	12 May 2005 21:35:06 -0000	1.4.2.11
++++ bin/dig/dig.docbook	26 May 2006 03:50:55 -0000
+@@ -547,4 +547,19 @@
+ 
+ 
++IDN SUPPORT
++
++If dig has been built with IDN (internationalized
++domain name) support, it can accept and display non-ASCII domain names.
++dig appropriately converts character encoding of
++domain name before sending a request to DNS server or displaying a
++reply from the server.
++If you'd like to turn off the IDN support for some reason, defines
++the IDN_DISABLE environment variable.
++The IDN support is disabled if the the variable is set when
++dig runs.
++
++
++
++
+ FILES
+ 
+Index: bin/dig/dighost.c
+===================================================================
+RCS file: /proj/cvs/prod/bind9/bin/dig/dighost.c,v
+retrieving revision 1.221.2.29
+diff -U2 -r1.221.2.29 dighost.c
+--- bin/dig/dighost.c	14 Oct 2005 01:37:48 -0000	1.221.2.29
++++ bin/dig/dighost.c	26 May 2006 03:50:59 -0000
+@@ -33,4 +33,15 @@
+ #include 
+ 
++#ifdef HAVE_LOCALE_H
++#include 
++#endif
++
++#ifdef WITH_IDN
++#include 
++#include 
++#include 
++#include 
++#endif
++
+ #include 
+ #include 
+@@ -134,4 +145,16 @@
+ dig_lookup_t *current_lookup = NULL;
+ 
++#ifdef WITH_IDN
++static void	      initialize_idn(void);
++static isc_result_t   output_filter(isc_buffer_t *buffer,
++				    unsigned int used_org,
++				    isc_boolean_t absolute);
++static idn_result_t   append_textname(char *name, const char *origin,
++				      size_t namesize);
++static void	      idn_check_result(idn_result_t r, const char *msg);
++
++#define MAXDLEN               256
++#endif
++
+ /*
+  * Apply and clear locks at the event level in global task.
+@@ -732,4 +755,8 @@
+ 	}
+ 
++#ifdef WITH_IDN
++	initialize_idn();
++#endif
++
+ 	if (keyfile[0] != 0)
+ 		setup_file_key();
+@@ -1255,4 +1282,12 @@
+ 	dns_compress_t cctx;
+ 	char store[MXNAME];
++#ifdef WITH_IDN
++	idn_result_t mr;
++	char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
++#endif
++
++#ifdef WITH_IDN
++	dns_name_settotextfilter(output_filter);
++#endif
+ 
+ 	REQUIRE(lookup != NULL);
+@@ -1283,4 +1318,15 @@
+ 			sizeof(lookup->onamespace));
+ 
++#ifdef WITH_IDN
++	/*
++	 * We cannot convert `textname' and `origin' separately.
++	 * `textname' doesn't contain TLD, but local mapping needs
++	 * TLD.
++	 */
++	mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
++			    utf8_textname, sizeof(utf8_textname));
++	idn_check_result(mr, "convert textname to UTF-8");
++#endif
++
+ 	/*
+ 	 * If the name has too many dots, force the origin to be NULL
+@@ -1291,4 +1337,11 @@
+ 	 */
+ 	/* XXX New search here? */
++#ifdef WITH_IDN
++	if ((count_dots(utf8_textname) >= ndots) || !usesearch)
++		lookup->origin = NULL; /* Force abs lookup */
++	else if (lookup->origin == NULL && lookup->new_search && usesearch) {
++		lookup->origin = ISC_LIST_HEAD(search_list);
++	}
++#else
+ 	if ((count_dots(lookup->textname) >= ndots) || !usesearch)
+ 		lookup->origin = NULL; /* Force abs lookup */
+@@ -1296,5 +1349,27 @@
+ 		lookup->origin = ISC_LIST_HEAD(search_list);
+ 	}
++#endif
++
++#ifdef WITH_IDN
+ 	if (lookup->origin != NULL) {
++		mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
++				    lookup->origin->origin, utf8_origin,
++				    sizeof(utf8_origin));
++		idn_check_result(mr, "convert origin to UTF-8");
++		mr = append_textname(utf8_textname, utf8_origin,
++				     sizeof(utf8_textname));
++		idn_check_result(mr, "append origin to textname");
++	}
++	mr = idn_encodename(IDN_LOCALMAP | IDN_NAMEPREP | IDN_ASCCHECK |
++			    IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
++			    idn_textname, sizeof(idn_textname));
++	idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
++#endif
++
++#ifdef WITH_IDN
++	if (0) {
++#else
++	if (lookup->origin != NULL) {
++#endif
+ 		debug("trying origin %s", lookup->origin->origin);
+ 		result = dns_message_gettempname(lookup->sendmsg,
+@@ -1341,4 +1416,13 @@
+ 			dns_name_clone(dns_rootname, lookup->name);
+ 		else {
++#ifdef WITH_IDN
++			len = strlen(idn_textname);
++			isc_buffer_init(&b, idn_textname, len);
++			isc_buffer_add(&b, len);
++			result = dns_name_fromtext(lookup->name, &b,
++						   dns_rootname,
++						   ISC_FALSE,
++						   &lookup->namebuf);
++#else
+ 			len = strlen(lookup->textname);
+ 			isc_buffer_init(&b, lookup->textname, len);
+@@ -1348,4 +1432,5 @@
+ 						   ISC_FALSE,
+ 						   &lookup->namebuf);
++#endif
+ 		}
+ 		if (result != ISC_R_SUCCESS) {
+@@ -2863,2 +2948,100 @@
+ 		isc_mem_destroy(&mctx);
+ }
++
++#ifdef WITH_IDN
++static void
++initialize_idn(void) {
++	idn_result_t r;
++
++#ifdef HAVE_SETLOCALE
++	/* Set locale */
++	(void)setlocale(LC_ALL, "");
++#endif
++	/* Create configuration context. */
++	r = idn_nameinit(1);
++	if (r != idn_success)
++		fatal("idn api initialization failed: %s",
++		      idn_result_tostring(r));
++
++	/* Set domain name -> text post-conversion filter. */
++	dns_name_settotextfilter(output_filter);
++}
++
++static isc_result_t
++output_filter(isc_buffer_t *buffer, unsigned int used_org,
++	      isc_boolean_t absolute)
++{
++	char tmp1[MAXDLEN], tmp2[MAXDLEN];
++	size_t fromlen, tolen;
++	isc_boolean_t end_with_dot;
++
++	/*
++	 * Copy contents of 'buffer' to 'tmp1', supply trailing dot
++	 * if 'absolute' is true, and terminate with NUL.
++	 */
++	fromlen = isc_buffer_usedlength(buffer) - used_org;
++	if (fromlen >= MAXDLEN)
++		return (ISC_R_SUCCESS);
++	memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
++	end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
++	if (absolute && !end_with_dot) {
++		fromlen++;
++		if (fromlen >= MAXDLEN)
++			return (ISC_R_SUCCESS);
++		tmp1[fromlen - 1] = '.';
++	}
++	tmp1[fromlen] = '\0';
++
++	/*
++	 * Convert contents of 'tmp1' to local encoding.
++	 */
++	if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
++		return (ISC_R_SUCCESS);
++	strcpy(tmp1, tmp2);
++
++	/*
++	 * Copy the converted contents in 'tmp1' back to 'buffer'.
++	 * If we have appended trailing dot, remove it.
++	 */
++	tolen = strlen(tmp1);
++	if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
++		tolen--;
++
++	if (isc_buffer_length(buffer) < used_org + tolen)
++		return (ISC_R_NOSPACE);
++
++	isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
++	memcpy(isc_buffer_used(buffer), tmp1, tolen);
++	isc_buffer_add(buffer, tolen);
++
++	return (ISC_R_SUCCESS);
++}
++
++static idn_result_t
++append_textname(char *name, const char *origin, size_t namesize) {
++	size_t namelen = strlen(name);
++	size_t originlen = strlen(origin);
++
++	/* Already absolute? */
++	if (namelen > 0 && name[namelen - 1] == '.')
++		return idn_success;
++
++	/* Append dot and origin */
++
++	if (namelen + 1 + originlen >= namesize)
++		return idn_buffer_overflow;
++
++	name[namelen++] = '.';
++	(void)strcpy(name + namelen, origin);
++	return idn_success;
++}
++
++static void
++idn_check_result(idn_result_t r, const char *msg) {
++	if (r != idn_success) {
++		exitcode = 1;
++		fatal("%s: %s", msg, idn_result_tostring(r));
++	}
++}
++
++#endif /* WITH_IDN */
+Index: bin/dig/host.1
+===================================================================
+RCS file: /proj/cvs/prod/bind9/bin/dig/host.1,v
+retrieving revision 1.11.2.5
+diff -U2 -r1.11.2.5 host.1
+--- bin/dig/host.1	13 Oct 2005 02:23:26 -0000	1.11.2.5
++++ bin/dig/host.1	26 May 2006 03:51:00 -0000
+@@ -14,5 +14,5 @@
+ .\" PERFORMANCE OF THIS SOFTWARE.
+ .\"
+-.\" $Id: host.1,v 1.11.2.5 2005/10/13 02:23:26 marka Exp $
++.\" $Id$
+ .\"
+ .hy 0
+@@ -165,4 +165,15 @@
+ \fBhost\fR
+ will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
++.SH "IDN SUPPORT"
++.PP
++If
++\fBhost\fR
++has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
++\fBhost\fR
++appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
++\fBIDN_DISABLE\fR
++environment variable. The IDN support is disabled if the the variable is set when
++\fBhost\fR
++runs.
+ .SH "FILES"
+ .PP
+Index: bin/dig/host.docbook
+===================================================================
+RCS file: /proj/cvs/prod/bind9/bin/dig/host.docbook,v
+retrieving revision 1.2.2.5
+diff -U2 -r1.2.2.5 host.docbook
+--- bin/dig/host.docbook	12 May 2005 21:35:06 -0000	1.2.2.5
++++ bin/dig/host.docbook	26 May 2006 03:51:00 -0000
+@@ -199,4 +199,19 @@
+ 
+ 
++IDN SUPPORT
++
++If host has been built with IDN (internationalized
++domain name) support, it can accept and display non-ASCII domain names.
++host appropriately converts character encoding of
++domain name before sending a request to DNS server or displaying a
++reply from the server.
++If you'd like to turn off the IDN support for some reason, defines
++the IDN_DISABLE environment variable.
++The IDN support is disabled if the the variable is set when
++host runs.
++
++
++
++
+ FILES
+ 
+Index: lib/dns/name.c
+===================================================================
+RCS file: /proj/cvs/prod/bind9/lib/dns/name.c,v
+retrieving revision 1.127.2.14
+diff -U2 -r1.127.2.14 name.c
+--- lib/dns/name.c	2 Mar 2006 00:37:17 -0000	1.127.2.14
++++ lib/dns/name.c	26 May 2006 03:51:04 -0000
+@@ -199,4 +199,11 @@
+ dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
+ 
++#ifdef WITH_IDN
++/*
++ * dns_name_t to text post-conversion procedure.
++ */
++static dns_name_totextfilter_t totext_filter_proc = NULL;
++#endif
++
+ static void
+ set_offsets(const dns_name_t *name, unsigned char *offsets,
+@@ -1715,4 +1722,7 @@
+ 	isc_boolean_t saw_root = ISC_FALSE;
+ 	char num[4];
++#ifdef WITH_IDN
++	unsigned int oused = target->used;
++#endif
+ 
+ 	/*
+@@ -1895,4 +1905,8 @@
+ 	isc_buffer_add(target, tlen - trem);
+ 
++#ifdef WITH_IDN
++	if (totext_filter_proc != NULL)
++		return ((*totext_filter_proc)(target, oused, saw_root));
++#endif
+ 	return (ISC_R_SUCCESS);
+ }
+@@ -3363,2 +3377,8 @@
+ }
+ 
++#ifdef WITH_IDN
++void
++dns_name_settotextfilter(dns_name_totextfilter_t proc) {
++	totext_filter_proc = proc;
++}
++#endif
+Index: lib/dns/include/dns/name.h
+===================================================================
+RCS file: /proj/cvs/prod/bind9/lib/dns/include/dns/name.h,v
+retrieving revision 1.95.2.11
+diff -U2 -r1.95.2.11 name.h
+--- lib/dns/include/dns/name.h	2 Mar 2006 00:37:17 -0000	1.95.2.11
++++ lib/dns/include/dns/name.h	26 May 2006 03:51:06 -0000
+@@ -220,4 +220,15 @@
+ #define DNS_NAME_MAXWIRE 255
+ 
++#ifdef WITH_IDN
++/*
++ * Text output filter procedure.
++ * 'target' is the buffer to be converted.  The region to be converted
++ * is from 'buffer'->base + 'used_org' to the end of the used region.
++ */
++typedef isc_result_t (*dns_name_totextfilter_t)(isc_buffer_t *target,
++						unsigned int used_org,
++						isc_boolean_t absolute);
++#endif
++
+ /***
+  *** Initialization
+@@ -1266,4 +1277,12 @@
+  */
+ 
++#ifdef WITH_IDN
++void
++dns_name_settotextfilter(dns_name_totextfilter_t proc);
++/*
++ * Call 'proc' at the end of dns_name_totext.
++ */
++#endif /* WITH_IDN */
++
+ #define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
+ /*

From c205e982b6625034ca5445470fbf175c9cc41bea Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 26 May 2006 04:01:57 +0000
Subject: [PATCH 240/465] spelling

---
 lib/dns/include/dns/cache.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index 73210e06c6..6659455375 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.h,v 1.17.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: cache.h,v 1.17.2.4 2006/05/26 04:01:57 marka Exp $ */
 
 #ifndef DNS_CACHE_H
 #define DNS_CACHE_H 1
@@ -151,7 +151,7 @@ dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
 
 
 isc_result_t
-dns_cache_setfilename(dns_cache_t *cahce, const char *filename);
+dns_cache_setfilename(dns_cache_t *cache, const char *filename);
 /*
  * If 'filename' is non-NULL, make the cache persistent.
  * The cache's data will be stored in the given file.

From b398bcb694bf14ab0fde3f8feedc0384359ba6e9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 26 May 2006 04:10:28 +0000
Subject: [PATCH 241/465] 9.2.7b1

---
 lib/dns/api    | 6 +++---
 lib/isc/api    | 6 +++---
 lib/isccfg/api | 2 +-
 lib/lwres/api  | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/dns/api b/lib/dns/api
index a62e57e256..409db1925b 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 17
-LIBREVISION = 1
-LIBAGE = 1
+LIBINTERFACE = 18
+LIBREVISION = 0
+LIBAGE = 2
diff --git a/lib/isc/api b/lib/isc/api
index 230116d4f4..083b745146 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 8
-LIBREVISION = 8
-LIBAGE = 1
+LIBINTERFACE = 9
+LIBREVISION = 0
+LIBAGE = 2
diff --git a/lib/isccfg/api b/lib/isccfg/api
index acd63648e1..455a7f4315 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 0
-LIBREVISION = 12
+LIBREVISION = 13
 LIBAGE = 0
diff --git a/lib/lwres/api b/lib/lwres/api
index 3f9fc8787e..a8b05fb19e 100644
--- a/lib/lwres/api
+++ b/lib/lwres/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 2
-LIBREVISION = 5
+LIBREVISION = 6
 LIBAGE = 1

From 031283c7090e62aaf4b4dafbcc3bf51792ca85ac Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 26 May 2006 04:24:49 +0000
Subject: [PATCH 242/465] 9.2.7b1

---
 lib/bind/api | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bind/api b/lib/bind/api
index a23ecb3d2b..2bcba231e6 100644
--- a/lib/bind/api
+++ b/lib/bind/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 4
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 0

From 6cb5ddf582968e0727ecc74c8c4b0b5909d869d1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 26 May 2006 04:26:34 +0000
Subject: [PATCH 243/465] newcopyrights

---
 util/copyrights | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index a65b01aaf8..b7c30ae9e7 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -939,6 +939,7 @@
 ./contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.4-patch	X	2004
 ./contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.5-patch	X	2004
 ./contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.6-patch	X	2005
+./contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch	X	2006
 ./contrib/idn/idnkit-1.0-src/tools/Makefile.in	X	2003
 ./contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in	X	2003
 ./contrib/idn/idnkit-1.0-src/tools/idnconv/idnconv.1	X	2003
@@ -1570,7 +1571,7 @@
 ./lib/dns/a6.c					C	1999,2000,2001,2004
 ./lib/dns/acl.c					C	1999,2000,2001,2004,2006
 ./lib/dns/adb.c					C	1999,2000,2001,2002,2003,2004,2005,2006
-./lib/dns/api					X	1999,2000,2001,2005
+./lib/dns/api					X	1999,2000,2001,2005,2006
 ./lib/dns/byaddr.c				C	2000,2001,2003,2004
 ./lib/dns/cache.c				C	1999,2000,2001,2002,2003,2004,2006
 ./lib/dns/callbacks.c				C	1999,2000,2001,2004
@@ -1814,7 +1815,7 @@
 ./lib/dns/zt.c					C	1999,2000,2001,2004
 ./lib/isc/.cvsignore				X	1999,2000,2001
 ./lib/isc/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004
-./lib/isc/api					X	1999,2000,2001,2005
+./lib/isc/api					X	1999,2000,2001,2005,2006
 ./lib/isc/assertions.c				C	1997,1998,1999,2000,2001,2004
 ./lib/isc/base64.c				C	1998,1999,2000,2001,2003,2004
 ./lib/isc/bitstring.c				C	1999,2000,2001,2004
@@ -2087,7 +2088,7 @@
 ./lib/isccc/win32/version.c			C	2001,2004
 ./lib/isccfg/.cvsignore				X	2001
 ./lib/isccfg/Makefile.in			MAKE	2001,2003,2004
-./lib/isccfg/api				X	2001,2005
+./lib/isccfg/api				X	2001,2005,2006
 ./lib/isccfg/check.c				C	2001,2002,2003,2004,2006
 ./lib/isccfg/include/.cvsignore			X	2001
 ./lib/isccfg/include/Makefile.in		MAKE	2001,2004
@@ -2107,7 +2108,7 @@
 ./lib/isccfg/win32/version.c			C	1998,1999,2000,2001,2004
 ./lib/lwres/.cvsignore				X	2000,2001
 ./lib/lwres/Makefile.in				MAKE	2000,2001,2004
-./lib/lwres/api					X	2000,2001,2005
+./lib/lwres/api					X	2000,2001,2005,2006
 ./lib/lwres/assert_p.h				C	2000,2001,2004
 ./lib/lwres/context.c				C	2000,2001,2003,2004
 ./lib/lwres/context_p.h				C	2000,2001,2004

From b5205d860b1672c405c57004e6823af873799b42 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 29 May 2006 01:27:58 +0000
Subject: [PATCH 244/465] 2033.   [bug]           We wern't creating multiple
 client memory contexts                         on demand as expected. [RT
 #16095]

---
 CHANGES            | 3 +++
 bin/named/client.c | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 3a1d81cc26..b5d283c8e2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2033.	[bug]		We wern't creating multiple client memory contexts
+			on demand as expected. [RT #16095]
+
 2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]
 
 2031.	[bug]		Emit a error message when "rndc refresh" is called on
diff --git a/bin/named/client.c b/bin/named/client.c
index 108e5517a1..336433f6cb 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.235 2006/01/05 00:01:46 marka Exp $ */
+/* $Id: client.c,v 1.236 2006/05/29 01:27:58 marka Exp $ */
 
 #include 
 
@@ -1782,14 +1782,14 @@ client_timeout(isc_task_t *task, isc_event_t *event) {
 static isc_result_t
 get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
 	isc_mem_t *clientmctx;
-#if NMCTX > 0
+#if NMCTXS > 0
 	isc_result_t result;
 #endif
 
 	/*
 	 * Caller must be holding the manager lock.
 	 */
-#if NMCTX > 0
+#if NMCTXS > 0
 	INSIST(manager->nextmctx < NMCTXS);
 	clientmctx = manager->mctxpool[manager->nextmctx];
 	if (clientmctx == NULL) {

From cd18f34923b7d82dc80b3205eee11d2e7f26bdde Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 30 May 2006 04:18:36 +0000
Subject: [PATCH 245/465] checkpoint

---
 lib/isc/include/isc/list.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h
index 2c987eaad3..8220522d38 100644
--- a/lib/isc/include/isc/list.h
+++ b/lib/isc/include/isc/list.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.20 2004/03/05 05:10:58 marka Exp $ */
+/* $Id: list.h,v 1.21 2006/05/30 04:18:36 marka Exp $ */
 
 #ifndef ISC_LIST_H
 #define ISC_LIST_H 1
@@ -90,12 +90,16 @@
 	do { \
 		if ((elt)->link.next != NULL) \
 			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else \
+		else { \
+			ISC_INSIST((list).tail == (elt)); \
 			(list).tail = (elt)->link.prev; \
+		} \
 		if ((elt)->link.prev != NULL) \
 			(elt)->link.prev->link.next = (elt)->link.next; \
-		else \
+		else { \
+			ISC_INSIST((list).head == (elt)); \
 			(list).head = (elt)->link.next; \
+		} \
 		(elt)->link.prev = (type *)(-1); \
 		(elt)->link.next = (type *)(-1); \
 	} while (0)

From 14fd8cec2cbe0ed0deabbe06df4c9f2789ecde9b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 30 May 2006 23:17:54 +0000
Subject: [PATCH 246/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 8a7dd79eff..eb6542db74 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -72,6 +72,7 @@ rt15860				new
 rt15878				new	
 rt15941				new	
 rt15958				new	
+rt15959				new	
 rt15960				new	
 rt15970				new	
 rt15976				new	

From d88802c24b46b5da1c669f1e597825efc094b2bb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 30 May 2006 23:30:23 +0000
Subject: [PATCH 247/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index ce63b58487..810ac50418 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2038,7 +2038,7 @@
 ./lib/isc/include/isc/lex.h			C	1998,1999,2000,2001,2002,2004,2005
 ./lib/isc/include/isc/lfsr.h			C	1999,2000,2001,2004,2005
 ./lib/isc/include/isc/lib.h			C	1999,2000,2001,2004,2005
-./lib/isc/include/isc/list.h			C	1997,1998,1999,2000,2001,2002,2004
+./lib/isc/include/isc/list.h			C	1997,1998,1999,2000,2001,2002,2004,2006
 ./lib/isc/include/isc/log.h			C	1999,2000,2001,2002,2004,2005
 ./lib/isc/include/isc/magic.h			C	1999,2000,2001,2004,2005
 ./lib/isc/include/isc/md5.h			C	2000,2001,2004,2005,2006

From a48de0f7c4fd4fe7c3513ca352501bdcaaccaa79 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 31 May 2006 23:17:51 +0000
Subject: [PATCH 248/465] auto update

---
 doc/private/branches | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index eb6542db74..b5d454193a 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -86,6 +86,9 @@ rt16037				new
 rt16073				new	
 rt16074				new	
 rt16075				new	
+rt16122				new	
+rt16123				new	
+rt16124				new	
 rt1727				open		// ixfr-from-differences workfile
 rt6496a				review	marka
 rt6496b				new	

From 4f5d35f6f0e6f8161ef89ac29ddabc0cea37fa13 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 31 May 2006 23:48:23 +0000
Subject: [PATCH 249/465] closed

---
 doc/private/branches | 112 +++++++++++++++++++++----------------------
 1 file changed, 56 insertions(+), 56 deletions(-)

diff --git a/doc/private/branches b/doc/private/branches
index b5d454193a..c67ca9cdc0 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -24,74 +24,74 @@ rt11398d			open	sra	// doxygen dev
 rt11543				open	jakob
 rt11733				open	jakob
 rt11733b			open	jakob
-rt12895				new	
+rt12895				closed	
 rt13489				review	marka
 rt13555				open	marka	// nslookup name failure
 rt13562				open	marka
-rt13606				review	marka	// TSIG SHA256
-rt13662_alt2			review	marka	// rrset-order fixed
+rt13606				closed	marka	// TSIG SHA256
+rt13662_alt2			closed	marka	// rrset-order fixed
 rt14623				open	
 rt14654				open	
 rt14815				open		// stats blind spots	
 rt14895				open	jinmei
-rt14895b			open	
+rt14895b			open	jinmei
 rt15327				open	
-rt15452				new	
+rt15452				open	marka	// NSEC3	
 rt15473				review	marka
 rt15473b			review	marka
-rt15592				review	
-rt15608				review	
-rt15620				review	
-rt15633				review	
-rt15674				review	
-rt15694				review	
-rt15695				review	
-rt15698				new	
-rt15702				review	
-rt15704				review	
-rt15709				review	
-rt15742				review	
-rt15753				review	
-rt15758				review	
-rt15758a			new	
+rt15592				closed	
+rt15608				closed
+rt15620				closed	
+rt15633				closed	
+rt15674				closed	
+rt15694				closed	
+rt15695				closed	
+rt15698				open	
+rt15702				closed	
+rt15704				closed	
+rt15709				closed	
+rt15742				closed	
+rt15753				closed	
+rt15758				closed	
+rt15758a			closed	
 rt15765				open	
-rt15795				review	
-rt15807				review	
-rt15808				review	
-rt15812				review	
-rt15813				new	
-rt15817				new	
-rt15818				new	
-rt15825				new	
-rt15835				new	
-rt15840				new	
-rt15844				new	
-rt15849				new	
-rt15855				new	
-rt15860				new	
-rt15878				new	
-rt15941				new	
-rt15958				new	
-rt15959				new	
-rt15960				new	
-rt15970				new	
-rt15976				new	
-rt15992				new	
-rt16020				new	
-rt16026				new	
-rt16027				new	
-rt16030				new	
-rt16034				new	
-rt16037				new	
-rt16073				new	
-rt16074				new	
-rt16075				new	
-rt16122				new	
-rt16123				new	
-rt16124				new	
+rt15795				closed	
+rt15807				closed	
+rt15808				closed	
+rt15812				closed	
+rt15813				closed	
+rt15817				closed	
+rt15818				closed	
+rt15825				closed	
+rt15835				closed	
+rt15840				closed	
+rt15844				closed	
+rt15849				closed	
+rt15855				closed	
+rt15860				open	
+rt15878				closed	
+rt15941				closed	
+rt15958				closed	
+rt15959				review	
+rt15960				closed	
+rt15970				closed	
+rt15976				closed	
+rt15992				closed	
+rt16020				closed	
+rt16026				closed	
+rt16027				closed	
+rt16030				closed	
+rt16034				closed	
+rt16037				closed	
+rt16073				closed	
+rt16074				closed	
+rt16075				review	
+rt16122				review	
+rt16123				review	
+rt16124				review	
 rt1727				open		// ixfr-from-differences workfile
-rt6496a				review	marka
-rt6496b				new	
+rt6496a				closed	marka
+rt6496b				closed	
 skan				new	
 skan-metazones1			private	
 skan_implicit_update1		new	

From c7fd8eee2e6d52e3fb063996b1cab8fdf4f6a81e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 1 Jun 2006 23:17:01 +0000
Subject: [PATCH 250/465] auto update

---
 doc/private/branches | 94 ++++++++++++++++++++++----------------------
 1 file changed, 47 insertions(+), 47 deletions(-)

diff --git a/doc/private/branches b/doc/private/branches
index c67ca9cdc0..287fb70e40 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -24,12 +24,9 @@ rt11398d			open	sra	// doxygen dev
 rt11543				open	jakob
 rt11733				open	jakob
 rt11733b			open	jakob
-rt12895				closed	
 rt13489				review	marka
 rt13555				open	marka	// nslookup name failure
 rt13562				open	marka
-rt13606				closed	marka	// TSIG SHA256
-rt13662_alt2			closed	marka	// rrset-order fixed
 rt14623				open	
 rt14654				open	
 rt14815				open		// stats blind spots	
@@ -39,59 +36,15 @@ rt15327				open
 rt15452				open	marka	// NSEC3	
 rt15473				review	marka
 rt15473b			review	marka
-rt15592				closed	
-rt15608				closed
-rt15620				closed	
-rt15633				closed	
-rt15674				closed	
-rt15694				closed	
-rt15695				closed	
 rt15698				open	
-rt15702				closed	
-rt15704				closed	
-rt15709				closed	
-rt15742				closed	
-rt15753				closed	
-rt15758				closed	
-rt15758a			closed	
 rt15765				open	
-rt15795				closed	
-rt15807				closed	
-rt15808				closed	
-rt15812				closed	
-rt15813				closed	
-rt15817				closed	
-rt15818				closed	
-rt15825				closed	
-rt15835				closed	
-rt15840				closed	
-rt15844				closed	
-rt15849				closed	
-rt15855				closed	
 rt15860				open	
-rt15878				closed	
-rt15941				closed	
-rt15958				closed	
 rt15959				review	
-rt15960				closed	
-rt15970				closed	
-rt15976				closed	
-rt15992				closed	
-rt16020				closed	
-rt16026				closed	
-rt16027				closed	
-rt16030				closed	
-rt16034				closed	
-rt16037				closed	
-rt16073				closed	
-rt16074				closed	
 rt16075				review	
 rt16122				review	
 rt16123				review	
 rt16124				review	
 rt1727				open		// ixfr-from-differences workfile
-rt6496a				closed	marka
-rt6496b				closed	
 skan				new	
 skan-metazones1			private	
 skan_implicit_update1		new	
@@ -277,6 +230,7 @@ rt12810a			closed
 rt12838				closed
 rt12866				closed
 rt12894				closed
+rt12895				closed
 rt12907				closed
 rt12919				closed
 rt12933				closed
@@ -320,11 +274,13 @@ rt13593				closed
 rt13593a			closed
 rt13597				closed
 rt13605				closed
+rt13606				closed		// TSIG SHA256
 rt13609				closed
 rt13620				closed
 rt13659				closed
 rt13662				closed		// abandoned
 rt13662_alt			closed		// abandoned
+rt13662_alt2			closed		// rrset-order fixed
 rt13694				closed
 rt13707				closed
 rt13714				closed
@@ -407,19 +363,61 @@ rt15544b			closed
 rt15562				closed
 rt15568				closed
 rt15586				closed
+rt15592				closed
+rt15608				closed
 rt15613				closed
+rt15620				closed
 rt15628				closed
+rt15633				closed
 rt15636				closed
 rt15642				closed
 rt15647				closed
 rt15649				closed
+rt15674				closed
+rt15694				closed
+rt15695				closed
+rt15702				closed
+rt15704				closed
+rt15709				closed
 rt15723				closed
 rt15727				closed
 rt1572a				closed		// bad rt#
 rt15739				closed
+rt15742				closed
+rt15753				closed
+rt15758				closed
+rt15758a			closed
 rt15776				closed
 rt15779				closed
 rt15780				closed
+rt15795				closed
+rt15807				closed
+rt15808				closed
+rt15812				closed
+rt15813				closed
+rt15817				closed
+rt15818				closed
+rt15825				closed
+rt15835				closed
+rt15840				closed
+rt15844				closed
+rt15849				closed
+rt15855				closed
+rt15878				closed
+rt15941				closed
+rt15958				closed
+rt15960				closed
+rt15970				closed
+rt15976				closed
+rt15992				closed
+rt16020				closed
+rt16026				closed
+rt16027				closed
+rt16030				closed
+rt16034				closed
+rt16037				closed
+rt16073				closed
+rt16074				closed
 rt1727b				closed
 rt1727c				closed
 rt2471				closed
@@ -492,6 +490,8 @@ rt6229				closed
 rt6427				closed
 rt6432				closed
 rt6496				closed
+rt6496a				closed
+rt6496b				closed
 rt6539				closed
 rt6636				closed
 rt6813				closed

From 15bda409010cbf2d3e43baf10f28bae5f7b1abef Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 2 Jun 2006 03:36:23 +0000
Subject: [PATCH 251/465] 2034.   [bug]           gcc: set
 -fno-strict-aliasing. [RT #16124]

---
 CHANGES               | 2 ++
 configure             | 8 +++++---
 configure.in          | 4 ++--
 lib/bind/configure    | 4 ++--
 lib/bind/configure.in | 4 ++--
 5 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index b5d283c8e2..394b332f74 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
+
 2033.	[bug]		We wern't creating multiple client memory contexts
 			on demand as expected. [RT #16095]
 
diff --git a/configure b/configure
index 4137fefc1c..29944a6e0d 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.393 2006/03/06 01:06:48 marka Exp $
+# $Id: configure,v 1.394 2006/06/02 03:36:22 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.405 .
+# From configure.in Revision: 1.406 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -7506,7 +7506,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
 	case "$host" in
 	*-hp-hpux*)
 		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
@@ -29433,6 +29433,8 @@ echo "$as_me: error: path $use_dlz_bdb does not exist" >&2;}
 					if test "$dd" != "/usr"
 					then
 						dlz_bdb_libs="-L${dd}/lib "
+					else
+						dlz_bdb_libs=""
 					fi
 					dlz_bdb_libs="${dlz_bdb_libs}-l${d}"
 					break
diff --git a/configure.in b/configure.in
index f13dba5ed4..2c42fa89cb 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.405 $)
+AC_REVISION($Revision: 1.406 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -810,7 +810,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
 	case "$host" in
 	*-hp-hpux*)
 		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
diff --git a/lib/bind/configure b/lib/bind/configure
index 3de6eb378b..e85a2900a0 100644
--- a/lib/bind/configure
+++ b/lib/bind/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.115 .
+# From configure.in Revision: 1.117 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -6403,7 +6403,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith -fno-strict-aliasing"
 else
 	case $host in
 	*-dec-osf*)
diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index 0fae2f5772..620cc155bd 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.116 $)
+AC_REVISION($Revision: 1.117 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)
@@ -513,7 +513,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith -fno-strict-aliasing"
 else
 	case $host in
 	*-dec-osf*)

From 42a9236cbd2fb6958893c6d3083d3535df4c0535 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 2 Jun 2006 04:55:38 +0000
Subject: [PATCH 252/465] 2034.   [bug]           gcc: set
 -fno-strict-aliasing. [RT #16124]

---
 CHANGES               | 2 ++
 configure             | 4 ++--
 configure.in          | 4 ++--
 lib/bind/configure    | 4 ++--
 lib/bind/configure.in | 4 ++--
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index 3aca395b4c..6305a7113d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
+
 
 	--- 9.2.7b1 released ---
 
diff --git a/configure b/configure
index c2b4f6a015..09dc7ceb76 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.294.2.61 .
+# From configure.in Revision: 1.294.2.62 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -7297,7 +7297,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
 	case "$host" in
 	*-hp-hpux*)
 		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
diff --git a/configure.in b/configure.in
index 79c08310d0..6377aae7e3 100644
--- a/configure.in
+++ b/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.294.2.61 $)
+AC_REVISION($Revision: 1.294.2.62 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.13)
@@ -717,7 +717,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
 	case "$host" in
 	*-hp-hpux*)
 		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
diff --git a/lib/bind/configure b/lib/bind/configure
index 1af8593ffa..1861ac31d6 100644
--- a/lib/bind/configure
+++ b/lib/bind/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.83.2.28 .
+# From configure.in Revision: 1.83.2.30 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -6403,7 +6403,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith -fno-strict-aliasing"
 else
 	case $host in
 	*-dec-osf*)
diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index d5c6df35be..0c59c987ed 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.83.2.29 $)
+AC_REVISION($Revision: 1.83.2.30 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)
@@ -513,7 +513,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith"
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith -fno-strict-aliasing"
 else
 	case $host in
 	*-dec-osf*)

From a45a6ea2b03448751d7c44931e8ac7666e7cc2ce Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 4 Jun 2006 23:17:07 +0000
Subject: [PATCH 253/465] 2035.   [func]          Make falling back to TCP on
 UDP refresh failure                         optional. Default
 "try-tcp-refresh yes;" for BIND 8                         compatibility. [RT
 #16123]

---
 CHANGES                      |  4 ++++
 bin/named/config.c           |  3 ++-
 bin/named/named.conf.docbook |  5 ++++-
 bin/named/zoneconf.c         |  6 +++++-
 doc/arm/Bv9ARM-book.xml      | 24 +++++++++++++++++++++++-
 lib/bind9/check.c            |  3 ++-
 lib/dns/include/dns/zone.h   |  3 ++-
 lib/dns/zone.c               |  5 +++--
 lib/isccfg/namedconf.c       |  3 ++-
 9 files changed, 47 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 394b332f74..2e18766996 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2035.	[func]		Make falling back to TCP on UDP refresh failure
+			optional. Default "try-tcp-refresh yes;" for BIND 8
+			compatibility. [RT #16123]
+
 2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
 
 2033.	[bug]		We wern't creating multiple client memory contexts
diff --git a/bin/named/config.c b/bin/named/config.c
index 856d2f48dd..8d3571248f 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.74 2006/05/03 01:54:53 marka Exp $ */
+/* $Id: config.c,v 1.75 2006/06/04 23:17:06 marka Exp $ */
 
 /*! \file */
 
@@ -178,6 +178,7 @@ options {\n\
 	check-srv-cname warn;\n\
 	zero-no-soa-ttl yes;\n\
 	update-check-ksk yes;\n\
+	try-tcp-refresh yes; /* BIND 8 compat */\n\
 };\n\
 "
 
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 3fc54dac7e..2978ce1e12 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Aug 13, 2004
@@ -321,6 +321,7 @@ options {
 
 	zone-statistics boolean;
 	key-directory quoted_string;
+	try-tcp-refresh boolean;
 	zero-no-soa-ttl boolean;
 	zero-no-soa-ttl-cache boolean;
 
@@ -468,6 +469,7 @@ view string optional_class
 	use-alt-transfer-source boolean;
 
 	zone-statistics boolean;
+	try-tcp-refresh boolean;
 	key-directory quoted_string;
 	zero-no-soa-ttl boolean;
 	zero-no-soa-ttl-cache boolean;
@@ -554,6 +556,7 @@ zone string optional_class
 	use-alt-transfer-source boolean;
 
 	zone-statistics boolean;
+	try-tcp-refresh boolean;
 	key-directory quoted_string;
 
 	ixfr-base quoted_string; // obsolete
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 4866374a83..72cd962542 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.133 2006/05/16 03:35:56 marka Exp $ */
+/* $Id: zoneconf.c,v 1.134 2006/06/04 23:17:06 marka Exp $ */
 
 /*% */
 
@@ -876,6 +876,10 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			alt = cfg_obj_asboolean(obj);
 		dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
 
+		obj = NULL;
+		(void)ns_config_get(maps, "try-tcp-refresh", &obj);
+		dns_zone_setoption(zone, DNS_ZONEOPT_TRYTCPREFRESH,
+				   cfg_obj_asboolean(obj));
 		break;
 
 	default:
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 5bd6c312f1..91ef76ec15 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -4419,6 +4419,7 @@ category notify { null; };
      allow-update { address_match_list }; 
      allow-update-forwarding { address_match_list }; 
      update-check-ksk yes_or_no; 
+     try-tcp-refresh yes_or_no; 
      allow-v6-synthesis { address_match_list }; 
      blackhole { address_match_list }; 
      avoid-v4-udp-ports { port_list }; 
@@ -5671,6 +5672,16 @@ options {
 	      
 	    
 
+	    
+	      try-tcp-refresh
+	      
+	        
+		  Try to refresh the zone using TCP if UDP queries fail.
+		  The default is yes.
+		
+	      
+	    
+
           
 
         
@@ -8041,6 +8052,7 @@ zone zone_name class allow-transfer { address_match_list }; 
      allow-update-forwarding { address_match_list }; 
      update-check-ksk yes_or_no; 
+     try-tcp-refresh yes_or_no; 
      also-notify { ip_addr port ip_port ;  ip_addr port ip_port ; ...  }; 
      check-names (warn|fail|ignore) ; 
      dialup dialup_option ; 
@@ -8525,6 +8537,16 @@ zone zone_name class
               
 
+	      
+	        try-tcp-refresh
+                
+                  
+                    See the description of
+                    try-tcp-refresh in .
+                  
+                
+              
+
               
                 database
                 
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 5db9b81ac2..b052a50ab5 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.74 2006/03/10 05:00:23 marka Exp $ */
+/* $Id: check.c,v 1.75 2006/06/04 23:17:06 marka Exp $ */
 
 /*! \file */
 
@@ -934,6 +934,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "check-srv-cname", MASTERZONE },
 	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
 	{ "update-check-ksk", MASTERZONE },
+	{ "try-tcp-refresh", SLAVEZONE },
 	};
 
 	static optionstable dialups[] = {
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index c2a1bf499a..6e98c9996e 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.144 2006/03/06 01:27:52 marka Exp $ */
+/* $Id: zone.h,v 1.145 2006/06/04 23:17:07 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -66,6 +66,7 @@ typedef enum {
 #define DNS_ZONEOPT_WARNSRVCNAME  0x00200000U	/*%< warn on SRV CNAME check */
 #define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U	/*%< ignore SRV CNAME check */
 #define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U	/*%< check dnskey KSK flag */
+#define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U	/*%< try tcp refresh on udp failure */
 
 #ifndef NOMINUM_PUBLIC
 /*
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 22b483777a..6f65db39ed 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.455 2006/05/18 02:35:26 marka Exp $ */
+/* $Id: zone.c,v 1.456 2006/06/04 23:17:06 marka Exp $ */
 
 /*! \file */
 
@@ -4285,7 +4285,8 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 				     "master %s exceeded (source %s)",
 				     master, source);
 			/* Try with slave with TCP. */
-			if (zone->type == dns_zone_slave)
+			if (zone->type == dns_zone_slave &&
+			    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH))
 				goto tcp_transfer;
 		} else
 			dns_zone_log(zone, ISC_LOG_INFO,
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index cc34ec864c..2c691f5f68 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.69 2006/05/03 01:54:54 marka Exp $ */
+/* $Id: namedconf.c,v 1.70 2006/06/04 23:17:07 marka Exp $ */
 
 /*! \file */
 
@@ -846,6 +846,7 @@ zone_clauses[] = {
 	{ "check-sibling", &cfg_type_boolean, 0 },
 	{ "zero-no-soa-ttl", &cfg_type_boolean, 0 },
 	{ "update-check-ksk", &cfg_type_boolean, 0 },
+	{ "try-tcp-refresh", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };
 

From 6bf6622b7b9053dc52527478473b572f042c4b5b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 4 Jun 2006 23:38:17 +0000
Subject: [PATCH 254/465] regen

---
 bin/named/named.conf.5           |  5 +-
 bin/named/named.conf.html        | 13 +++--
 doc/arm/Bv9ARM.ch06.html         | 82 ++++++++++++++++++--------------
 doc/arm/Bv9ARM.ch07.html         | 14 +++---
 doc/arm/Bv9ARM.ch08.html         | 18 +++----
 doc/arm/Bv9ARM.ch09.html         | 18 +++----
 doc/arm/Bv9ARM.html              | 40 ++++++++--------
 doc/arm/man.dig.html             | 20 ++++----
 doc/arm/man.dnssec-keygen.html   | 14 +++---
 doc/arm/man.dnssec-signzone.html | 12 ++---
 doc/arm/man.host.html            | 10 ++--
 doc/arm/man.named-checkconf.html | 12 ++---
 doc/arm/man.named-checkzone.html | 12 ++---
 doc/arm/man.named.html           | 16 +++----
 doc/arm/man.rndc-confgen.html    | 12 ++---
 doc/arm/man.rndc.conf.html       | 12 ++---
 doc/arm/man.rndc.html            | 12 ++---
 doc/misc/options                 |  4 ++
 18 files changed, 174 insertions(+), 152 deletions(-)

diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 2b2244910b..fb1aee1886 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.19 2006/05/17 02:39:15 marka Exp $
+.\" $Id: named.conf.5,v 1.20 2006/06/04 23:38:17 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -266,6 +266,7 @@ options {
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
+	try\-tcp\-refresh \fIboolean\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
 	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
@@ -396,6 +397,7 @@ view \fIstring\fR \fIoptional_class\fR {
 		[ port ( \fIinteger\fR | * ) ];
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
+	try\-tcp\-refresh \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
@@ -470,6 +472,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 		[ port ( \fIinteger\fR | * ) ];
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
+	try\-tcp\-refresh \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
 	ixfr\-base \fIquoted_string\fR; // obsolete
 	ixfr\-tmp\-file \fIquoted_string\fR; // obsolete
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index d2a4e797e4..481f8936d4 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -293,6 +293,7 @@ options
 
    
 	zone-statistics boolean;
    
 	key-directory quoted_string;
    
+	try-tcp-refresh boolean;
    
 	zero-no-soa-ttl boolean;
    
 	zero-no-soa-ttl-cache boolean;
    
 
    
@@ -312,7 +313,7 @@ options
 

 
 

-
VIEW

+
VIEW

 


 view string optional_class {

 	match-clients { address_match_element; ... };

@@ -439,6 +440,7 @@ view
 	use-alt-transfer-source boolean;

 

 	zone-statistics boolean;

+	try-tcp-refresh boolean;

 	key-directory quoted_string;

 	zero-no-soa-ttl boolean;

 	zero-no-soa-ttl-cache boolean;

@@ -451,7 +453,7 @@ view
 

 

 

-
ZONE

+
ZONE

 


 zone string optional_class {

 	type ( master | slave | stub | hint |

@@ -524,6 +526,7 @@ zone
 	use-alt-transfer-source boolean;

 

 	zone-statistics boolean;

+	try-tcp-refresh boolean;

 	key-directory quoted_string;

 

 	ixfr-base quoted_string; // obsolete

@@ -535,12 +538,12 @@ zone
 

 

 

-
FILES

+
FILES

 
/etc/named.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       rndc(8),
       BIND 9 Administrator Reference Manual.
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 64102846c2..7c7b39e8ae 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -77,23 +77,23 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
@@ -1776,6 +1776,7 @@ category notify { null; };
     [ allow-update { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ update-check-ksk yes_or_no; ]
+    [ try-tcp-refresh yes_or_no; ]
     [ allow-v6-synthesis { address_match_list }; ]
     [ blackhole { address_match_list }; ]
     [ avoid-v4-udp-ports { port_list }; ]
@@ -2762,11 +2763,16 @@ options {
                   a KSK.
                   The default is yes.
                 

+
try-tcp-refresh

+

+                  Try to refresh the zone using TCP if UDP queries fail.
+                  The default is yes.
+                

 

 
 

 

-Forwarding

+Forwarding

 

             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2810,7 +2816,7 @@ options {
 
 

 

-Dual-stack Servers

+Dual-stack Servers

 

             Dual-stack servers are used as servers of last resort to work
             around
@@ -2970,7 +2976,7 @@ options {
 
 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3050,7 +3056,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 

 

-Query Address

+Query Address

 

             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3330,7 +3336,7 @@ query-source-v6 address * port *;
 
 

 

-Bad UDP Port Lists

+Bad UDP Port Lists

 
avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3344,7 +3350,7 @@ query-source-v6 address * port *;
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3403,7 +3409,7 @@ query-source-v6 address * port *;
 
 

 

-Server  Resource Limits

+Server  Resource Limits

 

             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3481,7 +3487,7 @@ query-source-v6 address * port *;
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -4529,7 +4535,7 @@ query-source-v6 address * port *;
 

 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4538,7 +4544,7 @@ query-source-v6 address * port *;
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -4581,7 +4587,7 @@ query-source-v6 address * port *;
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -4746,6 +4752,7 @@ zone zone_name [ allow-transfer { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ update-check-ksk yes_or_no; ]
+    [ try-tcp-refresh yes_or_no; ]
     [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
     [ check-names (warn|fail|ignore) ; ]
     [ dialup dialup_option ; ]
@@ -4832,10 +4839,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 


                       

-                        Identifies a mail exchange for the domain.
+                        Identifies a mail exchange for the domain with
                         a 16 bit preference value (lower is better)
                         followed by the host name of the mail exchange.
                         Described in RFC 974, RFC 1035.
@@ -6198,7 +6213,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6401,7 +6416,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6659,7 +6674,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6720,7 +6735,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6735,7 +6750,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -6763,7 +6778,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -6799,7 +6814,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -6818,7 +6833,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
@@ -6892,10 +6907,10 @@ $GENERATE 1-127 $ CNAME $.0
                       { immediately following the
                       $ as
                       ${offset[,width[,base]]}.
-                      e.g. ${-20,3,d} which
+                      For example, ${-20,3,d}
                       subtracts 20 from the current value, prints the
                       result as a decimal in a zero padded field of
-                      with 3.
+                      width 3.
 
                       Available output forms are decimal
                       (d), octal
@@ -6909,7 +6924,7 @@ $GENERATE 1-127 $ CNAME $.0
                     

                     

                       For compatibility with earlier versions $$ is still
-                      recognized a indicating a literal $ in the output.
+                      recognized as indicating a literal $ in the output.
                     

                   		
 

-                    
ttl
-                      specifies the ttl of the generated records. If
+                    

+                      Specifies the time-to-live of the generated records. If
                       not specified this will be inherited using the
                       normal ttl inheritance rules.
                     

@@ -6934,8 +6949,8 @@ $GENERATE 1-127 $ CNAME $.0
                     
class

                   		
 
-                    
class
-                      specifies the class of the generated records.
+                    

+                      Specifies the class of the generated records.
                       This must match the zone class if it is
                       specified.
                     

@@ -6962,7 +6977,7 @@ $GENERATE 1-127 $ CNAME $.0
                   		
 
                     

-                      rhs is a domain name. It is processed
+                      A domain name. It is processed
                       similarly to lhs.
                     

                   
@@ -5044,7 +5051,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5066,7 +5073,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
allow-notify

 

@@ -5157,6 +5164,11 @@ zone zone_name [update-check-ksk in the section called “Boolean Options”.
                   

+
try-tcp-refresh

+

+                    See the description of
+                    try-tcp-refresh in the section called “Boolean Options”.
+                  

 
database

 

 

@@ -5549,7 +5561,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -5562,7 +5574,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6213,7 +6225,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6416,7 +6428,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6674,7 +6686,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6735,7 +6747,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6750,7 +6762,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -6778,7 +6790,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -6814,7 +6826,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -6833,7 +6845,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 1321894ef8..7a9bbc0269 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -118,7 +118,7 @@ zone "example.com" {
 
 

 

-chroot and setuid

+chroot and setuid

 

           On UNIX servers, it is possible to run BIND in a chrooted environment
           (chroot()) by specifying the "-t"
@@ -141,7 +141,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot environment
             to
@@ -169,7 +169,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 19fefb16ee..65161dc65f 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 88538201a3..512d6bcef6 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND

@@ -148,7 +148,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -235,7 +235,7 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

@@ -420,11 +420,11 @@
 

 

 

-Other Documents About BIND

+Other Documents About BIND

 

 

 

-Bibliography

+Bibliography

 
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 8bebaa5916..ba814558c6 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -155,54 +155,54 @@
 
server Statement Grammar

 
server Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
chroot and setuid

+
chroot and setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 2486c9c43e..4ee12d3970 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -137,7 +137,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 9530152baa..5e3566e9f9 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -166,7 +166,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 48fd2f5c20..0d75d096a1 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -257,7 +257,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -283,14 +283,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 764e84ead2..8e35f729f3 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index e8cb15657f..617276b037 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-v] [-j] [-t directory] {filename} [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-t directory

 

@@ -88,20 +88,20 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index ee6be9393c..6e3749f65a 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -251,21 +251,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 544c813d18..ddb4f89f09 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -198,7 +198,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -241,7 +241,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -252,7 +252,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 3dd8418942..559bc98859 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -171,7 +171,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 9580fa8234..84d0ac3d78 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 6a43989e98..b2b4aabaf8 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/misc/options b/doc/misc/options
index a17c52274e..b0dab9fb5d 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -147,6 +147,7 @@ options {
         check-sibling ;
         zero-no-soa-ttl ;
         update-check-ksk ;
+        try-tcp-refresh ;
 };
 
 controls {
@@ -250,6 +251,7 @@ view   {
                 check-sibling ;
                 zero-no-soa-ttl ;
                 update-check-ksk ;
+                try-tcp-refresh ;
         };
         dlz  {
                 database ;
@@ -375,6 +377,7 @@ view   {
         check-sibling ;
         zero-no-soa-ttl ;
         update-check-ksk ;
+        try-tcp-refresh ;
         database ;
 };
 
@@ -452,6 +455,7 @@ zone   {
         check-sibling ;
         zero-no-soa-ttl ;
         update-check-ksk ;
+        try-tcp-refresh ;
 };
 
 dlz  {

From 5d51f534831bd648436d22e4faf203fb9abdf3d4 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sun, 4 Jun 2006 23:59:33 +0000
Subject: [PATCH 255/465] 2036.   [bug]           'rndc recursing' could cause
 trigger a REQUIRE.                         [RT #16075]

---
 CHANGES                          |  3 +++
 bin/named/client.c               | 30 ++++++++++++++++++++++++++++--
 bin/named/include/named/client.h |  8 +++++++-
 bin/named/query.c                | 30 +++++++++++-------------------
 4 files changed, 49 insertions(+), 22 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2e18766996..0046e4e564 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
+			[RT #16075]
+
 2035.	[func]		Make falling back to TCP on UDP refresh failure
 			optional. Default "try-tcp-refresh yes;" for BIND 8
 			compatibility. [RT #16123]
diff --git a/bin/named/client.c b/bin/named/client.c
index 336433f6cb..af518ff51a 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.236 2006/05/29 01:27:58 marka Exp $ */
+/* $Id: client.c,v 1.237 2006/06/04 23:59:33 marka Exp $ */
 
 #include 
 
@@ -321,8 +321,17 @@ exit_check(ns_client_t *client) {
 		}
 		/*
 		 * I/O cancel is complete.  Burn down all state
-		 * related to the current request.
+		 * related to the current request.  Ensure that
+		 * the client is on the active list and not the
+		 * recursing list.
 		 */
+		LOCK(&client->manager->lock);
+		if (client->list == &client->manager->recursing) {
+			ISC_LIST_UNLINK(*client->list, client, link);
+			ISC_LIST_APPEND(client->manager->active, client, link);
+			client->list = &client->manager->active;
+		}
+		UNLOCK(&client->manager->lock);
 		ns_client_endrequest(client);
 
 		client->state = NS_CLIENTSTATE_READING;
@@ -2594,3 +2603,20 @@ ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
 	}
 	UNLOCK(&manager->lock);
 }
+
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name) {
+
+	if (client->manager != NULL)
+		LOCK(&client->manager->lock);
+	if (client->query.restarts > 0) {
+		/*
+		 * client->query.qname was dynamically allocated.
+		 */
+		dns_message_puttempname(client->message,
+					&client->query.qname);
+	}
+	client->query.qname = name;
+	if (client->manager != NULL)
+		UNLOCK(&client->manager->lock);
+}
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 44e25668a8..82881eb416 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.77 2005/08/15 01:21:04 marka Exp $ */
+/* $Id: client.h,v 1.78 2006/06/04 23:59:33 marka Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -344,6 +344,12 @@ ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
  * Dump the outstanding recursive queries to 'f'.
  */
 
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
+/*%
+ * Replace the qname.
+ */
+
 isc_boolean_t
 ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
                  isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
diff --git a/bin/named/query.c b/bin/named/query.c
index b274d4377a..ddd91508de 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.287 2006/05/26 02:44:02 marka Exp $ */
+/* $Id: query.c,v 1.288 2006/06/04 23:59:33 marka Exp $ */
 
 /*! \file */
 
@@ -179,18 +179,6 @@ query_next(ns_client_t *client, isc_result_t result) {
 	ns_client_next(client, result);
 }
 
-static inline void
-query_maybeputqname(ns_client_t *client) {
-	if (client->query.restarts > 0) {
-		/*
-		 * client->query.qname was dynamically allocated.
-		 */
-		dns_message_puttempname(client->message,
-					&client->query.qname);
-		client->query.qname = NULL;
-	}
-}
-
 static inline void
 query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
 	ns_dbversion_t *dbversion, *dbversion_next;
@@ -271,8 +259,14 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
 		}
 	}
 
-	query_maybeputqname(client);
-
+	if (client->query.restarts > 0) {
+		/*
+		 * client->query.qname was dynamically allocated.
+		 */
+		dns_message_puttempname(client->message,
+					&client->query.qname);
+	}
+	client->query.qname = NULL;
 	client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
 				    NS_QUERYATTR_CACHEOK |
 				    NS_QUERYATTR_SECURE);
@@ -4004,8 +3998,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			goto cleanup;
 		}
 		dns_rdata_freestruct(&cname);
-		query_maybeputqname(client);
-		client->query.qname = tname;
+		ns_client_qnamereplace(client, tname);
 		want_restart = ISC_TRUE;
 		if (!WANTRECURSION(client))
 			options |= DNS_GETDB_NOLOG;
@@ -4122,8 +4115,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/*
 		 * Switch to the new qname and restart.
 		 */
-		query_maybeputqname(client);
-		client->query.qname = fname;
+		ns_client_qnamereplace(client, fname);
 		fname = NULL;
 		want_restart = ISC_TRUE;
 		if (!WANTRECURSION(client))

From d48f9877255f41b6074777da0639b6bc2bfad388 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 5 Jun 2006 00:38:56 +0000
Subject: [PATCH 256/465] 2037.   [func]          When unlinking the first or
 last element in a list                         check that the list head
 points to the element to                         be unlinked. [RT #15959]

---
 CHANGES                     | 4 ++++
 lib/bind/include/isc/list.h | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0046e4e564..599f9cef2d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2037.	[func]		When unlinking the first or last element in a list
+			check that the list head points to the element to
+			be unlinked. [RT #15959]
+
 2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
 			[RT #16075]
 
diff --git a/lib/bind/include/isc/list.h b/lib/bind/include/isc/list.h
index 816709b723..c85c6676b5 100644
--- a/lib/bind/include/isc/list.h
+++ b/lib/bind/include/isc/list.h
@@ -66,12 +66,16 @@
 		INSIST(LINKED(elt, link));\
 		if ((elt)->link.next != NULL) \
 			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else \
+		else { \
+			INSIST((list).tail == (elt)); \
 			(list).tail = (elt)->link.prev; \
+		} \
 		if ((elt)->link.prev != NULL) \
 			(elt)->link.prev->link.next = (elt)->link.next; \
-		else \
+		else { \
+			INSIST((list).head == (elt)); \
 			(list).head = (elt)->link.next; \
+		} \
 		INIT_LINK_TYPE(elt, link, type); \
 	} while (0)
 #define UNLINK(list, elt, link) \

From faab0349cbf2157f920df35ca982b96228204ae1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 5 Jun 2006 00:40:01 +0000
Subject: [PATCH 257/465] 2037.   [func]          When unlinking the first or
 last element in a list                         check that the list head
 points to the element to                         be unlinked. [RT #15959]

---
 CHANGES                     |  4 ++++
 lib/bind/include/isc/list.h |  8 ++++++--
 lib/isc/include/isc/list.h  | 10 +++++++---
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6305a7113d..3e032e8eda 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2037.	[func]		When unlinking the first or last element in a list
+			check that the list head points to the element to
+			be unlinked. [RT #15959]
+
 2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
 
 
diff --git a/lib/bind/include/isc/list.h b/lib/bind/include/isc/list.h
index ad574ac2b5..4e27eb19ba 100644
--- a/lib/bind/include/isc/list.h
+++ b/lib/bind/include/isc/list.h
@@ -66,12 +66,16 @@
 		INSIST(LINKED(elt, link));\
 		if ((elt)->link.next != NULL) \
 			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else \
+		else { \
+			INSIST((list).tail == (elt)); \
 			(list).tail = (elt)->link.prev; \
+		} \
 		if ((elt)->link.prev != NULL) \
 			(elt)->link.prev->link.next = (elt)->link.next; \
-		else \
+		else { \
+			INSIST((list).head == (elt)); \
 			(list).head = (elt)->link.next; \
+		} \
 		INIT_LINK_TYPE(elt, link, type); \
 	} while (0)
 #define UNLINK(list, elt, link) \
diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h
index cd5b2cf213..862c41e028 100644
--- a/lib/isc/include/isc/list.h
+++ b/lib/isc/include/isc/list.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.18.2.3 2004/03/09 06:11:57 marka Exp $ */
+/* $Id: list.h,v 1.18.2.4 2006/06/05 00:40:01 marka Exp $ */
 
 #ifndef ISC_LIST_H
 #define ISC_LIST_H 1
@@ -90,12 +90,16 @@
 	do { \
 		if ((elt)->link.next != NULL) \
 			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else \
+		else { \
+			ISC_INSIST((list).tail == (elt)); \
 			(list).tail = (elt)->link.prev; \
+		} \
 		if ((elt)->link.prev != NULL) \
 			(elt)->link.prev->link.next = (elt)->link.next; \
-		else \
+		else { \
+			ISC_INSIST((list).head == (elt)); \
 			(list).head = (elt)->link.next; \
+		} \
 		(elt)->link.prev = (type *)(-1); \
 		(elt)->link.next = (type *)(-1); \
 	} while (0)

From ff6c8eed91f456a56827edd76f0374b83c62a9c1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 5 Jun 2006 23:30:07 +0000
Subject: [PATCH 258/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index b7c30ae9e7..62d9d2be79 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1197,7 +1197,7 @@
 ./lib/bind/include/isc/eventlib.h		X	2001,2005
 ./lib/bind/include/isc/heap.h			X	2001
 ./lib/bind/include/isc/irpmarshall.h		X	2001
-./lib/bind/include/isc/list.h			X	2001
+./lib/bind/include/isc/list.h			X	2001,2006
 ./lib/bind/include/isc/logging.h		X	2001
 ./lib/bind/include/isc/memcluster.h		X	2001
 ./lib/bind/include/isc/misc.h			X	2001
@@ -1859,7 +1859,7 @@
 ./lib/isc/include/isc/lex.h			C	1998,1999,2000,2001,2002,2004
 ./lib/isc/include/isc/lfsr.h			C	1999,2000,2001,2004
 ./lib/isc/include/isc/lib.h			C	1999,2000,2001,2004
-./lib/isc/include/isc/list.h			C	1997,1998,1999,2000,2001,2002,2004
+./lib/isc/include/isc/list.h			C	1997,1998,1999,2000,2001,2002,2004,2006
 ./lib/isc/include/isc/log.h			C	1999,2000,2001,2002,2003,2004
 ./lib/isc/include/isc/magic.h			C	1999,2000,2001,2004
 ./lib/isc/include/isc/md5.h			C	2000,2001,2004

From ab81f57ca0c3addfec3df3babdcea9644757cf23 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 5 Jun 2006 23:30:28 +0000
Subject: [PATCH 259/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 810ac50418..9486101948 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -81,7 +81,7 @@
 ./bin/named/control.c				C	2001,2002,2003,2004,2005,2006
 ./bin/named/controlconf.c			C	2001,2002,2003,2004,2005,2006
 ./bin/named/include/named/builtin.h		C	2001,2004,2005
-./bin/named/include/named/client.h		C	1999,2000,2001,2002,2003,2004,2005
+./bin/named/include/named/client.h		C	1999,2000,2001,2002,2003,2004,2005,2006
 ./bin/named/include/named/config.h		C	2001,2002,2004,2005,2006
 ./bin/named/include/named/control.h		C	2001,2002,2003,2004,2005,2006
 ./bin/named/include/named/globals.h		C	1999,2000,2001,2002,2003,2004,2005,2006
@@ -1319,7 +1319,7 @@
 ./lib/bind/include/isc/eventlib.h		X	2001,2005
 ./lib/bind/include/isc/heap.h			X	2001,2005
 ./lib/bind/include/isc/irpmarshall.h		X	2001,2005
-./lib/bind/include/isc/list.h			X	2001,2005
+./lib/bind/include/isc/list.h			X	2001,2005,2006
 ./lib/bind/include/isc/logging.h		X	2001,2005
 ./lib/bind/include/isc/memcluster.h		X	2001,2005
 ./lib/bind/include/isc/misc.h			X	2001,2005

From 72811a6cd23262f1045ac444591fc5fdb1fbe247 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 00:11:39 +0000
Subject: [PATCH 260/465] update copyright notice

---
 lib/isc/include/isc/list.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h
index 862c41e028..8f72487d3b 100644
--- a/lib/isc/include/isc/list.h
+++ b/lib/isc/include/isc/list.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.18.2.4 2006/06/05 00:40:01 marka Exp $ */
+/* $Id: list.h,v 1.18.2.5 2006/06/06 00:11:39 marka Exp $ */
 
 #ifndef ISC_LIST_H
 #define ISC_LIST_H 1

From 472460e05f8ac12f8b28cbbe5a6dd3ade5628f0e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 00:11:42 +0000
Subject: [PATCH 261/465] update copyright notice

---
 bin/named/include/named/client.h | 4 ++--
 lib/isc/include/isc/list.h       | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 82881eb416..9cf6c58007 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.78 2006/06/04 23:59:33 marka Exp $ */
+/* $Id: client.h,v 1.79 2006/06/06 00:11:42 marka Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h
index 8220522d38..230f2bd67e 100644
--- a/lib/isc/include/isc/list.h
+++ b/lib/isc/include/isc/list.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.21 2006/05/30 04:18:36 marka Exp $ */
+/* $Id: list.h,v 1.22 2006/06/06 00:11:42 marka Exp $ */
 
 #ifndef ISC_LIST_H
 #define ISC_LIST_H 1

From bce4c2742010a6988ef604d5d8258a4b0d9c8c19 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 00:17:12 +0000
Subject: [PATCH 262/465] OpenBSD

---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index 737a391b5d..66013eb7c9 100644
--- a/README
+++ b/README
@@ -362,7 +362,7 @@ Building
 	        Red Hat Linux 7.1
 		Debian GNU/Linux 2.2 and 3.0
 		Mandrake 8.1
-		OpenBSD 2.6, 2.8, 2.9
+		OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
 		UnixWare 7.1.1
 		HP-UX 10.20
 		BSD/OS 4.2

From 1b8d2b62ea401ff316ce9c144825dc4c00ff5485 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 00:21:06 +0000
Subject: [PATCH 263/465] OpenBSD

---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index 2c9f5e133e..2549662be5 100644
--- a/README
+++ b/README
@@ -212,7 +212,7 @@ Building
 		Slackware Linux 7.x, 8.0
 	        Red Hat Linux 7.1
 		Debian GNU/Linux 2.2 and 3.0
-		OpenBSD 2.6, 2.8, 2.9
+		OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
 		UnixWare 7.1.1
 		HP-UX 10.20
 		BSD/OS 4.2

From 9a482d1fcead22ab0d639c463c77672846485f3e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 00:53:36 +0000
Subject: [PATCH 264/465] 2039.   [func]          Check that all buffers passed
 to the socket code                         have been retrieve when the socket
 event is freed.                         [RT #16122]

2038.   [bug]           dig/nslookup/host was unlinking from wrong list
                        when handling errors. [RT #16122]
---
 CHANGES                      |  7 +++++++
 bin/dig/dighost.c            | 23 +++++++++++++++++------
 lib/isc/include/isc/socket.h |  3 ++-
 lib/isc/unix/socket.c        | 13 ++++++++++++-
 lib/isc/win32/socket.c       | 13 ++++++++++++-
 5 files changed, 50 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 599f9cef2d..f2c676f1f6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+2039.	[func]		Check that all buffers passed to the socket code
+			have been retrieve when the socket event is freed.
+			[RT #16122]
+
+2038.	[bug]		dig/nslookup/host was unlinking from wrong list
+			when handling errors. [RT #16122]
+
 2037.	[func]		When unlinking the first or last element in a list
 			check that the list head points to the element to
 			be unlinked. [RT #15959]
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 711428f18f..fa51b66554 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.292 2006/02/17 00:10:42 marka Exp $ */
+/* $Id: dighost.c,v 1.293 2006/06/06 00:53:36 marka Exp $ */
 
 /*! \file
  *  \note
@@ -2026,12 +2026,20 @@ setup_lookup(dig_lookup_t *lookup) {
  */
 static void
 send_done(isc_task_t *_task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isc_buffer_t *b = NULL;
+
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
 
 	UNUSED(_task);
 
 	LOCK_LOOKUP;
 
+	for  (b = ISC_LIST_HEAD(sevent->bufferlist);
+	      b != NULL;
+	      b = ISC_LIST_HEAD(sevent->bufferlist)) 
+		ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
+
 	isc_event_free(&event);
 
 	debug("send_done()");
@@ -2332,6 +2340,10 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	recvcount--;
 	INSIST(recvcount >= 0);
 
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	INSIST(b ==  &query->lengthbuf);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
+
 	if (sevent->result == ISC_R_CANCELED) {
 		isc_event_free(&event);
 		l = query->lookup;
@@ -2357,8 +2369,6 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 		UNLOCK_LOOKUP;
 		return;
 	}
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->lengthbuf, link);
 	length = isc_buffer_getuint16(b);
 	if (length == 0) {
 		isc_event_free(&event);
@@ -2720,6 +2730,10 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
 	sevent = (isc_socketevent_t *)event;
 
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	INSIST(b == &query->recvbuf);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
+
 	if ((l->tcp_mode) && (l->timer != NULL))
 		isc_timer_touch(l->timer);
 	if ((!l->pending && !l->ns_search_only) || cancel_now) {
@@ -2753,9 +2767,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
-
 	if (!l->tcp_mode &&
 	    !isc_sockaddr_compare(&sevent->address, &query->sockaddr,
 				  ISC_SOCKADDR_CMPADDR|
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index 68fa1034f8..0f2f03b430 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.63 2005/12/06 16:54:49 explorer Exp $ */
+/* $Id: socket.h,v 1.64 2006/06/06 00:53:36 marka Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
@@ -93,6 +93,7 @@ struct isc_socketevent {
 	isc_time_t		timestamp;	/*%< timestamp of packet recv */
 	struct in6_pktinfo	pktinfo;	/*%< ipv6 pktinfo */
 	isc_uint32_t		attributes;	/*%< see below */
+	isc_eventdestructor_t   destroy;	/*%< original destructor */
 };
 
 typedef struct isc_socket_newconnev isc_socket_newconnev_t;
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index e53d692fff..b079922b4c 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.264 2006/05/19 02:47:18 marka Exp $ */
+/* $Id: socket.c,v 1.265 2006/06/06 00:53:36 marka Exp $ */
 
 /*! \file */
 
@@ -891,6 +891,15 @@ set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
 	}
 }
 
+static void
+destroy_socketevent(isc_event_t *event) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)event;
+
+	INSIST(ISC_LIST_EMPTY(ev->bufferlist));
+
+	(ev->destroy)(event);
+}
+
 static isc_socketevent_t *
 allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
 		     isc_taskaction_t action, const void *arg)
@@ -912,6 +921,8 @@ allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
 	ev->n = 0;
 	ev->offset = 0;
 	ev->attributes = 0;
+	ev->destroy = ev->ev_destroy;
+	ev->ev_destroy = destroy_socketevent;
 
 	return (ev);
 }
diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
index 124d2742bb..f7f27d2c5e 100644
--- a/lib/isc/win32/socket.c
+++ b/lib/isc/win32/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.43 2006/01/07 00:23:35 marka Exp $ */
+/* $Id: socket.c,v 1.44 2006/06/06 00:53:36 marka Exp $ */
 
 /* This code has been rewritten to take advantage of Windows Sockets
  * I/O Completion Ports and Events. I/O Completion Ports is ONLY
@@ -1304,6 +1304,15 @@ set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
 	}
 }
 
+static void
+destroy_socketevent(isc_event_t *event) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)event;
+
+	INSIST(ISC_LIST_EMPTY(ev->bufferlist));
+
+	(ev->destroy)(event);
+}
+
 static isc_socketevent_t *
 allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
 		     isc_taskaction_t action, const void *arg)
@@ -1324,6 +1333,8 @@ allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
 	ev->n = 0;
 	ev->offset = 0;
 	ev->attributes = 0;
+	ev->destroy = ev->ev_destroy;
+	ev->ev_destroy = destroy_socketevent;
 
 	return (ev);
 }

From a3a5bf4df75efef191f6f2d401f703203833dcaf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 01:01:05 +0000
Subject: [PATCH 265/465] 2038.   [bug]           dig/nslookup/host was
 unlinking from wrong list                         when handling errors. [RT
 #16122]

---
 CHANGES           |  3 +++
 bin/dig/dighost.c | 23 +++++++++++++++++------
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 3e032e8eda..41bef0a5ee 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2038.	[bug]		dig/nslookup/host was unlinking from wrong list
+			when handling errors. [RT #16122]
+
 2037.	[func]		When unlinking the first or last element in a list
 			check that the list head points to the element to
 			be unlinked. [RT #15959]
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 97c4fb3140..6277b91be4 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.221.2.29 2005/10/14 01:37:48 marka Exp $ */
+/* $Id: dighost.c,v 1.221.2.30 2006/06/06 01:01:05 marka Exp $ */
 
 /*
  * Notice to programmers:  Do not use this code as an example of how to
@@ -1517,12 +1517,20 @@ setup_lookup(dig_lookup_t *lookup) {
  */
 static void
 send_done(isc_task_t *_task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isc_buffer_t *b = NULL;
+
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
 
 	UNUSED(_task);
 
 	LOCK_LOOKUP;
 
+	for  (b = ISC_LIST_HEAD(sevent->bufferlist);
+	      b != NULL;
+	      b = ISC_LIST_HEAD(sevent->bufferlist)) 
+		ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
+
 	isc_event_free(&event);
 
 	debug("send_done()");
@@ -1832,6 +1840,10 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	recvcount--;
 	INSIST(recvcount >= 0);
 
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	INSIST(b ==  &query->lengthbuf);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
+
 	if (sevent->result == ISC_R_CANCELED) {
 		isc_event_free(&event);
 		l = query->lookup;
@@ -1857,8 +1869,6 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 		UNLOCK_LOOKUP;
 		return;
 	}
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->lengthbuf, link);
 	length = isc_buffer_getuint16(b);
 	if (length == 0) {
 		isc_event_free(&event);
@@ -2210,6 +2220,10 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
 	sevent = (isc_socketevent_t *)event;
 
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	INSIST(b == &query->recvbuf);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
+
 	if ((l->tcp_mode) && (l->timer != NULL))
 		isc_timer_touch(l->timer);
 	if ((!l->pending && !l->ns_search_only) || cancel_now) {
@@ -2243,9 +2257,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
-
 	if (!l->tcp_mode &&
 	    !isc_sockaddr_equal(&sevent->address, &query->sockaddr)) {
 		char buf1[ISC_SOCKADDR_FORMATSIZE];

From 4f5a43c5f084290054ddf212add7b4c2abe6edc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 6 Jun 2006 11:42:08 +0000
Subject: [PATCH 266/465] 2040.	[placeholder]	rt16022

---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGES b/CHANGES
index f2c676f1f6..dcb1dc0d61 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2040.	[placeholder]	rt16022
+
 2039.	[func]		Check that all buffers passed to the socket code
 			have been retrieve when the socket event is freed.
 			[RT #16122]

From 9e29ceaf4ce5adb7059f13121bc39d86eaae8448 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 23:16:50 +0000
Subject: [PATCH 267/465] auto update

---
 doc/private/branches | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index 287fb70e40..99e9ea08f5 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -40,7 +40,10 @@ rt15698				open
 rt15765				open	
 rt15860				open	
 rt15959				review	
+rt15978				new	
+rt16022				new	
 rt16075				review	
+rt16117				new	
 rt16122				review	
 rt16123				review	
 rt16124				review	

From 46390a96dd5f15c9a0b3663bdb7791bdecec3052 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 23:21:56 +0000
Subject: [PATCH 268/465] spelling

---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index dcb1dc0d61..d99102bbbb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,7 @@
 2040.	[placeholder]	rt16022
 
 2039.	[func]		Check that all buffers passed to the socket code
-			have been retrieve when the socket event is freed.
+			have been retrieved when the socket event is freed.
 			[RT #16122]
 
 2038.	[bug]		dig/nslookup/host was unlinking from wrong list

From 4654a57213f772ccb70b0aa6bc11e486e2c5b7ad Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 23:30:04 +0000
Subject: [PATCH 269/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 62d9d2be79..c46c715264 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -34,7 +34,7 @@
 ./bin/dig/dig.c					C	2000,2001,2002,2003,2004,2005
 ./bin/dig/dig.docbook				SGML	2000,2001,2003,2004,2005
 ./bin/dig/dig.html				HTML	DOCBOOK
-./bin/dig/dighost.c				C	2000,2001,2002,2003,2004,2005
+./bin/dig/dighost.c				C	2000,2001,2002,2003,2004,2005,2006
 ./bin/dig/host.1				MAN	DOCBOOK
 ./bin/dig/host.c				C	2000,2001,2002,2003,2004,2005
 ./bin/dig/host.docbook				SGML	2000,2001,2002,2003,2004,2005

From f6c7de9c4953033d0279eda0a664f164aab5f2a6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Jun 2006 23:30:25 +0000
Subject: [PATCH 270/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 9486101948..4cb6797ebb 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2066,7 +2066,7 @@
 ./lib/isc/include/isc/sha1.h			C	2000,2001,2004,2005,2006
 ./lib/isc/include/isc/sha2.h			C	2005,2006
 ./lib/isc/include/isc/sockaddr.h		C	1998,1999,2000,2001,2002,2003,2004,2005,2006
-./lib/isc/include/isc/socket.h			C	1998,1999,2000,2001,2002,2004,2005
+./lib/isc/include/isc/socket.h			C	1998,1999,2000,2001,2002,2004,2005,2006
 ./lib/isc/include/isc/stdio.h			C	2000,2001,2004,2005
 ./lib/isc/include/isc/stdlib.h			C	2003,2004,2005
 ./lib/isc/include/isc/string.h			C	2000,2001,2003,2004,2005

From 5dbd1e50ee938e9e8cbab294b6584dec17d7632d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 7 Jun 2006 00:29:43 +0000
Subject: [PATCH 271/465] update copyright notice

---
 bin/dig/dighost.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 6277b91be4..8e11e538b1 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.221.2.30 2006/06/06 01:01:05 marka Exp $ */
+/* $Id: dighost.c,v 1.221.2.31 2006/06/07 00:29:43 marka Exp $ */
 
 /*
  * Notice to programmers:  Do not use this code as an example of how to

From 03f65be27b368dc846e99f604c4368fd0c20b83e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 7 Jun 2006 00:29:46 +0000
Subject: [PATCH 272/465] update copyright notice

---
 lib/isc/include/isc/socket.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index 0f2f03b430..cbb9bb9656 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.64 2006/06/06 00:53:36 marka Exp $ */
+/* $Id: socket.h,v 1.65 2006/06/07 00:29:46 marka Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1

From eca38a9d43391482bfa22e2eb7b86e19be8bf461 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 7 Jun 2006 02:21:50 +0000
Subject: [PATCH 273/465] 2041.   [bug]           "configure
 --with-dlz-bdb=yes" produced a bad                         set of libraries
 to be linked. [RT #16129]

---
 CHANGES                   | 3 +++
 contrib/dlz/config.dlz.in | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index d99102bbbb..29f23a1afe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
+			set of libraries to be linked. [RT #16129]
+
 2040.	[placeholder]	rt16022
 
 2039.	[func]		Check that all buffers passed to the socket code
diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
index af463eb21c..0e4b2e580b 100644
--- a/contrib/dlz/config.dlz.in
+++ b/contrib/dlz/config.dlz.in
@@ -237,6 +237,8 @@ case "$use_dlz_bdb" in
 					if test "$dd" != "/usr"
 					then
 						dlz_bdb_libs="-L${dd}/lib "
+					else
+						dlz_bdb_libs=""
 					fi
 					dlz_bdb_libs="${dlz_bdb_libs}-l${d}"
 					break

From c55dd77de4ce71b858afb291e44577b51be8b780 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 7 Jun 2006 02:28:28 +0000
Subject: [PATCH 274/465] 2042.   [bug]           named-checkconf was
 incorrectly rejecting the                         logging category "config".
 [RT #16117]

---
 CHANGES                | 3 +++
 bin/check/Makefile.in  | 5 +++--
 bin/check/check-tool.c | 5 ++++-
 bin/named/log.c        | 5 ++++-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 29f23a1afe..f72baa66fa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2042.	[bug]		named-checkconf was incorrectly rejecting the
+			logging category "config". [RT #16117]
+
 2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
 			set of libraries to be linked. [RT #16129]
 
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 84c76e1b58..b0feea0a14 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.28 2005/09/12 02:16:29 marka Exp $
+# $Id: Makefile.in,v 1.29 2006/06/07 02:28:28 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -75,7 +75,8 @@ named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
 
 named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	named-checkzone.@O@ check-tool.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+	named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \
+	${ISCLIBS} ${LIBS}
 
 doc man:: ${MANOBJS}
 
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index 560aff12c0..998a1516a0 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.c,v 1.24 2006/01/07 00:23:35 marka Exp $ */
+/* $Id: check-tool.c,v 1.25 2006/06/07 02:28:28 marka Exp $ */
 
 /*! \file */
 
@@ -44,6 +44,8 @@
 #include 
 #include 
 
+#include 
+
 #ifdef HAVE_ADDRINFO
 #ifdef HAVE_GETADDRINFO
 #ifdef HAVE_GAISTRERROR
@@ -402,6 +404,7 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
 	isc_log_setcontext(log);
 	dns_log_init(log);
 	dns_log_setcontext(log);
+	cfg_log_init(log);
 
 	destination.file.stream = stdout;
 	destination.file.name = NULL;
diff --git a/bin/named/log.c b/bin/named/log.c
index fb5ad506f2..0ff5bdc0e0 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.41 2005/05/20 01:19:42 marka Exp $ */
+/* $Id: log.c,v 1.42 2006/06/07 02:28:28 marka Exp $ */
 
 /*! \file */
 
@@ -81,6 +81,9 @@ ns_log_init(isc_boolean_t safe) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	/*
+	 * named-checktool.c:setup_logging() needs to be kept in sync.
+	 */
 	isc_log_registercategories(ns_g_lctx, ns_g_categories);
 	isc_log_registermodules(ns_g_lctx, ns_g_modules);
 	isc_log_setcontext(ns_g_lctx);

From a08432f88689b2b918423718990eb97d5b58ce4f Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 7 Jun 2006 03:28:57 +0000
Subject: [PATCH 275/465] update

---
 doc/private/branches | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/doc/private/branches b/doc/private/branches
index 99e9ea08f5..d595fbdfa2 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -39,14 +39,14 @@ rt15473b			review	marka
 rt15698				open	
 rt15765				open	
 rt15860				open	
-rt15959				review	
-rt15978				new	
-rt16022				new	
-rt16075				review	
-rt16117				new	
-rt16122				review	
-rt16123				review	
-rt16124				review	
+rt15959				closed	
+rt15978				review	
+rt16022				review	
+rt16075				closed	
+rt16117				closed	
+rt16122				closed	
+rt16123				closed	
+rt16124				closed	
 rt1727				open		// ixfr-from-differences workfile
 skan				new	
 skan-metazones1			private	

From d79296d147cd4c35784dd3efd7ed7f09d976ee61 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 7 Jun 2006 03:38:04 +0000
Subject: [PATCH 276/465] 2040.   [bug]           rbtdb no_references() could
 trigger an INSIST                         failure with --enable-atomic.  [RT
 #16022]

---
 CHANGES         |  3 ++-
 lib/dns/rbtdb.c | 18 ++++++++----------
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index f72baa66fa..6f8363b520 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,8 @@
 2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
 			set of libraries to be linked. [RT #16129]
 
-2040.	[placeholder]	rt16022
+2040.	[bug]		rbtdb no_references() could trigger an INSIST
+			failure with --enable-atomic.  [RT #16022]
 
 2039.	[func]		Check that all buffers passed to the socket code
 			have been retrieved when the socket event is freed.
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 13fbffa3bf..0d487bd52a 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.233 2006/05/16 04:06:55 marka Exp $ */
+/* $Id: rbtdb.c,v 1.234 2006/06/07 03:38:04 marka Exp $ */
 
 /*! \file */
 
@@ -1143,7 +1143,7 @@ no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	 * We cannot request the node reference be 0 at the moment, since
 	 * the reference counter can atomically be modified without a lock.
 	 * It should still be safe unless we actually try to delete the node,
-	 * at which point the operation is properly protected by locking.
+	 * at which point the condition is explicitly checked.
 	 */
 
 	locknum = node->locknum;
@@ -1161,7 +1161,7 @@ no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	NODE_WEAKUNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_read);
 
 	NODE_WEAKLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
-	if (node->dirty) {
+	if (node->dirty && dns_rbtnode_refcurrent(node) == 0) {
 		if (IS_CACHE(rbtdb))
 			clean_cache_node(rbtdb, node);
 		else {
@@ -1212,15 +1212,13 @@ no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	} else
 		write_locked = ISC_TRUE;
 
-	if (write_locked) {
+	if (write_locked && dns_rbtnode_refcurrent(node) == 0) {
 		/*
-		 * We are now ready for deleting the node.  The node and tree
-		 * locks must ensure there be no other users.  (Note that
-		 * dns_rbt_findnode() could find the node to be deleted while
-		 * we are in this function.  However, the tree lock would
-		 * prevent us from entering this section in that case.)
+		 * We can now delete the node if the reference counter must be
+		 * zero.  This should be typically the case, but a different
+		 * thread may still gain a (new) reference just before the
+		 * current thread locks the tree (e.g., in findnode()).
 		 */
-		INSIST(dns_rbtnode_refcurrent(node) == 0);
 
 		if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
 			char printname[DNS_NAME_FORMATSIZE];

From 67366b2ce542db8343e50aebedb2b58047dfe130 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 7 Jun 2006 23:17:03 +0000
Subject: [PATCH 277/465] auto update

---
 doc/private/branches | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/private/branches b/doc/private/branches
index d595fbdfa2..648205eacb 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -39,14 +39,8 @@ rt15473b			review	marka
 rt15698				open	
 rt15765				open	
 rt15860				open	
-rt15959				closed	
 rt15978				review	
 rt16022				review	
-rt16075				closed	
-rt16117				closed	
-rt16122				closed	
-rt16123				closed	
-rt16124				closed	
 rt1727				open		// ixfr-from-differences workfile
 skan				new	
 skan-metazones1			private	
@@ -409,6 +403,7 @@ rt15855				closed
 rt15878				closed
 rt15941				closed
 rt15958				closed
+rt15959				closed
 rt15960				closed
 rt15970				closed
 rt15976				closed
@@ -421,6 +416,11 @@ rt16034				closed
 rt16037				closed
 rt16073				closed
 rt16074				closed
+rt16075				closed
+rt16117				closed
+rt16122				closed
+rt16123				closed
+rt16124				closed
 rt1727b				closed
 rt1727c				closed
 rt2471				closed

From d56e188030368b835122d759ebbf8d9613c166f4 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 7 Jun 2006 23:30:23 +0000
Subject: [PATCH 278/465] newcopyrights

---
 util/copyrights | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 4cb6797ebb..0780ddd57f 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -11,7 +11,7 @@
 ./bin/.cvsignore				X	1999,2000,2001
 ./bin/Makefile.in				MAKE	1998,1999,2000,2001,2004
 ./bin/check/.cvsignore				X	2000,2001
-./bin/check/Makefile.in				MAKE	2000,2001,2002,2003,2004,2005
+./bin/check/Makefile.in				MAKE	2000,2001,2002,2003,2004,2005,2006
 ./bin/check/check-tool.c			C	2000,2001,2002,2004,2005,2006
 ./bin/check/check-tool.h			C	2000,2001,2002,2004,2005
 ./bin/check/named-checkconf.8			MAN	DOCBOOK
@@ -107,7 +107,7 @@
 ./bin/named/include/named/zoneconf.h		C	1999,2000,2001,2002,2004,2005,2006
 ./bin/named/interfacemgr.c			C	1999,2000,2001,2002,2004,2005
 ./bin/named/listenlist.c			C	2000,2001,2004,2005
-./bin/named/log.c				C	1999,2000,2001,2002,2004,2005
+./bin/named/log.c				C	1999,2000,2001,2002,2004,2005,2006
 ./bin/named/logconf.c				C	1999,2000,2001,2004,2005,2006
 ./bin/named/lwaddr.c				C	2000,2001,2004,2005
 ./bin/named/lwdclient.c				C	2000,2001,2004,2005
@@ -882,7 +882,7 @@
 ./contrib/dlz/bin/dlzbdb/.cvsignore		X	2005
 ./contrib/dlz/bin/dlzbdb/Makefile.in		X	2005
 ./contrib/dlz/bin/dlzbdb/dlzbdb.c		X	2005
-./contrib/dlz/config.dlz.in			X	2005
+./contrib/dlz/config.dlz.in			X	2005,2006
 ./contrib/dlz/drivers/.cvsignore		X	2005
 ./contrib/dlz/drivers/dlz_bdb_driver.c		X	2005
 ./contrib/dlz/drivers/dlz_bdbhpt_driver.c	X	2005

From 49810c555fb1ac4491322d23656cff970fbaa6e7 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 8 Jun 2006 01:41:21 +0000
Subject: [PATCH 279/465] spelling / grammer

---
 doc/arm/Bv9ARM-book.xml | 236 ++++++++++++++++++++--------------------
 1 file changed, 118 insertions(+), 118 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 91ef76ec15..edf896a37d 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -491,7 +491,7 @@
 
         
           The length of time for which a record may be retained in
-          in the cache of a caching name server is controlled by the
+          the cache of a caching name server is controlled by the
           Time To Live (TTL) field associated with each resource record.
         
 
@@ -1155,7 +1155,7 @@ zone "eng.example.com" {
                     
                       
                         Suspend updates to a dynamic zone.  If no zone is
-                        specified
+                        specified,
                         then all zones are suspended.  This allows manual
                         edits to be made to a zone normally updated by dynamic
                         update.  It
@@ -1177,7 +1177,7 @@ zone "eng.example.com" {
                       
                         Enable updates to a frozen dynamic zone.  If no zone
                         is
-                        specified then all frozen zones are enabled.  This
+                        specified, then all frozen zones are enabled.  This
                         causes
                         the server to reload the zone from disk, and
                         re-enables dynamic updates
@@ -1246,10 +1246,10 @@ zone "eng.example.com" {
                         view ...
                     
                       
-                        Dump the server's caches (default) and / or zones to
+                        Dump the server's caches (default) and/or zones to
                         the
                         dump file for the specified views.  If no view is
-                        specified all
+                        specified, all
                         views are dumped.
                       
                     
@@ -1335,9 +1335,9 @@ zone "eng.example.com" {
                     
                       
                         Display status of the server.
-                        Note the number of zones includes the internal bind/CH zone
+                        Note that the number of zones includes the internal bind/CH zone
                         and the default ./IN
-                        hint zone if there is not a
+                        hint zone if there is not an
                         explicit root zone configured.
                       
                     
@@ -1420,7 +1420,7 @@ zone "eng.example.com" {
                 
 
                 
-                  The key statement defines an
+                  The key statement defines a
                   key to be used
                   by rndc when authenticating
                   with
@@ -1672,7 +1672,7 @@ controls {
         
           The zone files of dynamic zones cannot normally be edited by
           hand because they are not guaranteed to contain the most recent
-          dynamic changes - those are only in the journal file.
+          dynamic changes — those are only in the journal file.
           The only way to ensure that the zone file of a dynamic zone
           is up to date is to run rndc stop.
         
@@ -1855,7 +1855,7 @@ controls {
           Look up any hostnames on the Internet.
         
         
-          Exchange mail with internal AND external people.
+          Exchange mail with both internal and external people.
         
       
       
@@ -2028,11 +2028,11 @@ nameserver 172.16.72.4
         
           Automatic Generation
           
-            The following command will generate a 128 bit (16 byte) HMAC-MD5
+            The following command will generate a 128-bit (16 byte) HMAC-MD5
             key as described above. Longer keys are better, but shorter keys
             are easier to read. Note that the maximum key length is 512 bits;
-            keys longer than that will be digested with MD5 to produce a 128
-            bit key.
+            keys longer than that will be digested with MD5 to produce a
+            128-bit key.
           
           
             dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.
@@ -2320,7 +2320,7 @@ allow-update { key host1-host2. ;};
         
 
         
-          The following command will generate a 768 bit RSASHA1 key for
+          The following command will generate a 768-bit RSASHA1 key for
           the child.example zone:
         
 
@@ -2373,7 +2373,7 @@ allow-update { key host1-host2. ;};
           records for the zone, as well as DS
           for
           the child zones if '-d' is specified.
-                If '-d' is not specified then
+                If '-d' is not specified, then
           DS RRsets for
           the secure child zones need to be added manually.
         
@@ -2413,7 +2413,7 @@ allow-update { key host1-host2. ;};
 
 	
 	  To enable named to respond appropriately
-	  to DNS requests from DNSSEC aware clients
+	  to DNS requests from DNSSEC aware clients,
 	  dnssec-enable must be set to yes.
         
 
@@ -2469,7 +2469,7 @@ trusted-keys {
 	     iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
 	     Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
 
-/* Key for out organizations forward zone */
+/* Key for our organization's forward zone */
 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
                       3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
 	              OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
@@ -2738,7 +2738,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
               
                 
                   A named list of one or more ip_addr
-		  with optional key_id and / or
+		  with optional key_id and/or
 		  ip_port.
 		  A masters_list may include other
 		  masters_lists.
@@ -2843,7 +2843,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
                   through 65535, with values
                   below 1024 typically restricted to use by processes running
                   as root.
-                  In some cases an asterisk (`*') character can be used as a
+                  In some cases, an asterisk (`*') character can be used as a
                   placeholder to
                   select a random high-numbered port.
                 
@@ -2905,7 +2905,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
               
               
                 
-                  A non-negative 32 bit integer
+                  A non-negative 32-bit integer
                   (i.e., a number between 0 and 4294967295, inclusive).
                   Its acceptable value might further
                   be limited by the context in which it is used.
@@ -3564,9 +3564,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
           named is running as) can access it.
           If you
           desire greater flexibility in allowing other users to access
-          rndc commands then you need to create
-          an
-          rndc.conf and make it group
+          rndc commands, then you need to create
+          a
+          rndc.conf file and make it group
           readable by a group
           that contains the users who should have access.
         
@@ -3759,9 +3759,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
             option, then
             named will retain that many backup
             versions of the file by
-            renaming them when opening.  For example, if you choose to keep 3
-            old versions
-            of the file lamers.log then just
+            renaming them when opening.  For example, if you choose to keep
+            three old versions
+            of the file lamers.log, then just
             before it is opened
             lamers.log.1 is renamed to
             lamers.log.2, lamers.log.0 is renamed
@@ -4195,7 +4195,7 @@ category notify { null; };
                     
                     
                       The query log entry reports the client's IP address and
-                      port number.  The
+                      port number, and the
                       query name, class and type.  It also reports whether the
                       Recursion Desired
                       flag was set (+ if set, - if not set), EDNS was in use
@@ -4710,7 +4710,7 @@ digits" + "tkey-domain". In most cases,
             preferred-glue
             
               
-                If specified the listed type (A or AAAA) will be emitted
+                If specified, the listed type (A or AAAA) will be emitted
                 before other glue
                 in the additional section of a query response.
                 The default is not to preference any type (NONE).
@@ -4727,7 +4727,7 @@ digits" + "tkey-domain". In most cases,
                 exclude list.
               
               
-                Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US"
+                Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
                 and "MUSEUM").
               
 
@@ -4757,7 +4757,7 @@ options {
             dnssec-lookaside
             
               
-                When set dnssec-lookaside
+                When set, dnssec-lookaside
                 provides the
                 validator with an alternate method to validate DNSKEY records
                 at the
@@ -4780,12 +4780,12 @@ options {
             dnssec-must-be-secure
             
               
-                Specify hierarchies which must / may not be secure (signed and
+                Specify hierarchies which must be or may not be secure (signed and
                 validated).
-                If yes then named will only accept
+                If yes, then named will only accept
                 answers if they
                 are secure.
-                If no then normal dnssec validation
+                If no, then normal dnssec validation
                 applies
                 allowing for insecure answers to be accepted.
                 The specified domain must be under a trusted-key or
@@ -4837,7 +4837,7 @@ options {
                   If yes, then the
                   server treats all zones as if they are doing zone transfers
                   across
-                  a dial on demand dialup link, which can be brought up by
+                  a dial-on-demand dialup link, which can be brought up by
                   traffic
                   originating from this server. This has different effects
                   according
@@ -4856,7 +4856,7 @@ options {
                   option.
                 
                 
-                  If the zone is a master zone then the server will send out a
+                  If the zone is a master zone, then the server will send out a
                   NOTIFY
                   request to all the slaves (default). This should trigger the
                   zone serial
@@ -5434,7 +5434,7 @@ options {
               ixfr-from-differences
               
                 
-                  When 'yes' and the server loads a new version of a master
+                  When yes and the server loads a new version of a master
                   zone from its zone file or receives a new version of a slave
                   file by a non-incremental zone transfer, it will compare
                   the new version to the previous one and calculate a set
@@ -5471,7 +5471,7 @@ options {
                 
                   This should be set when you have multiple masters for a zone
                   and the
-                  addresses refer to different machines.  If 'yes' named will
+                  addresses refer to different machines.  If yes, named will
                   not log
                   when the serial number on the master is less than what named
                   currently
@@ -5484,7 +5484,7 @@ options {
               dnssec-enable
               
                 
-                  Enable DNSSEC support in named.  Unless set to yes
+                  Enable DNSSEC support in named.  Unless set to yes,
                   named behaves as if it does not support DNSSEC.
                   The default is yes.
                 
@@ -5507,7 +5507,7 @@ options {
               dnssec-accept-expired
               
                 
-		  When verifying DNSSEC signatures accept expired signatures.
+		  Accept expired signatures when verifying DNSSEC signatures.
                   The default is no.
                 
               
@@ -5518,8 +5518,8 @@ options {
               
                 
                   Specify whether query logging should be started when named
-                  start.
-                  If querylog is not specified
+                  starts.
+                  If querylog is not specified,
                   then the query logging
                   is determined by the presence of the logging category queries.
                 
@@ -5539,11 +5539,11 @@ options {
                   master zones the default is fail.
                   For slave zones the default
                   is warn.
-                  For answer received from the network (response)
+                  For answers received from the network (response)
                   the default is ignore.
                 
                 
-                  The rules for legal hostnames or mail domains are derived
+                  The rules for legal hostnames and mail domains are derived
                   from RFC 952 and RFC 821 as modified by RFC 1123.
                 
                 check-names
@@ -5628,7 +5628,7 @@ options {
 	      check-sibling
 	      
 		
-		  When performing integrity checks also check that
+		  When performing integrity checks, also check that
 		  sibling glue exists.  The default is yes.
 		
 	      
@@ -5707,8 +5707,8 @@ options {
                   This option is only meaningful if the
                   forwarders list is not empty. A value of first,
                   the default, causes the server to query the forwarders
-                  first, and
-                  if that doesn't answer the question the server will then
+                  first — and
+                  if that doesn't answer the question, the server will then
                   look for
                   the answer itself. If only is
                   specified, the
@@ -5756,11 +5756,11 @@ options {
               
                 
                   Specifies host names or addresses of machines with access to
-                  both IPv4 and IPv6 transports. If a hostname is used the
+                  both IPv4 and IPv6 transports. If a hostname is used, the
                   server must be able
                   to resolve the name using only the transport it has.  If the
                   machine is dual
-                  stacked then the dual-stack-servers have no effect unless
+                  stacked, then the dual-stack-servers have no effect unless
                   access to a transport has been disabled on the command line
                   (e.g. named -4).
                 
@@ -6044,14 +6044,14 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
             query other name servers. query-source specifies
             the address and port used for such queries. For queries sent over
             IPv6, there is a separate query-source-v6 option.
-            If address is * or is omitted,
+            If address is * (asterisk) or is omitted,
             a wildcard IP address (INADDR_ANY)
             will be used.
             If port is * or is omitted,
-            a random unprivileged port will be used, avoid-v4-udp-ports
-            and avoid-v6-udp-ports can be used
+            a random unprivileged port will be used. The avoid-v4-udp-ports
+            and avoid-v6-udp-ports options can be used
             to prevent named
-            from selecting certain ports. The defaults are
+            from selecting certain ports. The defaults are:
           
 
 query-source address * port *;
@@ -6328,7 +6328,7 @@ query-source-v6 address * port *;
                 
 		
 		  If you do not wish the alternate transfer source
-		  to be used you should set
+		  to be used, you should set
 		  use-alt-transfer-source
 		  appropriately and you should not depend upon
 		  getting a answer back to the first refresh
@@ -6542,7 +6542,7 @@ query-source-v6 address * port *;
               host-statistics-max
               
                 
-                  In BIND 8, specifies the maximum number of host statistic
+                  In BIND 8, specifies the maximum number of host statistics
                   entries to be kept.
                   Not implemented in BIND 9.
                 
@@ -6630,7 +6630,7 @@ query-source-v6 address * port *;
                   from the cache every cleaning-interval minutes.
                   The default is 60 minutes.  The maximum value is 28 days
                   (40320 minutes).
-                  If set to 0, no  periodic cleaning will occur.
+                  If set to 0, no periodic cleaning will occur.
                 
               
             
@@ -6756,7 +6756,7 @@ query-source-v6 address * port *;
             other addresses.
             However, not all resolvers can do this or are correctly
             configured.
-            When a client is using a local server the sorting can be performed
+            When a client is using a local server, the sorting can be performed
             in the server, based on the client's address. This only requires
             configuring the name servers, not all the clients.
           
@@ -6875,7 +6875,7 @@ query-source-v6 address * port *;
           
             If no class is specified, the default is ANY.
             If no type is specified, the default is ANY.
-            If no name is specified, the default is "*".
+            If no name is specified, the default is "*" (asterisk).
           
           
             The legal values for ordering are:
@@ -6963,8 +6963,8 @@ query-source-v6 address * port *;
                   Sets the number of seconds to cache a
                   lame server indication. 0 disables caching. (This is
                   NOT recommended.)
-                  Default is 600 (10 minutes).
-                  Maximum value is
+                  The default is 600 (10 minutes) and the
+                  maximum value is
                   1800 (30 minutes).
                 
 
@@ -6975,7 +6975,7 @@ query-source-v6 address * port *;
               max-ncache-ttl
               
                 
-                  To reduce network traffic and increase performance
+                  To reduce network traffic and increase performance,
                   the server stores negative answers. max-ncache-ttl is
                   used to set a maximum retention time for these answers in
                   the server
@@ -7005,7 +7005,7 @@ query-source-v6 address * port *;
                 
                   The minimum number of root servers that
                   is required for a request for the root servers to be
-                  accepted. Default
+                  accepted. The default
                   is 2.
                 
                 
@@ -7065,11 +7065,11 @@ query-source-v6 address * port *;
               edns-udp-size
               
                 
-		  Sets the advertised EDNS UDP buffer size.  Valid
+		  Sets the advertised EDNS UDP buffer size in bytes.  Valid
                   values are 512 to 4096 (values outside this range
                   will be silently adjusted).  The default value is
                   4096.  The usual reason for setting edns-udp-size to
-                  a non default value it to get UDP answers to pass
+                  a non-default value it to get UDP answers to pass
                   through broken firewalls that block fragmented
                   packets and/or block UDP packets that are greater
                   than 512 bytes.
@@ -7082,10 +7082,10 @@ query-source-v6 address * port *;
               
                 
 		  Sets the maximum EDNS UDP message size named will
-		  send.  Valid values are 512 to 4096 (values outside
+		  send in bytes.  Valid values are 512 to 4096 (values outside
 		  this range will be silently adjusted).  The default
 		  value is 4096.  The usual reason for setting
-		  max-udp-size to a non default value it to get UDP
+		  max-udp-size to a non-default value is to get UDP
 		  answers to pass through broken firewalls that
 		  block fragmented packets and/or block UDP packets
 		  that are greater than 512 bytes.
@@ -7102,7 +7102,7 @@ query-source-v6 address * port *;
 	          The default value is text, which is the
 		  standard textual representation.  Files in other formats
 		  than text are typically expected
-		  to be generated by the named-compilezone.
+		  to be generated by the named-compilezone tool.
 		  Note that when a zone file in a different format than
 		  text is loaded, named
 	          may omit some of the checks which would be performed for a
@@ -7138,20 +7138,20 @@ query-source-v6 address * port *;
 		
 	          This value should reflect how many queries come in for
 		  a given name in the time it takes to resolve that name.
-		  If the number of queries exceed this value named will
+		  If the number of queries exceed this value, named will
 		  assume that it is dealing with a non-responsive zone
 		  and will drop additional queries.  If it gets a response
-		  after dropping queries it will raise the estimate.  The
+		  after dropping queries, it will raise the estimate.  The
 		  estimate will then be lowered in 20 minutes if it has
 		  remained unchanged.
 		
 		
-		  If clients-per-query is set to zero
+		  If clients-per-query is set to zero,
 		  then there is no limit on the number of clients per query
 		  and no queries will be dropped.
 		
 		
-		  If max-clients-per-query is set to zero
+		  If max-clients-per-query is set to zero,
 		  then there is no upper bound other than imposed by
 		  recursive-clients.
 		
@@ -7297,13 +7297,13 @@ query-source-v6 address * port *;
 	    views of class IN.  Disabled empty zones are only inherited
 	    from options if there are no disabled empty zones specified
 	    at the view level.  To override the options list of disabled
-	    zones you can disable the root zone at the view level, for example:
+	    zones, you can disable the root zone at the view level, for example:
 
 	    disable-empty-zone ".";
 
 	  
 	  
-	    If you are using the address ranges covered here you should
+	    If you are using the address ranges covered here, you should
 	    already have reverse zones covering the addresses you use.
 	    In practice this appears to not be the case with many queries
 	    being made to the infrustructure servers for names in these
@@ -7314,7 +7314,7 @@ query-source-v6 address * port *;
 	  
 	    The real parent servers for these zones should disable all
 	    empty zone under the parent zone they serve.  For the real
-	    root servers this is all built in empty zones.  This will
+	    root servers, this is all built in empty zones.  This will
 	    enable them to return referrals to deeper in the tree.
 	  
           
@@ -7323,7 +7323,7 @@ query-source-v6 address * port *;
 	      
 	        
 		  Specify what server name will appear in the returned
-		  SOA record for empty zones.  If none is specified then
+		  SOA record for empty zones.  If none is specified, then
 		  the zone's name will be used.
 	        
 	       
@@ -7334,7 +7334,7 @@ query-source-v6 address * port *;
 	      
 	        
 		  Specify what contact name will appear in the returned
-		  SOA record for empty zones.  If none is specified then
+		  SOA record for empty zones.  If none is specified, then
 		  "." will be used.
 	        
 	      
@@ -7344,7 +7344,7 @@ query-source-v6 address * port *;
 	      empty-zones-enable
 	      
 	        
-		  Enable / disable all empty zones.  By default they
+		  Enable or disable all empty zones.  By default they
 		  are enabled.
 	        
 	      
@@ -7354,7 +7354,7 @@ query-source-v6 address * port *;
 	    disable-empty-zone
 	      
 	        
-		  Disable a indiviual empty zones.  By default none are
+		  Disable individual empty zones.  By default none are
 		  disabled.  This option can be specified multiple times.
 	        
 	      
@@ -7581,7 +7581,7 @@ query-source-v6 address * port *;
                   based
                   algorithm, every acache-cleaning-interval minutes.
                   The default is 60 minutes.
-                  If set to 0, no  periodic cleaning will occur.
+                  If set to 0, no periodic cleaning will occur.
                 
               
             
@@ -7590,11 +7590,10 @@ query-source-v6 address * port *;
               max-acache-size
               
                 
-                  The maximum amount of memory to use for the server's acache,
-                  in bytes.
+                  The maximum amount of memory in bytes to use for the server's acache.
                   When the amount of data in the acache reaches this limit,
                   the server
-                  will clean more aggressivly so that the limit is not
+                  will clean more aggressively so that the limit is not
                   exceeded.
                   In a server with multiple views, the limit applies
                   separately to the
@@ -7645,7 +7644,7 @@ query-source-v6 address * port *;
             The server statement defines
             characteristics
             to be associated with a remote name server.  If a prefix length is
-            specified then a range of servers is covered.  Only the most
+            specified, then a range of servers is covered.  Only the most
             specific
             server clause applies regardless of the order in
             named.conf.
@@ -7724,7 +7723,7 @@ query-source-v6 address * port *;
           
             The edns-udp-size option sets the EDNS UDP size
 	    that is advertised by named when querying the remote server.
-	    Valid values are 512 to 4096 (values outside this range will be
+	    Valid values are 512 to 4096 bytes (values outside this range will be
 	    silently adjusted).  This option is useful when you wish to
 	    advertises a different value to this server than the value you
 	    advertise globally, for example, when there is a firewall at the
@@ -7734,7 +7733,7 @@ query-source-v6 address * port *;
           
 	    The max-udp-size option sets the
 	    maximum EDNS UDP message size named will send.  Valid
-	    values are 512 to 4096 (values outside this range will
+	    values are 512 to 4096 bytes (values outside this range will
 	    be silently adjusted).  This option is useful when you
 	    know that there is a firewall that is blocking large
 	    replies from named.
@@ -7794,7 +7793,7 @@ query-source-v6 address * port *;
             Similarly, for an IPv6 remote server, only
             transfer-source-v6 can be
             specified.
-            Form more details, see the description of
+            For more details, see the description of
             transfer-source and
             transfer-source-v6 in
             .
@@ -7852,7 +7851,7 @@ query-source-v6 address * port *;
 	    trusted-keys are deemed to exist regardless
 	    of what parent zones say.  Similarly for all keys listed in
 	    trusted-keys only those keys are
-	    used to validate the DNSKEY RRset.  The parents DS RRset
+	    used to validate the DNSKEY RRset.  The parent's DS RRset
 	    will not be used.
 	  
 	  
@@ -7968,7 +7967,7 @@ query-source-v6 address * port *;
 
           
             Here is an example of a typical split DNS setup implemented
-            using view statements.
+            using view statements:
           
 
 view "internal" {
@@ -8198,7 +8197,7 @@ zone zone_name classexample.com might place
                         the zone contents into a file called
@@ -8293,8 +8292,8 @@ zone zone_name classforward option
-                        (that is, "forward first
-                        to", then "forward only", or vice versa, but want to
+                        (that is, "forward first"
+                        to, then "forward only", or vice versa, but want to
                         use the same
                         servers as set globally) you need to re-specify the
                         global forwarders.
@@ -8330,14 +8329,14 @@ zone zone_name class
                     
                       
-                        This is used to enforce the delegation only
+                        This is used to enforce the delegation-only
                         status of infrastructure zones (e.g. COM, NET, ORG).
                         Any answer that
-                        is received without a explicit or implicit delegation
+                        is received without an explicit or implicit delegation
                         in the authority
                         section will be treated as NXDOMAIN.  This does not
                         apply to the zone
-                        apex.  This SHOULD NOT be applied to leaf zones.
+                        apex.  This should not be applied to leaf zones.
                       
                       
                         delegation-only has no
@@ -8591,7 +8590,7 @@ zone zone_name class
                   
                     The flag only applies to hint and stub zones.  If set
-                    to yes then the zone will also be
+                    to yes, then the zone will also be
                     treated as if it
                     is also a delegation-only type zone.
                   
@@ -8617,7 +8616,7 @@ zone zone_name class
                     Used to override the list of global forwarders.
                     If it is not specified in a zone of type forward,
-                    no forwarding is done for the zone; the global options are
+                    no forwarding is done for the zone and the global options are
                     not used.
                   
                 
@@ -9022,7 +9021,7 @@ zone zone_name classidentity would
-			be specified as * in
+			be specified as * (an asterisk) in
 			this case.
 		      
 		    
@@ -9129,7 +9128,7 @@ zone zone_name class
                     
                       
-                        An encoded 16 bit value that specifies
+                        An encoded 16-bit value that specifies
                         the type of the resource record.
                       
                     
@@ -9142,8 +9141,8 @@ zone zone_name class
                     
                       
-                        The time to live of the RR. This field
-                        is a 32 bit integer in units of seconds, and is
+                        The time-to-live of the RR. This field
+                        is a 32-bit integer in units of seconds, and is
                         primarily used by
                         resolvers when they cache RRs. The TTL describes how
                         long a RR can
@@ -9159,7 +9158,7 @@ zone zone_name class
                     
                       
-                        An encoded 16 bit value that identifies
+                        An encoded 16-bit value that identifies
                         a protocol family or instance of a protocol.
                       
                     
@@ -9413,7 +9412,7 @@ zone zone_name class
                       
                         Identifies a mail exchange for the domain with
-                        a 16 bit preference value (lower is better)
+                        a 16-bit preference value (lower is better)
                         followed by the host name of the mail exchange.
                         Described in RFC 974, RFC 1035.
                       
@@ -9887,13 +9886,13 @@ zone zone_name class
             
             
-              The MX RRs have an RDATA section which consists of a 16 bit
+              The MX RRs have an RDATA section which consists of a 16-bit
               number followed by a domain name.  The address RRs use a
               standard
-              IP address format to contain a 32 bit internet address.
+              IP address format to contain a 32-bit internet address.
             
             
-              This example shows six RRs, with two RRs at each of three
+              The above example shows six RRs, with two RRs at each of three
               domain names.
             
             
@@ -10132,7 +10131,7 @@ zone zone_name class
           Setting TTLs
           
-            The time to live of the RR field is a 32 bit integer represented
+            The time-to-live of the RR field is a 32-bit integer represented
             in units of seconds, and is primarily used by resolvers when they
             cache RRs. The TTL describes how long a RR can be cached before it
             should be discarded. The following three types of TTL are
@@ -10406,7 +10405,7 @@ $GENERATE 1-127 $ CNAME $.0
                   
                     
                       This can be one of two forms: start-stop
-                      or start-stop/step. If the first form is used then step
+                      or start-stop/step. If the first form is used, then step
                       is set to
                       1. All of start, stop and step must be positive.
                     
@@ -10420,6 +10419,7 @@ $GENERATE 1-127 $ CNAME $.0
                     lhs
 		      describes the owner name of the resource records
                       to be created.  Any single $
+                      (dollar sign)
                       symbols within the lhs side
                       are replaced by the iterator value.
 
@@ -10437,7 +10437,7 @@ $GENERATE 1-127 $ CNAME $.0
                       ${offset[,width[,base]]}.
                       For example, ${-20,3,d}
                       subtracts 20 from the current value, prints the
-                      result as a decimal in a zero padded field of
+                      result as a decimal in a zero-padded field of
                       width 3.
 
 		      Available output forms are decimal
@@ -10451,7 +10451,7 @@ $GENERATE 1-127 $ CNAME $.0
                       to the name.
                     
                     
-                      For compatibility with earlier versions $$ is still
+                      For compatibility with earlier versions, $$ is still
                       recognized as indicating a literal $ in the output.
                     
                   
@@ -10584,7 +10584,7 @@ $GENERATE 1-127 $ CNAME $.0
         
           It is a good idea to use ACLs, and to
           control access to your server. Limiting access to your server by
-          outside parties can help prevent spoofing and DoS attacks against
+          outside parties can help prevent spoofing and denial of service (DoS) attacks against
           your server.
         
         
@@ -10635,7 +10635,7 @@ zone "example.com" {
         <command>chroot</command> and <command>setuid</command>
         
           On UNIX servers, it is possible to run BIND in a chrooted environment
-          (chroot()) by specifying the ""
+          (using the chroot() function) by specifying the ""
           option. This can help improve system security by placing BIND in
           a "sandbox", which will limit the damage done if a server is
           compromised.
@@ -10646,7 +10646,7 @@ zone "example.com" {
           We suggest running as an unprivileged user when using the chroot feature.
         
         
-          Here is an example command line to load BIND in a chroot() sandbox,
+          Here is an example command line to load BIND in a chroot sandbox,
           /var/named, and to run named setuid to
           user 202:
         
@@ -10711,7 +10711,7 @@ zone "example.com" {
         
           Access to the dynamic
           update facility should be strictly limited.  In earlier versions of
-          BIND the only way to do this was
+          BIND, the only way to do this was
           based on the IP
           address of the host requesting the update, by listing an IP address
           or
@@ -10740,7 +10740,7 @@ zone "example.com" {
         
 
         
-          Some sites choose to keep all dynamically updated DNS data
+          Some sites choose to keep all dynamically-updated DNS data
           in a subdomain and delegate that subdomain to a separate zone. This
           way, the top-level zone containing critical data such as the IP
           addresses
@@ -10838,7 +10838,7 @@ zone "example.com" {
             core of the new system was described in 1983 in RFCs 882 and
             883. From 1984 to 1987, the ARPAnet (the precursor to today's
             Internet) became a testbed of experimentation for developing the
-            new naming/addressing scheme in an rapidly expanding,
+            new naming/addressing scheme in a rapidly expanding,
             operational network environment.  New RFCs were written and
             published in 1987 that modified the original documents to
             incorporate improvements based on the working model. RFC 1034,
@@ -10886,7 +10886,7 @@ zone "example.com" {
             released by Digital Equipment
             Corporation (now Compaq Computer Corporation). Paul Vixie, then
             a DEC employee, became BIND's
-            primary caretaker. Paul was assisted
+            primary caretaker. He was assisted
             by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
             Beecher, Andrew
             Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
@@ -10894,7 +10894,7 @@ zone "example.com" {
             Wolfhugel, and others.
           
           
-            BIND Version 4.9.2 was sponsored by
+            BIND version 4.9.2 was sponsored by
             Vixie Enterprises. Paul
             Vixie became BIND's principal
             architect/programmer.
@@ -12044,7 +12044,7 @@ zone "example.com" {
               
             
             
-              Obsoleted DNS Security RFC
+              Obsoleted DNS Security RFCs
 	      
 		
 		  Most of these have been consolidated into RFC4033,

From b05bdb520d83f7ecaad708fe305268c3420be01d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 8 Jun 2006 02:44:05 +0000
Subject: [PATCH 280/465] regen

---
 doc/arm/Bv9ARM.ch01.html         |   4 +-
 doc/arm/Bv9ARM.ch03.html         |  16 +-
 doc/arm/Bv9ARM.ch04.html         |  20 +--
 doc/arm/Bv9ARM.ch06.html         | 256 +++++++++++++++----------------
 doc/arm/Bv9ARM.ch07.html         |  24 +--
 doc/arm/Bv9ARM.ch08.html         |  18 +--
 doc/arm/Bv9ARM.ch09.html         |  26 ++--
 doc/arm/Bv9ARM.html              |  42 ++---
 doc/arm/man.dig.html             |  20 +--
 doc/arm/man.dnssec-keygen.html   |  14 +-
 doc/arm/man.dnssec-signzone.html |  12 +-
 doc/arm/man.host.html            |  10 +-
 doc/arm/man.named-checkconf.html |  12 +-
 doc/arm/man.named-checkzone.html |  12 +-
 doc/arm/man.named.html           |  16 +-
 doc/arm/man.rndc-confgen.html    |  12 +-
 doc/arm/man.rndc.conf.html       |  12 +-
 doc/arm/man.rndc.html            |  12 +-
 18 files changed, 269 insertions(+), 269 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index e0ef79e32a..0519dd40d6 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -482,7 +482,7 @@
         

 

           The length of time for which a record may be retained in
-          in the cache of a caching name server is controlled by the
+          the cache of a caching name server is controlled by the
           Time To Live (TTL) field associated with each resource record.
         

 

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index edd9b03c0c..55ad53e466 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -463,7 +463,7 @@ zone "eng.example.com" {
            [view]]]
 

                         Suspend updates to a dynamic zone.  If no zone is
-                        specified
+                        specified,
                         then all zones are suspended.  This allows manual
                         edits to be made to a zone normally updated by dynamic
                         update.  It
@@ -480,7 +480,7 @@ zone "eng.example.com" {
 

                         Enable updates to a frozen dynamic zone.  If no zone
                         is
-                        specified then all frozen zones are enabled.  This
+                        specified, then all frozen zones are enabled.  This
                         causes
                         the server to reload the zone from disk, and
                         re-enables dynamic updates
@@ -524,10 +524,10 @@ zone "eng.example.com" {
                         [-all|-cache|-zone]
                         [view ...]
 

-                        Dump the server's caches (default) and / or zones to
+                        Dump the server's caches (default) and/or zones to
                         the
                         dump file for the specified views.  If no view is
-                        specified all
+                        specified, all
                         views are dumped.
                       

 
stop [-p]

@@ -573,9 +573,9 @@ zone "eng.example.com" {
 
status

 

                         Display status of the server.
-                        Note the number of zones includes the internal bind/CH zone
+                        Note that the number of zones includes the internal bind/CH zone
                         and the default ./IN
-                        hint zone if there is not a
+                        hint zone if there is not an
                         explicit root zone configured.
                       

 
recursing

@@ -647,7 +647,7 @@ zone "eng.example.com" {
                   server statement.
                 

 

-                  The key statement defines an
+                  The key statement defines a
                   key to be used
                   by rndc when authenticating
                   with
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 9fd2c47684..a26dc2dc37 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -158,7 +158,7 @@
 

           The zone files of dynamic zones cannot normally be edited by
           hand because they are not guaranteed to contain the most recent
-          dynamic changes - those are only in the journal file.
+          dynamic changes — those are only in the journal file.
           The only way to ensure that the zone file of a dynamic zone
           is up to date is to run rndc stop.
         

@@ -328,7 +328,7 @@
             site2.internal domains.
           
 
  • Look up any hostnames on the Internet.
    • 
-
  • Exchange mail with internal AND external people.
    • 
+
  • Exchange mail with both internal and external people.
    • 
 
    
 
    
         Hosts on the Internet will be able to:
@@ -489,11 +489,11 @@ nameserver 172.16.72.4
 
    
 Automatic Generation
    
 
    
-            The following command will generate a 128 bit (16 byte) HMAC-MD5
+            The following command will generate a 128-bit (16 byte) HMAC-MD5
             key as described above. Longer keys are better, but shorter keys
             are easier to read. Note that the maximum key length is 512 bits;
-            keys longer than that will be digested with MD5 to produce a 128
-            bit key.
+            keys longer than that will be digested with MD5 to produce a
+            128-bit key.
           
    
 
    
             dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.
@@ -764,7 +764,7 @@ allow-update { key host1-host2. ;};
           the only one is RSASHA1.
         
    
 
    
-          The following command will generate a 768 bit RSASHA1 key for
+          The following command will generate a 768-bit RSASHA1 key for
           the child.example zone:
         
    
 
    
@@ -811,7 +811,7 @@ allow-update { key host1-host2. ;};
           records for the zone, as well as DS
           for
           the child zones if '-d' is specified.
-                If '-d' is not specified then
+                If '-d' is not specified, then
           DS RRsets for
           the secure child zones need to be added manually.
         
    
@@ -845,7 +845,7 @@ allow-update { key host1-host2. ;};
 Configuring Servers
    
 
    
           To enable named to respond appropriately
-          to DNS requests from DNSSEC aware clients
+          to DNS requests from DNSSEC aware clients,
           dnssec-enable must be set to yes.
         
    
 
    
@@ -895,7 +895,7 @@ trusted-keys {
              iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
              Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
 
-/* Key for out organizations forward zone */
+/* Key for our organization's forward zone */
 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
                       3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
                       OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 7c7b39e8ae..97330a497e 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -55,7 +55,7 @@
 
    acl Statement Grammar
    
 
    acl Statement Definition and
           Usage
    
-
    controls Statement Grammar
    
+
    controls Statement Grammar
    
 
    controls Statement Definition and
           Usage
    
 
    include Statement Grammar
    
@@ -77,23 +77,23 @@
 
    server Statement Grammar
    
 
    server Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
@@ -165,7 +165,7 @@
     
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 7a9bbc0269..37a423bcdc 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    chroot and setuid
    
+
    chroot and setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -72,7 +72,7 @@
 
    
           It is a good idea to use ACLs, and to
           control access to your server. Limiting access to your server by
-          outside parties can help prevent spoofing and DoS attacks against
+          outside parties can help prevent spoofing and denial of service (DoS) attacks against
           your server.
         
    
 
    
@@ -118,10 +118,10 @@ zone "example.com" {
 
 
    
 
    
-chroot and setuid
    
+chroot and setuid
    
 
    
           On UNIX servers, it is possible to run BIND in a chrooted environment
-          (chroot()) by specifying the "-t"
+          (using the chroot() function) by specifying the "-t"
           option. This can help improve system security by placing BIND in
           a "sandbox", which will limit the damage done if a server is
           compromised.
@@ -132,7 +132,7 @@ zone "example.com" {
           We suggest running as an unprivileged user when using the chroot feature.
         
    
 
    
-          Here is an example command line to load BIND in a chroot() sandbox,
+          Here is an example command line to load BIND in a chroot sandbox,
           /var/named, and to run named setuid to
           user 202:
         
    
@@ -141,7 +141,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    
             In order for a chroot environment
             to
@@ -169,7 +169,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    
             Prior to running the named daemon,
             use
@@ -195,7 +195,7 @@ zone "example.com" {
 
    
           Access to the dynamic
           update facility should be strictly limited.  In earlier versions of
-          BIND the only way to do this was
+          BIND, the only way to do this was
           based on the IP
           address of the host requesting the update, by listing an IP address
           or
@@ -222,7 +222,7 @@ zone "example.com" {
           option can be used.
         
    
 
    
-          Some sites choose to keep all dynamically updated DNS data
+          Some sites choose to keep all dynamically-updated DNS data
           in a subdomain and delegate that subdomain to a separate zone. This
           way, the top-level zone containing critical data such as the IP
           addresses
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 65161dc65f..550d3a48a4 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    
           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 512d6bcef6..86702fa8c3 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
    
@@ -69,7 +69,7 @@
             core of the new system was described in 1983 in RFCs 882 and
             883. From 1984 to 1987, the ARPAnet (the precursor to today's
             Internet) became a testbed of experimentation for developing the
-            new naming/addressing scheme in an rapidly expanding,
+            new naming/addressing scheme in a rapidly expanding,
             operational network environment.  New RFCs were written and
             published in 1987 that modified the original documents to
             incorporate improvements based on the working model. RFC 1034,
@@ -116,7 +116,7 @@
             released by Digital Equipment
             Corporation (now Compaq Computer Corporation). Paul Vixie, then
             a DEC employee, became BIND's
-            primary caretaker. Paul was assisted
+            primary caretaker. He was assisted
             by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
             Beecher, Andrew
             Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
@@ -124,7 +124,7 @@
             Wolfhugel, and others.
           
    
 
    
-            BIND Version 4.9.2 was sponsored by
+            BIND version 4.9.2 was sponsored by
             Vixie Enterprises. Paul
             Vixie became BIND's principal
             architect/programmer.
@@ -148,7 +148,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -235,7 +235,7 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
@@ -380,7 +380,7 @@
                        and Renumbering. July 2000. 
    
 
 
    
-
    Obsoleted DNS Security RFC
    
+
    Obsoleted DNS Security RFCs
    
 
    
 
    Note
    
 
    
@@ -420,11 +420,11 @@
 
    
 
    
 
    
-Other Documents About BIND
    
+Other Documents About BIND
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index ba814558c6..d737943534 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -133,7 +133,7 @@
 
    acl Statement Grammar
    
 
    acl Statement Definition and
           Usage
    
-
    controls Statement Grammar
    
+
    controls Statement Grammar
    
 
    controls Statement Definition and
           Usage
    
 
    include Statement Grammar
    
@@ -155,54 +155,54 @@
 
    server Statement Grammar
    
 
    server Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    chroot and setuid
    
+
    chroot and setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 4ee12d3970..b879338228 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -137,7 +137,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 5e3566e9f9..d466e50947 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -166,7 +166,7 @@
 
    
 
    
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 0d75d096a1..2b30755cb2 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -257,7 +257,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -283,14 +283,14 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 8e35f729f3..d02f1660db 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 617276b037..3047bebdfa 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-v] [-j] [-t directory] {filename} [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -t directory
    
 
    
@@ -88,20 +88,20 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 6e3749f65a..7627e7c611 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -251,21 +251,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index ddb4f89f09..d15aeb54b4 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -198,7 +198,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -241,7 +241,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -252,7 +252,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 559bc98859..8786ddf032 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -171,7 +171,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 84d0ac3d78..a25f78ddc3 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index b2b4aabaf8..a37a8e2df5 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -152,7 +152,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From b7b3e1681e2bab736891f1ea0104e8433b2e5d2c Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 00:52:36 +0000
Subject: [PATCH 281/465] spelling / grammer

---
 doc/arm/Bv9ARM-book.xml | 115 ++++++++++++++++++++--------------------
 1 file changed, 58 insertions(+), 57 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 071d1f6d90..d2d601b086 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 BIND 9 Administrator Reference Manual
@@ -333,7 +333,7 @@ caching are intimately connected, the terms
 caching server are often used synonymously.
 
 The length of time for which a record may be retained in
-in the cache of a caching name server is controlled by the 
+the cache of a caching name server is controlled by the 
 Time To Live (TTL) field associated with each resource record.
 
 
@@ -824,8 +824,8 @@ of a server.
 
    status
    Display status of the server.
-Note the number of zones includes the internal bind/CH zone
-and the default ./IN hint zone if there is not a
+Note that the number of zones includes the internal bind/CH zone
+and the default ./IN hint zone if there is not an
 explicit root zone configured.
 
 
@@ -1020,7 +1020,7 @@ reload the database. 
 
     The zone files of dynamic zones cannot normally be edited by
     hand because they are not guaranteed to contain the most recent
-    dynamic changes - those are only in the journal file.
+    dynamic changes — those are only in the journal file.
     The only way to ensure that the zone file of a dynamic zone
     is up to date is to run rndc stop.
 
@@ -1136,7 +1136,7 @@ internal clients will now be able to:
 
         Look up any hostnames on the Internet.
 
-        Exchange mail with internal AND external people.
+        Exchange mail with both internal AND external people.
 Hosts on the Internet will be able to:
 
         Look up any hostnames in the site1 and 
@@ -1270,11 +1270,11 @@ for TSIG.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.
 Automatic Generation
-The following command will generate a 128 bit (16 byte) HMAC-MD5
+The following command will generate a 128-bit (16 byte) HMAC-MD5
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a 128
-bit key.
+keys longer than that will be digested with MD5 to produce a
+128-bit key.
         dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.
 The key is in the file Khost1-host2.+157+00000.private.
 Nothing directly uses this file, but the base-64 encoded string
@@ -1413,7 +1413,7 @@ allow-update { key host1-host2. ;};
 
     When a SIG(0) signed message is received, it will only be
     verified if the key is known and trusted by the server; the server
-    will not attempt to locate and/or validate the key.
+    will not attempt to locate and / or validate the key.
 
     SIG(0) signing of multiple-message TCP streams is not
     supported.
@@ -1465,7 +1465,7 @@ allow-update { key host1-host2. ;};
       these are RSASHA1 (which is not yet supported in BIND 9.2)
       and DSA.
 
-      The following command will generate a 768 bit DSA key for
+      The following command will generate a 768-bit DSA key for
       the child.example zone:
 
       dnssec-keygen -a DSA -b 768 -n ZONE child.example.
@@ -1751,7 +1751,7 @@ in dotted_decimal notation.
 An IP port number.
  number is limited to 0 through 65535, with values
 below 1024 typically restricted to root-owned processes. In some
-cases an asterisk (`*') character can be used as a placeholder to
+cases, an asterisk (`*') character can be used as a placeholder to
 select a random high-numbered port.
 
 
@@ -1775,7 +1775,7 @@ separated by semicolons and ending with a semicolon.
 
 
 number
-A non-negative 32 bit unsigned integer
+A non-negative 32-bit unsigned integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
 be limited by the context in which it is used.
@@ -2156,8 +2156,8 @@ installed.
       permissions set such that only the owner of the file (the user that
       named is running as) can access it.  If you
       desire greater flexibility in allowing other users to access
-      rndc commands then you need to create an
-      rndc.conf and make it group readable by a group
+      rndc commands, then you need to create a
+      rndc.conf file and make it group readable by a group
       that contains the users who should have access.
 
       The UNIX control channel type of BIND 8 is not supported
@@ -2306,8 +2306,8 @@ of the file will be saved each time the file is opened.
 
 If you use the versions log file option, then
 named will retain that many backup versions of the file by
-renaming them when opening.  For example, if you choose to keep 3 old versions
-of the file lamers.log then just before it is opened
+renaming them when opening.  For example, if you choose to keep three old versions
+of the file lamers.log, then just before it is opened
 lamers.log.1 is renamed to
 lamers.log.2, lamers.log.0 is renamed
 to lamers.log.1, and lamers.log is
@@ -2856,7 +2856,7 @@ Turn on enforcment of delegation-only in TLDs and root zones with an optional
 exclude list.
 
 
-Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
+Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
 
 
 options {
@@ -2886,7 +2886,7 @@ the checks.
 dialup
 If yes, then the
 server treats all zones as if they are doing zone transfers across
-a dial on demand dialup link, which can be brought up by traffic
+a dial-on-demand dialup link, which can be brought up by traffic
 originating from this server. This has different effects according
 to zone type and concentrates the zone maintenance so that it all
 happens in a short interval, once every heartbeat-interval and
@@ -3142,8 +3142,8 @@ its cache.
 forward
 This option is only meaningful if the
 forwarders list is not empty. A value of first,
-the default, causes the server to query the forwarders first, and
-if that doesn't answer the question the server will then look for
+the default, causes the server to query the forwarders first — and
+if that doesn't answer the question, the server will then look for
 the answer itself. If only is specified, the
 server will only query the forwarders.
 
@@ -3565,7 +3565,7 @@ records are purged from the cache only when their TTLs expire.
 The server will remove expired resource records
 from the cache every cleaning-interval minutes.
 The default is 60 minutes.
-If set to 0, no  periodic cleaning will occur.
+If set to 0, no periodic cleaning will occur.
 
 
 heartbeat-interval
@@ -3640,7 +3640,7 @@ statement in ).
 The client resolver code should rearrange the RRs as appropriate,
 that is, using any addresses on the local net in preference to other addresses.
 However, not all resolvers can do this or are correctly configured.
-When a client is using a local server the sorting can be performed
+When a client is using a local server, the sorting can be performed
 in the server, based on the client's address. This only requires
 configuring the nameservers, not all the clients.
 
@@ -3720,7 +3720,7 @@ See also the sortlist statement,
 
 If no class is specified, the default is ANY.
 If no type is specified, the default is ANY.
-If no name is specified, the default is "*".
+If no name is specified, the default is "*" (asterisk).
 The legal values for ordering are:
 
@@ -3809,13 +3809,13 @@ clients that are supplied recursive service.
 Sets the number of seconds to cache a
 lame server indication. 0 disables caching. (This is
 NOT recommended.)
-Default is 600 (10 minutes). Maximum value is 
+The default is 600 (10 minutes) and the maximum value is 
 1800 (30 minutes).
 
 
 
 max-ncache-ttl
-To reduce network traffic and increase performance
+To reduce network traffic and increase performance,
 the server stores negative answers. max-ncache-ttl is
 used to set a maximum retention time for these answers in the server
 in seconds. The default
@@ -3825,7 +3825,7 @@ be silently truncated to 7 days if set to a greater value.
 
 
 host-statistics-max
-In BIND 8, specifies the maximum number of host statistic
+In BIND 8, specifies the maximum number of host statistics
 entries to be kept.
 Not implemented in BIND 9.
 
@@ -3838,7 +3838,7 @@ answers. The default is one week (7 days).
 
 min-roots
 The minimum number of root servers that
-is required for a request for the root servers to be accepted. Default
+is required for a request for the root servers to be accepted. The default
 is 2.
 
 Not yet implemented in BIND9.
@@ -4130,7 +4130,7 @@ are present, all zone statements must occur inside
 view statements.
 
 Here is an example of a typical split DNS setup implemented
-using view statements.
+using view statements:
 view "internal" {
                // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
@@ -4296,7 +4296,7 @@ and reloaded from this file on a server restart. Use of a file is
 recommended, since it often speeds server startup and eliminates
 a needless waste of bandwidth. Note that for large numbers (in the
 tens or hundreds of thousands) of zones per server, it is best to
-use a two level naming scheme for zone file names. For example,
+use a two-level naming scheme for zone file names. For example,
 a slave server for the zone example.com might place
 the zone contents into a file called
 ex/example.com where ex/ is
@@ -4346,8 +4346,8 @@ an empty list for forwarders is given, then no
 forwarding will be done for the domain, canceling the effects of
 any forwarders in the options statement. Thus
 if you want to use this type of zone to change the behavior of the
-global forward option (that is, "forward first
-to", then "forward only", or vice versa, but want to use the same
+global forward option (that is, "forward first"
+to, then "forward only", or vice versa, but want to use the same
 servers as set globally) you need to respecify the global forwarders.
 
 
@@ -4477,7 +4477,7 @@ with the distribution but none are linked in by default.
 
 delegation-only
 The flag only applies to hint and stub zones.  If set
-to yes then the zone will also be treated as if it
+to yes, then the zone will also be treated as if it
 is also a delegation-only type zone.
 
 
@@ -4492,7 +4492,7 @@ allow a normal lookup to be tried.
 forwarders
 Used to override the list of global forwarders.
 If it is not specified in a zone of type forward,
-no forwarding is done for the zone; the global options are not used.
+no forwarding is done for the zone and the global options are not used.
 
 
 ixfr-base
@@ -4690,20 +4690,20 @@ and implemented in the DNS. These are also included.
 
 
 type
-an encoded 16 bit value that specifies
+an encoded 16-bit value that specifies
 the type of the resource in this resource record. Types refer to
 abstract resources.
 
 
 TTL
-the time to live of the RR. This field
-is a 32 bit integer in units of seconds, and is primarily used by
+the time-to-live of the RR. This field
+is a 32-bit integer in units of seconds, and is primarily used by
 resolvers when they cache RRs. The TTL describes how long a RR can
 be cached before it should be discarded.
 
 
 class
-an encoded 16 bit value that identifies
+an encoded 16-bit value that identifies
 a protocol family or instance of a protocol.
 
 
@@ -4882,7 +4882,7 @@ data that describes the resource:
 
 A
-for the IN class, a 32 bit IP address.
+for the IN class, a 32-bit IP address.
 
 
 A6
@@ -4902,7 +4902,7 @@ a name from the DNAME record's RDATA.
 
 
 MX
-a 16 bit preference value (lower is better)
+a 16-bit preference value (lower is better)
 followed by a host name willing to act as a mail exchange for the
 owner domain.
 
@@ -4998,10 +4998,10 @@ knowledge of the typical representation for the data.
 
 
    
-The MX RRs have an RDATA section which consists of a 16 bit
+The MX RRs have an RDATA section which consists of a 16-bit
 number followed by a domain name.  The address RRs use a standard
-IP address format to contain a 32 bit internet address.
-This example shows six RRs, with two RRs at each of three
+IP address format to contain a 32-bit internet address.
+The above example shows six RRs, with two RRs at each of three
 domain names.
 Similarly we might see:
 any order), and if neither of those succeed, delivery to mail.backup.org will
 be attempted.
 Setting TTLs
-The time to live of the RR field is a 32 bit integer represented
+The time-to-live of the RR field is a 32-bit integer represented
 in units of seconds, and is primarily used by resolvers when they
 cache RRs. The TTL describes how long a RR can be cached before it
 should be discarded. The following three types of TTL are currently
@@ -5236,13 +5236,14 @@ $GENERATE 1-127 $ CNAME $.0
             
               range
               This can be one of two forms: start-stop
-or start-stop/step. If the first form is used then step is set to
+or start-stop/step. If the first form is used, then step is set to
         1. All of start, stop and step must be positive.
       
         
           lhs
           lhs describes the
-owner name of the resource records to be created.      Any single $ symbols
+owner name of the resource records to be created. Any single
+$ (dollar sign) symbols
 within the lhs side are replaced by the iterator
 value.
 To get a $ in the output you need to escape the $
@@ -5252,14 +5253,14 @@ by modifiers which change the offset from the interator, field width and base.
 Modifiers are introduced by a { immediately following the
 $ as ${offset[,width[,base]]}.
 For example, ${-20,3,d} which subtracts 20 from the current value,
-prints the result as a decimal in a zero padded field of width 3.  Available
+prints the result as a decimal in a zero-padded field of width 3.  Available
 output forms are decimal (d), octal (o)
 and hexadecimal (x or X for uppercase).
 The default modifier is ${0,0,d}.
 If the lhs is not
 absolute, the current $ORIGIN is appended to
 the name.
-For compatibility with earlier versions $$ is still
+For compatibility with earlier versions, $$ is still
 recognised as indicating a literal $ in the output.
         
         
@@ -5291,8 +5292,8 @@ your nameserver, without cluttering up your config files with huge
 lists of IP addresses.
 It is a good idea to use ACLs, and to
 control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and DoS attacks against
-your server.
+outside parties can help prevent spoofing and denial of service (DoS)
+attacks against your server.
 Here is an example of how to properly apply ACLs:
 
 // Set up an ACL named "bogusnets" that will block RFC1918 space,
@@ -5325,13 +5326,13 @@ see the AUSCERT advisory at
 <command>chroot</command> and <command>setuid</command> (for
 UNIX servers)
 On UNIX servers, it is possible to run BIND in a chrooted environment
-(chroot()) by specifying the ""
+(using the chroot() function) by specifying the ""
 option. This can help improve system security by placing BIND in
 a "sandbox," which will limit the damage done if a server is compromised.
 Another useful feature in the UNIX version of BIND is the
 ability to run the daemon as a nonprivileged user (  user ).
 We suggest running as a nonprivileged user when using the chroot feature.
-Here is an example command line to load BIND in a chroot() sandbox, 
+Here is an example command line to load BIND in a chroot sandbox, 
 /var/named, and to run named setuid to
 user 202:
 /usr/local/bin/named -u 202 -t /var/named
@@ -5378,7 +5379,7 @@ server is reloaded.
 
 Access to the dynamic
 update facility should be strictly limited.  In earlier versions of
-BIND the only way to do this was based on the IP
+BIND, the only way to do this was based on the IP
 address of the host requesting the update, by listing an IP address or
 network prefix in the allow-update zone option.
 This method is insecure since the source address of the update UDP packet
@@ -5396,7 +5397,7 @@ list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the new update-policy
 option can be used.
 
-Some sites choose to keep all dynamically updated DNS data
+Some sites choose to keep all dynamically-updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP addresses
 of public web and mail servers need not allow dynamic update at
@@ -5475,7 +5476,7 @@ all.
       core of the new system was described in 1983 in RFCs 882 and
       883. From 1984 to 1987, the ARPAnet (the precursor to today's
       Internet) became a testbed of experimentation for developing the
-      new naming/addressing scheme in an rapidly expanding,
+      new naming/addressing scheme in a rapidly expanding,
       operational network environment.  New RFCs were written and
       published in 1987 that modified the original documents to
       incorporate improvements based on the working model. RFC 1034,
@@ -5508,12 +5509,12 @@ Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was
 handled by Mike Karels and O. Kure.
       BIND versions 4.9 and 4.9.1 were released by Digital Equipment
 Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became BIND's primary caretaker. Paul was assisted
+a DEC employee, became BIND's primary caretaker. He was assisted
 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
 Wolfhugel, and others.
-      BIND Version 4.9.2 was sponsored by Vixie Enterprises. Paul
+      BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul
 Vixie became BIND's principal architect/programmer.
       BIND versions from 4.9.3 onward have been developed and maintained
 by the Internet Software Consortium with support being provided

From c7efca8420205a70134dd65823886c41165a59d5 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 00:54:09 +0000
Subject: [PATCH 282/465] update copyright notice

---
 bin/check/Makefile.in | 4 ++--
 bin/named/log.c       | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index b0feea0a14..328e8f4d3f 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.29 2006/06/07 02:28:28 marka Exp $
+# $Id: Makefile.in,v 1.30 2006/06/09 00:54:09 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/named/log.c b/bin/named/log.c
index 0ff5bdc0e0..f064d56eea 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.42 2006/06/07 02:28:28 marka Exp $ */
+/* $Id: log.c,v 1.43 2006/06/09 00:54:09 marka Exp $ */
 
 /*! \file */
 

From 2f54aa7de8f2bd8c04c97c44b44e73b09a30b592 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 07:13:51 +0000
Subject: [PATCH 283/465] regen

---
 doc/arm/Bv9ARM.ch01.html |   4 +-
 doc/arm/Bv9ARM.ch03.html |   6 +-
 doc/arm/Bv9ARM.ch04.html |  16 ++--
 doc/arm/Bv9ARM.ch06.html | 161 ++++++++++++++++++++-------------------
 doc/arm/Bv9ARM.ch07.html |  26 +++----
 doc/arm/Bv9ARM.ch08.html |  18 ++---
 doc/arm/Bv9ARM.ch09.html |  32 ++++----
 doc/arm/Bv9ARM.html      |  52 ++++++-------
 8 files changed, 158 insertions(+), 157 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index aa433d33bd..1491b85975 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -341,7 +341,7 @@ caching are intimately connected, the terms
 recursive server and
 caching server are often used synonymously.
    
 
    The length of time for which a record may be retained in
-in the cache of a caching name server is controlled by the 
+the cache of a caching name server is controlled by the 
 Time To Live (TTL) field associated with each resource record.
 
    
 
    
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index a03faf05a7..1993367002 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -349,8 +349,8 @@ of a server.
    
 
    Flushes the server's cache.
    
 
    status
    
 
    Display status of the server.
-Note the number of zones includes the internal bind/CH zone
-and the default ./IN hint zone if there is not a
+Note that the number of zones includes the internal bind/CH zone
+and the default ./IN hint zone if there is not an
 explicit root zone configured.
    
 
    
 
    In BIND 9.2, rndc
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 62758efc30..bb05a6237f 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -114,7 +114,7 @@
     journalled in a similar way.
    
 
    The zone files of dynamic zones cannot normally be edited by
     hand because they are not guaranteed to contain the most recent
-    dynamic changes - those are only in the journal file.
+    dynamic changes — those are only in the journal file.
     The only way to ensure that the zone file of a dynamic zone
     is up to date is to run rndc stop.
    
 
    If you have to make changes to a dynamic zone
@@ -224,7 +224,7 @@ internal clients will now be able to:
    
 
  • Look up any hostnames in the site1.internal and 
 site2.internal domains.
    • 
 
  • Look up any hostnames on the Internet.
    • 
-
  • Exchange mail with internal AND external people.
    • 
+
  • Exchange mail with both internal AND external people.
    • 
 
 
    Hosts on the Internet will be able to:
    
 
    
@@ -171,7 +171,7 @@ separated by semicolons and ending with a semicolon.
    
     
-
@@ -553,8 +553,8 @@ installed.
       permissions set such that only the owner of the file (the user that
       named is running as) can access it.  If you
       desire greater flexibility in allowing other users to access
-      rndc commands then you need to create an
-      rndc.conf and make it group readable by a group
+      rndc commands, then you need to create a
+      rndc.conf file and make it group readable by a group
       that contains the users who should have access.
    
 
    The UNIX control channel type of BIND 8 is not supported
       in BIND 9.0, BIND 9.1,
@@ -689,8 +689,8 @@ both on how large the file is allowed to become, and how many versions
 of the file will be saved each time the file is opened.
    
 
    If you use the versions log file option, then
 named will retain that many backup versions of the file by
-renaming them when opening.  For example, if you choose to keep 3 old versions
-of the file lamers.log then just before it is opened
+renaming them when opening.  For example, if you choose to keep three old versions
+of the file lamers.log, then just before it is opened
 lamers.log.1 is renamed to
 lamers.log.2, lamers.log.0 is renamed
 to lamers.log.1, and lamers.log is
@@ -964,7 +964,7 @@ a delegation-only in a hint or stu
 
 
    
 
    
-lwres Statement Grammar
    
+lwres Statement Grammar
    
 
     This is the grammar of the lwres
 statement in the named.conf file:
    
 
    lwres {
@@ -977,7 +977,7 @@ statement in the named.conf file:
    
 
 
    
 
    
-lwres Statement Definition and Usage
    
+lwres Statement Definition and Usage
    
 
    The lwres statement configures the name
 server to also act as a light-weight resolver daemon. (See
 the section called “Running a Resolver Daemon”.)  There may be be multiple
@@ -1005,7 +1005,7 @@ exact match lookup before search path elements are appended.
    
 
 
    
 
    
-options Statement Grammar
    
+options Statement Grammar
    
 
    This is the grammar of the options
 statement in the named.conf file:
    
 
    options {
@@ -1103,7 +1103,7 @@ statement in the named.conf file:
    
 
 
    
 
    
-options Statement Definition and Usage
    
+options Statement Definition and Usage
    
 
    The options statement sets up global options
 to be used by BIND. This statement may appear only
 once in a configuration file. If more than one occurrence is found,
@@ -1201,7 +1201,7 @@ Turn on enforcment of delegation-only in TLDs and root zones with an optional
 exclude list.
 
    
 
    
-Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
+Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
 
    
 
     options {
@@ -1228,7 +1228,7 @@ the checks.
    
 
    
 
    If yes, then the
 server treats all zones as if they are doing zone transfers across
-a dial on demand dialup link, which can be brought up by traffic
+a dial-on-demand dialup link, which can be brought up by traffic
 originating from this server. This has different effects according
 to zone type and concentrates the zone maintenance so that it all
 happens in a short interval, once every heartbeat-interval and
@@ -1454,7 +1454,7 @@ The use of this option for any other purpose is discouraged.
 
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    The forwarding facility can be used to create a large site-wide
 cache on a few servers, reducing traffic over links to external
 nameservers. It can also be used to allow queries by servers that
@@ -1466,8 +1466,8 @@ its cache.
    
 
    forward
    
 
    This option is only meaningful if the
 forwarders list is not empty. A value of first,
-the default, causes the server to query the forwarders first, and
-if that doesn't answer the question the server will then look for
+the default, causes the server to query the forwarders first — and
+if that doesn't answer the question, the server will then look for
 the answer itself. If only is specified, the
 server will only query the forwarders.
 
    
@@ -1531,7 +1531,7 @@ from these addresses will not be responded to. The default is 
 
    
-Interfaces
    
+Interfaces
 
    The interfaces and ports that the server will answer queries
 from may be specified using the listen-on option. listen-on takes
 an optional port, and an address_match_list.
@@ -1573,7 +1573,7 @@ the server will not listen on any IPv6 address.
    
 
 
    
 
    
-Query Address
    
+Query Address
    
 
    If the server doesn't know the answer to a question, it will
 query other nameservers. query-source specifies
 the address and port used for such queries. For queries sent over
@@ -1736,7 +1736,7 @@ but applies to notify messages sent to IPv6 addresses.
    
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    The server's usage of many system resources can be limited.
 Scaled values are allowed when specifying resource limits.  For
 example, 1G can be used instead of
@@ -1780,7 +1780,7 @@ may use. The default is default.
    
 
 
    
 
    
-Server  Resource Limits
    
+Server  Resource Limits
    
 
    The following options set limits on the server's
 resource consumption that are enforced internally by the
 server rather than the operating system.
    
@@ -1813,13 +1813,13 @@ records are purged from the cache only when their TTLs expire.
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    The server will remove expired resource records
 from the cache every cleaning-interval minutes.
 The default is 60 minutes.
-If set to 0, no  periodic cleaning will occur.
    
+If set to 0, no periodic cleaning will occur.
    
 
    heartbeat-interval
    
 
    The server will perform zone maintenance tasks
 for all zones marked as dialup whenever this
@@ -1891,7 +1891,7 @@ statement in th
 The client resolver code should rearrange the RRs as appropriate,
 that is, using any addresses on the local net in preference to other addresses.
 However, not all resolvers can do this or are correctly configured.
-When a client is using a local server the sorting can be performed
+When a client is using a local server, the sorting can be performed
 in the server, based on the client's address. This only requires
 configuring the nameservers, not all the clients.
    
 
    The sortlist statement (see below) takes
@@ -1971,7 +1971,7 @@ See also the sortlist statement,
 
    
 
    If no class is specified, the default is ANY.
 If no type is specified, the default is ANY.
-If no name is specified, the default is "*".
    
+If no name is specified, the default is "*" (asterisk).
    
 
    The legal values for ordering are:
    
 
    
 
 

    
                 
    
                   A named list of one or more ip_addr
-                  with optional key_id and / or
+                  with optional key_id and/or
                   ip_port.
                   A masters_list may include other
                   masters_lists.
@@ -270,7 +270,7 @@
                   through 65535, with values
                   below 1024 typically restricted to use by processes running
                   as root.
-                  In some cases an asterisk (`*') character can be used as a
+                  In some cases, an asterisk (`*') character can be used as a
                   placeholder to
                   select a random high-numbered port.
                 
    
@@ -332,7 +332,7 @@
                   		
 
                 
    
-                  A non-negative 32 bit integer
+                  A non-negative 32-bit integer
                   (i.e., a number between 0 and 4294967295, inclusive).
                   Its acceptable value might further
                   be limited by the context in which it is used.
@@ -857,7 +857,7 @@
 
 
    
 
    
-controls Statement Grammar
    
+controls Statement Grammar
    
 
    controls {
    [ inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys { key_list }; ]
@@ -965,9 +965,9 @@
           named is running as) can access it.
           If you
           desire greater flexibility in allowing other users to access
-          rndc commands then you need to create
-          an
-          rndc.conf and make it group
+          rndc commands, then you need to create
+          a
+          rndc.conf file and make it group
           readable by a group
           that contains the users who should have access.
         
    
@@ -1147,9 +1147,9 @@
             option, then
             named will retain that many backup
             versions of the file by
-            renaming them when opening.  For example, if you choose to keep 3
-            old versions
-            of the file lamers.log then just
+            renaming them when opening.  For example, if you choose to keep
+            three old versions
+            of the file lamers.log, then just
             before it is opened
             lamers.log.1 is renamed to
             lamers.log.2, lamers.log.0 is renamed
@@ -1563,7 +1563,7 @@ category notify { null; };
                     
    
                     
    
                       The query log entry reports the client's IP address and
-                      port number.  The
+                      port number, and the
                       query name, class and type.  It also reports whether the
                       Recursion Desired
                       flag was set (+ if set, - if not set), EDNS was in use
@@ -2006,7 +2006,7 @@ digits" + "tkey-domain". In most cases,
               
    
 
    preferred-glue
    
 
    
-                If specified the listed type (A or AAAA) will be emitted
+                If specified, the listed type (A or AAAA) will be emitted
                 before other glue
                 in the additional section of a query response.
                 The default is not to preference any type (NONE).
@@ -2019,7 +2019,7 @@ digits" + "tkey-domain". In most cases,
                 exclude list.
               
    
 
    
-                Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US"
+                Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
                 and "MUSEUM").
               
    
 
    @@ -2038,7 +2038,7 @@ options {
               
    
 
    dnssec-lookaside
    
 
    
-                When set dnssec-lookaside
+                When set, dnssec-lookaside
                 provides the
                 validator with an alternate method to validate DNSKEY records
                 at the
@@ -2056,12 +2056,12 @@ options {
               
    
 
    dnssec-must-be-secure
    
 
    
-                Specify hierarchies which must / may not be secure (signed and
+                Specify hierarchies which must be or may not be secure (signed and
                 validated).
-                If yes then named will only accept
+                If yes, then named will only accept
                 answers if they
                 are secure.
-                If no then normal dnssec validation
+                If no, then normal dnssec validation
                 applies
                 allowing for insecure answers to be accepted.
                 The specified domain must be under a trusted-key or
@@ -2097,7 +2097,7 @@ options {
                   If yes, then the
                   server treats all zones as if they are doing zone transfers
                   across
-                  a dial on demand dialup link, which can be brought up by
+                  a dial-on-demand dialup link, which can be brought up by
                   traffic
                   originating from this server. This has different effects
                   according
@@ -2116,7 +2116,7 @@ options {
                   option.
                 
    
 
    
-                  If the zone is a master zone then the server will send out a
+                  If the zone is a master zone, then the server will send out a
                   NOTIFY
                   request to all the slaves (default). This should trigger the
                   zone serial
@@ -2600,7 +2600,7 @@ options {
 
    ixfr-from-differences
    
 
    
 
    
-                  When 'yes' and the server loads a new version of a master
+                  When yes and the server loads a new version of a master
                   zone from its zone file or receives a new version of a slave
                   file by a non-incremental zone transfer, it will compare
                   the new version to the previous one and calculate a set
@@ -2633,7 +2633,7 @@ options {
 
    
                   This should be set when you have multiple masters for a zone
                   and the
-                  addresses refer to different machines.  If 'yes' named will
+                  addresses refer to different machines.  If yes, named will
                   not log
                   when the serial number on the master is less than what named
                   currently
@@ -2641,7 +2641,7 @@ options {
                 
    
 
    dnssec-enable
    
 
    
-                  Enable DNSSEC support in named.  Unless set to yes
+                  Enable DNSSEC support in named.  Unless set to yes,
                   named behaves as if it does not support DNSSEC.
                   The default is yes.
                 
    
@@ -2654,14 +2654,14 @@ options {
                 
    
 
    dnssec-accept-expired
    
 
    
-                  When verifying DNSSEC signatures accept expired signatures.
+                  Accept expired signatures when verifying DNSSEC signatures.
                   The default is no.
                 
    
 
    querylog
    
 
    
                   Specify whether query logging should be started when named
-                  start.
-                  If querylog is not specified
+                  starts.
+                  If querylog is not specified,
                   then the query logging
                   is determined by the presence of the logging category queries.
                 
    
@@ -2677,11 +2677,11 @@ options {
                   master zones the default is fail.
                   For slave zones the default
                   is warn.
-                  For answer received from the network (response)
+                  For answers received from the network (response)
                   the default is ignore.
                 
    
 
    
-                  The rules for legal hostnames or mail domains are derived
+                  The rules for legal hostnames and mail domains are derived
                   from RFC 952 and RFC 821 as modified by RFC 1123.
                 
    
 
    check-names
@@ -2737,7 +2737,7 @@ options {
                 
    
 
    check-sibling
    
 
    
-                  When performing integrity checks also check that
+                  When performing integrity checks, also check that
                   sibling glue exists.  The default is yes.
                 
    
 
    zero-no-soa-ttl
    
@@ -2772,7 +2772,7 @@ options {
 
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2789,8 +2789,8 @@ options {
                   This option is only meaningful if the
                   forwarders list is not empty. A value of first,
                   the default, causes the server to query the forwarders
-                  first, and
-                  if that doesn't answer the question the server will then
+                  first — and
+                  if that doesn't answer the question, the server will then
                   look for
                   the answer itself. If only is
                   specified, the
@@ -2816,7 +2816,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -2828,11 +2828,11 @@ options {
 
    dual-stack-servers
    
 
    
                   Specifies host names or addresses of machines with access to
-                  both IPv4 and IPv6 transports. If a hostname is used the
+                  both IPv4 and IPv6 transports. If a hostname is used, the
                   server must be able
                   to resolve the name using only the transport it has.  If the
                   machine is dual
-                  stacked then the dual-stack-servers have no effect unless
+                  stacked, then the dual-stack-servers have no effect unless
                   access to a transport has been disabled on the command line
                   (e.g. named -4).
                 
    
@@ -2976,7 +2976,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3056,20 +3056,20 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 
    
 
    
-Query Address
    
+Query Address
    
 
    
             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
             the address and port used for such queries. For queries sent over
             IPv6, there is a separate query-source-v6 option.
-            If address is * or is omitted,
+            If address is * (asterisk) or is omitted,
             a wildcard IP address (INADDR_ANY)
             will be used.
             If port is * or is omitted,
-            a random unprivileged port will be used, avoid-v4-udp-ports
-            and avoid-v6-udp-ports can be used
+            a random unprivileged port will be used. The avoid-v4-udp-ports
+            and avoid-v6-udp-ports options can be used
             to prevent named
-            from selecting certain ports. The defaults are
+            from selecting certain ports. The defaults are:
           
    
 
    query-source address * port *;
 query-source-v6 address * port *;
@@ -3281,7 +3281,7 @@ query-source-v6 address * port *;
 
    
 
    Note
    
                   If you do not wish the alternate transfer source
-                  to be used you should set
+                  to be used, you should set
                   use-alt-transfer-source
                   appropriately and you should not depend upon
                   getting a answer back to the first refresh
@@ -3336,7 +3336,7 @@ query-source-v6 address * port *;
 
    
 
    
 
    
-Bad UDP Port Lists
    
+Bad UDP Port Lists
    
 
    avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3350,7 +3350,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3409,7 +3409,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Server  Resource Limits
    
+Server  Resource Limits
    
 
    
             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3435,7 +3435,7 @@ query-source-v6 address * port *;
                 
    
 
    host-statistics-max
    
 
    
-                  In BIND 8, specifies the maximum number of host statistic
+                  In BIND 8, specifies the maximum number of host statistics
                   entries to be kept.
                   Not implemented in BIND 9.
                 
    
@@ -3487,7 +3487,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -3495,7 +3495,7 @@ query-source-v6 address * port *;
                   from the cache every cleaning-interval minutes.
                   The default is 60 minutes.  The maximum value is 28 days
                   (40320 minutes).
-                  If set to 0, no  periodic cleaning will occur.
+                  If set to 0, no periodic cleaning will occur.
                 
    
 
    heartbeat-interval
    
 
    
@@ -3600,7 +3600,7 @@ query-source-v6 address * port *;
             other addresses.
             However, not all resolvers can do this or are correctly
             configured.
-            When a client is using a local server the sorting can be performed
+            When a client is using a local server, the sorting can be performed
             in the server, based on the client's address. This only requires
             configuring the name servers, not all the clients.
           
    
@@ -3714,7 +3714,7 @@ query-source-v6 address * port *;
 
    
             If no class is specified, the default is ANY.
             If no type is specified, the default is ANY.
-            If no name is specified, the default is "*".
+            If no name is specified, the default is "*" (asterisk).
           
    
 
    
             The legal values for ordering are:
@@ -3796,13 +3796,13 @@ query-source-v6 address * port *;
                   Sets the number of seconds to cache a
                   lame server indication. 0 disables caching. (This is
                   NOT recommended.)
-                  Default is 600 (10 minutes).
-                  Maximum value is
+                  The default is 600 (10 minutes) and the
+                  maximum value is
                   1800 (30 minutes).
                 
    
 
    max-ncache-ttl
    
 
    
-                  To reduce network traffic and increase performance
+                  To reduce network traffic and increase performance,
                   the server stores negative answers. max-ncache-ttl is
                   used to set a maximum retention time for these answers in
                   the server
@@ -3823,7 +3823,7 @@ query-source-v6 address * port *;
 
    
                   The minimum number of root servers that
                   is required for a request for the root servers to be
-                  accepted. Default
+                  accepted. The default
                   is 2.
                 
    
 
    
@@ -3871,11 +3871,11 @@ query-source-v6 address * port *;
 
    
 
    edns-udp-size
    
 
    
-                  Sets the advertised EDNS UDP buffer size.  Valid
+                  Sets the advertised EDNS UDP buffer size in bytes.  Valid
                   values are 512 to 4096 (values outside this range
                   will be silently adjusted).  The default value is
                   4096.  The usual reason for setting edns-udp-size to
-                  a non default value it to get UDP answers to pass
+                  a non-default value it to get UDP answers to pass
                   through broken firewalls that block fragmented
                   packets and/or block UDP packets that are greater
                   than 512 bytes.
@@ -3883,10 +3883,10 @@ query-source-v6 address * port *;
 
    max-udp-size
    
 
    
                   Sets the maximum EDNS UDP message size named will
-                  send.  Valid values are 512 to 4096 (values outside
+                  send in bytes.  Valid values are 512 to 4096 (values outside
                   this range will be silently adjusted).  The default
                   value is 4096.  The usual reason for setting
-                  max-udp-size to a non default value it to get UDP
+                  max-udp-size to a non-default value is to get UDP
                   answers to pass through broken firewalls that
                   block fragmented packets and/or block UDP packets
                   that are greater than 512 bytes.
@@ -3898,7 +3898,7 @@ query-source-v6 address * port *;
                   The default value is text, which is the
                   standard textual representation.  Files in other formats
                   than text are typically expected
-                  to be generated by the named-compilezone.
+                  to be generated by the named-compilezone tool.
                   Note that when a zone file in a different format than
                   text is loaded, named
                   may omit some of the checks which would be performed for a
@@ -3931,20 +3931,20 @@ query-source-v6 address * port *;
 
    
                   This value should reflect how many queries come in for
                   a given name in the time it takes to resolve that name.
-                  If the number of queries exceed this value named will
+                  If the number of queries exceed this value, named will
                   assume that it is dealing with a non-responsive zone
                   and will drop additional queries.  If it gets a response
-                  after dropping queries it will raise the estimate.  The
+                  after dropping queries, it will raise the estimate.  The
                   estimate will then be lowered in 20 minutes if it has
                   remained unchanged.
                 
    
 
    
-                  If clients-per-query is set to zero
+                  If clients-per-query is set to zero,
                   then there is no limit on the number of clients per query
                   and no queries will be dropped.
                 
    
 
    
-                  If max-clients-per-query is set to zero
+                  If max-clients-per-query is set to zero,
                   then there is no upper bound other than imposed by
                   recursive-clients.
                 
    
@@ -4071,7 +4071,7 @@ query-source-v6 address * port *;
             views of class IN.  Disabled empty zones are only inherited
             from options if there are no disabled empty zones specified
             at the view level.  To override the options list of disabled
-            zones you can disable the root zone at the view level, for example:
+            zones, you can disable the root zone at the view level, for example:
 
    
 
                 disable-empty-zone ".";
@@ -4079,7 +4079,7 @@ query-source-v6 address * port *;
 
    
           
    
 
    
-            If you are using the address ranges covered here you should
+            If you are using the address ranges covered here, you should
             already have reverse zones covering the addresses you use.
             In practice this appears to not be the case with many queries
             being made to the infrustructure servers for names in these
@@ -4091,30 +4091,30 @@ query-source-v6 address * port *;
 
    Note
    
             The real parent servers for these zones should disable all
             empty zone under the parent zone they serve.  For the real
-            root servers this is all built in empty zones.  This will
+            root servers, this is all built in empty zones.  This will
             enable them to return referrals to deeper in the tree.
           
    
 
    
 
    empty-server
    
 
    
                   Specify what server name will appear in the returned
-                  SOA record for empty zones.  If none is specified then
+                  SOA record for empty zones.  If none is specified, then
                   the zone's name will be used.
                 
    
 
    empty-contact
    
 
    
                   Specify what contact name will appear in the returned
-                  SOA record for empty zones.  If none is specified then
+                  SOA record for empty zones.  If none is specified, then
                   "." will be used.
                 
    
 
    empty-zones-enable
    
 
    
-                  Enable / disable all empty zones.  By default they
+                  Enable or disable all empty zones.  By default they
                   are enabled.
                 
    
 
    disable-empty-zone
    
 
    
-                  Disable a indiviual empty zones.  By default none are
+                  Disable individual empty zones.  By default none are
                   disabled.  This option can be specified multiple times.
                 
    
 
    
@@ -4321,15 +4321,14 @@ query-source-v6 address * port *;
                   based
                   algorithm, every acache-cleaning-interval minutes.
                   The default is 60 minutes.
-                  If set to 0, no  periodic cleaning will occur.
+                  If set to 0, no periodic cleaning will occur.
                 
    
 
    max-acache-size
    
 
    
-                  The maximum amount of memory to use for the server's acache,
-                  in bytes.
+                  The maximum amount of memory in bytes to use for the server's acache.
                   When the amount of data in the acache reaches this limit,
                   the server
-                  will clean more aggressivly so that the limit is not
+                  will clean more aggressively so that the limit is not
                   exceeded.
                   In a server with multiple views, the limit applies
                   separately to the
@@ -4372,7 +4371,7 @@ query-source-v6 address * port *;
             The server statement defines
             characteristics
             to be associated with a remote name server.  If a prefix length is
-            specified then a range of servers is covered.  Only the most
+            specified, then a range of servers is covered.  Only the most
             specific
             server clause applies regardless of the order in
             named.conf.
@@ -4445,7 +4444,7 @@ query-source-v6 address * port *;
 
    
             The edns-udp-size option sets the EDNS UDP size
             that is advertised by named when querying the remote server.
-            Valid values are 512 to 4096 (values outside this range will be
+            Valid values are 512 to 4096 bytes (values outside this range will be
             silently adjusted).  This option is useful when you wish to
             advertises a different value to this server than the value you
             advertise globally, for example, when there is a firewall at the
@@ -4454,7 +4453,7 @@ query-source-v6 address * port *;
 
    
             The max-udp-size option sets the
             maximum EDNS UDP message size named will send.  Valid
-            values are 512 to 4096 (values outside this range will
+            values are 512 to 4096 bytes (values outside this range will
             be silently adjusted).  This option is useful when you
             know that there is a firewall that is blocking large
             replies from named.
@@ -4509,7 +4508,7 @@ query-source-v6 address * port *;
             Similarly, for an IPv6 remote server, only
             transfer-source-v6 can be
             specified.
-            Form more details, see the description of
+            For more details, see the description of
             transfer-source and
             transfer-source-v6 in
             the section called “Zone Transfers”.
@@ -4535,7 +4534,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4544,7 +4543,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -4562,7 +4561,7 @@ query-source-v6 address * port *;
             trusted-keys are deemed to exist regardless
             of what parent zones say.  Similarly for all keys listed in
             trusted-keys only those keys are
-            used to validate the DNSKEY RRset.  The parents DS RRset
+            used to validate the DNSKEY RRset.  The parent's DS RRset
             will not be used.
           
    
 
    
@@ -4587,7 +4586,7 @@ query-source-v6 address * port *;
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -4670,7 +4669,7 @@ query-source-v6 address * port *;
           
    
 
    
             Here is an example of a typical split DNS setup implemented
-            using view statements.
+            using view statements:
           
    
 
    view "internal" {
       // This should match our internal networks.
@@ -4839,10 +4838,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    @@ -4898,7 +4897,7 @@ zone zone_name [example.com might place
                         the zone contents into a file called
@@ -4993,8 +4992,8 @@ zone zone_name [forward option
-                        (that is, "forward first
-                        to", then "forward only", or vice versa, but want to
+                        (that is, "forward first"
+                        to, then "forward only", or vice versa, but want to
                         use the same
                         servers as set globally) you need to re-specify the
                         global forwarders.
@@ -5030,14 +5029,14 @@ zone zone_name [
 
@@ -5561,7 +5560,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -5574,7 +5573,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -5614,7 +5613,7 @@ zone zone_name [
 
    
@@ -5627,8 +5626,8 @@ zone zone_name [
 
@@ -5898,7 +5897,7 @@ zone zone_name [
                       
    
                         Identifies a mail exchange for the domain with
-                        a 16 bit preference value (lower is better)
+                        a 16-bit preference value (lower is better)
                         followed by the host name of the mail exchange.
                         Described in RFC 974, RFC 1035.
                       
    
@@ -6225,7 +6224,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6369,13 +6368,13 @@ zone zone_name [
 
    
 
 

    
                       
    
-                        This is used to enforce the delegation only
+                        This is used to enforce the delegation-only
                         status of infrastructure zones (e.g. COM, NET, ORG).
                         Any answer that
-                        is received without a explicit or implicit delegation
+                        is received without an explicit or implicit delegation
                         in the authority
                         section will be treated as NXDOMAIN.  This does not
                         apply to the zone
-                        apex.  This SHOULD NOT be applied to leaf zones.
+                        apex.  This should not be applied to leaf zones.
                       
    
                       
    
                         delegation-only has no
@@ -5051,7 +5050,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5073,7 +5072,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -5203,7 +5202,7 @@ zone zone_name [delegation-only
 
    
                     The flag only applies to hint and stub zones.  If set
-                    to yes then the zone will also be
+                    to yes, then the zone will also be
                     treated as if it
                     is also a delegation-only type zone.
                   
    
@@ -5219,7 +5218,7 @@ zone zone_name [
    
                     Used to override the list of global forwarders.
                     If it is not specified in a zone of type forward,
-                    no forwarding is done for the zone; the global options are
+                    no forwarding is done for the zone and the global options are
                     not used.
                   
    
 
    ixfr-base
    
@@ -5506,7 +5505,7 @@ zone zone_name [identity would
-                        be specified as * in
+                        be specified as * (an asterisk) in
                         this case.
                       
    
                     
    		
                       
    
-                        An encoded 16 bit value that specifies
+                        An encoded 16-bit value that specifies
                         the type of the resource record.
                       
    
                         		
                       
    
-                        The time to live of the RR. This field
-                        is a 32 bit integer in units of seconds, and is
+                        The time-to-live of the RR. This field
+                        is a 32-bit integer in units of seconds, and is
                         primarily used by
                         resolvers when they cache RRs. The TTL describes how
                         long a RR can
@@ -5644,7 +5643,7 @@ zone zone_name [
 
    		
                       
    
-                        An encoded 16 bit value that identifies
+                        An encoded 16-bit value that identifies
                         a protocol family or instance of a protocol.
                       
    
                     
    
 
    
-              The MX RRs have an RDATA section which consists of a 16 bit
+              The MX RRs have an RDATA section which consists of a 16-bit
               number followed by a domain name.  The address RRs use a
               standard
-              IP address format to contain a 32 bit internet address.
+              IP address format to contain a 32-bit internet address.
             
    
 
    
-              This example shows six RRs, with two RRs at each of three
+              The above example shows six RRs, with two RRs at each of three
               domain names.
             
    
 
    
@@ -6428,7 +6427,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6615,7 +6614,7 @@ zone zone_name [
    
 Setting TTLs
    
 
    
-            The time to live of the RR field is a 32 bit integer represented
+            The time-to-live of the RR field is a 32-bit integer represented
             in units of seconds, and is primarily used by resolvers when they
             cache RRs. The TTL describes how long a RR can be cached before it
             should be discarded. The following three types of TTL are
@@ -6686,7 +6685,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6747,7 +6746,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6762,7 +6761,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -6790,7 +6789,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -6826,7 +6825,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -6845,7 +6844,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -6890,7 +6889,7 @@ $GENERATE 1-127 $ CNAME $.0
    
 
    		
                     
    
                       This can be one of two forms: start-stop
-                      or start-stop/step. If the first form is used then step
+                      or start-stop/step. If the first form is used, then step
                       is set to
                       1. All of start, stop and step must be positive.
                     
    
@@ -6904,6 +6903,7 @@ $GENERATE 1-127 $ CNAME $.0
                     
    lhs
                       describes the owner name of the resource records
                       to be created.  Any single $
+                      (dollar sign)
                       symbols within the lhs side
                       are replaced by the iterator value.
 
@@ -6921,7 +6921,7 @@ $GENERATE 1-127 $ CNAME $.0
                       ${offset[,width[,base]]}.
                       For example, ${-20,3,d}
                       subtracts 20 from the current value, prints the
-                      result as a decimal in a zero padded field of
+                      result as a decimal in a zero-padded field of
                       width 3.
 
                       Available output forms are decimal
@@ -6935,7 +6935,7 @@ $GENERATE 1-127 $ CNAME $.0
                       to the name.
                     
    
                     
    
-                      For compatibility with earlier versions $$ is still
+                      For compatibility with earlier versions, $$ is still
                       recognized as indicating a literal $ in the output.
                     
    
                   
    
 
    An IP port number.
  number is limited to 0 through 65535, with values
 below 1024 typically restricted to root-owned processes. In some
-cases an asterisk (`*') character can be used as a placeholder to
+cases, an asterisk (`*') character can be used as a placeholder to
 select a random high-numbered port.
    		
 
    
 
    
 
    
 
    number
    A non-negative 32 bit unsigned integer
+
    A non-negative 32-bit unsigned integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
 be limited by the context in which it is used.
    @@ -2060,10 +2060,10 @@ clients that are supplied recursive service.
    
 
    Sets the number of seconds to cache a
 lame server indication. 0 disables caching. (This is
 NOT recommended.)
-Default is 600 (10 minutes). Maximum value is 
+The default is 600 (10 minutes) and the maximum value is 
 1800 (30 minutes).
    
 
    max-ncache-ttl
    
-
    To reduce network traffic and increase performance
+
    To reduce network traffic and increase performance,
 the server stores negative answers. max-ncache-ttl is
 used to set a maximum retention time for these answers in the server
 in seconds. The default
@@ -2071,7 +2071,7 @@ in seconds. The default
 max-ncache-ttl cannot exceed 7 days and will
 be silently truncated to 7 days if set to a greater value.
    
 
    host-statistics-max
    
-
    In BIND 8, specifies the maximum number of host statistic
+
    In BIND 8, specifies the maximum number of host statistics
 entries to be kept.
 Not implemented in BIND 9.
 
    
@@ -2082,7 +2082,7 @@ answers. The default is one week (7 days).
    
 
    min-roots
    
 
    
 
    The minimum number of root servers that
-is required for a request for the root servers to be accepted. Default
+is required for a request for the root servers to be accepted. The default
 is 2.
    
 
    
 
    Note
    
@@ -2278,7 +2278,7 @@ supported.
    
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -2287,7 +2287,7 @@ supported.
    
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
 and Usage
    
 
    The trusted-keys statement defines DNSSEC
 security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the public key for a non-authoritative
@@ -2303,7 +2303,7 @@ key data.
    
 
    
 
    
 
    
-view Statement Grammar
    
+view Statement Grammar
    
 
    view view_name [class] {
       match-clients { address_match_list } ;
       match-destinations { address_match_list } ;
@@ -2316,7 +2316,7 @@ key data.
    
 
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    The view statement is a powerful new feature
 of BIND 9 that lets a name server answer a DNS query differently
 depending on who is asking. It is particularly useful for implementing
@@ -2358,7 +2358,7 @@ this default view.  If any explicit view<
 are present, all zone statements must occur inside
 view statements.
    
 
    Here is an example of a typical split DNS setup implemented
-using view statements.
    
+using view statements:
    
 
    view "internal" {
                // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
@@ -2499,10 +2499,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 

    @@ -2530,7 +2530,7 @@ and reloaded from this file on a server restart. Use of a file is
 recommended, since it often speeds server startup and eliminates
 a needless waste of bandwidth. Note that for large numbers (in the
 tens or hundreds of thousands) of zones per server, it is best to
-use a two level naming scheme for zone file names. For example,
+use a two-level naming scheme for zone file names. For example,
 a slave server for the zone example.com might place
 the zone contents into a file called
 ex/example.com where ex/ is
@@ -2582,8 +2582,8 @@ an empty list for forwarders is gi
 forwarding will be done for the domain, canceling the effects of
 any forwarders in the options statement. Thus
 if you want to use this type of zone to change the behavior of the
-global forward option (that is, "forward first
-to", then "forward only", or vice versa, but want to use the same
+global forward option (that is, "forward first"
+to, then "forward only", or vice versa, but want to use the same
 servers as set globally) you need to respecify the global forwarders.
    
 
 
@@ -2613,7 +2613,7 @@ from forwarders.
    
 
 
    
 
    
-Class
    
+Class
    
 
    The zone's name may optionally be followed by a class. If
 a class is not specified, class IN (for Internet),
 is assumed. This is correct for the vast majority of cases.
    
@@ -2628,7 +2628,7 @@ in the mid-1970s. Zone data for it can be specified with the 
 
    
-Zone Options
    
+Zone Options
 
    
 
    allow-notify
    
 
    See the description of
@@ -2700,7 +2700,7 @@ with the distribution but none are linked in by default.
    
 dialup in the section called “Boolean Options”.
    
 
    delegation-only
    
 
    The flag only applies to hint and stub zones.  If set
-to yes then the zone will also be treated as if it
+to yes, then the zone will also be treated as if it
 is also a delegation-only type zone.
 
    
 
    forward
    
@@ -2711,7 +2711,7 @@ allow a normal lookup to be tried.
    
 
    forwarders
    
 
    Used to override the list of global forwarders.
 If it is not specified in a zone of type forward,
-no forwarding is done for the zone; the global options are not used.
    
+no forwarding is done for the zone and the global options are not used.
    
 
    ixfr-base
    
 
    Was used in BIND 8 to specify the name
 of the transaction log (journal) file for dynamic update and IXFR.
@@ -2844,7 +2844,7 @@ SIG, NS, SOA, and NXT. Types may be specified by name, including
 
    
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -2854,7 +2854,7 @@ Since the publication of RFC 1034, several new RRs have been identified
 and implemented in the DNS. These are also included.
    
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    A domain name identifies a node.  Each node has a set of
         resource information, which may be empty.  The set of resource
         information associated with a particular name is composed of
@@ -2876,20 +2876,20 @@ and implemented in the DNS. These are also included.
    
 
     
-
-
-
@@ -3068,7 +3068,7 @@ data that describes the resource:
    
     
-
+
@@ -3088,7 +3088,7 @@ a name from the DNAME record's RDATA.
    
     
-
@@ -3129,7 +3129,7 @@ used as "pointers" to other data in the DNS.
    
 
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    RRs are represented in binary form in the packets of the DNS
 protocol, and are usually represented in highly encoded form when
 stored in a nameserver or resolver.  In the examples provided in
@@ -3188,10 +3188,10 @@ knowledge of the typical representation for the data.
    
 
 
    
 
 

    
 
    type
    an encoded 16 bit value that specifies
+
    an encoded 16-bit value that specifies
 the type of the resource in this resource record. Types refer to
 abstract resources.
    		
 
    
 
    
 
    TTL
    the time to live of the RR. This field
-is a 32 bit integer in units of seconds, and is primarily used by
+
    the time-to-live of the RR. This field
+is a 32-bit integer in units of seconds, and is primarily used by
 resolvers when they cache RRs. The TTL describes how long a RR can
 be cached before it should be discarded.
    		
 
    
 
    
 
    class
    an encoded 16 bit value that identifies
+
    an encoded 16-bit value that identifies
 a protocol family or instance of a protocol.
    		
 
    
 
    
 
    
 
    A
    for the IN class, a 32 bit IP address.
    for the IN class, a 32-bit IP address.
    		
 
    
 
    
 
    A6
    
 
    
 
    MX
    a 16 bit preference value (lower is better)
+
    a 16-bit preference value (lower is better)
 followed by a host name willing to act as a mail exchange for the
 owner domain.
    		
 
    
 
    
-
    The MX RRs have an RDATA section which consists of a 16 bit
+
    The MX RRs have an RDATA section which consists of a 16-bit
 number followed by a domain name.  The address RRs use a standard
-IP address format to contain a 32 bit internet address.
    
-
    This example shows six RRs, with two RRs at each of three
+IP address format to contain a 32-bit internet address.
    
+
    The above example shows six RRs, with two RRs at each of three
 domain names.
    
 
    Similarly we might see:
    
 
    
@@ -3219,7 +3219,7 @@ each of a different class.
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    As described above, domain servers store information as a
 series of resource records, each of which contains a particular
 piece of information about a given domain name (which is usually,
@@ -3296,7 +3296,7 @@ be attempted.
    
 
    
 Setting TTLs
    
-
    The time to live of the RR field is a 32 bit integer represented
+
    The time-to-live of the RR field is a 32-bit integer represented
 in units of seconds, and is primarily used by resolvers when they
 cache RRs. The TTL describes how long a RR can be cached before it
 should be discarded. The following three types of TTL are currently
@@ -3336,7 +3336,7 @@ can be explicitly specified, for example, 1h30m. 
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    Reverse name resolution (that is, translation from IP address
 to name) is achieved by means of the in-addr.arpa domain
 and PTR records. Entries in the in-addr.arpa domain are made in
@@ -3374,7 +3374,7 @@ that the example is relative to the listed origin.
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    The Master File Format was initially defined in RFC 1035 and
 has subsequently been extended. While the Master File Format itself
 is class independent all records in a Master File must be of the same
@@ -3383,7 +3383,7 @@ class.
    
 and $TTL.
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    Syntax: $ORIGIN
 domain-name [ comment]
    $ORIGIN sets the domain name that will
@@ -3398,7 +3398,7 @@ WWW     CNAME   MAIN-SERVER
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    Syntax: $INCLUDE
 filename [
 origin ] [ comment ]
    
@@ -3422,7 +3422,7 @@ This could be construed as a deviation from RFC 1035, a feature, or both.
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    Syntax: $TTL
 default-ttl [
 comment ]
    
@@ -3433,7 +3433,7 @@ with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    .
+BIND Master File Extension: the  $GENERATE Directive
    .
         
    Syntax: $GENERATE range lhs type rhs [ comment ]
    $GENERATE is used to create a series of
 resource records that only differ from each other by an iterator. $GENERATE can
@@ -3460,14 +3460,15 @@ $GENERATE 1-127 $ CNAME $.0
 
    
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index f8d8fb0f2d..c18a340a8a 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
@@ -46,11 +46,11 @@
 
    Table of Contents
    
 
    Access Control Lists
    
-
    chroot and setuid (for
+
    chroot and setuid (for
 UNIX servers)
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -68,8 +68,8 @@ your nameserver, without cluttering up your config files with huge
 lists of IP addresses.
    It is a good idea to use ACLs, and to
 control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and DoS attacks against
-your server.
    
+outside parties can help prevent spoofing and denial of service (DoS)
+attacks against your server.
    Here is an example of how to properly apply ACLs:
     // Set up an ACL named "bogusnets" that will block RFC1918 space,
@@ -102,22 +102,22 @@ see the AUSCERT advisory at
 
 
    
 
    
-chroot and setuid (for
+chroot and setuid (for
 UNIX servers)
    
 
    On UNIX servers, it is possible to run BIND in a chrooted environment
-(chroot()) by specifying the "-t"
+(using the chroot() function) by specifying the "-t"
 option. This can help improve system security by placing BIND in
 a "sandbox," which will limit the damage done if a server is compromised.
    
 
    Another useful feature in the UNIX version of BIND is the
 ability to run the daemon as a nonprivileged user ( -u user ).
 We suggest running as a nonprivileged user when using the chroot feature.
    
-
    Here is an example command line to load BIND in a chroot() sandbox, 
+
    Here is an example command line to load BIND in a chroot sandbox, 
 /var/named, and to run named setuid to
 user 202:
    
 
    /usr/local/bin/named -u 202 -t /var/named
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    In order for a chroot environment to
 work properly in a particular directory
 (for example, /var/named),
@@ -142,7 +142,7 @@ to set up things like
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    Prior to running the named daemon, use
 the touch utility (to change file access and
 modification times) or the chown utility (to
@@ -158,7 +158,7 @@ server is reloaded.
    
 Dynamic Update Security
 
    Access to the dynamic
 update facility should be strictly limited.  In earlier versions of
-BIND the only way to do this was based on the IP
+BIND, the only way to do this was based on the IP
 address of the host requesting the update, by listing an IP address or
 network prefix in the allow-update zone option.
 This method is insecure since the source address of the update UDP packet
@@ -174,7 +174,7 @@ cryptographically authenticated by means of transaction signatures
 list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the new update-policy
 option can be used.
    
-
    Some sites choose to keep all dynamically updated DNS data
+
    Some sites choose to keep all dynamically-updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP addresses
 of public web and mail servers need not allow dynamic update at
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 47402d8056..d88a2e4a10 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    The best solution to solving installation and
       configuration issues is to take preventative measures by setting
       up logging files beforehand. The log files provide a
@@ -66,7 +66,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    Zone serial numbers are just numbers-they aren't date
     related.  A lot of people set them to a number that represents a
     date, usually of the form YYYYMMDDRR. A number of people have been
@@ -87,7 +87,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    The Internet Software Consortium (ISC) offers a wide range
     of support and service agreements for BIND and DHCP servers. Four
     levels of premium support are available and each level includes
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index c320d641b1..aa60cb0bfa 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -43,32 +43,32 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgements
    
-
    A Brief History of the DNS and BIND
    
+
    Acknowledgements
    
+
    A Brief History of the DNS and BIND
    
 
    Historical DNS Information
    
 
    Classes of Resource Records
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (A6)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgements
    
+Acknowledgements
    
 
    
 
    
-A Brief History of the DNS and BIND
    
+A Brief History of the DNS and BIND
    
 
    Although the "official" beginning of the Domain Name
       System occurred in 1984 with the publication of RFC 920, the
       core of the new system was described in 1983 in RFCs 882 and
       883. From 1984 to 1987, the ARPAnet (the precursor to today's
       Internet) became a testbed of experimentation for developing the
-      new naming/addressing scheme in an rapidly expanding,
+      new naming/addressing scheme in a rapidly expanding,
       operational network environment.  New RFCs were written and
       published in 1987 that modified the original documents to
       incorporate improvements based on the working model. RFC 1034,
@@ -100,12 +100,12 @@ Mike Muuss, Jim Bloom and Mike Schwartz. BIND maint
 handled by Mike Karels and O. Kure.
    
 
    BIND versions 4.9 and 4.9.1 were released by Digital Equipment
 Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became BIND's primary caretaker. Paul was assisted
+a DEC employee, became BIND's primary caretaker. He was assisted
 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
 Wolfhugel, and others.
    
-
    BIND Version 4.9.2 was sponsored by Vixie Enterprises. Paul
+
    BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul
 Vixie became BIND's principal architect/programmer.
    
 
    BIND versions from 4.9.3 onward have been developed and maintained
 by the Internet Software Consortium with support being provided
@@ -125,7 +125,7 @@ individuals.
    
 Classes of Resource Records
 
    
 
    
-HS = hesiod
    
+HS = hesiod
    
 
    The [hesiod] class is an information service
 developed by MIT's Project Athena. It is used to share information
 about various systems databases, such as users, groups, printers
@@ -134,7 +134,7 @@ hesiod.
    
 
 
    
 
    
-CH = chaos
    
+CH = chaos
    
 
    The chaos class is used to specify zone
 data for the MIT-developed CHAOSnet, a LAN protocol created in the
 mid-1970s.
    
@@ -143,7 +143,7 @@ mid-1970s.
    
 
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (A6)
    
@@ -323,7 +323,7 @@ the number of the RFC). RFCs are also available via the Web at
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
@@ -423,11 +423,11 @@ after which they are deleted unless updated by their authors.
 
    
 
    
 
    
-Other Documents About BIND
    
+Other Documents About BIND
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index c27310f05a..b4f245c01a 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -143,62 +143,62 @@ Usage
 
    key Statement Definition and Usage
    
 
    logging Statement Grammar
    
 
    logging Statement Definition and Usage
    
-
    lwres Statement Grammar
    
-
    lwres Statement Definition and Usage
    
-
    options Statement Grammar
    
-
    options Statement Definition and Usage
    
+
    lwres Statement Grammar
    
+
    lwres Statement Definition and Usage
    
+
    options Statement Grammar
    
+
    options Statement Definition and Usage
    
 
    server Statement Grammar
    
 
    server Statement Definition and Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
 and Usage
    
-
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Grammar
    
+
    view Statement Definition and Usage
    
 
    zone
 Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    
 
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    chroot and setuid (for
+
    chroot and setuid (for
 UNIX servers)
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgements
    
-
    A Brief History of the DNS and BIND
    
+
    Acknowledgements
    
+
    A Brief History of the DNS and BIND
    
 
    Historical DNS Information
    
 
    Classes of Resource Records
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (A6)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 

From 08eadd404a59a6befcf51cb13695abee5d03456d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 07:26:42 +0000
Subject: [PATCH 284/465] 2043.   [port]          nsupdate/nslookup: Force the
 flushing of the prompt                         for interactive sessions.
 [RT#16148]

---
 CHANGES                 | 3 +++
 bin/dig/nslookup.c      | 3 ++-
 bin/nsupdate/nsupdate.c | 6 ++++--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6f8363b520..11981278f8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
+			for interactive sessions. [RT#16148]
+
 2042.	[bug]		named-checkconf was incorrectly rejecting the
 			logging category "config". [RT #16117]
 
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index d4fb87d923..2685b7cadc 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.111 2005/08/25 00:40:50 marka Exp $ */
+/* $Id: nslookup.c,v 1.112 2006/06/09 07:26:42 marka Exp $ */
 
 #include 
 
@@ -715,6 +715,7 @@ get_next_command(void) {
 	if (buf == NULL)
 		fatal("memory allocation failure");
 	fputs("> ", stderr);
+	fflush(stderr);
 	isc_app_block();
 	ptr = fgets(buf, COMMSIZE, stdin);
 	isc_app_unblock();
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index f55bc6fc1a..99ac4b83b0 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.143 2006/03/02 01:57:20 marka Exp $ */
+/* $Id: nsupdate.c,v 1.144 2006/06/09 07:26:42 marka Exp $ */
 
 /*! \file */
 
@@ -1499,8 +1499,10 @@ get_next_command(void) {
 	char *word;
 
 	ddebug("get_next_command()");
-	if (interactive)
+	if (interactive) {
 		fprintf(stdout, "> ");
+		fflush(stdout);
+	}
 	isc_app_block();
 	cmdline = fgets(cmdlinebuf, MAXCMD, input);
 	isc_app_unblock();

From fa2f7df995351489d4f7cd19e3d4a00f0241a291 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 07:28:36 +0000
Subject: [PATCH 285/465] 2043.   [port]          nsupdate/nslookup: Force the
 flushing of the prompt                         for interactive sessions.
 [RT#16148]

---
 CHANGES                 | 3 +++
 bin/dig/nslookup.c      | 3 ++-
 bin/nsupdate/nsupdate.c | 6 ++++--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 41bef0a5ee..daad2bb431 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
+			for interactive sessions. [RT#16148]
+
 2038.	[bug]		dig/nslookup/host was unlinking from wrong list
 			when handling errors. [RT #16122]
 
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 73b0442960..fc1e73f8e3 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.90.2.11 2005/07/12 05:47:53 marka Exp $ */
+/* $Id: nslookup.c,v 1.90.2.12 2006/06/09 07:28:36 marka Exp $ */
 
 #include 
 
@@ -657,6 +657,7 @@ get_next_command(void) {
 	if (buf == NULL)
 		fatal("memory allocation failure");
 	fputs("> ", stderr);
+	fflush(stderr);
 	isc_app_block();
 	ptr = fgets(buf, COMMSIZE, stdin);
 	isc_app_unblock();
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 5a4fb4c6ce..e37e88d359 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.103.2.26 2005/03/17 03:59:30 marka Exp $ */
+/* $Id: nsupdate.c,v 1.103.2.27 2006/06/09 07:28:36 marka Exp $ */
 
 #include 
 
@@ -1357,8 +1357,10 @@ get_next_command(void) {
 	char *word;
 
 	ddebug("get_next_command()");
-	if (interactive)
+	if (interactive) {
 		fprintf(stdout, "> ");
+		fflush(stdout);
+	}
 	isc_app_block();
 	cmdline = fgets(cmdlinebuf, MAXCMD, input);
 	isc_app_unblock();

From 396366ab0c68475a35a333fce72b8a0b3991aae8 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 23:17:51 +0000
Subject: [PATCH 286/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 648205eacb..73441e980d 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -41,6 +41,7 @@ rt15765				open
 rt15860				open	
 rt15978				review	
 rt16022				review	
+rt16156				new	
 rt1727				open		// ixfr-from-differences workfile
 skan				new	
 skan-metazones1			private	

From 271323dcc76671dc0be4d6ca904b7cf1b147b8ec Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 23:30:04 +0000
Subject: [PATCH 287/465] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index c46c715264..1b1dea9a6e 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -41,7 +41,7 @@
 ./bin/dig/host.html				HTML	DOCBOOK
 ./bin/dig/include/dig/dig.h			C	2000,2001,2003,2004,2005
 ./bin/dig/nslookup.1				MAN	DOCBOOK
-./bin/dig/nslookup.c				C	2000,2001,2002,2003,2004,2005
+./bin/dig/nslookup.c				C	2000,2001,2002,2003,2004,2005,2006
 ./bin/dig/nslookup.docbook			SGML	2004,2005,2006
 ./bin/dig/nslookup.html				HTML	DOCBOOK
 ./bin/dig/win32/dig.dsp				X	2001
@@ -165,7 +165,7 @@
 ./bin/nsupdate/.cvsignore			X	2000,2001
 ./bin/nsupdate/Makefile.in			MAKE	2000,2001,2004
 ./bin/nsupdate/nsupdate.8			MAN	DOCBOOK
-./bin/nsupdate/nsupdate.c			C	2000,2001,2002,2003,2004,2005
+./bin/nsupdate/nsupdate.c			C	2000,2001,2002,2003,2004,2005,2006
 ./bin/nsupdate/nsupdate.docbook			SGML	2000,2001,2003,2004,2005
 ./bin/nsupdate/nsupdate.html			HTML	DOCBOOK
 ./bin/nsupdate/win32/nsupdate.dsp		X	2001

From 3f6174bffe227be44e241a29d186add00c032ff6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 23:30:26 +0000
Subject: [PATCH 288/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 0780ddd57f..56cafde6b8 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -41,7 +41,7 @@
 ./bin/dig/host.html				HTML	DOCBOOK
 ./bin/dig/include/dig/dig.h			C	2000,2001,2002,2003,2004,2005,2006
 ./bin/dig/nslookup.1				MAN	DOCBOOK
-./bin/dig/nslookup.c				C	2000,2001,2002,2003,2004,2005
+./bin/dig/nslookup.c				C	2000,2001,2002,2003,2004,2005,2006
 ./bin/dig/nslookup.docbook			SGML	2004,2005,2006
 ./bin/dig/nslookup.html				HTML	DOCBOOK
 ./bin/dig/win32/dig.dsp				X	2001,2005

From bdecdef309cb5ce97c826c97514cec76754f2c1b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 23:50:52 +0000
Subject: [PATCH 289/465] update copyright notice

---
 bin/dig/nslookup.c      | 4 ++--
 bin/nsupdate/nsupdate.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index fc1e73f8e3..c6bf1117ab 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.90.2.12 2006/06/09 07:28:36 marka Exp $ */
+/* $Id: nslookup.c,v 1.90.2.13 2006/06/09 23:50:52 marka Exp $ */
 
 #include 
 
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index e37e88d359..64f64d9072 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.103.2.27 2006/06/09 07:28:36 marka Exp $ */
+/* $Id: nsupdate.c,v 1.103.2.28 2006/06/09 23:50:52 marka Exp $ */
 
 #include 
 

From ae34d05b2093786c69ccd4953d5bc54dda90807a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Jun 2006 23:50:55 +0000
Subject: [PATCH 290/465] update copyright notice

---
 bin/dig/nslookup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 2685b7cadc..f02f6c13a2 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.112 2006/06/09 07:26:42 marka Exp $ */
+/* $Id: nslookup.c,v 1.113 2006/06/09 23:50:55 marka Exp $ */
 
 #include 
 

From b6f900cd8d9cbf9a399f5258c5f8f3be011989c7 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 13 Jun 2006 04:49:18 +0000
Subject: [PATCH 291/465] ISC_LOG_INFO -> ISC_LOG_DEBUG(1)

---
 lib/dns/cache.c | 8 ++++----
 lib/dns/rbtdb.c | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 2019aeaae6..0f650f9662 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.70 2006/05/16 03:54:35 marka Exp $ */
+/* $Id: cache.c,v 1.71 2006/06/13 04:49:18 marka Exp $ */
 
 /*! \file */
 
@@ -190,7 +190,7 @@ adjust_increment(cache_cleaner_t *cleaner, unsigned int remaining,
 	usecs = isc_time_microdiff(&end, start);
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_INFO, "adjust_increment interval=%u "
+		      ISC_LOG_DEBUG(1), "adjust_increment interval=%u "
 		      "names=%u usec=%" ISC_PLATFORM_QUADFORMAT "u",
 		      interval, names, usecs);
 	
@@ -204,7 +204,7 @@ adjust_increment(cache_cleaner_t *cleaner, unsigned int remaining,
 			if (cleaner->increment > DNS_CACHE_CLEANERINCREMENT)
 				cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_INFO,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
 				      "%p:new clear->increment = %d\n",
 				      cleaner, cleaner->increment);
 		}
@@ -225,7 +225,7 @@ adjust_increment(cache_cleaner_t *cleaner, unsigned int remaining,
 	cleaner->increment = (unsigned int)new;
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_INFO, "%p:new clear->increment = %u\n",
+		      ISC_LOG_DEBUG(1), "%p:new clear->increment = %u\n",
 		      cleaner, cleaner->increment);
 }
 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 0d487bd52a..c6aa830349 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.234 2006/06/07 03:38:04 marka Exp $ */
+/* $Id: rbtdb.c,v 1.235 2006/06/13 04:49:18 marka Exp $ */
 
 /*! \file */
 
@@ -587,7 +587,7 @@ adjust_quantum(unsigned int old, isc_time_t *start) {
 	new = (new + old * 3) / 4;
 	
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_INFO, "adjust_quantum -> %d", new);
+		      ISC_LOG_DEBUG(1), "adjust_quantum -> %d", new);
 
 	return (new);
 }

From 4a5fe001227424601fab2e049b260cc5d8934b76 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 14 Jun 2006 04:00:10 +0000
Subject: [PATCH 292/465] sunos 4 and --with-libtool

---
 README | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README b/README
index 66013eb7c9..820a22a950 100644
--- a/README
+++ b/README
@@ -330,6 +330,9 @@ BIND 9.2.0
 
 		--with-libtool does not work on AIX.
 
+		--with-libtool does not work on SunOS 4.  configure
+		requires "printf" which is not available.
+
 	A bug in the Windows 2000 DNS server can cause zone transfers
 	from a BIND 9 server to a W2K server to fail.  For details,
 	see the "Zone Transfers" section in doc/misc/migration.

From efc9f40e873a009873cc0202155ce048cff0bd76 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 14 Jun 2006 05:03:56 +0000
Subject: [PATCH 293/465] sunos 4 and --with-libtool

---
 README | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README b/README
index 2549662be5..12dbd6e2b8 100644
--- a/README
+++ b/README
@@ -181,6 +181,9 @@ BIND 9.2.0
 
 		--with-libtool does not work on AIX.
 
+		--with-libtool does not work on SunOS 4.  configure
+		requires "printf" which is not available.
+
 	A bug in the Windows 2000 DNS server can cause zone transfers
 	from a BIND 9 server to a W2K server to fail.  For details,
 	see the "Zone Transfers" section in doc/misc/migration.

From 1fc51b8dd9643d7158f2d354ac0592b2a9852e69 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 14 Jun 2006 23:16:50 +0000
Subject: [PATCH 294/465] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index 73441e980d..a281c2fc21 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -16,6 +16,7 @@ gsstsig4_win32			open	danny	// sub-branch off gsstsig4 for windows development
 jinmei-mmapzone-test		new		// mmap based zone file. very experimental, just for reference purposes
 jinmei_libdnsng			new	
 libbind_clean			open	jinmei
+marka_libdnsng			new	
 mlg-20000518			new	
 newresolver0			new	
 openssl_stub			open	marka
@@ -42,6 +43,7 @@ rt15860				open
 rt15978				review	
 rt16022				review	
 rt16156				new	
+rt16157				new	
 rt1727				open		// ixfr-from-differences workfile
 skan				new	
 skan-metazones1			private	

From b91fdca5faffbc7e65a87cf4fa0f517cc43f5b41 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 16 Jun 2006 23:16:56 +0000
Subject: [PATCH 295/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index a281c2fc21..e6e12d8cf6 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -44,6 +44,7 @@ rt15978				review
 rt16022				review	
 rt16156				new	
 rt16157				new	
+rt16170				new	
 rt1727				open		// ixfr-from-differences workfile
 skan				new	
 skan-metazones1			private	

From b985899251897302ee065a27cf06df7f5d6a38bf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Jun 2006 02:50:14 +0000
Subject: [PATCH 296/465] silence: value computed is not used

---
 lib/bind/inet/inet_net_ntop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/bind/inet/inet_net_ntop.c b/lib/bind/inet/inet_net_ntop.c
index a4b81aafad..fb28e3cbe5 100644
--- a/lib/bind/inet/inet_net_ntop.c
+++ b/lib/bind/inet/inet_net_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.4 2005/04/27 04:56:20 sra Exp $";
+static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.5 2006/06/20 02:50:14 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -264,7 +264,7 @@ inet_net_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
 		}
 	}
 	/* Format CIDR /width. */
-	SPRINTF((cp, "/%u", bits));
+	sprintf(cp, "/%u", bits);
 	if (strlen(outbuf) + 1 > size)
 		goto emsgsize;
 	strcpy(dst, outbuf);

From 6babbe1e2670ac57c52633f50d61ef40b73a8867 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Jun 2006 02:53:42 +0000
Subject: [PATCH 297/465] silence: value computed is not used

---
 lib/bind/inet/inet_net_ntop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/bind/inet/inet_net_ntop.c b/lib/bind/inet/inet_net_ntop.c
index 4d21ca9a67..4ae220f599 100644
--- a/lib/bind/inet/inet_net_ntop.c
+++ b/lib/bind/inet/inet_net_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.1.2.2 2004/03/09 09:17:27 marka Exp $";
+static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.1.2.3 2006/06/20 02:53:42 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -264,7 +264,7 @@ inet_net_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
 		}
 	}
 	/* Format CIDR /width. */
-	SPRINTF((cp, "/%u", bits));
+	sprintf(cp, "/%u", bits);
 	if (strlen(outbuf) + 1 > size)
 		goto emsgsize;
 	strcpy(dst, outbuf);

From 1ad94515ee37580a2298b1484ddf44b52dc03a6a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Jun 2006 06:56:43 +0000
Subject: [PATCH 298/465] silence: aix 5.3 missing braces warnings

---
 configure             | 6 +++---
 configure.in          | 4 ++--
 lib/bind/configure    | 5 ++++-
 lib/bind/configure.in | 5 ++++-
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/configure b/configure
index 29944a6e0d..b7702d22d9 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.394 2006/06/02 03:36:22 marka Exp $
+# $Id: configure,v 1.395 2006/06/20 06:56:42 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.406 .
+# From configure.in Revision: 1.407 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -27603,7 +27603,7 @@ LWRES_PLATFORM_USEDECLSPEC="#undef LWRES_PLATFORM_USEDECLSPEC"
 ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
 
 case "$host" in
-	*-aix5.1.*)
+	*-aix5.[123].*)
 		hack_shutup_pthreadonceinit=yes
 		;;
 	*-bsdi3.1*)
diff --git a/configure.in b/configure.in
index 2c42fa89cb..aeaa135af0 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.406 $)
+AC_REVISION($Revision: 1.407 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -1817,7 +1817,7 @@ AC_SUBST(ISC_PLATFORM_BRACEPTHREADONCEINIT)
 ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
 
 case "$host" in
-	*-aix5.1.*)
+	*-aix5.[[123]].*)
 		hack_shutup_pthreadonceinit=yes
 		;;
 	*-bsdi3.1*)
diff --git a/lib/bind/configure b/lib/bind/configure
index e85a2900a0..4b32f2e38b 100644
--- a/lib/bind/configure
+++ b/lib/bind/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.117 .
+# From configure.in Revision: 1.118 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -30921,6 +30921,9 @@ case "$host" in
 		hack_shutup_pthreadmutexinit=yes
 		hack_shutup_in6addr_init_macros=yes
 		;;
+	*-aix5.[23].*)
+		hack_shutup_in6addr_init_macros=yes
+		;;
 	*-bsdi3.1*)
 		hack_shutup_sputaux=yes
 		;;
diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index 620cc155bd..cc4c84f788 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.117 $)
+AC_REVISION($Revision: 1.118 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)
@@ -2345,6 +2345,9 @@ case "$host" in
 		hack_shutup_pthreadmutexinit=yes
 		hack_shutup_in6addr_init_macros=yes
 		;;
+	*-aix5.[[23]].*)
+		hack_shutup_in6addr_init_macros=yes
+		;;
 	*-bsdi3.1*)
 		hack_shutup_sputaux=yes
 		;;

From d0442bda66de086772747e8b9daf432f2d94aadd Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Jun 2006 07:06:40 +0000
Subject: [PATCH 299/465] silence: aix 5.3 missing braces warnings

---
 configure             | 4 ++--
 configure.in          | 4 ++--
 lib/bind/configure    | 5 ++++-
 lib/bind/configure.in | 5 ++++-
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/configure b/configure
index 09dc7ceb76..468f253fbf 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.294.2.62 .
+# From configure.in Revision: 1.294.2.63 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -26137,7 +26137,7 @@ LWRES_PLATFORM_USEDECLSPEC="#undef LWRES_PLATFORM_USEDECLSPEC"
 ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
 
 case "$host" in
-	*-aix5.1.*)
+	*-aix5.[123].*)
 		hack_shutup_pthreadonceinit=yes
 		;;
 	*-bsdi3.1*)
diff --git a/configure.in b/configure.in
index 6377aae7e3..1c3947f016 100644
--- a/configure.in
+++ b/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.294.2.62 $)
+AC_REVISION($Revision: 1.294.2.63 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.13)
@@ -1590,7 +1590,7 @@ AC_SUBST(ISC_PLATFORM_BRACEPTHREADONCEINIT)
 ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
 
 case "$host" in
-	*-aix5.1.*)
+	*-aix5.[[123]].*)
 		hack_shutup_pthreadonceinit=yes
 		;;
 	*-bsdi3.1*)
diff --git a/lib/bind/configure b/lib/bind/configure
index 1861ac31d6..7ef3659442 100644
--- a/lib/bind/configure
+++ b/lib/bind/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.83.2.30 .
+# From configure.in Revision: 1.83.2.31 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -30921,6 +30921,9 @@ case "$host" in
 		hack_shutup_pthreadmutexinit=yes
 		hack_shutup_in6addr_init_macros=yes
 		;;
+	*-aix5.[23].*)
+		hack_shutup_in6addr_init_macros=yes
+		;;
 	*-bsdi3.1*)
 		hack_shutup_sputaux=yes
 		;;
diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index 0c59c987ed..4797d191e0 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.83.2.30 $)
+AC_REVISION($Revision: 1.83.2.31 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)
@@ -2345,6 +2345,9 @@ case "$host" in
 		hack_shutup_pthreadmutexinit=yes
 		hack_shutup_in6addr_init_macros=yes
 		;;
+	*-aix5.[[23]].*)
+		hack_shutup_in6addr_init_macros=yes
+		;;
 	*-bsdi3.1*)
 		hack_shutup_sputaux=yes
 		;;

From 5a9efbf6bf951267e0844990f5b2cb69f5d5f01f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 20 Jun 2006 09:53:03 +0000
Subject: [PATCH 300/465] 2044.	[placeholder]	rt16179

---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGES b/CHANGES
index 11981278f8..8f4a18d8fa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2044.	[placeholder]	rt16179
+
 2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
 			for interactive sessions. [RT#16148]
 

From aff90f8be3c02c05a049de9f69378d1d780bc938 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Jun 2006 23:16:49 +0000
Subject: [PATCH 301/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index e6e12d8cf6..e90481aa42 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -45,6 +45,7 @@ rt16022				review
 rt16156				new	
 rt16157				new	
 rt16170				new	
+rt16179				new	
 rt1727				open		// ixfr-from-differences workfile
 skan				new	
 skan-metazones1			private	

From 3f767720601ab2d142357cf889992285eafcd7bb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Jun 2006 23:30:04 +0000
Subject: [PATCH 302/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 1b1dea9a6e..c8a9bb5802 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1215,7 +1215,7 @@
 ./lib/bind/inet/inet_data.c			X	2001
 ./lib/bind/inet/inet_lnaof.c			X	2001
 ./lib/bind/inet/inet_makeaddr.c			X	2001
-./lib/bind/inet/inet_net_ntop.c			X	2001
+./lib/bind/inet/inet_net_ntop.c			X	2001,2006
 ./lib/bind/inet/inet_net_pton.c			X	2001
 ./lib/bind/inet/inet_neta.c			X	2001
 ./lib/bind/inet/inet_netof.c			X	2001

From bb81c053ad8a961f59f7cfedad5feddd15774bc7 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Jun 2006 23:30:27 +0000
Subject: [PATCH 303/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 56cafde6b8..cf45e411a7 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1337,7 +1337,7 @@
 ./lib/bind/inet/inet_data.c			X	2001,2005
 ./lib/bind/inet/inet_lnaof.c			X	2001,2005
 ./lib/bind/inet/inet_makeaddr.c			X	2001,2005
-./lib/bind/inet/inet_net_ntop.c			X	2001,2005
+./lib/bind/inet/inet_net_ntop.c			X	2001,2005,2006
 ./lib/bind/inet/inet_net_pton.c			X	2001,2005
 ./lib/bind/inet/inet_neta.c			X	2001,2005
 ./lib/bind/inet/inet_netof.c			X	2001,2005

From ea5775a7fde44639e2b4b7ad96d1499b7f8b4401 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 21 Jun 2006 01:21:59 +0000
Subject: [PATCH 304/465] silence: large integer implicitly truncated to
 unsigned type

---
 lib/isc/sockaddr.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
index 280f38854b..5cc10f0a81 100644
--- a/lib/isc/sockaddr.c
+++ b/lib/isc/sockaddr.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.67 2006/03/02 00:37:23 marka Exp $ */
+/* $Id: sockaddr.c,v 1.68 2006/06/21 01:21:59 marka Exp $ */
 
 /*! \file */
 
@@ -490,7 +490,8 @@ isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path) {
 	sockaddr->length = sizeof(sockaddr->type.sunix);
 	sockaddr->type.sunix.sun_family = AF_UNIX;
 #ifdef ISC_PLATFORM_HAVESALEN
-	sockaddr->type.sunix.sun_len = sizeof(sockaddr->type.sunix);
+	sockaddr->type.sunix.sun_len =
+			(unsigned char)sizeof(sockaddr->type.sunix);
 #endif
 	strcpy(sockaddr->type.sunix.sun_path, path);
 	return (ISC_R_SUCCESS);

From 5b2c253a96f3c7efff2fe14b1c06719217922ee8 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 21 Jun 2006 03:30:37 +0000
Subject: [PATCH 305/465] move .NOTPARALLEL:/.NO_PARALLEL: so not first target

---
 lib/bind/Makefile.in | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/bind/Makefile.in b/lib/bind/Makefile.in
index 6b7eec4fda..59a7712f1d 100644
--- a/lib/bind/Makefile.in
+++ b/lib/bind/Makefile.in
@@ -13,15 +13,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.27 2005/07/29 00:12:40 marka Exp $
+# $Id: Makefile.in,v 1.28 2006/06/21 03:30:37 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
 top_srcdir =    @top_srcdir@
 
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
 
 @LIBBIND_API@
 
@@ -99,6 +96,10 @@ OBJS=	${BSDOBJS} ${DSTOBJS} ${INETOBJS} ${IRSOBJS} ${ISCOBJS} \
 
 @BIND9_MAKE_RULES@
 
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
 libbind.@SA@: ${OBJS}
 	${AR} ${ARFLAGS} $@ ${OBJS}
 	${RANLIB} $@

From 884a3da13cfa8f3c235f389f03ac766b7ccd6200 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 21 Jun 2006 03:33:19 +0000
Subject: [PATCH 306/465] move .NOTPARALLEL:/.NO_PARALLEL: so not first target

---
 lib/bind/Makefile.in | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/bind/Makefile.in b/lib/bind/Makefile.in
index ca6d299df1..390f7e0af5 100644
--- a/lib/bind/Makefile.in
+++ b/lib/bind/Makefile.in
@@ -13,15 +13,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12.2.14 2005/07/29 00:13:52 marka Exp $
+# $Id: Makefile.in,v 1.12.2.15 2006/06/21 03:33:19 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
 top_srcdir =    @top_srcdir@
 
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
 
 @LIBBIND_API@
 
@@ -99,6 +96,10 @@ OBJS=	${BSDOBJS} ${DSTOBJS} ${INETOBJS} ${IRSOBJS} ${ISCOBJS} \
 
 @BIND9_MAKE_RULES@
 
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
 libbind.@SA@: ${OBJS}
 	${AR} ${ARFLAGS} $@ ${OBJS}
 	${RANLIB} $@

From 78ff0e94eae96f2cf8bf94454d8ff01ba280d30d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 21 Jun 2006 03:40:34 +0000
Subject: [PATCH 307/465] 2044.   [port]          add support for atomic
 operations for Itanium.                         [RT #16179]

---
 CHANGES                           |  3 +-
 configure                         |  7 ++-
 configure.in                      |  5 +-
 lib/isc/ia64/include/isc/atomic.h | 88 +++++++++++++++++++++++++++++++
 4 files changed, 99 insertions(+), 4 deletions(-)
 create mode 100644 lib/isc/ia64/include/isc/atomic.h

diff --git a/CHANGES b/CHANGES
index 8f4a18d8fa..ed07314fce 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,5 @@
-2044.	[placeholder]	rt16179
+2044.	[port]		add support for atomic operations for Itanium.
+			[RT #16179]
 
 2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
 			for interactive sessions. [RT#16148]
diff --git a/configure b/configure
index b7702d22d9..857c96c3e6 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.395 2006/06/20 06:56:42 marka Exp $
+# $Id: configure,v 1.396 2006/06/21 03:40:34 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.407 .
+# From configure.in Revision: 1.408 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -27930,6 +27930,9 @@ fi
 	mips-*)
 		arch=mips
 	;;
+	ia64-*)
+		arch=ia64
+	;;
 	*)
 		have_atomic=no
 		arch=noatomic
diff --git a/configure.in b/configure.in
index aeaa135af0..aa7ccb12cd 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.407 $)
+AC_REVISION($Revision: 1.408 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -1943,6 +1943,9 @@ main() {
 	mips-*)
 		arch=mips
 	;;
+	ia64-*)
+		arch=ia64
+	;;
 	*)
 		have_atomic=no
 		arch=noatomic
diff --git a/lib/isc/ia64/include/isc/atomic.h b/lib/isc/ia64/include/isc/atomic.h
new file mode 100644
index 0000000000..94b0f7b7b8
--- /dev/null
+++ b/lib/isc/ia64/include/isc/atomic.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: atomic.h,v 1.2 2006/06/21 03:36:54 marka Exp $ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include 
+#include 
+
+#ifdef ISC_PLATFORM_USEGCCASM
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ *
+ * Open issue: can 'fetchadd' make the code faster for some particular values
+ * (e.g., 1 and -1)?
+ */
+static inline isc_int32_t
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	isc_int32_t prev, swapped;
+
+	for (prev = *(volatile isc_int32_t *)p; ; prev = swapped) {
+		swapped = prev + val;
+		__asm__ volatile(
+			"mov ar.ccv=%2;"
+			"cmpxchg4.acq %0=%4,%3,ar.ccv"
+			: "=r" (swapped), "=m" (*p)
+			: "r" (prev), "r" (swapped), "m" (*p)
+			: "memory");
+		if (swapped == prev)
+			break;
+	}
+
+	return (prev);
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+	__asm__ volatile(
+		"st4.rel %0=%1"
+		: "=m" (*p)
+		: "r" (val)
+		: "memory"
+		);
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline isc_int32_t
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+	isc_int32_t ret;
+
+	__asm__ volatile(
+		"mov ar.ccv=%2;"
+		"cmpxchg4.acq %0=%4,%3,ar.ccv"
+		: "=r" (ret), "=m" (*p)
+		: "r" (cmpval), "r" (val), "m" (*p)
+		: "memory");
+
+	return (ret);
+}
+#else /* !ISC_PLATFORM_USEGCCASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */

From f5a156fa25e6d341e703782de6368fbe9e256dde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Wed, 21 Jun 2006 09:28:57 +0000
Subject: [PATCH 308/465] 2045.	[placeholder]	rt16183

---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGES b/CHANGES
index ed07314fce..0ac1acb5c1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2045.	[placeholder]	rt16183
+
 2044.	[port]		add support for atomic operations for Itanium.
 			[RT #16179]
 

From d18f854f907a8f1e82a835e778e574e47d1cdaf6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 21 Jun 2006 23:17:53 +0000
Subject: [PATCH 309/465] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index e90481aa42..095e311dde 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -46,6 +46,8 @@ rt16156				new
 rt16157				new	
 rt16170				new	
 rt16179				new	
+rt16182				new	
+rt16183				new	
 rt1727				open		// ixfr-from-differences workfile
 skan				new	
 skan-metazones1			private	

From 0f7f47a50aeab31f3bd2763dffbf643015613d81 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 21 Jun 2006 23:30:04 +0000
Subject: [PATCH 310/465] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index c8a9bb5802..172d8731e8 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1148,7 +1148,7 @@
 ./lib/.cvsignore				X	1999,2000,2001
 ./lib/Makefile.in				MAKE	1998,1999,2000,2001,2002,2004
 ./lib/bind/.cvsignore				X	2001
-./lib/bind/Makefile.in				MAKE	2001,2002,2003,2004,2005
+./lib/bind/Makefile.in				MAKE	2001,2002,2003,2004,2005,2006
 ./lib/bind/README				X	2001
 ./lib/bind/aclocal.m4				X	2001
 ./lib/bind/api					X	2001,2005,2006

From 920c892667f7a1a284cc0f62e52a0cd3a7a78e14 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 21 Jun 2006 23:30:28 +0000
Subject: [PATCH 311/465] newcopyrights

---
 util/copyrights | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index cf45e411a7..6a47b8207d 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1270,7 +1270,7 @@
 ./lib/.cvsignore				X	1999,2000,2001
 ./lib/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004
 ./lib/bind/.cvsignore				X	2001
-./lib/bind/Makefile.in				MAKE	2001,2002,2003,2004,2005
+./lib/bind/Makefile.in				MAKE	2001,2002,2003,2004,2005,2006
 ./lib/bind/README				X	2001
 ./lib/bind/aclocal.m4				X	2001
 ./lib/bind/api					X	2001
@@ -2008,6 +2008,7 @@
 ./lib/isc/hex.c					C	2000,2001,2002,2003,2004,2005
 ./lib/isc/hmacmd5.c				C	2000,2001,2004,2005,2006
 ./lib/isc/hmacsha.c				C	2005,2006
+./lib/isc/ia64/include/isc/atomic.h		C	2006
 ./lib/isc/include/.cvsignore			X	1999,2000,2001
 ./lib/isc/include/Makefile.in			MAKE	1998,1999,2000,2001,2004
 ./lib/isc/include/isc/.cvsignore		X	1999,2000,2001

From 8bc2cb3b971dd6f3c6640e00cc97f18d34ce5426 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sat, 24 Jun 2006 00:25:37 +0000
Subject: [PATCH 312/465] update copyright notice

---
 lib/bind/Makefile.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/bind/Makefile.in b/lib/bind/Makefile.in
index 390f7e0af5..ad1c0f4e32 100644
--- a/lib/bind/Makefile.in
+++ b/lib/bind/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12.2.15 2006/06/21 03:33:19 marka Exp $
+# $Id: Makefile.in,v 1.12.2.16 2006/06/24 00:25:37 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@

From ef718fa0d9003cb7ebbd3574efd9c5ec477c49af Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sat, 24 Jun 2006 00:25:40 +0000
Subject: [PATCH 313/465] update copyright notice

---
 lib/bind/Makefile.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/bind/Makefile.in b/lib/bind/Makefile.in
index 59a7712f1d..679a978c01 100644
--- a/lib/bind/Makefile.in
+++ b/lib/bind/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.28 2006/06/21 03:30:37 marka Exp $
+# $Id: Makefile.in,v 1.29 2006/06/24 00:25:40 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@

From 9a6522317c97e5487cea816173f63a0e5b4e428a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Wed, 28 Jun 2006 08:28:49 +0000
Subject: [PATCH 314/465] 2045.	[func]		use lock buckets for acache
 entries to limit memory 			consumption. [RT #16183]

---
 CHANGES          |   3 +-
 lib/dns/acache.c | 117 ++++++++++++++++++++++++++++++++++-------------
 2 files changed, 86 insertions(+), 34 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0ac1acb5c1..d4215627a0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,5 @@
-2045.	[placeholder]	rt16183
+2045.	[func]		use lock buckets for acache entries to limit memory
+			consumption. [RT #16183]
 
 2044.	[port]		add support for atomic operations for Itanium.
 			[RT #16179]
diff --git a/lib/dns/acache.c b/lib/dns/acache.c
index 5d68616ed1..6b8ff8b957 100644
--- a/lib/dns/acache.c
+++ b/lib/dns/acache.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.c,v 1.16 2006/05/03 00:07:50 marka Exp $ */
+/* $Id: acache.c,v 1.17 2006/06/28 08:28:49 jinmei Exp $ */
 
 #include 
 
@@ -75,6 +75,8 @@
 #define DNS_ACACHE_MINSIZE 		2097152	/* Bytes.  2097152 = 2 MB */
 #define DNS_ACACHE_CLEANERINCREMENT	1000	/* Number of entries. */
 
+#define DEFAULT_ACACHE_ENTRY_LOCK_COUNT	1009	/*%< Should be prime. */
+
 #if defined(ISC_RWLOCK_USEATOMIC) && defined(ISC_PLATFORM_HAVEATOMICSTORE)
 #define ACACHE_USE_RWLOCK 1
 #endif
@@ -177,6 +179,12 @@ struct dns_acache {
 	isc_mem_t			*mctx;
 	isc_refcount_t			refs;
 
+#ifdef ACACHE_USE_RWLOCK
+	isc_rwlock_t 			*entrylocks;
+#else
+	isc_mutex_t 			*entrylocks;
+#endif
+
 	isc_mutex_t			lock;
 
 	int				live_cleaners;
@@ -197,11 +205,7 @@ struct dns_acache {
 struct dns_acacheentry {
 	unsigned int 		magic;
 
-#ifdef ACACHE_USE_RWLOCK
-	isc_rwlock_t 		lock;
-#else
-	isc_mutex_t 		lock;
-#endif
+	unsigned int		locknum;
 	isc_refcount_t 		references;
 
 	dns_acache_t 		*acache;
@@ -303,7 +307,8 @@ shutdown_entries(dns_acache_t *acache) {
 	     entry = entry_next) {
 		entry_next = ISC_LIST_NEXT(entry, link);
 
-		ACACHE_LOCK(&entry->lock, isc_rwlocktype_write);
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
 
 		/*
 		 * If the cleaner holds this entry, it will be unlinked and
@@ -317,7 +322,8 @@ shutdown_entries(dns_acache_t *acache) {
 			entry->callback = NULL;
 		}
 
-		ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_write);
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
 
 		if (acache->cleaner.current_entry != entry)
 			dns_acache_detachentry(&entry);
@@ -413,8 +419,6 @@ destroy_entry(dns_acacheentry_t *entry) {
 	 */
 	clear_entry(acache, entry);
 
-	ACACHE_DESTROYLOCK(&entry->lock);
-
 	isc_mem_put(acache->mctx, entry, sizeof(*entry));
 
 	dns_acache_detach(&acache);
@@ -422,6 +426,8 @@ destroy_entry(dns_acacheentry_t *entry) {
 
 static void
 destroy(dns_acache_t *acache) {
+	int i;
+
 	REQUIRE(DNS_ACACHE_VALID(acache));
 
 	ATRACE("destroy");
@@ -437,6 +443,12 @@ destroy(dns_acache_t *acache) {
 	if (acache->task != NULL)
 		isc_task_detach(&acache->task);
 
+	for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++)
+		ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
+	isc_mem_put(acache->mctx, acache->entrylocks,
+		    sizeof(*acache->entrylocks) *
+		    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+
 	DESTROYLOCK(&acache->cleaner.lock);
 
 	DESTROYLOCK(&acache->lock);
@@ -817,12 +829,13 @@ acache_incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 
 	while (n_entries-- > 0) {
 		isc_boolean_t is_stale = ISC_FALSE;
-		
+
 		INSIST(entry != NULL);
 
 		next = ISC_LIST_NEXT(entry, link);
 
-		ACACHE_LOCK(&entry->lock, isc_rwlocktype_write);
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
 
 		is_stale = entry_stale(cleaner, entry, now32, interval);
 		if (is_stale) {
@@ -835,7 +848,8 @@ acache_incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 			cleaner->ncleaned++;
 		}
 
-		ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_write);
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
 
 		if (is_stale)
 			dns_acache_detachentry(&entry);
@@ -1047,6 +1061,8 @@ dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
 	acache->shutting_down = ISC_FALSE;
 
 	acache->task = NULL;
+	acache->entrylocks = NULL;
+
 	result = isc_task_create(taskmgr, 1, &acache->task);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -1065,6 +1081,25 @@ dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
 	for (i = 0; i < DBBUCKETS; i++)
 		ISC_LIST_INIT(acache->dbbucket[i]);
 
+	acache->entrylocks = isc_mem_get(mctx, sizeof(*acache->entrylocks) *
+					 DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+	if (acache->entrylocks == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++) {
+		result = ACACHE_INITLOCK(&acache->entrylocks[i]);
+		if (result != ISC_R_SUCCESS) {
+			while (i-- > 0)
+				ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
+			isc_mem_put(mctx, acache->entrylocks,
+				    sizeof(*acache->entrylocks) *
+				    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+			acache->entrylocks = NULL;
+			goto cleanup;
+		}
+	}
+
 	acache->live_cleaners = 0;
 	result = acache_cleaner_init(acache, timermgr, &acache->cleaner); 
 	if (result != ISC_R_SUCCESS)
@@ -1084,6 +1119,13 @@ dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
 	DESTROYLOCK(&acache->lock);
 	isc_refcount_decrement(&acache->refs, NULL);
 	isc_refcount_destroy(&acache->refs);
+	if (acache->entrylocks != NULL) {
+		for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++)
+			ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
+		isc_mem_put(mctx, acache->entrylocks,
+			    sizeof(*acache->entrylocks) *
+			    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+	}
 	isc_mem_put(mctx, acache, sizeof(*acache));
 	isc_mem_detach(&mctx);
 
@@ -1249,7 +1291,8 @@ dns_acache_putdb(dns_acache_t *acache, dns_db_t *db) {
 	 * original holder has canceled callback,) destroy it here.
 	 */
 	while ((entry = ISC_LIST_HEAD(dbentry->originlist)) != NULL) {
-		ACACHE_LOCK(&entry->lock, isc_rwlocktype_write);
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
 
 		/*
 		 * Releasing olink first would avoid finddbent() in
@@ -1264,13 +1307,15 @@ dns_acache_putdb(dns_acache_t *acache, dns_db_t *db) {
 			(entry->callback)(entry, &entry->cbarg);
 		entry->callback = NULL;
 
-		ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_write);
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
 
 		if (acache->cleaner.current_entry != entry)
 			dns_acache_detachentry(&entry);
 	}
 	while ((entry = ISC_LIST_HEAD(dbentry->referlist)) != NULL) {
-		ACACHE_LOCK(&entry->lock, isc_rwlocktype_write);
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
 
 		ISC_LIST_UNLINK(dbentry->referlist, entry, rlink);
 		if (acache->cleaner.current_entry != entry)
@@ -1281,7 +1326,8 @@ dns_acache_putdb(dns_acache_t *acache, dns_db_t *db) {
 			(entry->callback)(entry, &entry->cbarg);
 		entry->callback = NULL;
 
-		ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_write);
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
 
 		if (acache->cleaner.current_entry != entry)
 			dns_acache_detachentry(&entry);
@@ -1313,6 +1359,7 @@ dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
 {
 	dns_acacheentry_t *newentry;
 	isc_result_t result;
+	isc_uint32_t r;
 
 	REQUIRE(DNS_ACACHE_VALID(acache));
 	REQUIRE(entryp != NULL && *entryp == NULL);
@@ -1341,15 +1388,11 @@ dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
 		return (ISC_R_NOMEMORY);
 	}
 
-	result = ACACHE_INITLOCK(&newentry->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(acache->mctx, newentry, sizeof(*newentry));
-		return (result);
-	};
-
+	isc_random_get(&r);
+	newentry->locknum = r % DEFAULT_ACACHE_ENTRY_LOCK_COUNT;
+	
 	result = isc_refcount_init(&newentry->references, 1);
 	if (result != ISC_R_SUCCESS) {
-		ACACHE_DESTROYLOCK(&newentry->lock);
 		isc_mem_put(acache->mctx, newentry, sizeof(*newentry));
 		return (result);
 	};
@@ -1390,6 +1433,8 @@ dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
 	isc_result_t result = ISC_R_SUCCESS;
 	dns_rdataset_t *erdataset;
 	isc_stdtime32_t	now32;
+	dns_acache_t *acache;
+	int locknum;
 
 	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
 	REQUIRE(zonep == NULL || *zonep == NULL);
@@ -1398,8 +1443,11 @@ dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
 	REQUIRE(nodep != NULL && *nodep == NULL);
 	REQUIRE(fname != NULL);
 	REQUIRE(msg != NULL);
-	
-	ACACHE_LOCK(&entry->lock, isc_rwlocktype_read);
+	acache = entry->acache;
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	locknum = entry->locknum;
+	ACACHE_LOCK(&acache->entrylocks[locknum], isc_rwlocktype_read);
 
 	isc_stdtime_convert32(now, &now32);
 	acache_storetime(entry, now32);
@@ -1429,7 +1477,7 @@ dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
 			ardataset = NULL;
 			result = dns_message_gettemprdataset(msg, &ardataset);
 			if (result != ISC_R_SUCCESS) {
-				ACACHE_UNLOCK(&entry->lock,
+				ACACHE_UNLOCK(&acache->entrylocks[locknum],
 					      isc_rwlocktype_read);
 				goto fail;
 			}
@@ -1449,7 +1497,7 @@ dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
 	entry->acache->stats.hits++; /* XXXMLG danger: unlocked! */
 	entry->acache->stats.queries++;
 
-	ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_read);
+	ACACHE_UNLOCK(&acache->entrylocks[locknum], isc_rwlocktype_read);
 
 	return (result);
 
@@ -1486,7 +1534,7 @@ dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
 	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
 
 	LOCK(&acache->lock);	/* XXX: need to lock it here for ordering */
-	ACACHE_LOCK(&entry->lock, isc_rwlocktype_write);
+	ACACHE_LOCK(&acache->entrylocks[entry->locknum], isc_rwlocktype_write);
 
 	/* Set zone */
 	if (zone != NULL)
@@ -1578,7 +1626,8 @@ dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
 	 */
 	dns_acache_attachentry(entry, &dummy_entry);
 
-	ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_write);
+	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+		      isc_rwlocktype_write);
 
 	acache->stats.adds++;
 	UNLOCK(&acache->lock);
@@ -1588,7 +1637,8 @@ dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
  fail:
 	clear_entry(acache, entry);
 
-	ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_write);
+	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+		      isc_rwlocktype_write);
 	UNLOCK(&acache->lock);
 
 	return (result);
@@ -1602,7 +1652,7 @@ dns_acache_cancelentry(dns_acacheentry_t *entry) {
 	INSIST(DNS_ACACHE_VALID(acache));
 
 	LOCK(&acache->lock);
-	ACACHE_LOCK(&entry->lock, isc_rwlocktype_write);
+	ACACHE_LOCK(&acache->entrylocks[entry->locknum], isc_rwlocktype_write);
 
 	/*
 	 * Release dependencies stored in this entry as much as possible.
@@ -1616,7 +1666,8 @@ dns_acache_cancelentry(dns_acacheentry_t *entry) {
 	entry->callback = NULL;
 	entry->cbarg = NULL;
 
-	ACACHE_UNLOCK(&entry->lock, isc_rwlocktype_write);
+	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+		      isc_rwlocktype_write);
 	UNLOCK(&acache->lock);
 }
 

From cfe196a86888e182161fccca930baa2efce0b25c Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 29 Jun 2006 13:02:08 +0000
Subject: [PATCH 315/465] regen

---
 bin/check/named-checkconf.8             |  21 +-
 bin/check/named-checkconf.html          |  16 +-
 bin/check/named-checkzone.8             |  29 ++-
 bin/check/named-checkzone.html          |  16 +-
 bin/dig/dig.1                           |  87 ++++----
 bin/dig/dig.html                        |  22 +-
 bin/dig/host.1                          |  15 +-
 bin/dig/host.html                       |  12 +-
 bin/dig/nslookup.1                      |  87 ++++----
 bin/dig/nslookup.html                   |  18 +-
 bin/dnssec/dnssec-keygen.8              |  47 ++--
 bin/dnssec/dnssec-keygen.html           |  18 +-
 bin/dnssec/dnssec-makekeyset.8          |  33 +--
 bin/dnssec/dnssec-makekeyset.html       |  16 +-
 bin/dnssec/dnssec-signkey.8             |  35 +--
 bin/dnssec/dnssec-signkey.html          |  16 +-
 bin/dnssec/dnssec-signzone.8            |  47 ++--
 bin/dnssec/dnssec-signzone.html         |  16 +-
 bin/named/lwresd.8                      |  41 ++--
 bin/named/lwresd.html                   |  16 +-
 bin/named/named.8                       |  45 ++--
 bin/named/named.conf.5                  |  37 +++-
 bin/named/named.conf.html               |  32 +--
 bin/named/named.html                    |  20 +-
 bin/nsupdate/nsupdate.8                 |  61 ++---
 bin/nsupdate/nsupdate.html              |  20 +-
 bin/rndc/rndc-confgen.8                 |  35 +--
 bin/rndc/rndc-confgen.html              |  18 +-
 bin/rndc/rndc.8                         |  30 ++-
 bin/rndc/rndc.conf.5                    |  19 +-
 bin/rndc/rndc.conf.html                 |  16 +-
 bin/rndc/rndc.html                      |  16 +-
 doc/arm/Bv9ARM.ch01.html                |  96 ++++----
 doc/arm/Bv9ARM.ch02.html                |  42 ++--
 doc/arm/Bv9ARM.ch03.html                |  48 ++--
 doc/arm/Bv9ARM.ch04.html                | 116 +++++-----
 doc/arm/Bv9ARM.ch05.html                |  16 +-
 doc/arm/Bv9ARM.ch06.html                | 282 ++++++++++++------------
 doc/arm/Bv9ARM.ch07.html                |  38 ++--
 doc/arm/Bv9ARM.ch08.html                |  34 +--
 doc/arm/Bv9ARM.ch09.html                | 240 +++++++++++++-------
 doc/arm/Bv9ARM.html                     | 162 +++++++-------
 lib/lwres/man/lwres.3                   |  15 +-
 lib/lwres/man/lwres.html                |  16 +-
 lib/lwres/man/lwres_buffer.3            |  53 +++--
 lib/lwres/man/lwres_buffer.html         | 130 +++++++++--
 lib/lwres/man/lwres_config.3            |  28 ++-
 lib/lwres/man/lwres_config.html         |  60 +++--
 lib/lwres/man/lwres_context.3           |  29 ++-
 lib/lwres/man/lwres_context.html        |  61 ++++-
 lib/lwres/man/lwres_gabn.3              |  32 ++-
 lib/lwres/man/lwres_gabn.html           |  42 +++-
 lib/lwres/man/lwres_gai_strerror.3      |  39 ++--
 lib/lwres/man/lwres_gai_strerror.html   |  10 +-
 lib/lwres/man/lwres_getaddrinfo.3       |  32 ++-
 lib/lwres/man/lwres_getaddrinfo.html    |  29 ++-
 lib/lwres/man/lwres_gethostent.3        |  57 ++---
 lib/lwres/man/lwres_gethostent.html     |  51 ++++-
 lib/lwres/man/lwres_getipnode.3         |  49 ++--
 lib/lwres/man/lwres_getipnode.html      |  34 ++-
 lib/lwres/man/lwres_getnameinfo.3       |  30 ++-
 lib/lwres/man/lwres_getnameinfo.html    |  19 +-
 lib/lwres/man/lwres_getrrsetbyname.3    |  33 +--
 lib/lwres/man/lwres_getrrsetbyname.html |  29 ++-
 lib/lwres/man/lwres_gnba.3              |  32 ++-
 lib/lwres/man/lwres_gnba.html           |  51 ++++-
 lib/lwres/man/lwres_hstrerror.3         |  29 ++-
 lib/lwres/man/lwres_hstrerror.html      |  12 +-
 lib/lwres/man/lwres_inetntop.3          |  17 +-
 lib/lwres/man/lwres_inetntop.html       |  17 +-
 lib/lwres/man/lwres_noop.3              |  32 ++-
 lib/lwres/man/lwres_noop.html           |  42 +++-
 lib/lwres/man/lwres_packet.3            |  48 ++--
 lib/lwres/man/lwres_packet.html         |  20 +-
 lib/lwres/man/lwres_resutil.3           |  25 ++-
 lib/lwres/man/lwres_resutil.html        |  32 ++-
 76 files changed, 1977 insertions(+), 1289 deletions(-)

diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 8f51ea2294..21b2520392 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkconf.8,v 1.11.2.5 2005/10/13 02:23:25 marka Exp $
+.\" $Id: named-checkconf.8,v 1.11.2.6 2006/06/29 13:02:05 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: named\-checkconf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 14, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -36,17 +39,17 @@ named\-checkconf \- named configuration file syntax checking tool
 \fBnamed\-checkconf\fR
 checks the syntax, but not the semantics, of a named configuration file.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 chroot to
 \fIdirectory\fR
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.TP
+.TP 3n
 \-v
 Print the version of the
 \fBnamed\-checkconf\fR
 program and exit.
-.TP
+.TP 3n
 filename
 The name of the configuration file to be checked. If not specified, it defaults to
 \fI/etc/named.conf\fR.
@@ -61,3 +64,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 2f7472120c..10822b648e 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 named-checkconf
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    named-checkconf — named configuration file syntax checking tool
    
@@ -32,14 +32,14 @@
 
    named-checkconf  [-v] [-t directory] {filename}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
         named-checkconf checks the syntax, but not
 	the semantics, of a named configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -t directory
    
 
    
@@ -60,21 +60,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
         named-checkconf returns an exit status of 1 if
 	errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       named(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
         Internet Systems Consortium
     
    
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index c71a485714..49768bae68 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.11.2.6 2005/10/13 02:23:25 marka Exp $
+.\" $Id: named-checkzone.8,v 1.11.2.7 2006/06/29 13:02:05 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: named\-checkzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 13, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -40,27 +43,27 @@ does when loading a zone. This makes
 \fBnamed\-checkzone\fR
 useful for checking zone files before configuring them into a name server.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-d
 Enable debugging.
-.TP
+.TP 3n
 \-q
 Quiet mode \- exit code only.
-.TP
+.TP 3n
 \-v
 Print the version of the
 \fBnamed\-checkzone\fR
 program and exit.
-.TP
+.TP 3n
 \-j
 When loading the zone file read the journal if it exists.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Specify the class of the zone. If not specified "IN" is assumed.
-.TP
+.TP 3n
 zonename
 The domain name of the zone being checked.
-.TP
+.TP 3n
 filename
 The name of the zone file.
 .SH "RETURN VALUES"
@@ -75,3 +78,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index c0afa9e9d2..417fda090d 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 named-checkzone
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    named-checkzone — zone file validity checking tool
    
@@ -32,7 +32,7 @@
 
    named-checkzone  [-d] [-j] [-q] [-v] [-c class] {zonename} {filename}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
         named-checkzone checks the syntax and integrity of
 	a zone file.  It performs the same checks as named
@@ -42,7 +42,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -76,14 +76,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
         named-checkzone returns an exit status of 1 if
 	errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       named(8),
       RFC 1035,
@@ -91,7 +91,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
         Internet Systems Consortium
     
    
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 3526420ddc..04d4a28c37 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dig.1,v 1.14.2.9 2005/10/13 02:23:26 marka Exp $
+.\" $Id: dig.1,v 1.14.2.10 2006/06/29 13:02:05 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dig
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -68,12 +71,14 @@ A typical invocation of
 \fBdig\fR
 looks like:
 .sp
+.RS 3n
 .nf
  dig @server name type 
 .fi
+.RE
 .sp
 where:
-.TP
+.TP 3n
 \fBserver\fR
 is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
 \fIserver\fR
@@ -86,10 +91,10 @@ argument is provided,
 consults
 \fI/etc/resolv.conf\fR
 and queries the name servers listed there. The reply from the name server that responds is displayed.
-.TP
+.TP 3n
 \fBname\fR
 is the name of the resource record that is to be looked up.
-.TP
+.TP 3n
 \fBtype\fR
 indicates what type of query is required \(em ANY, A, MX, SIG, etc.
 \fItype\fR
@@ -187,18 +192,18 @@ Each query option is identified by a keyword preceded by a plus sign (+). Some k
 no
 to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
 \fB+keyword=value\fR. The query options are:
-.TP
+.TP 3n
 \fB+[no]tcp\fR
 Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
-.TP
+.TP 3n
 \fB+[no]vc\fR
 Use [do not use] TCP when querying name servers. This alternate syntax to
 \fI+[no]tcp\fR
 is provided for backwards compatibility. The "vc" stands for "virtual circuit".
-.TP
+.TP 3n
 \fB+[no]ignore\fR
 Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
-.TP
+.TP 3n
 \fB+domain=somename\fR
 Set the search list to contain the single domain
 \fIsomename\fR, as if specified in a
@@ -207,27 +212,27 @@ directive in
 \fI/etc/resolv.conf\fR, and enable search list processing as if the
 \fI+search\fR
 option were given.
-.TP
+.TP 3n
 \fB+[no]search\fR
 Use [do not use] the search list defined by the searchlist or domain directive in
 \fIresolv.conf\fR
 (if any). The search list is not used by default.
-.TP
+.TP 3n
 \fB+[no]defname\fR
 Deprecated, treated as a synonym for
 \fI+[no]search\fR
-.TP
+.TP 3n
 \fB+[no]aaonly\fR
 This option does nothing. It is provided for compatibility with old versions of
 \fBdig\fR
 where it set an unimplemented resolver flag.
-.TP
+.TP 3n
 \fB+[no]adflag\fR
 Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
-.TP
+.TP 3n
 \fB+[no]cdflag\fR
 Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
-.TP
+.TP 3n
 \fB+[no]recurse\fR
 Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
 \fBdig\fR
@@ -236,68 +241,68 @@ normally sends recursive queries. Recursion is automatically disabled when the
 or
 \fI+trace\fR
 query options are used.
-.TP
+.TP 3n
 \fB+[no]nssearch\fR
 When this option is set,
 \fBdig\fR
 attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
-.TP
+.TP 3n
 \fB+[no]trace\fR
 Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
 \fBdig\fR
 makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
-.TP
+.TP 3n
 \fB+[no]cmd\fR
 toggles the printing of the initial comment in the output identifying the version of
 \fBdig\fR
 and the query options that have been applied. This comment is printed by default.
-.TP
+.TP 3n
 \fB+[no]short\fR
 Provide a terse answer. The default is to print the answer in a verbose form.
-.TP
+.TP 3n
 \fB+[no]identify\fR
 Show [or do not show] the IP address and port number that supplied the answer when the
 \fI+short\fR
 option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
-.TP
+.TP 3n
 \fB+[no]comments\fR
 Toggle the display of comment lines in the output. The default is to print comments.
-.TP
+.TP 3n
 \fB+[no]stats\fR
 This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
-.TP
+.TP 3n
 \fB+[no]qr\fR
 Print [do not print] the query as it is sent. By default, the query is not printed.
-.TP
+.TP 3n
 \fB+[no]question\fR
 Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
-.TP
+.TP 3n
 \fB+[no]answer\fR
 Display [do not display] the answer section of a reply. The default is to display it.
-.TP
+.TP 3n
 \fB+[no]authority\fR
 Display [do not display] the authority section of a reply. The default is to display it.
-.TP
+.TP 3n
 \fB+[no]additional\fR
 Display [do not display] the additional section of a reply. The default is to display it.
-.TP
+.TP 3n
 \fB+[no]all\fR
 Set or clear all display flags.
-.TP
+.TP 3n
 \fB+time=T\fR
 Sets the timeout for a query to
 \fIT\fR
 seconds. The default time out is 5 seconds. An attempt to set
 \fIT\fR
 to less than 1 will result in a query timeout of 1 second being applied.
-.TP
+.TP 3n
 \fB+tries=T\fR
 Sets the number of times to retry UDP queries to server to
 \fIT\fR
 instead of the default, 3. If
 \fIT\fR
 is less than or equal to zero, the number of retries is silently rounded up to 1.
-.TP
+.TP 3n
 \fB+ndots=D\fR
 Set the number of dots that have to appear in
 \fIname\fR
@@ -310,23 +315,23 @@ or
 \fBdomain\fR
 directive in
 \fI/etc/resolv.conf\fR.
-.TP
+.TP 3n
 \fB+bufsize=B\fR
 Set the UDP message buffer size advertised using EDNS0 to
 \fIB\fR
 bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.
-.TP
+.TP 3n
 \fB+[no]multiline\fR
 Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
 \fBdig\fR
 output.
-.TP
+.TP 3n
 \fB+[no]fail\fR
 Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
-.TP
+.TP 3n
 \fB+[no]besteffort\fR
 Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
-.TP
+.TP 3n
 \fB+[no]dnssec\fR
 Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
 .SH "MULTIPLE QUERIES"
@@ -345,9 +350,11 @@ A global set of query options, which should be applied to all queries, can also
 \fB+[no]cmd\fR
 option) can be overridden by a query\-specific set of query options. For example:
 .sp
+.RS 3n
 .nf
 dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
 .fi
+.RE
 .sp
 shows how
 \fBdig\fR
@@ -377,3 +384,5 @@ RFC1035.
 .SH "BUGS "
 .PP
 There are probably too many query options.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 6cdddb5325..34d3a4ff59 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 dig
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    dig — DNS lookup utility
    
@@ -34,7 +34,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 dig (domain information groper) is a flexible tool
 for interrogating DNS name servers.  It performs DNS lookups and
@@ -69,7 +69,7 @@ are applied before the command line arguments.
 
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
 A typical invocation of dig looks like:
 
    
@@ -107,7 +107,7 @@ ANY, A, MX, SIG, etc.
 
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 The -b option sets the source IP address of the query
 to address.  This must be a valid address on
@@ -181,7 +181,7 @@ being used.  In BIND, this is done by providing appropriate
 
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    
 dig provides a number of query options which affect
 the way in which lookups are made and the results displayed.  Some of
@@ -396,7 +396,7 @@ in the OPT record in the additional section of the query.
 
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
 The BIND 9 implementation of dig  supports
 specifying multiple queries on the command line (in addition to
@@ -437,7 +437,7 @@ will not print the initial query when it looks up the NS records for
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 /etc/resolv.conf
 
    
@@ -446,7 +446,7 @@ will not print the initial query when it looks up the NS records for
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 host(1),
 named(8),
@@ -455,7 +455,7 @@ will not print the initial query when it looks up the NS records for
 
    
 
    
 
    
-
    BUGS 
    
+
    BUGS 
    
 
    
 There are probably too many query options. 
 
    
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index 3916d81cff..e719969372 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: host.1,v 1.11.2.5 2005/10/13 02:23:26 marka Exp $
+.\" $Id: host.1,v 1.11.2.6 2006/06/29 13:02:05 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: host
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -171,3 +174,5 @@ will effectively wait forever for a reply. The time to wait for a response will
 .PP
 \fBdig\fR(1),
 \fBnamed\fR(8).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dig/host.html b/bin/dig/host.html
index 78b0b204a8..fdfeaee6da 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 host
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    host — DNS lookup utility
    
@@ -32,7 +32,7 @@
 
    host  [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] {name} [server]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 host
 is a simple utility for performing DNS lookups.
@@ -148,13 +148,13 @@ value for an integer quantity.
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 /etc/resolv.conf
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 dig(1),
 named(8).
diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1
index 5d287ae9aa..b84904662b 100644
--- a/bin/dig/nslookup.1
+++ b/bin/dig/nslookup.1
@@ -12,14 +12,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nslookup.1,v 1.1.4.6 2006/01/06 01:46:37 marka Exp $
+.\" $Id: nslookup.1,v 1.1.4.7 2006/06/29 13:02:05 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: nslookup
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -39,26 +42,28 @@ has two modes: interactive and non\-interactive. Interactive mode allows the use
 .SH "ARGUMENTS"
 .PP
 Interactive mode is entered in the following cases:
-.TP 3
+.TP 3n
 1.
 when no arguments are given (the default name server will be used)
-.TP
+.TP 3n
 2.
 when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
+.sp
+.RE
 .PP
 Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
 .PP
 Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.IP .sp .nf nslookup \-query=hinfo \-timeout=10 .fi
+.sp .RS 3n .nf nslookup \-query=hinfo \-timeout=10 .fi .RE
 .SH "INTERACTIVE COMMANDS"
-.TP
+.TP 3n
 host [server]
 Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
 .sp
 To look up a host not in the current domain, append a period to the name.
-.TP
+.TP 3n
 \fBserver\fR \fIdomain\fR
-.TP
+.TP 3n
 \fBlserver\fR \fIdomain\fR
 Change the default server to
 \fIdomain\fR;
@@ -67,107 +72,107 @@ uses the initial server to look up information about
 \fIdomain\fR, while
 \fBserver\fR
 uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
-.TP
+.TP 3n
 \fBroot\fR
 not implemented
-.TP
+.TP 3n
 \fBfinger\fR
 not implemented
-.TP
+.TP 3n
 \fBls\fR
 not implemented
-.TP
+.TP 3n
 \fBview\fR
 not implemented
-.TP
+.TP 3n
 \fBhelp\fR
 not implemented
-.TP
+.TP 3n
 \fB?\fR
 not implemented
-.TP
+.TP 3n
 \fBexit\fR
 Exits the program.
-.TP
+.TP 3n
 \fBset\fR \fIkeyword\fR\fI[=value]\fR
 This command is used to change state information that affects the lookups. Valid keywords are:
-.RS
-.TP
+.RS 3n
+.TP 3n
 \fBall\fR
 Prints the current values of the frequently used options to
 \fBset\fR. Information about the current default server and host is also printed.
-.TP
+.TP 3n
 \fBclass=\fR\fIvalue\fR
 Change the query class to one of:
-.RS
-.TP
+.RS 3n
+.TP 3n
 \fBIN\fR
 the Internet class
-.TP
+.TP 3n
 \fBCH\fR
 the Chaos class
-.TP
+.TP 3n
 \fBHS\fR
 the Hesiod class
-.TP
+.TP 3n
 \fBANY\fR
 wildcard
 .RE
-.IP
+.IP "" 3n
 The class specifies the protocol group of the information.
 .sp
 (Default = IN; abbreviation = cl)
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBdebug\fR
 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
 .sp
 (Default = nodebug; abbreviation =
 [no]deb)
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBd2\fR
 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
 .sp
 (Default = nod2)
-.TP
+.TP 3n
 \fBdomain=\fR\fIname\fR
 Sets the search list to
 \fIname\fR.
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBsearch\fR
 If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
 .sp
 (Default = search)
-.TP
+.TP 3n
 \fBport=\fR\fIvalue\fR
 Change the default TCP/UDP name server port to
 \fIvalue\fR.
 .sp
 (Default = 53; abbreviation = po)
-.TP
+.TP 3n
 \fBquerytype=\fR\fIvalue\fR
-.TP
+.TP 3n
 \fBtype=\fR\fIvalue\fR
 Change the type of the information query.
 .sp
 (Default = A; abbreviations = q, ty)
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBrecurse\fR
 Tell the name server to query other servers if it does not have the information.
 .sp
 (Default = recurse; abbreviation = [no]rec)
-.TP
+.TP 3n
 \fBretry=\fR\fInumber\fR
 Set the number of retries to number.
-.TP
+.TP 3n
 \fBtimeout=\fR\fInumber\fR
 Change the initial timeout interval for waiting for a reply to number seconds.
-.TP
+.TP 3n
 \fB\fI[no]\fR\fR\fBvc\fR
 Always use a virtual circuit when sending requests to the server.
 .sp
 (Default = novc)
 .RE
-.IP
+.IP "" 3n
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -179,3 +184,5 @@ Always use a virtual circuit when sending requests to the server.
 .SH "AUTHOR"
 .PP
 Andrew Cherenson
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index 63d4749ab5..3141058b01 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -13,15 +13,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 nslookup
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    nslookup — query Internet name servers interactively
    
@@ -31,7 +31,7 @@
 
    nslookup  [-option] [name | -] [server]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 Nslookup
 is a program to query Internet domain name servers.  Nslookup
@@ -43,7 +43,7 @@ domain.
 
    
 
    
 
    
-
    ARGUMENTS
    
+
    ARGUMENTS
    
 
    
 Interactive mode is entered in the following cases:
 
    
@@ -75,7 +75,7 @@ nslookup -query=hinfo  -timeout=10
 
    
 
    
 
    
-
    INTERACTIVE COMMANDS
    
+
    INTERACTIVE COMMANDS
    
 
    
 
    host [server]
    
 
    
@@ -241,13 +241,13 @@ the lookups.  Valid keywords are:
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 /etc/resolv.conf
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 dig(1),
 host(1),
@@ -255,7 +255,7 @@ the lookups.  Valid keywords are:
 
    
 
    
 
    
-
    Author
    
+
    Author
    
 
    
 Andrew Cherenson
 
    
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index a708ed3e35..afa4de42b0 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.19.2.5 2005/10/13 02:23:28 marka Exp $
+.\" $Id: dnssec-keygen.8,v 1.19.2.6 2006/06/29 13:02:05 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dnssec\-keygen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -36,38 +39,38 @@ dnssec\-keygen \- DNSSEC key generation tool
 \fBdnssec\-keygen\fR
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a \fIalgorithm\fR
 Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
 must be one of RSAMD5 or RSA, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
 .sp
 Note that for DNSSEC, DSA is a mandatory to implement algorithm, and RSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
-.TP
+.TP 3n
 \-b \fIkeysize\fR
 Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
-.TP
+.TP 3n
 \-n \fInametype\fR
 Specifies the owner type of the key. The value of
 \fBnametype\fR
 must either be ZONE (for a DNSSEC zone key), HOST or ENTITY (for a key associated with a host), or USER (for a key associated with a user). These values are case insensitive.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
-.TP
+.TP 3n
 \-e
 If generating an RSA key, use a large exponent.
-.TP
+.TP 3n
 \-g \fIgenerator\fR
 If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBdnssec\-keygen\fR.
-.TP
+.TP 3n
 \-p \fIprotocol\fR
 Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 2 (email) for keys of type USER and 3 (DNSSEC) for all other key types. Other possible values for this argument are listed in RFC 2535 and its successors.
-.TP
+.TP 3n
 \-r \fIrandomdev\fR
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
@@ -76,15 +79,15 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-s \fIstrength\fR
 Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
-.TP
+.TP 3n
 \-t \fItype\fR
 Indicates the use of the key.
 \fBtype\fR
 must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
-.TP
+.TP 3n
 \-v \fIlevel\fR
 Sets the debugging level.
 .SH "GENERATED KEYS"
@@ -95,18 +98,20 @@ completes successfully, it prints a string of the form
 \fIKnnnn.+aaa+iiiii\fR
 to the standard output. This is an identification string for the key it has generated. These strings can be used as arguments to
 \fBdnssec\-makekeyset\fR.
-.TP 3
+.TP 3n
 \(bu
 \fInnnn\fR
 is the key name.
-.TP
+.TP 3n
 \(bu
 \fIaaa\fR
 is the numeric representation of the algorithm.
-.TP
+.TP 3n
 \(bu
 \fIiiiii\fR
 is the key identifier (or footprint).
+.sp
+.RE
 .PP
 \fBdnssec\-keygen\fR
 creates two file, with names based on the printed string.
@@ -157,3 +162,5 @@ RFC 2539.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 4abe59892f..e0b921f60e 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 dnssec-keygen
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    dnssec-keygen — DNSSEC key generation tool
    
@@ -32,7 +32,7 @@
 
    dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-g generator] [-h] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
         dnssec-keygen generates keys for DNSSEC
 	(Secure DNS), as defined in RFC 2535.  It can also generate
@@ -41,7 +41,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -133,7 +133,7 @@
 
    
 
    
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
         When dnssec-keygen completes successfully,
 	it prints a string of the form Knnnn.+aaa+iiiii
@@ -177,7 +177,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
         To generate a 768-bit DSA key for the domain
 	example.com, the following command would be
@@ -199,7 +199,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       dnssec-makekeyset(8),
       dnssec-signkey(8),
@@ -211,7 +211,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
         Internet Systems Consortium
     
    
diff --git a/bin/dnssec/dnssec-makekeyset.8 b/bin/dnssec/dnssec-makekeyset.8
index e49930077f..12e8ffda9e 100644
--- a/bin/dnssec/dnssec-makekeyset.8
+++ b/bin/dnssec/dnssec-makekeyset.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-makekeyset.8,v 1.16.2.7 2005/10/13 02:23:28 marka Exp $
+.\" $Id: dnssec-makekeyset.8,v 1.16.2.8 2006/06/29 13:02:05 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dnssec\-makekeyset
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DNSSEC\-MAKEKEYSET" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -40,28 +43,28 @@ generates a key set from one or more keys created by
 \fInnnn\fR
 is the zone name.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a
 Verify all generated signatures.
-.TP
+.TP 3n
 \-s \fIstart\-time\fR
 Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
 \fBstart\-time\fR
 is specified, the current time is used.
-.TP
+.TP 3n
 \-e \fIend\-time\fR
 Specify the date and time when the generated SIG records expire. As with
 \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
 \fBend\-time\fR
 is specified, 30 days from the start time is used as a default.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBdnssec\-makekeyset\fR.
-.TP
+.TP 3n
 \-p
 Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.TP
+.TP 3n
 \-r \fIrandomdev\fR
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
@@ -70,13 +73,13 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-t \fIttl\fR
 Specify the TTL (time to live) of the KEY and SIG records. The default is 3600 seconds.
-.TP
+.TP 3n
 \-v \fIlevel\fR
 Sets the debugging level.
-.TP
+.TP 3n
 key
 The list of keys to be included in the keyset file. These keys are expressed in the form
 \fIKnnnn.+aaa+iiiii\fR
@@ -113,3 +116,5 @@ RFC 2535.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dnssec/dnssec-makekeyset.html b/bin/dnssec/dnssec-makekeyset.html
index 974fc5617f..33e2d66e61 100644
--- a/bin/dnssec/dnssec-makekeyset.html
+++ b/bin/dnssec/dnssec-makekeyset.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 dnssec-makekeyset
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    dnssec-makekeyset — DNSSEC zone signing tool
    
@@ -32,7 +32,7 @@
 
    dnssec-makekeyset  [-a] [-s start-time] [-e end-time] [-h] [-p] [-r randomdev] [-tttl] [-v level] {key...}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
         dnssec-makekeyset generates a key set from one
 	or more keys created by dnssec-keygen.  It creates
@@ -43,7 +43,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -111,7 +111,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
         The following command generates a keyset containing the DSA key for
 	example.com generated in the
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       dnssec-keygen(8),
       dnssec-signkey(8),
@@ -144,7 +144,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
         Internet Systems Consortium
     
    
diff --git a/bin/dnssec/dnssec-signkey.8 b/bin/dnssec/dnssec-signkey.8
index 5bee564e95..146338ccd9 100644
--- a/bin/dnssec/dnssec-signkey.8
+++ b/bin/dnssec/dnssec-signkey.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signkey.8,v 1.18.2.6 2005/10/13 02:23:28 marka Exp $
+.\" $Id: dnssec-signkey.8,v 1.18.2.7 2006/06/29 13:02:05 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dnssec\-signkey
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DNSSEC\-SIGNKEY" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -40,31 +43,31 @@ signs a keyset. Typically the keyset will be for a child zone, and will have bee
 \fInnnn\fR
 is the zone name.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a
 Verify all generated signatures.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Specifies the DNS class of the key sets.
-.TP
+.TP 3n
 \-s \fIstart\-time\fR
 Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
 \fBstart\-time\fR
 is specified, the current time is used.
-.TP
+.TP 3n
 \-e \fIend\-time\fR
 Specify the date and time when the generated SIG records expire. As with
 \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
 \fBend\-time\fR
 is specified, 30 days from the start time is used as a default.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBdnssec\-signkey\fR.
-.TP
+.TP 3n
 \-p
 Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.TP
+.TP 3n
 \-r \fIrandomdev\fR
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
@@ -73,13 +76,13 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-v \fIlevel\fR
 Sets the debugging level.
-.TP
+.TP 3n
 keyset
 The file containing the child's keyset.
-.TP
+.TP 3n
 key
 The keys used to sign the child's keyset.
 .SH "EXAMPLE"
@@ -113,3 +116,5 @@ keys.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dnssec/dnssec-signkey.html b/bin/dnssec/dnssec-signkey.html
index c3c69d8baf..81be9ccb8c 100644
--- a/bin/dnssec/dnssec-signkey.html
+++ b/bin/dnssec/dnssec-signkey.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 dnssec-signkey
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    dnssec-signkey — DNSSEC key set signing tool
    
@@ -32,7 +32,7 @@
 
    dnssec-signkey  [-a] [-c class] [-s start-time] [-e end-time] [-h] [-p] [-r randomdev] [-v level] {keyset} {key...}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
         dnssec-signkey signs a keyset.  Typically
 	the keyset will be for a child zone, and will have been generated
@@ -43,7 +43,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -112,7 +112,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
         The DNS administrator for a DNSSEC-aware .com
 	zone would use the following command to sign the
@@ -131,7 +131,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       dnssec-keygen(8),
       dnssec-makekeyset(8),
@@ -139,7 +139,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
         Internet Systems Consortium
     
    
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 7cb5529030..d788ba6791 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.23.2.8 2005/10/13 02:23:28 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.23.2.9 2006/06/29 13:02:05 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dnssec\-signzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -40,40 +43,40 @@ file from the zone's parent, the parent's signatures will be incorporated into t
 \fIsignedkey\fR
 file for each child zone.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a
 Verify all generated signatures.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Specifies the DNS class of the zone.
-.TP
+.TP 3n
 \-d \fIdirectory\fR
 Look for
 \fIsignedkey\fR
 files in
 \fBdirectory\fR
 as the directory
-.TP
+.TP 3n
 \-s \fIstart\-time\fR
 Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
 \fBstart\-time\fR
 is specified, the current time is used.
-.TP
+.TP 3n
 \-e \fIend\-time\fR
 Specify the date and time when the generated SIG records expire. As with
 \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
 \fBend\-time\fR
 is specified, 30 days from the start time is used as a default.
-.TP
+.TP 3n
 \-f \fIoutput\-file\fR
 The name of the output file containing the signed zone. The default is to append
 \fI.signed\fR
 to the input file.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBdnssec\-signzone\fR.
-.TP
+.TP 3n
 \-i \fIinterval\fR
 When a previously signed zone is passed as input, records may be resigned. The
 \fBinterval\fR
@@ -86,16 +89,16 @@ or
 are specified,
 \fBdnssec\-signzone\fR
 generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing SIG records are due to expire in less than 7.5 days, they would be replaced.
-.TP
+.TP 3n
 \-n \fIncpus\fR
 Specifies the number of threads to use. By default, one thread is started for each detected CPU.
-.TP
+.TP 3n
 \-o \fIorigin\fR
 The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.TP
+.TP 3n
 \-p
 Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.TP
+.TP 3n
 \-r \fIrandomdev\fR
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
@@ -104,16 +107,16 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-t
 Print statistics at completion.
-.TP
+.TP 3n
 \-v \fIlevel\fR
 Sets the debugging level.
-.TP
+.TP 3n
 zonefile
 The file containing the zone to be signed.
-.TP
+.TP 3n
 key
 The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory.
 .SH "EXAMPLE"
@@ -146,3 +149,5 @@ RFC 2535.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 601c304a7d..803bb66037 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 dnssec-signzone
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    dnssec-signzone — DNSSEC zone signing tool
    
@@ -32,7 +32,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-s start-time] [-e end-time] [-f output-file] [-h] [-i interval] [-n nthreads] [-o origin] [-p] [-r randomdev] [-t] [-v level] {zonefile} [key...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
         dnssec-signzone signs a zone.  It generates NXT
 	and SIG records and produces a signed version of the zone.  If there
@@ -45,7 +45,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
         The following command signs the example.com
 	zone with the DSA key generated in the dnssec-keygen
@@ -186,7 +186,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       dnssec-keygen(8),
       dnssec-signkey(8),
@@ -195,7 +195,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
         Internet Systems Consortium
     
    
diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8
index 0a3c3364a8..ad8a9c5c13 100644
--- a/bin/named/lwresd.8
+++ b/bin/named/lwresd.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwresd.8,v 1.13.2.5 2005/10/13 02:23:29 marka Exp $
+.\" $Id: lwresd.8,v 1.13.2.6 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwresd
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRESD" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -57,41 +60,41 @@ entries are present, or if forwarding fails,
 \fBlwresd\fR
 resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-C \fIconfig\-file\fR
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
 \fI/etc/resolv.conf\fR.
-.TP
+.TP 3n
 \-d \fIdebug\-level\fR
 Set the daemon's debug level to
 \fIdebug\-level\fR. Debugging traces from
 \fBlwresd\fR
 become more verbose as the debug level increases.
-.TP
+.TP 3n
 \-f
 Run the server in the foreground (i.e. do not daemonize).
-.TP
+.TP 3n
 \-g
 Run the server in the foreground and force all logging to
 \fIstderr\fR.
-.TP
+.TP 3n
 \-n \fI#cpus\fR
 Create
 \fI#cpus\fR
 worker threads to take advantage of multiple CPUs. If not specified,
 \fBlwresd\fR
 will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP
+.TP 3n
 \-P \fIport\fR
 Listen for lightweight resolver queries on port
 \fIport\fR. If not specified, the default is port 921.
-.TP
+.TP 3n
 \-p \fIport\fR
 Send DNS lookups to port
 \fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
-.TP
+.TP 3n
 \-s
 Write memory usage statistics to
 \fIstdout\fR
@@ -100,7 +103,7 @@ on exit.
 .B "Note:"
 This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
 .RE
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 \fBchroot()\fR
 to
@@ -114,20 +117,20 @@ option, as chrooting a process running as root doesn't enhance security on most
 \fBchroot()\fR
 is defined allows a process with root privileges to escape a chroot jail.
 .RE
-.TP
+.TP 3n
 \-u \fIuser\fR
 \fBsetuid()\fR
 to
 \fIuser\fR
 after completing privileged operations, such as creating sockets that listen on privileged ports.
-.TP
+.TP 3n
 \-v
 Report the version number and exit.
 .SH "FILES"
-.TP
+.TP 3n
 \fI/etc/resolv.conf\fR
 The default configuration file.
-.TP
+.TP 3n
 \fI/var/run/lwresd.pid\fR
 The default process\-id file.
 .SH "SEE ALSO"
@@ -138,3 +141,5 @@ The default process\-id file.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index 4ec3db1142..ae544a279f 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwresd
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwresd — lightweight resolver daemon
    
@@ -32,7 +32,7 @@
 
    lwresd  [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 	lwresd is the daemon providing name lookup
 	services to clients that use the BIND 9 lightweight resolver
@@ -67,7 +67,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -C config-file
    
 
    
@@ -159,7 +159,7 @@
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -172,7 +172,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 	named(8),
 	lwres(3),
@@ -180,7 +180,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
 	Internet Systems Consortium
     
    
diff --git a/bin/named/named.8 b/bin/named/named.8
index 4339ddfd70..c1c87873de 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.17.2.7 2006/01/18 04:58:58 marka Exp $
+.\" $Id: named.8,v 1.17.2.8 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: named
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NAMED" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -41,7 +44,7 @@ When invoked without arguments,
 will read the default configuration file
 \fI/etc/named.conf\fR, read any initial data, and listen for queries.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-c \fIconfig\-file\fR
 Use
 \fIconfig\-file\fR
@@ -51,31 +54,31 @@ as the configuration file instead of the default,
 option in the configuration file,
 \fIconfig\-file\fR
 should be an absolute pathname.
-.TP
+.TP 3n
 \-d \fIdebug\-level\fR
 Set the daemon's debug level to
 \fIdebug\-level\fR. Debugging traces from
 \fBnamed\fR
 become more verbose as the debug level increases.
-.TP
+.TP 3n
 \-f
 Run the server in the foreground (i.e. do not daemonize).
-.TP
+.TP 3n
 \-g
 Run the server in the foreground and force all logging to
 \fIstderr\fR.
-.TP
+.TP 3n
 \-n \fI#cpus\fR
 Create
 \fI#cpus\fR
 worker threads to take advantage of multiple CPUs. If not specified,
 \fBnamed\fR
 will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP
+.TP 3n
 \-p \fIport\fR
 Listen for queries on port
 \fIport\fR. If not specified, the default is port 53.
-.TP
+.TP 3n
 \-s
 Write memory usage statistics to
 \fIstdout\fR
@@ -84,7 +87,7 @@ on exit.
 .B "Note:"
 This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
 .RE
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 \fBchroot()\fR
 to
@@ -98,7 +101,7 @@ option, as chrooting a process running as root doesn't enhance security on most
 \fBchroot()\fR
 is defined allows a process with root privileges to escape a chroot jail.
 .RE
-.TP
+.TP 3n
 \-u \fIuser\fR
 \fBsetuid()\fR
 to
@@ -117,10 +120,10 @@ option only works when
 is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
 \fBsetuid()\fR.
 .RE
-.TP
+.TP 3n
 \-v
 Report the version number and exit.
-.TP
+.TP 3n
 \-x \fIcache\-file\fR
 Load data from
 \fIcache\-file\fR
@@ -134,10 +137,10 @@ This option must not be used. It is only of interest to BIND 9 developers and ma
 In routine operation, signals should not be used to control the nameserver;
 \fBrndc\fR
 should be used instead.
-.TP
+.TP 3n
 SIGHUP
 Force a reload of the server.
-.TP
+.TP 3n
 SIGINT, SIGTERM
 Shut down the server.
 .PP
@@ -149,10 +152,10 @@ The
 configuration file is too complex to describe in detail here. A complete description is provided in the
 BIND 9 Administrator Reference Manual.
 .SH "FILES"
-.TP
+.TP 3n
 \fI/etc/named.conf\fR
 The default configuration file.
-.TP
+.TP 3n
 \fI/var/run/named.pid\fR
 The default process\-id file.
 .SH "SEE ALSO"
@@ -167,3 +170,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 8d3e2be7ef..658d5688a0 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,15 +12,18 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.1.6.8 2006/05/17 02:37:45 marka Exp $
+.\" $Id: named.conf.5,v 1.1.6.9 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "\\FINAMED.CONF\\FR" "5" "Aug 13, 2004" "BIND9" "BIND9"
+.\"     Title: \fInamed.conf\fR
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Aug 13, 2004
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "\fINAMED.CONF\fR" "5" "Aug 13, 2004" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -43,19 +46,24 @@ C++ style: // to end of line
 Unix style: # to end of line
 .SH "ACL"
 .sp
+.RS 3n
 .nf
 acl \fIstring\fR { \fIaddress_match_element\fR; ... };
 .fi
+.RE
 .SH "KEY"
 .sp
+.RS 3n
 .nf
 key \fIdomain_name\fR {
 	algorithm \fIstring\fR;
 	secret \fIstring\fR;
 };
 .fi
+.RE
 .SH "SERVER"
 .sp
+.RS 3n
 .nf
 server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
 	bogus \fIboolean\fR;
@@ -72,15 +80,19 @@ server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
 	support\-ixfr \fIboolean\fR; // obsolete
 };
 .fi
+.RE
 .SH "TRUSTED\-KEYS"
 .sp
+.RS 3n
 .nf
 trusted\-keys {
 	\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
 };
 .fi
+.RE
 .SH "CONTROLS"
 .sp
+.RS 3n
 .nf
 controls {
 	inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
@@ -90,8 +102,10 @@ controls {
 	unix \fIunsupported\fR; // not implemented
 };
 .fi
+.RE
 .SH "LOGGING"
 .sp
+.RS 3n
 .nf
 logging {
 	channel \fIstring\fR {
@@ -107,8 +121,10 @@ logging {
 	category \fIstring\fR { \fIstring\fR; ... };
 };
 .fi
+.RE
 .SH "LWRES"
 .sp
+.RS 3n
 .nf
 lwres {
 	listen\-on [ port \fIinteger\fR ] {
@@ -119,8 +135,10 @@ lwres {
 	ndots \fIinteger\fR;
 };
 .fi
+.RE
 .SH "OPTIONS"
 .sp
+.RS 3n
 .nf
 options {
 	blackhole { \fIaddress_match_element\fR; ... };
@@ -224,8 +242,10 @@ options {
 	use\-id\-pool \fIboolean\fR; // obsolete
 };
 .fi
+.RE
 .SH "VIEW"
 .sp
+.RS 3n
 .nf
 view \fIstring\fR \fIoptional_class\fR {
 	match\-clients { \fIaddress_match_element\fR; ... };
@@ -307,8 +327,10 @@ view \fIstring\fR \fIoptional_class\fR {
 	max\-ixfr\-log\-size \fIsize\fR; // obsolete
 };
 .fi
+.RE
 .SH "ZONE"
 .sp
+.RS 3n
 .nf
 zone \fIstring\fR \fIoptional_class\fR {
 	type ( master | slave | stub | hint |
@@ -362,6 +384,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 	pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete
 };
 .fi
+.RE
 .SH "FILES"
 .PP
 \fI/etc/named.conf\fR
@@ -370,3 +393,5 @@ zone \fIstring\fR \fIoptional_class\fR {
 \fBnamed\fR(8),
 \fBrndc\fR(8),
 \fBBIND 9 Adminstrators Reference Manual\fR().
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index de2f81a8c9..1151ac9dca 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,15 +13,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 named.conf
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    named.conf — configuration file for named
    
@@ -31,7 +31,7 @@
 
    named.conf 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 	named.conf is the configuration file for
 	named.  Statements are enclosed
@@ -50,14 +50,14 @@
     
    
 
    
 
    
-
    ACL
    
+
    ACL
    
 

    
 acl string { address_match_element; ... };
    
 
    
 
    
 
    
 
    
-
    KEY
    
+
    KEY
    
 

    
 key domain_name {
    
 	algorithm string;
    
@@ -66,7 +66,7 @@ key
 
    
 
    
 
    
-
    SERVER
    
+
    SERVER
    
 

    
 server ( ipv4_address | ipv6_address ) {
    
 	bogus boolean;
    
@@ -86,7 +86,7 @@ server
 
    
 
    
 
    
-
    TRUSTED-KEYS
    
+
    TRUSTED-KEYS
    
 

    
 trusted-keys {
    
 	domain_name flags protocol algorithm key; ... 
    
@@ -94,7 +94,7 @@ trusted-keys
 
    
 
    
 
    
-
    CONTROLS
    
+
    CONTROLS
    
 

    
 controls {
    
 	inet ( ipv4_address | ipv6_address | * )
    
@@ -106,7 +106,7 @@ controls
 
    
 
    
 
    
-
    LOGGING
    
+
    LOGGING
    
 

    
 logging {
    
 	channel string {
    
@@ -124,7 +124,7 @@ logging
 
    
 
    
 
    
-
    LWRES
    
+
    LWRES
    
 

    
 lwres {
    
 	listen-on [ port integer ] {
    
@@ -137,7 +137,7 @@ lwres
 
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 

    
 options {
    
 	blackhole { address_match_element; ... };
    
@@ -251,7 +251,7 @@ options
 
    
 
    
 
    
-
    VIEW
    
+
    VIEW
    
 

    
 view string optional_class {
    
 	match-clients { address_match_element; ... };
    
@@ -348,7 +348,7 @@ view
 
    
 
    
 
    
-
    ZONE
    
+
    ZONE
    
 

    
 zone string optional_class {
    
 	type ( master | slave | stub | hint |
    
@@ -413,13 +413,13 @@ zone
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 /etc/named.conf
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 named(8),
 rndc(8),
diff --git a/bin/named/named.html b/bin/named/named.html
index e7da8cdf47..1fe72b0690 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 named
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    named — Internet domain name server
    
@@ -32,7 +32,7 @@
 
    named  [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 	named is a Domain Name System (DNS) server,
 	part of the BIND 9 distribution from ISC.  For more
@@ -46,7 +46,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -c config-file
    
 
    
@@ -165,7 +165,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
 	In routine operation, signals should not be used to control
 	the nameserver; rndc should be used
@@ -186,7 +186,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
 	The named configuration file is too complex
 	to describe in detail here.  A complete description is
@@ -195,7 +195,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -208,7 +208,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 	RFC 1033,
 	RFC 1034,
@@ -220,7 +220,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
 	Internet Systems Consortium
     
    
diff --git a/bin/nsupdate/nsupdate.8 b/bin/nsupdate/nsupdate.8
index 5e4a2b07cf..8f686d68e9 100644
--- a/bin/nsupdate/nsupdate.8
+++ b/bin/nsupdate/nsupdate.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.8,v 1.24.2.7 2005/10/13 02:23:31 marka Exp $
+.\" $Id: nsupdate.8,v 1.24.2.8 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: nsupdate
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -30,7 +33,7 @@
 nsupdate \- Dynamic DNS update utility
 .SH "SYNOPSIS"
 .HP 9
-\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-v\fR] [filename]
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
@@ -79,7 +82,8 @@ reads the shared secret from the file
 must also be present. When the
 \fB\-y\fR
 option is used, a signature is generated from
-\fIkeyname:secret.\fR\fIkeyname\fR
+\fIkeyname:secret.\fR
+\fIkeyname\fR
 is the name of the key, and
 \fIsecret\fR
 is the base64 encoded shared secret. Use of the
@@ -107,7 +111,7 @@ Every update request consists of zero or more prerequisites and zero or more upd
 command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.
 .PP
 The command formats and their meaning are as follows:
-.TP
+.TP 3n
 .HP 7 \fBserver\fR {servername} [port]
 Sends all dynamic update requests to the name server
 \fIservername\fR. When no server statement is provided,
@@ -117,7 +121,7 @@ will send updates to the master server of the correct zone. The MNAME field of t
 is the port number on
 \fIservername\fR
 where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
-.TP
+.TP 3n
 .HP 6 \fBlocal\fR {address} [port]
 Sends all dynamic update requests using the local
 \fIaddress\fR. When no local statement is provided,
@@ -125,7 +129,7 @@ Sends all dynamic update requests using the local
 will send updates using an address and port chosen by the system.
 \fIport\fR
 can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.
-.TP
+.TP 3n
 .HP 5 \fBzone\fR {zonename}
 Specifies that all updates are to be made to the zone
 \fIzonename\fR. If no
@@ -133,32 +137,33 @@ Specifies that all updates are to be made to the zone
 statement is provided,
 \fBnsupdate\fR
 will attempt determine the correct zone to update based on the rest of the input.
-.TP
+.TP 3n
 .HP 6 \fBclass\fR {classname}
 Specify the default class. If no
 \fIclass\fR
 is specified the default class is
 \fIIN\fR.
-.TP
+.TP 3n
 .HP 4 \fBkey\fR {name} {secret}
 Specifies that all updates are to be TSIG signed using the
-\fIkeyname\fR\fIkeysecret\fR
+\fIkeyname\fR
+\fIkeysecret\fR
 pair. The
 \fBkey\fR
 command overrides any key specified on the command line via
 \fB\-y\fR
 or
 \fB\-k\fR.
-.TP
+.TP 3n
 .HP 16 \fBprereq nxdomain\fR {domain\-name}
 Requires that no resource record of any type exists with name
 \fIdomain\-name\fR.
-.TP
+.TP 3n
 .HP 16 \fBprereq yxdomain\fR {domain\-name}
 Requires that
 \fIdomain\-name\fR
 exists (has as at least one resource record, of any type).
-.TP
+.TP 3n
 .HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type}
 Requires that no resource record exists of the specified
 \fItype\fR,
@@ -167,7 +172,7 @@ and
 \fIdomain\-name\fR. If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.TP
+.TP 3n
 .HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type}
 This requires that a resource record of the specified
 \fItype\fR,
@@ -177,7 +182,7 @@ and
 must exist. If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.TP
+.TP 3n
 .HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...}
 The
 \fIdata\fR
@@ -191,7 +196,7 @@ are combined to form a set of RRs. This set of RRs must exactly match the set of
 \fIdomain\-name\fR. The
 \fIdata\fR
 are written in the standard text representation of the resource record's RDATA.
-.TP
+.TP 3n
 .HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]]
 Deletes any resource records named
 \fIdomain\-name\fR. If
@@ -203,17 +208,17 @@ is provided, only matching resource records will be removed. The internet class
 is not supplied. The
 \fIttl\fR
 is ignored, and is only allowed for compatibility.
-.TP
+.TP 3n
 .HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...}
 Adds a new resource record with the specified
 \fIttl\fR,
 \fIclass\fR
 and
 \fIdata\fR.
-.TP
+.TP 3n
 .HP 5 \fBshow\fR
 Displays the current message, containing all of the prerequisites and updates specified since the last send.
-.TP
+.TP 3n
 .HP 5 \fBsend\fR
 Sends the current message. This is equivalent to entering a blank line.
 .PP
@@ -227,12 +232,14 @@ could be used to insert and delete resource records from the
 zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
 \fBexample.com\fR.
 .sp
+.RS 3n
 .nf
 # nsupdate
 > update delete oldhost.example.com A
 > update add newhost.example.com 86400 A 172.16.1.1
 > send
 .fi
+.RE
 .sp
 .PP
 Any A records for
@@ -241,25 +248,27 @@ are deleted. and an A record for
 \fBnewhost.example.com\fR
 it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds)
 .sp
+.RS 3n
 .nf
 # nsupdate
 > prereq nxdomain nickname.example.com
 > update add nickname.example.com 86400 CNAME somehost.example.com
 > send
 .fi
+.RE
 .sp
 .PP
 The prerequisite condition gets the name server to check that there are no resource records of any type for
 \fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have SIG, KEY and NXT records.)
 .SH "FILES"
-.TP
+.TP 3n
 \fB/etc/resolv.conf\fR
 used to identify default name server
-.TP
+.TP 3n
 \fBK{name}.+157.+{random}.key\fR
 base\-64 encoding of HMAC\-MD5 key created by
 \fBdnssec\-keygen\fR(8).
-.TP
+.TP 3n
 \fBK{name}.+157.+{random}.private\fR
 base\-64 encoding of HMAC\-MD5 key created by
 \fBdnssec\-keygen\fR(8).
@@ -276,3 +285,5 @@ base\-64 encoding of HMAC\-MD5 key created by
 .SH "BUGS"
 .PP
 The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index eda6375ecc..7d5c7b5818 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 nsupdate
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    nsupdate — Dynamic DNS update utility
    
@@ -32,7 +32,7 @@
 
    nsupdate  [-d] [[-y keyname:secret] |  [-k keyfile]] [-v] [filename]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 nsupdate
 is used to submit Dynamic DNS Update requests as defined in RFC2136
@@ -141,7 +141,7 @@ This may be preferable when a batch of update requests is made.
 
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    
 nsupdate
 reads input from
@@ -298,7 +298,7 @@ are written in the standard text representation of the resource record's
 RDATA.
 
    
 
    
-
    update delete  {domain-name} [ttl] [class] [type  [data...]]
    
+
    update delete  {domain-name} [ttl] [class] [type [data...]]
    
 
    
 
    
 Deletes any resource records named
@@ -345,7 +345,7 @@ Lines beginning with a semicolon are comments and are ignored.
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
 The examples below show how
 nsupdate
@@ -398,7 +398,7 @@ SIG, KEY and NXT records.)
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -417,7 +417,7 @@ base-64 encoding of HMAC-MD5 key created by
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 RFC2136,
 RFC3007,
@@ -430,7 +430,7 @@ base-64 encoding of HMAC-MD5 key created by
 
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
 The TSIG key is redundantly stored in two separate files.
 This is a consequence of nsupdate using the DST library
diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8
index df441a69e1..36eb4ae3aa 100644
--- a/bin/rndc/rndc-confgen.8
+++ b/bin/rndc/rndc-confgen.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc-confgen.8,v 1.3.2.11 2005/10/13 02:23:32 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.3.2.12 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: rndc\-confgen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Aug 27, 2001
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -53,7 +56,7 @@ file and a
 \fBcontrols\fR
 statement altogether.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a
 Do automatic
 \fBrndc\fR
@@ -85,30 +88,30 @@ to be used as drop\-in replacements for BIND 8 and
 \fBndc\fR, with no changes to the existing BIND 8
 \fInamed.conf\fR
 file.
-.TP
+.TP 3n
 \-b \fIkeysize\fR
 Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
-.TP
+.TP 3n
 \-c \fIkeyfile\fR
 Used with the
 \fB\-a\fR
 option to specify an alternate location for
 \fIrndc.key\fR.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBrndc\-confgen\fR.
-.TP
+.TP 3n
 \-k \fIkeyname\fR
 Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
 \fBrndc\-key\fR.
-.TP
+.TP 3n
 \-p \fIport\fR
 Specifies the command channel port where
 \fBnamed\fR
 listens for connections from
 \fBrndc\fR. The default is 953.
-.TP
+.TP 3n
 \-r \fIrandomfile\fR
 Specifies a source of random data for generating the authorization. If the operating system does not provide a
 \fI/dev/random\fR
@@ -117,13 +120,13 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-s \fIaddress\fR
 Specifies the IP address where
 \fBnamed\fR
 listens for command channel connections from
 \fBrndc\fR. The default is the loopback address 127.0.0.1.
-.TP
+.TP 3n
 \-t \fIchrootdir\fR
 Used with the
 \fB\-a\fR
@@ -133,7 +136,7 @@ will run chrooted. An additional copy of the
 \fIrndc.key\fR
 will be written relative to this directory so that it will be found by the chrooted
 \fBnamed\fR.
-.TP
+.TP 3n
 \-u \fIuser\fR
 Used with the
 \fB\-a\fR
@@ -169,3 +172,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
index efab84a527..cd2def237d 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/rndc/rndc-confgen.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 rndc-confgen
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    rndc-confgen — rndc key generation tool
    
@@ -32,7 +32,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
         rndc-confgen generates configuration files
 	for rndc.  It can be used as a
@@ -48,7 +48,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -57,7 +57,7 @@
 	      This creates a file rndc.key
 	      in /etc (or whatever
               sysconfdir
-	      was specified as when BIND was built)
+	      was specified as when BIND was built)
               that is read by both rndc
               and named on startup.  The
 	      rndc.key file defines a default
@@ -137,7 +137,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
         To allow rndc to be used with
 	no manual configuration, run
@@ -156,7 +156,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       rndc(8),
       rndc.conf(5),
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
         Internet Systems Consortium
     
    
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index 22602a35b3..15063aff2b 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.8,v 1.24.2.5 2005/10/13 02:23:31 marka Exp $
+.\" $Id: rndc.8,v 1.24.2.6 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: rndc
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "RNDC" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -50,13 +53,13 @@ named the only supported authentication algorithm is HMAC\-MD5, which uses a sha
 \fBrndc\fR
 reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-c \fIconfig\-file\fR
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
 \fI/etc/rndc.conf\fR.
-.TP
+.TP 3n
 \-k \fIkey\-file\fR
 Use
 \fIkey\-file\fR
@@ -66,20 +69,20 @@ as the key file instead of the default,
 will be used to authenticate commands sent to the server if the
 \fIconfig\-file\fR
 does not exist.
-.TP
+.TP 3n
 \-s \fIserver\fR
 \fIserver\fR
 is the name or address of the server which matches a server statement in the configuration file for
 \fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the option statement of the configuration file will be used.
-.TP
+.TP 3n
 \-p \fIport\fR
 Send commands to TCP port
 \fIport\fR
 instead of BIND 9's default control channel port, 953.
-.TP
+.TP 3n
 \-V
 Enable verbose logging.
-.TP
+.TP 3n
 \-y \fIkeyid\fR
 Use the key
 \fIkeyid\fR
@@ -111,8 +114,11 @@ Several error messages could be clearer.
 .PP
 \fBrndc.conf\fR(5),
 \fBnamed\fR(8),
-\fBnamed.conf\fR(5)\fBndc\fR(8),
+\fBnamed.conf\fR(5)
+\fBndc\fR(8),
 BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index 4586899bef..0120fc91b0 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -13,15 +13,18 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.conf.5,v 1.21.2.5 2005/10/13 02:23:32 marka Exp $
+.\" $Id: rndc.conf.5,v 1.21.2.6 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "\\FIRNDC.CONF\\FR" "5" "June 30, 2000" "BIND9" "BIND9"
+.\"     Title: \fIrndc.conf\fR
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "\fIRNDC.CONF\fR" "5" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -98,6 +101,7 @@ program, also known as
 does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
 .SH "EXAMPLE"
 .sp
+.RS 3n
 .nf
     options {
         default\-server  localhost;
@@ -111,6 +115,7 @@ does not ship with BIND 9 but is available on many systems. See the EXAMPLE sect
         secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
       };
 .fi
+.RE
 .PP
 In the above example,
 \fBrndc\fR
@@ -152,3 +157,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index d2b3a8a693..59ca71c303 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 rndc.conf
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    rndc.conf — rndc configuration file
    
@@ -32,7 +32,7 @@
 
    rndc.conf 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
         rndc.conf is the configuration file
 	for rndc, the BIND 9 name server control
@@ -105,7 +105,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
         options {
         default-server  localhost;
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
         The name server must be configured to accept rndc connections and
 	to recognize the key specified in the rndc.conf
@@ -161,7 +161,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       rndc(8),
       rndc-confgen(8),
@@ -170,7 +170,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
         Internet Systems Consortium
     
    
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 0591bb5321..10673e2de2 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 rndc
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    rndc — name server control utility
    
@@ -32,7 +32,7 @@
 
    rndc  [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
         rndc controls the operation of a name
 	server.  It supersedes the ndc utility
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -c config-file
    
 
    
@@ -123,7 +123,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    
         rndc does not yet support all the commands of
 	the BIND 8 ndc utility.
@@ -137,7 +137,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       rndc.conf(5),
       named(8),
@@ -147,7 +147,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    
         Internet Systems Consortium
     
    
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 1491b85975..7c248b753a 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 1. Introduction 
-
+
 
 
 
@@ -45,51 +45,51 @@
 
    
 
    Table of Contents
    
 
    
-
    Scope of Document
    
-
    Organization of This Document
    
-
    Conventions Used in This Document
    
-
    The Domain Name System (DNS)
    
+
    Scope of Document
    
+
    Organization of This Document
    
+
    Conventions Used in This Document
    
+
    The Domain Name System (DNS)
    
 
    
-
    DNS Fundamentals
    
-
    Domains and Domain Names
    
-
    Zones
    
-
    Authoritative Name Servers
    
-
    Caching Name Servers
    
-
    Name Servers in Multiple Roles
    
+
    DNS Fundamentals
    
+
    Domains and Domain Names
    
+
    Zones
    
+
    Authoritative Name Servers
    
+
    Caching Name Servers
    
+
    Name Servers in Multiple Roles
    
 
    
 
    
 
    
-
    The Internet Domain Name System (DNS) consists of the syntax
+
    The Internet Domain Name System (DNS) consists of the syntax
   to specify the names of entities in the Internet in a hierarchical
   manner, the rules used for delegating authority over names, and the
   system implementation that actually maps names to Internet
-  addresses.  DNS data is maintained in a group of distributed
+  addresses.  DNS data is maintained in a group of distributed
   hierarchical databases.
    
 
    
 
    
-Scope of Document
    
-
    The Berkeley Internet Name Domain (BIND) implements an
+Scope of Document
    
+
    The Berkeley Internet Name Domain (BIND) implements an
     domain name server for a number of operating systems. This
     document provides basic information about the installation and
-    care of the Internet Software Consortium (ISC)
-    BIND version 9 software package for system
+    care of the Internet Software Consortium (ISC)
+    BIND version 9 software package for system
     administrators.
    
 
    This version of the manual corresponds to BIND version 9.2.
    
 
    
 
    
 
    
-Organization of This Document
    
+Organization of This Document
    
 
    In this document, Section 1 introduces
-    the basic DNS and BIND concepts. Section 2
-    describes resource requirements for running BIND in various
+    the basic DNS and BIND concepts. Section 2
+    describes resource requirements for running BIND in various
     environments. Information in Section 3 is
     task-oriented in its presentation and is
     organized functionally, to aid in the process of installing the
-    BIND 9 software. The task-oriented section is followed by
+    BIND 9 software. The task-oriented section is followed by
     Section 4, which contains more advanced
     concepts that the system administrator may need for implementing
     certain options. Section 5
-    describes the BIND 9 lightweight
+    describes the BIND 9 lightweight
     resolver.  The contents of Section 6 are
     organized as in a reference manual to aid in the ongoing
     maintenance of the software. Section 7
@@ -98,12 +98,12 @@
     main body of the document is followed by several
     Appendices which contain useful reference
     information, such as a Bibliography and
-    historic information related to BIND and the Domain Name
+    historic information related to BIND and the Domain Name
     System.
    
 
    
 
    
 
    
-Conventions Used in This Document
    
+Conventions Used in This Document
    
 
    In this document, we use the following general typographic
     conventions:
    
 
    
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    
 
    range
    		
 
    This can be one of two forms: start-stop
-or start-stop/step. If the first form is used then step is set to
+or start-stop/step. If the first form is used, then step is set to
         1. All of start, stop and step must be positive.
    		
 
    
 
    
 
    lhs
    		
 
 
    lhs describes the
-owner name of the resource records to be created.      Any single $ symbols
+owner name of the resource records to be created. Any single
+$ (dollar sign) symbols
 within the lhs side are replaced by the iterator
 value.
 To get a $ in the output you need to escape the $
@@ -3477,14 +3478,14 @@ by modifiers which change the offset from the interator, field width and base.
 Modifiers are introduced by a { immediately following the
 $ as ${offset[,width[,base]]}.
 For example, ${-20,3,d} which subtracts 20 from the current value,
-prints the result as a decimal in a zero padded field of width 3.  Available
+prints the result as a decimal in a zero-padded field of width 3.  Available
 output forms are decimal (d), octal (o)
 and hexadecimal (x or X for uppercase).
 The default modifier is ${0,0,d}.
 If the lhs is not
 absolute, the current $ORIGIN is appended to
 the name.
    
-
    For compatibility with earlier versions $$ is still
+
    For compatibility with earlier versions, $$ is still
 recognised as indicating a literal $ in the output.
    
     		
 
    
 
 
 
 
 
 
 
    
@@ -140,7 +140,7 @@ input
    
 
 
    
 
    The following conventions are used in descriptions of the
-BIND configuration file:
    
+BIND configuration file:
    
 
    @@ -169,15 +169,15 @@ describe:
    
 
    
-The Domain Name System (DNS)
    
+The Domain Name System (DNS)
    The purpose of this document is to explain the installation
-and upkeep of the BIND software package, and we
+and upkeep of the BIND software package, and we
 begin by reviewing the fundamentals of the Domain Name System
-(DNS) as they relate to BIND.
+(DNS) as they relate to BIND.
 
    
 
    
-DNS Fundamentals
    
+DNS Fundamentals
    The Domain Name System (DNS) is the hierarchical, distributed
 database.  It stores information for mapping Internet host names to IP
 addresses and vice versa, mail routing information, and other data
@@ -185,12 +185,12 @@ used by Internet applications.
    Clients look up information in the DNS by calling a
 resolver library, which sends queries to one or
 more name servers and interprets the responses.
-The BIND 9 software distribution contains both a 
+The BIND 9 software distribution contains both a 
 name server and a resolver library.
    
 
    
-Domains and Domain Names
    
+Domains and Domain Names
    The data stored in the DNS is identified by domain
 names that are organized as a tree according to
 organizational or administrative boundaries. Each node of the tree,
@@ -218,7 +218,7 @@ server, which answers queries about the zone using the
 DNS protocol.
 
    The data associated with each domain name is stored in the
-form of resource records (RRs).
+form of resource records (RRs).
 Some of the supported resource record types are described in
 the section called “Types of Resource Records and When to Use Them”.
    For more detailed information about the design of the DNS and
@@ -227,12 +227,12 @@ the DNS protocol, please refer to the standards documents listed in
 
 
    
 
    
-Zones
    
+Zones
    To properly operate a name server, it is important to understand
 the difference between a zone
 and a domain.
    As we stated previously, a zone is a point of delegation in
-the DNS tree. A zone consists of
+the DNS tree. A zone consists of
 those contiguous parts of the domain
 tree for which a name server has complete information and over which
 it has authority. It contains all domain names from a certain point
@@ -250,7 +250,7 @@ only delegations for the aaa.example.com and
 bbb.example.com zones.  A zone can map
 exactly to a single domain, but could also include only part of a
 domain, the rest of which could be delegated to other
-name servers. Every name in the DNS tree is a
+name servers. Every name in the DNS tree is a
 domain, even if it is
 terminal, that is, has no
 subdomains.  Every subdomain is a domain and
@@ -258,7 +258,7 @@ every domain except the root is also a subdomain. The terminology is
 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
 gain a complete understanding of this difficult and subtle
 topic.
    
-
    Though BIND is called a "domain name server",
+
    Though BIND is called a "domain name server",
 it deals primarily in terms of zones. The master and slave
 declarations in the named.conf file specify
 zones, not domains. When you ask some other site if it is willing to
@@ -267,7 +267,7 @@ actually asking for slave service for some collection of zones.
    
 
    
-Authoritative Name Servers
    
+Authoritative Name Servers
    Each zone is served by at least
 one authoritative name server,
 which contains the complete data for the zone.
@@ -280,7 +280,7 @@ easy to identify when debugging DNS configurations using tools like
 dig (the section called “Diagnostic Tools”).
    
 
    
-The Primary Master
    
+The Primary Master
    
 The authoritative server where the master copy of the zone data is maintained is
 called the primary master server, or simply the
@@ -291,7 +291,7 @@ the zone file or <
 
 
    
 
    
-Slave Servers
    
+Slave Servers
    The other authoritative servers, the slave
 servers (also known as secondary servers) load
 the zone contents from another server using a replication process
@@ -302,7 +302,7 @@ may itself act as a master to a subordinate slave server.
    
 
    
-Stealth Servers
    
+Stealth Servers
    Usually all of the zone's authoritative servers are listed in 
 NS records in the parent zone.  These NS records constitute
 a delegation of the zone from the parent.
@@ -327,7 +327,7 @@ with the outside world.
    
 
    
-Caching Name Servers
    
+Caching Name Servers
    The resolver libraries provided by most operating systems are 
 stub resolvers, meaning that they are not capable of
 performing the full DNS resolution process by themselves by talking
@@ -346,7 +346,7 @@ Time To Live (TTL) field associated with each resource record.
 
    
 
    
-Forwarding
    
+Forwarding
    Even a caching name server does not necessarily perform
 the complete recursive lookup itself.  Instead, it can
 forward some or all of the queries
@@ -358,9 +358,9 @@ and they are queried in turn until the list is exhausted or an answer
 is found. Forwarders are typically used when you do not
 wish all the servers at a given site to interact directly with the rest of
 the Internet servers. A typical scenario would involve a number
-of internal DNS servers and an Internet firewall. Servers unable
+of internal DNS servers and an Internet firewall. Servers unable
 to pass packets through the firewall would forward to the server
-that can do it, and that server would query the Internet DNS servers
+that can do it, and that server would query the Internet DNS servers
 on the internal server's behalf. An added benefit of using the forwarding
 feature is that the central machine develops a much more complete
 cache of information that all the clients can take advantage
@@ -369,8 +369,8 @@ of.
    
 
    
-Name Servers in Multiple Roles
    
-
    The BIND name server can simultaneously act as
+Name Servers in Multiple Roles
    
+
    The BIND name server can simultaneously act as
 a master for some zones, a slave for other zones, and as a caching
 (recursive) server for a set of local clients.
    However, since the functions of authoritative name service
@@ -402,7 +402,7 @@ be placed inside a firewall.
    
-
+
    
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    
 BIND 9 Administrator Reference Manual 
 Home Chapter 2. BIND Resource Requirements Chapter 2. BIND Resource Requirements
 
    
 
    
 
    
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 5123206ada..65d8a03b77 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 2. BIND Resource Requirements
-
+
 
 
 
@@ -28,7 +28,7 @@
 
 
    
 
-
+
@@ -41,44 +41,44 @@
 
    
 
    
-Chapter 2. BIND Resource Requirements
    
+Chapter 2. BIND Resource Requirements
    
 
    Table of Contents
    
 
    
-
    Hardware requirements
    
-
    CPU Requirements
    
-
    Memory Requirements
    
-
    Nameserver Intensive Environment Issues
    
-
    Supported Operating Systems
    
+
    Hardware requirements
    
+
    CPU Requirements
    
+
    Memory Requirements
    
+
    Nameserver Intensive Environment Issues
    
+
    Supported Operating Systems
    
 
    
 
    
 
    
-Hardware requirements
    
-
    DNS hardware requirements have traditionally been quite modest.
+Hardware requirements
    
+
    DNS hardware requirements have traditionally been quite modest.
 For many installations, servers that have been pensioned off from
-active duty have performed admirably as DNS servers.
    
-
    The DNSSEC and IPv6 features of BIND 9 may prove to be quite
+active duty have performed admirably as DNS servers.
    
+
    The DNSSEC and IPv6 features of BIND 9 may prove to be quite
 CPU intensive however, so organizations that make heavy use of these
 features may wish to consider larger systems for these applications.
-BIND 9 is now fully multithreaded, allowing full utilization of
+BIND 9 is now fully multithreaded, allowing full utilization of
 multiprocessor systems for installations that need it.
    
 
    
-CPU Requirements
    
-
    CPU requirements for BIND 9 range from i486-class machines
+CPU Requirements
    
+
    CPU requirements for BIND 9 range from i486-class machines
 for serving of static zones without caching, to enterprise-class
 machines if you intend to process many dynamic updates and DNSSEC
 signed zones, serving many thousands of queries per second.
    
 
    
-Memory Requirements
    
+Memory Requirements
    The memory of the server has to be large enough to fit the
 cache and zones loaded off disk.  The max-cache-size
 option can be used to limit the amount of memory used by the cache,
-at the expense of reducing cache hit rates and causing more DNS
+at the expense of reducing cache hit rates and causing more DNS
 traffic. It is still good practice to have enough memory to load
 all zone and cache data into memory — unfortunately, the best way
 to determine this for a given installation is to watch the nameserver
@@ -89,7 +89,7 @@ be set higher than this stable size.
    
 
    
-Nameserver Intensive Environment Issues
    
+Nameserver Intensive Environment Issues
    For nameserver intensive environments, there are two alternative
 configurations that may be used. The first is where clients and
 any second-level internal nameservers query a main nameserver, which
@@ -103,8 +103,8 @@ as none of the nameservers share their cached data.
    
 
    
-Supported Operating Systems
    
-
    ISC BIND 9 compiles and runs on the following operating
+Supported Operating Systems
    
+
    ISC BIND 9 compiles and runs on the following operating
 systems:
    
@@ -67,7 +67,7 @@ option setting.
    Sample Configurations
    
 
    
-A Caching-only Nameserver
    
+A Caching-only Nameserver
    The following sample configuration is appropriate for a caching-only
 name server for use by clients internal to a corporation.  All queries
 from outside clients are refused.
    
@@ -91,7 +91,7 @@ zone "0.0.127.in-addr.arpa" {
 
    
 
    
-An Authoritative-only Nameserver
    
+An Authoritative-only Nameserver
    This sample configuration is for an authoritative-only server
 that is the master server for "example.com"
 and a slave for the subdomain "eng.example.com".
    
@@ -133,8 +133,8 @@ zone "eng.example.com" {
 
    
 
    
-Load Balancing
    
-
    Primitive load balancing can be achieved in DNS using multiple
+Load Balancing
    
+
    Primitive load balancing can be achieved in DNS using multiple
 A records for one name.
    For example, if you have three WWW servers with network addresses
 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
@@ -179,7 +179,7 @@ of the time:
    Chapter 2. BIND Resource Requirements
    Chapter 2. BIND Resource Requirements
    
 
    
 
 Prev 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    
     
 
    
-
    When a resolver queries for these records, BIND will rotate
+
    When a resolver queries for these records, BIND will rotate
     them and respond to the query with the records in a different
     order.  In the example above, clients will randomly receive
     records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
@@ -189,18 +189,18 @@ of the time:
    
     options statement, see
     RRset Ordering.
     This substatement is not supported in
-    BIND 9, and only the ordering scheme described above is
+    BIND 9, and only the ordering scheme described above is
     available.
    
 
 
    
 
    
 Notify
    
-
    DNS Notify is a mechanism that allows master nameservers to
+
    DNS Notify is a mechanism that allows master nameservers to
     notify their slave servers of changes to a zone's data. In
     response to a NOTIFY from a master server, the
     slave will check to see that its version of the zone is the
     current version and, if not, initiate a transfer.
    
-
    DNS
+
    DNS
     Notify is fully documented in RFC 1996. See also the description
     of the zone option also-notify, see
     the section called “Zone Transfers”. For more information about
@@ -208,10 +208,10 @@ of the time:
    
 
    
 
    
 
    
-Nameserver Operations
    
+Nameserver Operations
    
 
    
 
    
-Tools for Use With the Nameserver Daemon
    
+Tools for Use With the Nameserver Daemon
    
 
    There are several indispensable diagnostic, administrative
 and monitoring tools available to the system administrator for controlling
 and debugging the nameserver daemon. We describe several in this
@@ -237,7 +237,7 @@ options, see the dig man page.
    
 
    host
    
 
    
 
    The host utility
-provides a simple DNS lookup using a command-line interface for
+provides a simple DNS lookup using a command-line interface for
 looking up Internet hostnames. By default, the utility converts
 between host names and Internet addresses, but its functionality
 can be extended with the use of options.
    
@@ -253,7 +253,7 @@ and non-interactive. Interactive mode allows the user to query nameservers
 for information about various hosts and domains or to print a list
 of hosts in a domain. Non-interactive mode is used to print just
 the name and requested information for a host or domain.
    
-
    nslookup  [-option...] [[host-to-find] |  [-  [server]]]
    
+
    nslookup  [-option...] [[host-to-find] |  [- [server]]]
    
 
    Interactive mode is entered when no arguments are given (the
 default nameserver will be used) or when the first argument is a
 hyphen (`-') and the second argument is the host name or Internet address
@@ -353,7 +353,7 @@ Note that the number of zones includes the internal ./IN hint zone if there is not an
 explicit root zone configured.
    
 
-
    In BIND 9.2, rndc
+
    In BIND 9.2, rndc
 supports all the commands of the BIND 8 ndc
 utility except ndc start, which was also
 not supported in ndc's channel mode.
    
@@ -369,7 +369,7 @@ option.  If the configuration file is not found,
 rndc will also look in
 /etc/rndc.key (or whatever
 sysconfdir was defined when
-the BIND build was configured).
+the BIND build was configured).
 The rndc.key file is generated by
 running rndc-confgen -a as described in
 the section called “controls Statement Definition and Usage”.
    
@@ -451,7 +451,7 @@ a rndc.key file and not modify
 
 
    
 
    
-Signals
    
+Signals
    
 
    Certain UNIX signals cause the name server to take specific
 actions, as described in the following table.  These signals can
 be sent using the kill command.
    
@@ -492,7 +492,7 @@ reload the database. 
    
 
 
 
-Chapter 2. BIND Resource Requirements 
+Chapter 2. BIND Resource Requirements 
 Home
  Chapter 4. Advanced Concepts
 
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index bb05a6237f..aa02f75b95 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 4. Advanced Concepts
-
+
 
 
 
@@ -48,30 +48,30 @@
 
    Dynamic Update
    
 
    The journal file
    
 
    Incremental Zone Transfers (IXFR)
    
-
    Split DNS
    
+
    Split DNS
    
 
    TSIG
    
 
    
-
    Generate Shared Keys for Each Pair of Hosts
    
-
    Copying the Shared Secret to Both Machines
    
-
    Informing the Servers of the Key's Existence
    
-
    Instructing the Server to Use the Key
    
-
    TSIG Key Based Access Control
    
-
    Errors
    
+
    Generate Shared Keys for Each Pair of Hosts
    
+
    Copying the Shared Secret to Both Machines
    
+
    Informing the Servers of the Key's Existence
    
+
    Instructing the Server to Use the Key
    
+
    TSIG Key Based Access Control
    
+
    Errors
    
 
    
-
    TKEY
    
-
    SIG(0)
    
+
    TKEY
    
+
    SIG(0)
    
 
    DNSSEC
    
 
    
-
    Generating Keys
    
-
    Creating a Keyset
    
-
    Signing the Child's Keyset
    
-
    Signing the Zone
    
-
    Configuring Servers
    
+
    Generating Keys
    
+
    Creating a Keyset
    
+
    Signing the Child's Keyset
    
+
    Signing the Zone
    
+
    Configuring Servers
    
 
    
-
    IPv6 Support in BIND 9
    
+
    IPv6 Support in BIND 9
    
 
    
-
    Address Lookups Using AAAA Records
    
-
    Address to Name Lookups Using Nibble Format
    
+
    Address Lookups Using AAAA Records
    
+
    Address to Name Lookups Using Nibble Format
    
 
    
 
 
@@ -137,20 +137,20 @@
     slave servers to transfer only changed data, instead of having to
     transfer the entire zone. The IXFR protocol is documented in RFC
     1995. See Proposed Standards.
    
-
    When acting as a master, BIND 9 supports IXFR for those zones
+
    When acting as a master, BIND 9 supports IXFR for those zones
 where the necessary change history information is available. These
 include master zones maintained by dynamic update and slave zones
 whose data was obtained by IXFR, but not manually maintained master
 zones nor slave zones obtained by performing a full zone transfer
 (AXFR).
    
-
    When acting as a slave, BIND 9 will attempt to use IXFR unless
+
    When acting as a slave, BIND 9 will attempt to use IXFR unless
 it is explicitly disabled. For more information about disabling
 IXFR, see the description of the request-ixfr clause
 of the server statement.
    
 
 
    
 
    
-Split DNS
    
+Split DNS
    
 
    Setting up different views, or visibility, of DNS space to
 internal and external resolvers is usually referred to as a Split
 DNS setup. There are several reasons an organization
@@ -336,13 +336,13 @@ nameserver 172.16.72.4
 
    
 TSIG
    
 
    This is a short guide to setting up Transaction SIGnatures
-(TSIG) based transaction security in BIND. It describes changes
+(TSIG) based transaction security in BIND. It describes changes
 to the configuration file as well as what changes are required for
 different features, including the process of creating transaction
-keys and using transaction signatures with BIND.
    
-
    BIND primarily supports TSIG for server to server communication.
+keys and using transaction signatures with BIND.
    
+
    BIND primarily supports TSIG for server to server communication.
 This includes zone transfer, notify, and recursive query messages.
-Resolvers based on newer versions of BIND 8 have limited support
+Resolvers based on newer versions of BIND 8 have limited support
 for TSIG.
    
 
    TSIG might be most useful for dynamic update. A primary
     server for a dynamic zone should use access control to control
@@ -352,13 +352,13 @@ for TSIG.
    
     -y command line options.
    
 
    
 
    
-Generate Shared Keys for Each Pair of Hosts
    
+Generate Shared Keys for Each Pair of Hosts
    
 
    A shared secret is generated to be shared between host1 and host2.
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.
    
 
    
 
    
-Automatic Generation
    
+Automatic Generation
    
 
    The following command will generate a 128-bit (16 byte) HMAC-MD5
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is 512 bits;
@@ -375,7 +375,7 @@ be used as the shared secret.
    
 
 
    
 
    
-Manual Generation
    
+Manual Generation
    
 
    The shared secret is simply a random sequence of bits, encoded
 in base-64. Most ASCII strings are valid base-64 strings (assuming
 the length is a multiple of 4 and only valid characters are used),
@@ -386,13 +386,13 @@ a similar program to generate base-64 encoded data.
    
 
 
    
 
    
-Copying the Shared Secret to Both Machines
    
+Copying the Shared Secret to Both Machines
    
 
    This is beyond the scope of DNS. A secure transport mechanism
 should be used. This could be secure FTP, ssh, telephone, etc.
    
 
 
    
 
    
-Informing the Servers of the Key's Existence
    
+Informing the Servers of the Key's Existence
    
 
    Imagine host1 and host 2 are
 both servers. The following is added to each server's named.conf file:
    
 
    @@ -401,7 +401,7 @@ key host1-host2. {
   secret "La/E5CjG9O+os1jq0a2jdA==";
 };
 
    
-
    The algorithm, hmac-md5, is the only one supported by BIND.
+
    The algorithm, hmac-md5, is the only one supported by BIND.
 The secret is the one generated above. Since this is a secret, it
 is recommended that either named.conf be non-world
 readable, or the key directive be added to a non-world readable
@@ -413,7 +413,7 @@ the same key.
    
 
 
    
 
    
-Instructing the Server to Use the Key
    
+Instructing the Server to Use the Key
    
 
    Since keys are shared between two hosts only, the server must
 be told when keys are to be used. The following is added to the named.conf file
 for host1, if the IP address of host2 is
@@ -436,8 +436,8 @@ sign request messages to host1.
    
 
 
    
 
    
-TSIG Key Based Access Control
    
-
    BIND allows IP addresses and ranges to be specified in ACL
+TSIG Key Based Access Control
    
+
    BIND allows IP addresses and ranges to be specified in ACL
 definitions and
 allow-{ query | transfer | update } directives.
 This has been extended to allow TSIG keys also. The above key would
@@ -454,7 +454,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Errors
    
+Errors
    
 
    The processing of TSIG signed messages can result in
       several errors. If a signed message is sent to a non-TSIG
       aware server, a FORMERR (format error) will be returned, since
@@ -477,11 +477,11 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-TKEY
    
+TKEY
    
 
    TKEY is a mechanism for automatically
     generating a shared secret between two hosts.  There are several
     "modes" of TKEY that specify how the key is
-    generated or assigned.  BIND implements only one of these modes,
+    generated or assigned.  BIND implements only one of these modes,
     the Diffie-Hellman key exchange.  Both hosts are required to have
     a Diffie-Hellman KEY record (although this record is not required
     to be present in a zone).  The TKEY process
@@ -503,8 +503,8 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-SIG(0)
    
-
    BIND 9 partially supports DNSSEC SIG(0) transaction
+SIG(0)
    
+
    BIND 9 partially supports DNSSEC SIG(0) transaction
     signatures as specified in RFC 2535.  SIG(0) uses public/private
     keys to authenticate messages.  Access control is performed in the
     same manner as TSIG keys; privileges can be granted or denied
@@ -514,7 +514,7 @@ allow-update { key host1-host2. ;};
     will not attempt to locate and / or validate the key.
    
 
    SIG(0) signing of multiple-message TCP streams is not
     supported.
    
-
    BIND 9 does not ship with any tools that generate SIG(0)
+
    BIND 9 does not ship with any tools that generate SIG(0)
     signed messages.
    
 
 
    
@@ -525,7 +525,7 @@ allow-update { key host1-host2. ;};
     defined in RFC 2535. This section describes the creation and use
     of DNSSEC signed zones.
    
 
    In order to set up a DNSSEC secure zone, there are a series
-    of steps which must be followed.  BIND 9 ships
+    of steps which must be followed.  BIND 9 ships
     with several tools
     that are used in this process, which are explained in more detail
     below.  In all cases, the "-h" option prints a
@@ -542,7 +542,7 @@ allow-update { key host1-host2. ;};
     zone key of another zone above this one in the DNS tree.
    
 
    
 
    
-Generating Keys
    
+Generating Keys
    
 
    The dnssec-keygen program is used to
       generate keys.
    
 
    A secure zone must contain one or more zone keys.  The
@@ -575,7 +575,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Creating a Keyset
    
+Creating a Keyset
    
 
    The dnssec-makekeyset program is used
       to create a key set from one or more keys.
    
 
    Once the zone keys have been generated, a key set must be
@@ -603,7 +603,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Signing the Child's Keyset
    
+Signing the Child's Keyset
    
 
    The dnssec-signkey program is used to
       sign one child's keyset.
    
 
    If the child.example zone has any
@@ -623,7 +623,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Signing the Zone
    
+Signing the Zone
    
 
    The dnssec-signzone program is used to
       sign a zone.
    
 
    Any signedkey files corresponding to
@@ -646,9 +646,9 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Configuring Servers
    
-
    Unlike in BIND 8, 
-data is not verified on load in BIND 9,
+Configuring Servers
    
+
    Unlike in BIND 8, 
+data is not verified on load in BIND 9,
 so zone keys for authoritative zones do not need to be specified
 in the configuration file.
    
 
    The public key for any security root must be present in
@@ -658,12 +658,12 @@ statement, as described later in this document. 
    
 
 
    
 
    
-IPv6 Support in BIND 9
    
-
    BIND 9 fully supports all currently
+IPv6 Support in BIND 9
    
+
    BIND 9 fully supports all currently
     defined forms of IPv6 name to address and address to name
     lookups.  It will also use IPv6 addresses to make queries when
     running on an IPv6 capable system.
    
-
    For forward lookups, BIND 9 supports
+
    For forward lookups, BIND 9 supports
     both A6 and AAAA records.  The use of A6 records has been moved
     to experimental (RFC 3363) and should be treated as deprecated.
    
 
    The use of "bitstring" labels for IPv6 has been moved to
@@ -671,16 +671,16 @@ statement, as described later in this document. 
    
     suffix for the IPv6 reverse lookups has also changed from
     IP6.INT to IP6.ARPA (RFC
     3152).
    
-
    BIND 9 now defaults to nibble
+
    BIND 9 now defaults to nibble
     IP6.ARPA format lookups.
    
-
    BIND 9 includes a new lightweight resolver library and
+
    BIND 9 includes a new lightweight resolver library and
     resolver daemon which new applications may choose to use to avoid
-    the complexities of A6 chain following and bitstring labels, see Chapter 5, The BIND 9 Lightweight Resolver.
    
+    the complexities of A6 chain following and bitstring labels, see Chapter 5, The BIND 9 Lightweight Resolver.
    
 
    For an overview of the format and structure of IPv6 addresses,
     see the section called “IPv6 addresses (A6)”.
    
 
    
 
    
-Address Lookups Using AAAA Records
    
+Address Lookups Using AAAA Records
    
 
    The AAAA record is a parallel to the IPv4 A record.  It
       specifies the entire address in a single record.  For
       example,
    
@@ -691,7 +691,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 
    
 
    
-Address to Name Lookups Using Nibble Format
    
+Address to Name Lookups Using Nibble Format
    
 
    When looking up an address in nibble format, the address
       components are simply reversed, just as in IPv4, and
       IP6.ARPA. is appended to the resulting name.
@@ -718,7 +718,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 Chapter 3. Nameserver Configuration 
 Home
- Chapter 5. The BIND 9 Lightweight Resolver
+ Chapter 5. The BIND 9 Lightweight Resolver
 
 
 
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index bb83157f47..89f0efcd78 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 5. The BIND 9 Lightweight Resolver
-
+
 
 
 
@@ -28,7 +28,7 @@
 
 
    
 
-
+
@@ -41,17 +41,17 @@
 
    
 
    
-Chapter 5. The BIND 9 Lightweight Resolver
    
+Chapter 5. The BIND 9 Lightweight Resolver
    
 
    Table of Contents
    
 
    
-
    The Lightweight Resolver Library
    
+
    The Lightweight Resolver Library
    
 
    Running a Resolver Daemon
    
 
    
 
    
 
    
-The Lightweight Resolver Library
    
+The Lightweight Resolver Library
    Traditionally applications have been linked with a stub resolver
 library that sends recursive DNS queries to a local caching name
 server.
    
@@ -59,7 +59,7 @@ server.
    
 such as following A6 chains and DNAME records, and simultaneous
 lookup of IPv4 and IPv6 addresses.  These are hard or impossible
 to implement in a traditional stub resolver.
    
-
    Instead, BIND 9 provides resolution services to local clients
+
    Instead, BIND 9 provides resolution services to local clients
 using a combination of a lightweight resolver library and a resolver
 daemon process running on the local host.  These communicate using
 a simple UDP-based protocol, the "lightweight resolver protocol"
@@ -109,7 +109,7 @@ be configured to act as a lightweight resolver daemon using the
 
    
-
+
    Chapter 5. The BIND 9 Lightweight Resolver
    Chapter 5. The BIND 9 Lightweight Resolver
    
 
    
 
 Prev 
 
 
 
 
    
 Chapter 4. Advanced Concepts 
 Home Chapter 6. BIND 9 Configuration Reference Chapter 6. BIND 9 Configuration Reference
 
    
 
    
 
    
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index f2189dfaf0..814694a3a6 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 6. BIND 9 Configuration Reference
-
+
 
 
 
@@ -28,7 +28,7 @@
 
 
    
 
-
+
@@ -41,67 +41,67 @@
 
    
 
    
-Chapter 6. BIND 9 Configuration Reference
    
+Chapter 6. BIND 9 Configuration Reference
    
 
    Table of Contents
    
 
    
 
    Configuration File Elements
    
 
    
 
    Address Match Lists
    
-
    Comment Syntax
    
+
    Comment Syntax
    
 
    
 
    Configuration File Grammar
    
 
    
-
    acl Statement Grammar
    
+
    acl Statement Grammar
    
 
    acl Statement Definition and
 Usage
    
-
    controls Statement Grammar
    
+
    controls Statement Grammar
    
 
    controls Statement Definition and Usage
    
-
    include Statement Grammar
    
-
    include Statement Definition and Usage
    
-
    key Statement Grammar
    
-
    key Statement Definition and Usage
    
-
    logging Statement Grammar
    
-
    logging Statement Definition and Usage
    
-
    lwres Statement Grammar
    
-
    lwres Statement Definition and Usage
    
-
    options Statement Grammar
    
-
    options Statement Definition and Usage
    
+
    include Statement Grammar
    
+
    include Statement Definition and Usage
    
+
    key Statement Grammar
    
+
    key Statement Definition and Usage
    
+
    logging Statement Grammar
    
+
    logging Statement Definition and Usage
    
+
    lwres Statement Grammar
    
+
    lwres Statement Definition and Usage
    
+
    options Statement Grammar
    
+
    options Statement Definition and Usage
    
 
    server Statement Grammar
    
 
    server Statement Definition and Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
 and Usage
    
-
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Grammar
    
+
    view Statement Definition and Usage
    
 
    zone
 Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
    
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    
 
    
 
    
-
    BIND 9 configuration is broadly similar to BIND 8.x; however,
-there are a few new areas of configuration, such as views. BIND
-8.x configuration files should work with few alterations in BIND
+
    BIND 9 configuration is broadly similar to BIND 8.x; however,
+there are a few new areas of configuration, such as views. BIND
+8.x configuration files should work with few alterations in BIND
 9, although more complex configurations should be reviewed to check
 if they can be more efficiently implemented using the new features
-found in BIND 9.
    
-
    BIND 4 configuration files can be converted to the new format
+found in BIND 9.
    
+
    BIND 4 configuration files can be converted to the new format
 using the shell script
 contrib/named-bootconf/named-bootconf.sh.
    
 
    
 Configuration File Elements
    
-
    Following is a list of elements used throughout the BIND configuration
+
    Following is a list of elements used throughout the BIND configuration
 file documentation:
    
 
    Chapter 6. BIND 9 Configuration Reference
    Chapter 6. BIND 9 Configuration Reference
    
 
    
 
 Prev 
 
 
 
    @@ -224,7 +224,7 @@ are restricted to slave and stub zones.
    Address Match Lists
    
 
    
-Syntax
    
+Syntax
    address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -233,7 +233,7 @@ are restricted to slave and stub zones.
    
 
 
    
 
    
-Definition and Usage
    
+Definition and Usage
    
 
    Address match lists are primarily used to determine access
 control for various server operations. They are also used to define
 priorities for querying other nameservers and to set the addresses
@@ -288,29 +288,29 @@ other 1.2.3.* hosts fall through.
    
 
 
    
 
    
-Comment Syntax
    
-
    The BIND 9 comment syntax allows for comments to appear
-      anywhere that white space may appear in a BIND configuration
+Comment Syntax
    
+
    The BIND 9 comment syntax allows for comments to appear
+      anywhere that white space may appear in a BIND configuration
       file. To appeal to programmers of all kinds, they can be written
       in C, C++, or shell/perl constructs.
    
 
    
 
    
-Syntax
    
-
    /* This is a BIND comment as in C */
    
+Syntax
    
+
    /* This is a BIND comment as in C */
    
 
    
 
    
-
    // This is a BIND comment as in C++
    
+
    // This is a BIND comment as in C++
    
 
    
 
    
-
    # This is a BIND comment as in common UNIX shells and perl
    
+
    # This is a BIND comment as in common UNIX shells and perl
    
 
    
       
    
 
 
    
 
    
-Definition and Usage
    
+Definition and Usage
    
 
    Comments may appear anywhere that white space may appear in
-a BIND configuration file.
    
+a BIND configuration file.
    
 
    C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
 delimited with these characters, they can be used to comment only
@@ -352,7 +352,7 @@ physical line, as in C++ comments.
    
 
    
 
    
 Configuration File Grammar
    
-
    A BIND 9 configuration consists of statements and comments.
+
    A BIND 9 configuration consists of statements and comments.
     Statements end with a semicolon. Statements and comments are the
     only elements that can appear without enclosing braces. Many
     statements contain a block of substatements, which are also
@@ -417,7 +417,7 @@ a per-server basis.
    
     configuration.
    
 
    
 
    
-acl Statement Grammar
    
+acl Statement Grammar
    
 
    acl acl-name { 
     address_match_list 
 };
@@ -470,7 +470,7 @@ complete set of local IPv6 addresses for a host.
 
 
    
 
    
-controls Statement Grammar
    
+controls Statement Grammar
    
 
    controls {
    inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys {  key_list  };
@@ -526,17 +526,17 @@ is present but does not have a keysnamed will attempt to load the command channel key
 from the file rndc.key in
 /etc (or whatever sysconfdir
-was specified as when BIND was built).
+was specified as when BIND was built).
 To create a rndc.key file, run
 rndc-confgen -a.
 
    
 
    The rndc.key feature was created to
-      ease the transition of systems from BIND 8,
+      ease the transition of systems from BIND 8,
       which did not have digital signatures on its command channel messages
       and thus did not have a keys clause.
 
-It makes it possible to use an existing BIND 8
-configuration file in BIND 9 unchanged,
+It makes it possible to use an existing BIND 8
+configuration file in BIND 9 unchanged,
 and still have rndc work the same way
 ndc worked in BIND 8, simply by executing the
 command rndc-confgen -a after BIND 9 is
@@ -545,7 +545,7 @@ installed.
 
    
       Since the rndc.key feature
       is only intended to allow the backward-compatible usage of
-      BIND 8 configuration files, this feature does not
+      BIND 8 configuration files, this feature does not
       have a high degree of configurability.  You cannot easily change
       the key name or the size of the secret, so you should make a
       rndc.conf with your own key if you wish to change
@@ -556,11 +556,11 @@ installed.
       rndc commands, then you need to create a
       rndc.conf file and make it group readable by a group
       that contains the users who should have access.
    
-
    The UNIX control channel type of BIND 8 is not supported
-      in BIND 9.0, BIND 9.1,
-      BIND 9.2 and BIND 9.3.
+
    The UNIX control channel type of BIND 8 is not supported
+      in BIND 9.0, BIND 9.1,
+      BIND 9.2 and BIND 9.3.
       If it is present in the controls statement from a
-      BIND 8 configuration file, it is ignored
+      BIND 8 configuration file, it is ignored
       and a warning is logged.
    
 
    
 To disable the command channel, use an empty controls
@@ -569,12 +569,12 @@ statement: controls { };.
 
 
    
 
    
-include Statement Grammar
    
+include Statement Grammar
    
 
    include filename;
    
 
 
    
 
    
-include Statement Definition and Usage
    
+include Statement Definition and Usage
    
 
    The include statement inserts the
       specified file at the point that the include
       statement is encountered. The include
@@ -585,7 +585,7 @@ statement: controls { };.
 
 
    
 
    
-key Statement Grammar
    
+key Statement Grammar
    
 
    key key_id {
     algorithm string;
     secret string;
@@ -594,7 +594,7 @@ statement: controls { };.
 
 
    
 
    
-key Statement Definition and Usage
    
+key Statement Definition and Usage
    
 
    The key statement defines a shared
 secret key for use with TSIG, see the section called “TSIG”.
    
 
    
@@ -622,7 +622,7 @@ string.
    
 
 
    
 
    
-logging Statement Grammar
    
+logging Statement Grammar
    
 
    logging {
    [ channel channel_name {
      ( file path name
@@ -646,7 +646,7 @@ string.
    
 
 
    
 
    
-logging Statement Definition and Usage
    
+logging Statement Definition and Usage
    
 
    The logging statement configures a wide
 variety of logging options for the nameserver. Its channel phrase
 associates output methods, format options and severity levels with
@@ -660,8 +660,8 @@ the logging configuration will be:
    
      category "default" { "default_syslog"; "default_debug"; };
 };
 
    
-
    In BIND 9, the logging configuration is only established when
-the entire configuration file has been parsed.  In BIND 8, it was
+
    In BIND 9, the logging configuration is only established when
+the entire configuration file has been parsed.  In BIND 8, it was
 established as soon as the logging statement
 was parsed. When the server is starting up, all logging messages
 regarding syntax errors in the configuration file go to the default
@@ -669,7 +669,7 @@ channels, or to standard error if the "-g" option
 was specified.
    
 
    
 
    
-The channel Phrase
    
+The channel Phrase
    
 
    All log output goes to one or more channels;
 you can make as many of them as you want.
    
 
    Every channel definition must include a destination clause that
@@ -861,7 +861,7 @@ category "notify" { "null"; };
 
    
 
    Following are the available categories and brief descriptions
 of the types of log information they contain. More
-categories may be added in future BIND releases.
    
+categories may be added in future BIND releases.
    
 
    
 

 
 
 
    @@ -964,7 +964,7 @@ a delegation-only in a hint or stu
 
    
 
    
-lwres Statement Grammar
    
+lwres Statement Grammar
     This is the grammar of the lwres
 statement in the named.conf file:
    lwres {
@@ -977,7 +977,7 @@ statement in the named.conf file:
    
 
 
    
 
    
-lwres Statement Definition and Usage
    
+lwres Statement Definition and Usage
    
 
    The lwres statement configures the name
 server to also act as a light-weight resolver daemon. (See
 the section called “Running a Resolver Daemon”.)  There may be be multiple
@@ -1005,7 +1005,7 @@ exact match lookup before search path elements are appended.
    
 
 
    
 
    
-options Statement Grammar
    
+options Statement Grammar
    
 
    This is the grammar of the options
 statement in the named.conf file:
    
 
    options {
@@ -1103,9 +1103,9 @@ statement in the named.conf file:
    
 
 
    
 
    
-options Statement Definition and Usage
    
+options Statement Definition and Usage
    
 
    The options statement sets up global options
-to be used by BIND. This statement may appear only
+to be used by BIND. This statement may appear only
 once in a configuration file. If more than one occurrence is found,
 the first occurrence determines the actual options used, and a warning
 will be generated.  If there is no options
@@ -1127,9 +1127,9 @@ to `.', the directory from which the server
 was started. The directory specified should be an absolute path.
    
 
    named-xfer
    
 
    This option is obsolete.
-It was used in BIND 8 to
+It was used in BIND 8 to
 specify the pathname to the named-xfer program.
-In BIND 9, no separate named-xfer program is
+In BIND 9, no separate named-xfer program is
 needed; its functionality is built into the name server.
    
 
    tkey-domain
    
 
    The domain appended to the names of all
@@ -1160,7 +1160,7 @@ usage statistics to on exit. If not specified,
 the default is named.memstats.
    
 
    
 
    Note
    
-
    Not yet implemented in BIND 9.
    
+
    Not yet implemented in BIND 9.
    
 
    
 
    
 
    pid-file
    
@@ -1218,11 +1218,11 @@ options {
 
    If yes, then the AA bit
 is always set on NXDOMAIN responses, even if the server is not actually
 authoritative. The default is no; this is
-a change from BIND 8. If you are using very old DNS software, you
+a change from BIND 8. If you are using very old DNS software, you
 may need to set it to yes.
    
 
    deallocate-on-exit
    
-
    This option was used in BIND 8 to enable checking
-for memory leaks on exit. BIND 9 ignores the option and always performs
+
    This option was used in BIND 8 to enable checking
+for memory leaks on exit. BIND 9 ignores the option and always performs
 the checks.
    
 
    dialup
    
 
    
@@ -1258,9 +1258,9 @@ when the heartbeat-interval expire
 processing.
    
 
    
 
    fake-iquery
    
-
    In BIND 8, this option was used to
+
    In BIND 8, this option was used to
 enable simulating the obsolete DNS query type
-IQUERY. BIND 9 never does IQUERY simulation.
+IQUERY. BIND 9 never does IQUERY simulation.
 
    
 
    fetch-glue
    
 
    This option is obsolete.
@@ -1271,7 +1271,7 @@ data section of a response.  This is now considered a bad idea
 and BIND 9 never does it.
    
 
    has-old-clients
    
 
    This option was incorrectly implemented
-in BIND 8, and is ignored by BIND 9.
+in BIND 8, and is ignored by BIND 9.
 To achieve the intended effect
 of
 has-old-clients yes, specify
@@ -1285,8 +1285,8 @@ Not implemented in BIND 9.
 
    
 
    maintain-ixfr-base
    
 
    This option is obsolete.
- It was used in BIND 8 to determine whether a transaction log was
-kept for Incremental Zone Transfer. BIND 9 maintains a transaction
+ It was used in BIND 8 to determine whether a transaction log was
+kept for Incremental Zone Transfer. BIND 9 maintains a transaction
 log whenever possible.  If you need to disable outgoing incremental zone
 transfers, use provide-ixfr no.
 
    
@@ -1298,9 +1298,9 @@ negative responses).  This may improve the performance of the server.
 The default is no.
 
    
 
    multiple-cnames
    
-
    This option was used in BIND 8 to allow
+
    This option was used in BIND 8 to allow
 a domain name to allow multiple CNAME records in violation of the
-DNS standards.  BIND 9.2 always strictly
+DNS standards.  BIND 9.2 always strictly
 enforces the CNAME rules both in master files and dynamic updates.
 
    
 
    notify
    
@@ -1344,12 +1344,12 @@ cause the server to send NS records along with the SOA record for negative
 answers. The default is no.
    
 
    
 
    Note
    
-
    Not yet implemented in BIND 9.
    
+
    Not yet implemented in BIND 9.
    
 
    
 
 
    use-id-pool
    
 
    This option is obsolete.
-BIND 9 always allocates query IDs from a pool.
+BIND 9 always allocates query IDs from a pool.
 
    
 
    zone-statistics
    
 
    If yes, the server will, by default, collect
@@ -1377,11 +1377,11 @@ See the description of
 the section called “server Statement Definition and Usage”.
 
    
 
    treat-cr-as-space
    
-
    This option was used in BIND 8 to make
+
    This option was used in BIND 8 to make
 the server treat carriage return ("\r") characters the same way
 as a space or tab character,
 to facilitate loading of zone files on a UNIX system that were generated
-on an NT or DOS machine. In BIND 9, both UNIX "\n"
+on an NT or DOS machine. In BIND 9, both UNIX "\n"
 and NT/DOS "\r\n" newlines are always accepted,
 and the option is ignored.
    
 
    
@@ -1454,7 +1454,7 @@ The use of this option for any other purpose is discouraged.
 
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    The forwarding facility can be used to create a large site-wide
 cache on a few servers, reducing traffic over links to external
 nameservers. It can also be used to allow queries by servers that
@@ -1531,7 +1531,7 @@ from these addresses will not be responded to. The default is 
 
    
-Interfaces
    
+Interfaces
 
    The interfaces and ports that the server will answer queries
 from may be specified using the listen-on option. listen-on takes
 an optional port, and an address_match_list.
@@ -1573,7 +1573,7 @@ the server will not listen on any IPv6 address.
    
 
 
    
 
    
-Query Address
    
+Query Address
    
 
    If the server doesn't know the answer to a question, it will
 query other nameservers. query-source specifies
 the address and port used for such queries. For queries sent over
@@ -1608,7 +1608,7 @@ unprivileged port.
    
 
    
 
    
 Zone Transfers
    
-
    BIND has mechanisms in place to facilitate zone transfers
+
    BIND has mechanisms in place to facilitate zone transfers
 and set limits on the amount of load that transfers place on the
 system. The following options apply to zone transfers.
    
 
    
@@ -1668,8 +1668,8 @@ resource record transferred.
 many-answers packs as many resource records as
 possible into a message. many-answers is more
 efficient, but is only supported by relatively new slave servers,
-such as BIND 9, BIND 8.x and patched
-versions of BIND 4.9.5. The many-answers
+such as BIND 9, BIND 8.x and patched
+versions of BIND 4.9.5. The many-answers
 format is also supported by recent Microsoft Windows nameservers. The default is
 many-answers. transfer-format
 may be overridden on a per-server basis by using the
@@ -1736,7 +1736,7 @@ but applies to notify messages sent to IPv6 addresses.
    
 
    
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    The server's usage of many system resources can be limited.
 Scaled values are allowed when specifying resource limits.  For
 example, 1G can be used instead of
@@ -1780,7 +1780,7 @@ may use. The default is default.
    
 
 
    
 
    
-Server  Resource Limits
    
+Server  Resource Limits
    
 
    The following options set limits on the server's
 resource consumption that are enforced internally by the
 server rather than the operating system.
    
@@ -1813,7 +1813,7 @@ records are purged from the cache only when their TTLs expire.
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    The server will remove expired resource records
@@ -1840,7 +1840,7 @@ every statistics-interval minutes.
 60. If set to 0, no statistics will be logged.
    
 
    
 
    Note
    
-
    Not yet implemented in BIND9.
    
+
    Not yet implemented in BIND9.
    
 
    
 
    
 
    
@@ -1875,7 +1875,7 @@ is preferred least of all.
    
 
    
 
    Note
    
 
    The topology option
-is not implemented in BIND 9.
+is not implemented in BIND 9.
 
    
 
    
 
@@ -1944,7 +1944,7 @@ their directly connected networks.
    
 };
    
 
    The following example will give reasonable behavior for the
 local host and hosts on directly connected networks. It is similar
-to the behavior of the address sort in BIND 4.9.x. Responses sent
+to the behavior of the address sort in BIND 4.9.x. Responses sent
 to queries from the local host will favor any of the directly connected
 networks. Responses sent to queries from any other hosts on a directly
 connected network will prefer addresses on that same network. Responses
@@ -2009,7 +2009,7 @@ they are not combined — the last one applies.
    
 
    
 
    Note
    
 
    The rrset-order statement
-is not yet implemented in BIND 9.
+is not yet implemented in BIND 9.
 BIND 9 currently supports only a "random-cyclic" ordering,
 where the server randomly chooses a starting point within
 the RRset and returns the records in order starting at
@@ -2086,7 +2086,7 @@ is required for a request for the root servers to be accepted. The default
 is 2.
    
 
    
 
    Note
    
-
    Not yet implemented in BIND9.
    
+
    Not yet implemented in BIND9.
    
 
    
 
 
    sig-validity-interval
    
@@ -2119,9 +2119,9 @@ and clamp the SOA refresh and retry times to the specified values.
 
    
 
    
 The Statistics File
    
-
    The statistics file generated by BIND 9
+
    The statistics file generated by BIND 9
 is similar, but not identical, to that
-generated by BIND 8.
+generated by BIND 8.
 
    
 
    The statistics dump begins with a line, like:
    
 
    
@@ -2255,8 +2255,8 @@ default is yes.
    
 
    The server supports two zone transfer methods. The first, one-answer,
 uses one DNS message per resource record transferred. many-answers packs
 as many resource records as possible into a message. many-answers is
-more efficient, but is only known to be understood by BIND 9, BIND
-8.x, and patched versions of BIND 4.9.5. You can specify which method
+more efficient, but is only known to be understood by BIND 9, BIND
+8.x, and patched versions of BIND 4.9.5. You can specify which method
 to use for a server with the transfer-format option.
 If transfer-format is not specified, the transfer-format specified
 by the options statement will be used.
    
@@ -2278,7 +2278,7 @@ supported.
    
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -2287,7 +2287,7 @@ supported.
    
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
 and Usage
    
 
    The trusted-keys statement defines DNSSEC
 security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the public key for a non-authoritative
@@ -2303,7 +2303,7 @@ key data.
    
 
    
 
    
 
    
-view Statement Grammar
    
+view Statement Grammar
    
 
    view view_name [class] {
       match-clients { address_match_list } ;
       match-destinations { address_match_list } ;
@@ -2316,9 +2316,9 @@ key data.
    
 
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    The view statement is a powerful new feature
-of BIND 9 that lets a name server answer a DNS query differently
+of BIND 9 that lets a name server answer a DNS query differently
 depending on who is asking. It is particularly useful for implementing
 split DNS setups without having to run multiple servers.
    
 
    Each view statement defines a view of the
@@ -2499,10 +2499,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 
 

 
 
 
    @@ -2543,7 +2543,7 @@ behave very slowly if you put 100K files into a single directory.)
    
 
    A stub zone is similar to a slave zone,
 except that it replicates only the NS records of a master zone instead
 of the entire zone. Stub zones are not a standard part of the DNS;
-they are a feature specific to the BIND implementation.
+they are a feature specific to the BIND implementation.
 
    
 
 
    Stub zones can be used to eliminate the need for glue NS record
@@ -2551,12 +2551,12 @@ in a parent zone at the expense of maintaining a stub zone entry and
 a set of name server addresses in named.conf.
 This usage is not recommended for new configurations, and BIND 9
 supports it only in a limited way.
-In BIND 4/8, zone transfers of a parent zone
+In BIND 4/8, zone transfers of a parent zone
 included the NS records from stub children of that zone. This meant
 that, in some cases, users could get away with configuring child stubs
-only in the master server for the parent zone. BIND
+only in the master server for the parent zone. BIND
 9 never mixes together zone data from different zones in this
-way. Therefore, if a BIND 9 master serving a parent
+way. Therefore, if a BIND 9 master serving a parent
 zone has child stub zones configured, all the slave servers for the
 parent zone also need to have the same child stub zones
 configured.
    
@@ -2613,7 +2613,7 @@ from forwarders.
    
 
 
    
 
    
-Class
    
+Class
    
 
    The zone's name may optionally be followed by a class. If
 a class is not specified, class IN (for Internet),
 is assumed. This is correct for the vast majority of cases.
    
@@ -2628,7 +2628,7 @@ in the mid-1970s. Zone data for it can be specified with the 
 
    
-Zone Options
    
+Zone Options
 
    
 
    allow-notify
    
 
    See the description of
@@ -2713,14 +2713,14 @@ allow a normal lookup to be tried.
    
 If it is not specified in a zone of type forward,
 no forwarding is done for the zone and the global options are not used.
    
 
    ixfr-base
    
-
    Was used in BIND 8 to specify the name
+
    Was used in BIND 8 to specify the name
 of the transaction log (journal) file for dynamic update and IXFR.
-BIND 9 ignores the option and constructs the name of the journal
+BIND 9 ignores the option and constructs the name of the journal
 file by appending ".jnl" to the name of the
 zone file.
    
 
    ixfr-tmp-file
    
-
    Was an undocumented option in BIND 8.
-Ignored in BIND 9.
    
+
    Was an undocumented option in BIND 8.
+Ignored in BIND 9.
    
 
    max-transfer-time-in
    
 
    See the description of
 max-transfer-time-in in the section called “Zone Transfers”.
    
@@ -2737,9 +2737,9 @@ Ignored in BIND 9.
    
 
    See the description of
 notify in the section called “Boolean Options”.
    
 
    pubkey
    
-
    In BIND 8, this option was intended for specifying
+
    In BIND 8, this option was intended for specifying
 a public zone key for verification of signatures in DNSSEC signed
-zones when they are loaded from disk. BIND 9 does not verify signatures
+zones when they are loaded from disk. BIND 9 does not verify signatures
 on loading and ignores the option.
    
 
    zone-statistics
    
 
    If yes, the server will keep statistical
@@ -2775,14 +2775,14 @@ See the description in the sect
 
    
 
    
 Dynamic Update Policies
    
-
    BIND 9 supports two alternative methods of granting clients
+
    BIND 9 supports two alternative methods of granting clients
 the right to perform dynamic updates to a zone, 
 configured by the allow-update and
 update-policy option, respectively.
    
 
    The allow-update clause works the same
-way as in previous versions of BIND. It grants given clients the
+way as in previous versions of BIND. It grants given clients the
 permission to update any record of any name in the zone.
    
-
    The update-policy clause is new in BIND
+
    The update-policy clause is new in BIND
 9 and allows more fine-grained control over what updates are allowed.
 A set of rules is specified, where each rule either grants or denies
 permissions for one or more names to be updated by one or more identities.
@@ -2844,7 +2844,7 @@ SIG, NS, SOA, and NXT. Types may be specified by name, including
 
    
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -2854,7 +2854,7 @@ Since the publication of RFC 1034, several new RRs have been identified
 and implemented in the DNS. These are also included.
    
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    A domain name identifies a node.  Each node has a set of
         resource information, which may be empty.  The set of resource
         information associated with a particular name is composed of
@@ -3129,7 +3129,7 @@ used as "pointers" to other data in the DNS.
    
 
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    RRs are represented in binary form in the packets of the DNS
 protocol, and are usually represented in highly encoded form when
 stored in a nameserver or resolver.  In the examples provided in
@@ -3219,7 +3219,7 @@ each of a different class.
    
 
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    As described above, domain servers store information as a
 series of resource records, each of which contains a particular
 piece of information about a given domain name (which is usually,
@@ -3336,7 +3336,7 @@ can be explicitly specified, for example, 1h30m. 
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    Reverse name resolution (that is, translation from IP address
 to name) is achieved by means of the in-addr.arpa domain
 and PTR records. Entries in the in-addr.arpa domain are made in
@@ -3374,7 +3374,7 @@ that the example is relative to the listed origin.
    
 
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    The Master File Format was initially defined in RFC 1035 and
 has subsequently been extended. While the Master File Format itself
 is class independent all records in a Master File must be of the same
@@ -3383,7 +3383,7 @@ class.
    
 and $TTL.
    
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    Syntax: $ORIGIN
 domain-name [ comment]
    
 
    $ORIGIN sets the domain name that will
@@ -3398,7 +3398,7 @@ WWW     CNAME   MAIN-SERVER
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    Syntax: $INCLUDE
 filename [
 origin ] [ comment ]
    
@@ -3422,7 +3422,7 @@ This could be construed as a deviation from RFC 1035, a feature, or both.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    Syntax: $TTL
 default-ttl [
 comment ]
    
@@ -3433,7 +3433,7 @@ with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.
    
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    .
+BIND Master File Extension: the  $GENERATE Directive
    .
         
    Syntax: $GENERATE range lhs type rhs [ comment ]
    
 
    $GENERATE is used to create a series of
 resource records that only differ from each other by an iterator. $GENERATE can
@@ -3501,7 +3501,7 @@ similarly to lhs.
    
 
 
 
    
 
 

    
-
    The $GENERATE directive is a BIND extension
+
    The $GENERATE directive is a BIND extension
 and not part of the standard zone file format.
    
 
 
@@ -3517,9 +3517,9 @@ and not part of the standard zone file format.
    
 
 
 
-Chapter 5. The BIND 9 Lightweight Resolver 
+Chapter 5. The BIND 9 Lightweight Resolver 
 Home
- Chapter 7. BIND 9 Security Considerations
+ Chapter 7. BIND 9 Security Considerations
 
 
 
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index c18a340a8a..c5a3b29ef5 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 7. BIND 9 Security Considerations
-
+
 
 
 
@@ -28,7 +28,7 @@
 
 
    
 
-
+
@@ -41,16 +41,16 @@
 
    
 
    
-Chapter 7. BIND 9 Security Considerations
    
+Chapter 7. BIND 9 Security Considerations
    
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    chroot and setuid (for
+
    chroot and setuid (for
 UNIX servers)
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -102,28 +102,28 @@ see the AUSCERT advisory at
 
    
 
    
-chroot and setuid (for
+chroot and setuid (for
 UNIX servers)
    
-
    On UNIX servers, it is possible to run BIND in a chrooted environment
+
    On UNIX servers, it is possible to run BIND in a chrooted environment
 (using the chroot() function) by specifying the "-t"
-option. This can help improve system security by placing BIND in
+option. This can help improve system security by placing BIND in
 a "sandbox," which will limit the damage done if a server is compromised.
    
-
    Another useful feature in the UNIX version of BIND is the
+
    Another useful feature in the UNIX version of BIND is the
 ability to run the daemon as a nonprivileged user ( -u user ).
 We suggest running as a nonprivileged user when using the chroot feature.
    
-
    Here is an example command line to load BIND in a chroot sandbox, 
+
    Here is an example command line to load BIND in a chroot sandbox, 
 /var/named, and to run named setuid to
 user 202:
    
 
    /usr/local/bin/named -u 202 -t /var/named
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    In order for a chroot environment to
 work properly in a particular directory
 (for example, /var/named),
 you will need to set up an environment that includes everything
-BIND needs to run.
-From BIND's point of view, /var/named is
+BIND needs to run.
+From BIND's point of view, /var/named is
 the root of the filesystem.  You will need to adjust the values of options like
 like directory and pid-file to account
 for this.
@@ -142,12 +142,12 @@ to set up things like
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    Prior to running the named daemon, use
 the touch utility (to change file access and
 modification times) or the chown utility (to
 set the user id and/or group id) on files
-to which you want BIND
+to which you want BIND
 to write.  Note that if the named daemon is running as a
 nonprivileged user, it will not be able to bind to new restricted ports if the
 server is reloaded.
    
@@ -158,7 +158,7 @@ server is reloaded.
    Dynamic Update Security
    Access to the dynamic
 update facility should be strictly limited.  In earlier versions of
-BIND, the only way to do this was based on the IP
+BIND, the only way to do this was based on the IP
 address of the host requesting the update, by listing an IP address or
 network prefix in the allow-update zone option.
 This method is insecure since the source address of the update UDP packet
@@ -192,7 +192,7 @@ all.
    
-
+
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index d88a2e4a10..da266a82c1 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+Chapter 8. Troubleshooting
-
+
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    The best solution to solving installation and
       configuration issues is to take preventative measures by setting
       up logging files beforehand. The log files provide a
@@ -66,7 +66,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    Zone serial numbers are just numbers-they aren't date
     related.  A lot of people set them to a number that represents a
     date, usually of the form YYYYMMDDRR. A number of people have been
@@ -87,19 +87,19 @@
 
 
    
 
    
-Where Can I Get Help?
    
-
    The Internet Software Consortium (ISC) offers a wide range
-    of support and service agreements for BIND and DHCP servers. Four
+Where Can I Get Help?
    
+
    The Internet Software Consortium (ISC) offers a wide range
+    of support and service agreements for BIND and DHCP servers. Four
     levels of premium support are available and each level includes
-    support for all ISC programs, significant discounts on products
+    support for all ISC programs, significant discounts on products
     and training, and a recognized priority on bug fixes and
-    non-funded feature requests. In addition, ISC offers a standard
+    non-funded feature requests. In addition, ISC offers a standard
     support agreement package which includes services ranging from bug
     fix announcements to remote support. It also includes training in
-    BIND and DHCP.
    
+    BIND and DHCP.
    To discuss arrangements for support, contact
     info@isc.org or visit the
-    ISC web page at http://www.isc.org/services/support/
+    ISC web page at http://www.isc.org/services/support/
     to read more.
    
@@ -114,7 +114,7 @@
 
-
+
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index aa60cb0bfa..6a9cd594eb 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+Appendix A. Appendices
-
+
@@ -43,26 +43,26 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgements
    
-
    A Brief History of the DNS and BIND
    
-
    Historical DNS Information
    
+
    Acknowledgements
    
+
    A Brief History of the DNS and BIND
    
+
    Historical DNS Information
    
 
    Classes of Resource Records
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (A6)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
-Acknowledgements
    
+Acknowledgements
    
 
    
-A Brief History of the DNS and BIND
    
+A Brief History of the DNS and BIND
    Although the "official" beginning of the Domain Name
       System occurred in 1984 with the publication of RFC 920, the
       core of the new system was described in 1983 in RFCs 882 and
@@ -74,58 +74,58 @@
       incorporate improvements based on the working model. RFC 1034,
       "Domain Names-Concepts and Facilities," and RFC 1035, "Domain
       Names-Implementation and Specification" were published and
-      became the standards upon which all DNS implementations are
+      became the standards upon which all DNS implementations are
       built.
 
    The first working domain name server, called "Jeeves," was
 written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
 machines located at the University of Southern California's Information
 Sciences Institute (USC-ISI) and SRI International's Network Information
-Center (SRI-NIC). A DNS server for Unix machines, the Berkeley Internet
-Name Domain (BIND) package, was written soon after by a group of
+Center (SRI-NIC). A DNS server for Unix machines, the Berkeley Internet
+Name Domain (BIND) package, was written soon after by a group of
 graduate students at the University of California at Berkeley under
 a grant from the US Defense Advanced Research Projects Administration
 (DARPA).
 
    
-Versions of BIND through 4.8.3 were maintained by the Computer
+Versions of BIND through 4.8.3 were maintained by the Computer
 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-Painter, David Riggle and Songnian Zhou made up the initial BIND
+Painter, David Riggle and Songnian Zhou made up the initial BIND
 project team. After that, additional work on the software package
 was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
-employee on loan to the CSRG, worked on BIND for 2 years, from 1985
-to 1987. Many other people also contributed to BIND development
+employee on loan to the CSRG, worked on BIND for 2 years, from 1985
+to 1987. Many other people also contributed to BIND development
 during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
-Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently
+Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently
 handled by Mike Karels and O. Kure.
    
-
    BIND versions 4.9 and 4.9.1 were released by Digital Equipment
+
    BIND versions 4.9 and 4.9.1 were released by Digital Equipment
 Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became BIND's primary caretaker. He was assisted
+a DEC employee, became BIND's primary caretaker. He was assisted
 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
 Wolfhugel, and others.
    
-
    BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul
-Vixie became BIND's principal architect/programmer.
    
-
    BIND versions from 4.9.3 onward have been developed and maintained
+
    BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul
+Vixie became BIND's principal architect/programmer.
    
+
    BIND versions from 4.9.3 onward have been developed and maintained
 by the Internet Software Consortium with support being provided
 by ISC's sponsors. As co-architects/programmers, Bob Halley and
-Paul Vixie released the first production-ready version of BIND version
+Paul Vixie released the first production-ready version of BIND version
 8 in May 1997.
    
-
    BIND development work is made possible today by the sponsorship
+
    BIND development work is made possible today by the sponsorship
 of several corporations, and by the tireless work efforts of numerous
 individuals.
    
 
    
-Historical DNS Information
    
+Historical DNS Information
    
 
    
 Classes of Resource Records
    
 
    
 
    
-HS = hesiod
    
+HS = hesiod
    The [hesiod] class is an information service
 developed by MIT's Project Athena. It is used to share information
 about various systems databases, such as users, groups, printers
@@ -134,7 +134,7 @@ hesiod.
    
 
    
-CH = chaos
    
+CH = chaos
    The chaos class is used to specify zone
 data for the MIT-developed CHAOSnet, a LAN protocol created in the
 mid-1970s.
    
@@ -143,12 +143,12 @@ mid-1970s.
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 IPv6 addresses (A6)
    
 
    IPv6 addresses are 128-bit identifiers for interfaces and
-sets of interfaces which were introduced in the DNS to facilitate
+sets of interfaces which were introduced in the DNS to facilitate
 scalable Internet routing. There are three types of addresses: Unicast,
 an identifier for a single interface; Anycast,
 an identifier for a set of interfaces; and Multicast,
@@ -313,7 +313,7 @@ of zeros that can fit, and can be used only once in an address.
    
 
    
 Request for Comments (RFCs)
    
 
    Specification documents for the Internet protocol suite, including
-the DNS, are published as part of the Request for Comments (RFCs)
+the DNS, are published as part of the Request for Comments (RFCs)
 series of technical notes. The standards themselves are defined
 by the Internet Engineering Task Force (IETF) and the Internet Engineering
 Steering Group (IESG). RFCs can be obtained online via FTP at 
@@ -323,23 +323,41 @@ the number of the RFC). RFCs are also available via the Web at
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    Standards
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
-Specification. November 1987. 
    
+
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    
+
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    
+
    
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+Specification. November 1987. 
    
+
    
 
    
 
    
 Proposed Standards
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997. 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998. 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997. 
    
+
    
+
    
+
    [RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998. 
    
+
    
+
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    
+
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    
+
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    
+
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    
 
    
 
    Proposed Standards Still Under Development
    
@@ -348,64 +366,120 @@ Specification. November 1987. 
    Note: the following list of
 RFCs are undergoing major revision by the IETF.
    
-
    [RFC1886] S. Thomson and C. Huitema. DNS Extensions to support IP version 6. December 1995. 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    
+
    [RFC1886] S. Thomson and C. Huitema. DNS Extensions to support IP version 6. December 1995. 
    
+
    
+
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    
+
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    
-
    Other Important RFCs About DNS Implementation
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993. 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993. 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    Other Important RFCs About DNS Implementation
    
+
    
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993. 
    
+
    
+
    
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993. 
    
+
    
+
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    
 
    
 
    Resource Record Types
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
-the Domain Name System. June 1997. 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain
-Name System. January 1996. 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of
-Services.. October 1996. 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER
-Conformant Global Address Mapping. January 1998. 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    
+
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    
+
    
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+the Domain Name System. June 1997. 
    
+
    
+
    
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain
+Name System. January 1996. 
    
+
    
+
    
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of
+Services.. October 1996. 
    
+
    
+
    
+
    [RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER
+Conformant Global Address Mapping. January 1998. 
    
+
    
+
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    
 
    
 
    
-DNS and the Internet
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989. 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989. 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+DNS and the Internet
+
    
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989. 
    
+
    
+
    
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989. 
    
+
    
+
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    
+
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    
 
    
 
    
-DNS Operations
    
-
    [RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993. 
    
-
    [RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996. 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997. 
    
+DNS Operations
+
    
+
    [RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993. 
    
+
    
+
    
+
    [RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996. 
    
+
    
+
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    
+
    
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997. 
    
+
    
 
    
-
    Other DNS-related RFCs
    
+
    Other DNS-related RFCs
    
 
    
 
    Note
    
 
    Note: the following list of RFCs, although
-DNS-related, are not concerned with implementing software.
    
+DNS-related, are not concerned with implementing software.
    
+
    
+
    
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993. 
    
+
    
+
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    
+
    
+
    [RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995. 
    
+
    
+
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    
+
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    
+
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993. 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
-
    [RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995. 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    Obsolete and Unimplemented Experimental RRs
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
-Location. November 1994. 
    
+
    
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+Location. November 1994. 
    
+
    
 
    
@@ -423,12 +497,14 @@ after which they are deleted unless updated by their authors.
 
    
 
    
-Other Documents About BIND
    
+Other Documents About BIND
    
 
    
-Bibliography
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+Bibliography
    
+
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index b4f245c01a..40c23426dc 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+BIND 9 Administrator Reference Manual
-
+
@@ -40,7 +40,7 @@
 
    
 
    
 
    
-BIND 9 Administrator Reference Manual
    
+BIND 9 Administrator Reference Manual
    
 
    Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC")
    
 
    Copyright © 2000-2003 Internet Software Consortium.
    
 
    
@@ -51,40 +51,40 @@
 
    
 
    1. Introduction 
    
 
    
-
    Scope of Document
    
-
    Organization of This Document
    
-
    Conventions Used in This Document
    
-
    The Domain Name System (DNS)
    
+
    Scope of Document
    
+
    Organization of This Document
    
+
    Conventions Used in This Document
    
+
    The Domain Name System (DNS)
    
 
    
-
    DNS Fundamentals
    
-
    Domains and Domain Names
    
-
    Zones
    
-
    Authoritative Name Servers
    
-
    Caching Name Servers
    
-
    Name Servers in Multiple Roles
    
+
    DNS Fundamentals
    
+
    Domains and Domain Names
    
+
    Zones
    
+
    Authoritative Name Servers
    
+
    Caching Name Servers
    
+
    Name Servers in Multiple Roles
    
 
    
 
    
-
    2. BIND Resource Requirements
    
+
    2. BIND Resource Requirements
    
 
    
-
    Hardware requirements
    
-
    CPU Requirements
    
-
    Memory Requirements
    
-
    Nameserver Intensive Environment Issues
    
-
    Supported Operating Systems
    
+
    Hardware requirements
    
+
    CPU Requirements
    
+
    Memory Requirements
    
+
    Nameserver Intensive Environment Issues
    
+
    Supported Operating Systems
    
 
    
 
    3. Nameserver Configuration
    
 
    
 
    Sample Configurations
    
 
    
-
    A Caching-only Nameserver
    
-
    An Authoritative-only Nameserver
    
+
    A Caching-only Nameserver
    
+
    An Authoritative-only Nameserver
    
 
    
-
    Load Balancing
    
+
    Load Balancing
    
 
    Notify
    
-
    Nameserver Operations
    
+
    Nameserver Operations
    
 
    
-
    Tools for Use With the Nameserver Daemon
    
-
    Signals
    
+
    Tools for Use With the Nameserver Daemon
    
+
    Signals
    
 
    
 
    
 
    4. Advanced Concepts
    
@@ -92,113 +92,113 @@
 
    Dynamic Update
    
 
    The journal file
    
 
    Incremental Zone Transfers (IXFR)
    
-
    Split DNS
    
+
    Split DNS
    
 
    TSIG
    
 
    
-
    Generate Shared Keys for Each Pair of Hosts
    
-
    Copying the Shared Secret to Both Machines
    
-
    Informing the Servers of the Key's Existence
    
-
    Instructing the Server to Use the Key
    
-
    TSIG Key Based Access Control
    
-
    Errors
    
+
    Generate Shared Keys for Each Pair of Hosts
    
+
    Copying the Shared Secret to Both Machines
    
+
    Informing the Servers of the Key's Existence
    
+
    Instructing the Server to Use the Key
    
+
    TSIG Key Based Access Control
    
+
    Errors
    
 
    
-
    TKEY
    
-
    SIG(0)
    
+
    TKEY
    
+
    SIG(0)
    
 
    DNSSEC
    
 
    
-
    Generating Keys
    
-
    Creating a Keyset
    
-
    Signing the Child's Keyset
    
-
    Signing the Zone
    
-
    Configuring Servers
    
+
    Generating Keys
    
+
    Creating a Keyset
    
+
    Signing the Child's Keyset
    
+
    Signing the Zone
    
+
    Configuring Servers
    
 
    
-
    IPv6 Support in BIND 9
    
+
    IPv6 Support in BIND 9
    
 
    
-
    Address Lookups Using AAAA Records
    
-
    Address to Name Lookups Using Nibble Format
    
+
    Address Lookups Using AAAA Records
    
+
    Address to Name Lookups Using Nibble Format
    
 
    
 
    
-
    5. The BIND 9 Lightweight Resolver
    
+
    5. The BIND 9 Lightweight Resolver
    
-
    The Lightweight Resolver Library
    
+
    The Lightweight Resolver Library
    
 
    Running a Resolver Daemon
    
 
    
-
    6. BIND 9 Configuration Reference
    
+
    6. BIND 9 Configuration Reference
    
 
    Configuration File Elements
    
 
    
 
    Address Match Lists
    
-
    Comment Syntax
    
+
    Comment Syntax
    
 
    
 
    Configuration File Grammar
    
 
    
-
    acl Statement Grammar
    
+
    acl Statement Grammar
    
 
    acl Statement Definition and
 Usage
    
-
    controls Statement Grammar
    
+
    controls Statement Grammar
    
 
    controls Statement Definition and Usage
    
-
    include Statement Grammar
    
-
    include Statement Definition and Usage
    
-
    key Statement Grammar
    
-
    key Statement Definition and Usage
    
-
    logging Statement Grammar
    
-
    logging Statement Definition and Usage
    
-
    lwres Statement Grammar
    
-
    lwres Statement Definition and Usage
    
-
    options Statement Grammar
    
-
    options Statement Definition and Usage
    
+
    include Statement Grammar
    
+
    include Statement Definition and Usage
    
+
    key Statement Grammar
    
+
    key Statement Definition and Usage
    
+
    logging Statement Grammar
    
+
    logging Statement Definition and Usage
    
+
    lwres Statement Grammar
    
+
    lwres Statement Definition and Usage
    
+
    options Statement Grammar
    
+
    options Statement Definition and Usage
    
 
    server Statement Grammar
    
 
    server Statement Definition and Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
 and Usage
    
-
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Grammar
    
+
    view Statement Definition and Usage
    
 
    zone
 Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
    
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    
 
    
-
    7. BIND 9 Security Considerations
    
+
    7. BIND 9 Security Considerations
    
 
    Access Control Lists
    
-
    chroot and setuid (for
+
    chroot and setuid (for
 UNIX servers)
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    8. Troubleshooting
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    A. Appendices
    
-
    Acknowledgements
    
-
    A Brief History of the DNS and BIND
    
-
    Historical DNS Information
    
+
    Acknowledgements
    
+
    A Brief History of the DNS and BIND
    
+
    Historical DNS Information
    
 
    Classes of Resource Records
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (A6)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
diff --git a/lib/lwres/man/lwres.3 b/lib/lwres/man/lwres.3
index fb01832304..d5faa77e57 100644
--- a/lib/lwres/man/lwres.3
+++ b/lib/lwres/man/lwres.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres.3,v 1.15.2.5 2005/10/13 02:23:40 marka Exp $
+.\" $Id: lwres.3,v 1.15.2.6 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -155,3 +158,5 @@ bit should be set.
 \fBlwres_config\fR(3),
 \fBresolver\fR(5),
 \fBlwresd\fR(8).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
index 1718f4caa7..e490dd1e1e 100644
--- a/lib/lwres/man/lwres.html
+++ b/lib/lwres/man/lwres.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres — introduction to the lightweight resolver library
    
@@ -32,7 +32,7 @@
 
    #include <lwres/lwres.h>
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 The BIND 9 lightweight resolver library is a simple, name service
 independent stub resolver library.  It provides hostname-to-address
@@ -47,7 +47,7 @@ UDP-based protocol.
 
    
 
    
 
    
-
    OVERVIEW
    
+
    OVERVIEW
    
 
    
 The lwresd library implements multiple name service APIs.
 The standard
@@ -101,7 +101,7 @@ and servers is outlined in the following sections.
 
    
 
    
 
    
-
    CLIENT-SIDE LOW-LEVEL API CALL FLOW
    
+
    CLIENT-SIDE LOW-LEVEL API CALL FLOW
    
 
    
 When a client program wishes to make an lwres request using the
 native low-level API, it typically performs the following 
@@ -147,7 +147,7 @@ packet specific information contained in the body.
 
    
 
    
 
    
-
    SERVER-SIDE LOW-LEVEL API CALL FLOW
    
+
    SERVER-SIDE LOW-LEVEL API CALL FLOW
    
 
    
 When implementing the server side of the lightweight resolver
 protocol using the lwres library, a sequence of actions like the
@@ -188,7 +188,7 @@ set.
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 lwres_gethostent(3),
 
diff --git a/lib/lwres/man/lwres_buffer.3 b/lib/lwres/man/lwres_buffer.3
index fbf0992faf..b4369762b5 100644
--- a/lib/lwres/man/lwres_buffer.3
+++ b/lib/lwres/man/lwres_buffer.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_buffer.3,v 1.12.2.6 2005/10/13 02:23:40 marka Exp $
+.\" $Id: lwres_buffer.3,v 1.12.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_buffer
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,37 +36,37 @@ lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtr
 #include 
 .fi
 .HP 23
-\fBvoid\ \fBlwres_buffer_init\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBvoid\ *base\fR\fB, \fR\fBunsigned\ int\ length\fR\fB);\fR
+.BI "void lwres_buffer_init(lwres_buffer_t\ *b, void\ *base, unsigned\ int\ length);"
 .HP 29
-\fBvoid\ \fBlwres_buffer_invalidate\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "void lwres_buffer_invalidate(lwres_buffer_t\ *b);"
 .HP 22
-\fBvoid\ \fBlwres_buffer_add\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
+.BI "void lwres_buffer_add(lwres_buffer_t\ *b, unsigned\ int\ n);"
 .HP 27
-\fBvoid\ \fBlwres_buffer_subtract\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
+.BI "void lwres_buffer_subtract(lwres_buffer_t\ *b, unsigned\ int\ n);"
 .HP 24
-\fBvoid\ \fBlwres_buffer_clear\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "void lwres_buffer_clear(lwres_buffer_t\ *b);"
 .HP 24
-\fBvoid\ \fBlwres_buffer_first\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "void lwres_buffer_first(lwres_buffer_t\ *b);"
 .HP 26
-\fBvoid\ \fBlwres_buffer_forward\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
+.BI "void lwres_buffer_forward(lwres_buffer_t\ *b, unsigned\ int\ n);"
 .HP 23
-\fBvoid\ \fBlwres_buffer_back\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
+.BI "void lwres_buffer_back(lwres_buffer_t\ *b, unsigned\ int\ n);"
 .HP 36
-\fBlwres_uint8_t\ \fBlwres_buffer_getuint8\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_uint8_t lwres_buffer_getuint8(lwres_buffer_t\ *b);"
 .HP 27
-\fBvoid\ \fBlwres_buffer_putuint8\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_uint8_t\ val\fR\fB);\fR
+.BI "void lwres_buffer_putuint8(lwres_buffer_t\ *b, lwres_uint8_t\ val);"
 .HP 38
-\fBlwres_uint16_t\ \fBlwres_buffer_getuint16\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_uint16_t lwres_buffer_getuint16(lwres_buffer_t\ *b);"
 .HP 28
-\fBvoid\ \fBlwres_buffer_putuint16\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_uint16_t\ val\fR\fB);\fR
+.BI "void lwres_buffer_putuint16(lwres_buffer_t\ *b, lwres_uint16_t\ val);"
 .HP 38
-\fBlwres_uint32_t\ \fBlwres_buffer_getuint32\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_uint32_t lwres_buffer_getuint32(lwres_buffer_t\ *b);"
 .HP 28
-\fBvoid\ \fBlwres_buffer_putuint32\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_uint32_t\ val\fR\fB);\fR
+.BI "void lwres_buffer_putuint32(lwres_buffer_t\ *b, lwres_uint32_t\ val);"
 .HP 25
-\fBvoid\ \fBlwres_buffer_putmem\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBconst\ unsigned\ char\ *base\fR\fB, \fR\fBunsigned\ int\ length\fR\fB);\fR
+.BI "void lwres_buffer_putmem(lwres_buffer_t\ *b, const\ unsigned\ char\ *base, unsigned\ int\ length);"
 .HP 25
-\fBvoid\ \fBlwres_buffer_getmem\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ char\ *base\fR\fB, \fR\fBunsigned\ int\ length\fR\fB);\fR
+.BI "void lwres_buffer_getmem(lwres_buffer_t\ *b, unsigned\ char\ *base, unsigned\ int\ length);"
 .SH "DESCRIPTION"
 .PP
 These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the
@@ -89,6 +92,8 @@ The
 \fIactive region\fR
 is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, the active region will also be empty.
 .PP
+.sp
+.RS 3n
 .nf
    /\-\-\-\-\-\-\-\-\-\-\-\-entire length\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\\\\
    /\-\-\-\-\- used region \-\-\-\-\-\\\\/\-\- available \-\-\\\\
@@ -107,11 +112,13 @@ is an (optional) subregion of the remaining region. It extends from the current
   b\-d == remaining region.
   b\-c == optional active region.
 .fi
+.RE
 .sp
 .PP
 \fBlwres_buffer_init()\fR
 initializes the
-\fBlwres_buffer_t\fR\fI*b\fR
+\fBlwres_buffer_t\fR
+\fI*b\fR
 and assocates it with the memory region of size
 \fIlength\fR
 bytes starting at location
@@ -209,3 +216,5 @@ bytes of memory from
 \fIb\fR
 to
 \fIbase\fR.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html
index 5e2266e9e7..96fe755b62 100644
--- a/lib/lwres/man/lwres_buffer.html
+++ b/lib/lwres/man/lwres_buffer.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_buffer
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem — lightweight resolver buffer management
    
@@ -49,18 +49,31 @@ void
 
    
+
+
+
+
+
    Chapter 7. BIND 9 Security Considerations
    Chapter 7. BIND 9 Security Considerations
    
 
    
 
 Prev 
 
 
 
 
 
 
 
 
 
    
 
    Chapter 6. BIND 9 Configuration Reference Chapter 6. BIND 9 Configuration Reference 
 Home
  Chapter 8. Troubleshooting
 
    
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    Chapter 7. BIND 9 Security Considerations Chapter 7. BIND 9 Security Considerations 
 Home
  Appendix A. Appendices
 
    
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    
  
  , 
      
 
 );
 
    
 
    
-
+
    
+
-
    
 
 void
 lwres_buffer_invalidate(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
+
+
+
+
+
@@ -87,26 +105,47 @@ void
 
+
+
+
+
+
    
 
    
 
@@ -72,6 +85,11 @@ void
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
 
    
-
+
    
+
-
    
 
 void
 lwres_buffer_clear(
  
 
 );
    
-
+
+
+
+
+
+
+
      
+);
    
+
+
-
    
 
 void
 lwres_buffer_first(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
+
+
+
+
+
@@ -133,18 +177,31 @@ void
 
+
+
+
+
+
    
 
    
 
@@ -118,6 +157,11 @@ void
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
 
    
-
+
    
+
-
    
 
 lwres_uint8_t
 lwres_buffer_getuint8(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
+
+
+
+
+
    
 
    
 
@@ -156,18 +213,31 @@ void
 
    
  
  , 
      
 
 );
 
    
 
    
-
+
    
+
-
    
 
 lwres_uint16_t
 lwres_buffer_getuint16(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
+
+
+
+
+
    
 
    
 
@@ -179,18 +249,31 @@ void
 
    
  
  , 
      
 
 );
 
    
 
    
-
+
    
+
-
    
 
 lwres_uint32_t
 lwres_buffer_getuint32(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
+
+
+
+
+
@@ -222,6 +310,11 @@ void
 
+
+
+
+
+
@@ -242,6 +335,11 @@ void
 
+
+
+
+
+
@@ -249,7 +347,7 @@ void
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 These functions provide bounds checked access to a region of memory
 where data is being read or written.
diff --git a/lib/lwres/man/lwres_config.3 b/lib/lwres/man/lwres_config.3
index 2e9791217a..fedfb70481 100644
--- a/lib/lwres/man/lwres_config.3
+++ b/lib/lwres/man/lwres_config.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_config.3,v 1.12.2.6 2005/10/13 02:23:40 marka Exp $
+.\" $Id: lwres_config.3,v 1.12.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_config
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,15 +36,15 @@ lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_con
 #include 
 .fi
 .HP 21
-\fBvoid\ \fBlwres_conf_init\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
+.BI "void lwres_conf_init(lwres_context_t\ *ctx);"
 .HP 22
-\fBvoid\ \fBlwres_conf_clear\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
+.BI "void lwres_conf_clear(lwres_context_t\ *ctx);"
 .HP 32
-\fBlwres_result_t\ \fBlwres_conf_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBconst\ char\ *filename\fR\fB);\fR
+.BI "lwres_result_t lwres_conf_parse(lwres_context_t\ *ctx, const\ char\ *filename);"
 .HP 32
-\fBlwres_result_t\ \fBlwres_conf_print\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBFILE\ *fp\fR\fB);\fR
+.BI "lwres_result_t lwres_conf_print(lwres_context_t\ *ctx, FILE\ *fp);"
 .HP 30
-\fBlwres_conf_t\ *\ \fBlwres_conf_get\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
+.BI "lwres_conf_t * lwres_conf_get(lwres_context_t\ *ctx);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_conf_init()\fR
@@ -70,7 +73,8 @@ prints the
 structure for resolver context
 \fIctx\fR
 to the
-\fBFILE\fR\fIfp\fR.
+\fBFILE\fR
+\fIfp\fR.
 .SH "RETURN VALUES"
 .PP
 \fBlwres_conf_parse()\fR
@@ -95,3 +99,5 @@ unless an error occurred when converting the network addresses to a numeric host
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html
index 78d7597c42..29528ef3c7 100644
--- a/lib/lwres/man/lwres_config.html
+++ b/lib/lwres/man/lwres_config.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_config
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get — lightweight resolver configuration
    
@@ -31,22 +31,38 @@
 
    Synopsis
    
 
    
 
    #include <lwres/lwres.h>
    
-
    
 
    
 
@@ -202,6 +285,11 @@ void
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
 
 
    
+
    
+
-
    
 
 void
 lwres_conf_init(
  
 
 );
    
-
+
+
+
+
+
+
+
      
+);
    
+
+
-
    
 
 void
 lwres_conf_clear(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
+
+
+
+
+
@@ -73,22 +94,35 @@ lwres_result_t
 
+
+
+
+
+
    
 
    
 
@@ -58,6 +74,11 @@ lwres_result_t
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
 
    
-
+
    
+
-
    
 
 lwres_conf_t *
 lwres_conf_get(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 lwres_conf_init()
 creates an empty
@@ -125,7 +159,7 @@ to the
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 lwres_conf_parse()
 returns
@@ -150,14 +184,14 @@ If this happens, the function returns
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 stdio(3),
 resolver(5).
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 /etc/resolv.conf
 
    
diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3
index b781a7c601..305e66f747 100644
--- a/lib/lwres/man/lwres_context.3
+++ b/lib/lwres/man/lwres_context.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_context.3,v 1.13.2.7 2005/10/13 02:23:40 marka Exp $
+.\" $Id: lwres_context.3,v 1.13.2.8 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_context
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,19 +36,19 @@ lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_con
 #include 
 .fi
 .HP 36
-\fBlwres_result_t\ \fBlwres_context_create\fR\fR\fB(\fR\fBlwres_context_t\ **contextp\fR\fB, \fR\fBvoid\ *arg\fR\fB, \fR\fBlwres_malloc_t\ malloc_function\fR\fB, \fR\fBlwres_free_t\ free_function\fR\fB);\fR
+.BI "lwres_result_t lwres_context_create(lwres_context_t\ **contextp, void\ *arg, lwres_malloc_t\ malloc_function, lwres_free_t\ free_function);"
 .HP 37
-\fBlwres_result_t\ \fBlwres_context_destroy\fR\fR\fB(\fR\fBlwres_context_t\ **contextp\fR\fB);\fR
+.BI "lwres_result_t lwres_context_destroy(lwres_context_t\ **contextp);"
 .HP 30
-\fBvoid\ \fBlwres_context_initserial\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_uint32_t\ serial\fR\fB);\fR
+.BI "void lwres_context_initserial(lwres_context_t\ *ctx, lwres_uint32_t\ serial);"
 .HP 40
-\fBlwres_uint32_t\ \fBlwres_context_nextserial\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
+.BI "lwres_uint32_t lwres_context_nextserial(lwres_context_t\ *ctx);"
 .HP 27
-\fBvoid\ \fBlwres_context_freemem\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBvoid\ *mem\fR\fB, \fR\fBsize_t\ len\fR\fB);\fR
+.BI "void lwres_context_freemem(lwres_context_t\ *ctx, void\ *mem, size_t\ len);"
 .HP 28
-\fBvoid\ \fBlwres_context_allocmem\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBsize_t\ len\fR\fB);\fR
+.BI "void lwres_context_allocmem(lwres_context_t\ *ctx, size_t\ len);"
 .HP 30
-\fBvoid\ *\ \fBlwres_context_sendrecv\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBvoid\ *sendbase\fR\fB, \fR\fBint\ sendlen\fR\fB, \fR\fBvoid\ *recvbase\fR\fB, \fR\fBint\ recvlen\fR\fB, \fR\fBint\ *recvd_len\fR\fB);\fR
+.BI "void * lwres_context_sendrecv(lwres_context_t\ *ctx, void\ *sendbase, int\ sendlen, void\ *recvbase, int\ recvlen, int\ *recvd_len);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_context_create()\fR
@@ -159,3 +162,5 @@ times out waiting for a response.
 \fBlwres_conf_init\fR(3),
 \fBmalloc\fR(3),
 \fBfree\fR(3 ).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html
index 221ef224e9..81588c32e9 100644
--- a/lib/lwres/man/lwres_context.html
+++ b/lib/lwres/man/lwres_context.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_context
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv — lightweight resolver context management
    
@@ -52,18 +52,31 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
 
-
+
    
+
-
    
 
 lwres_result_t
 lwres_context_destroy(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
+
+
+
+
+
    
 
    
 
@@ -75,18 +88,31 @@ void
 
    
  
  , 
      
 
 );
 
    
 
    
-
+
    
+
-
    
 
 lwres_uint32_t
 lwres_context_nextserial(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
+
+
+
+
+
@@ -118,6 +149,11 @@ void
 
+
+
+
+
+
@@ -153,6 +189,11 @@ void *
 
+
+
+
+
+
@@ -160,7 +201,7 @@ void *
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 lwres_context_create()
 creates a
@@ -290,7 +331,7 @@ returned in
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 lwres_context_create()
 returns
@@ -321,7 +362,7 @@ times out waiting for a response.
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 lwres_conf_init(3),
 
diff --git a/lib/lwres/man/lwres_gabn.3 b/lib/lwres/man/lwres_gabn.3
index 1c2b0f8348..713c732554 100644
--- a/lib/lwres/man/lwres_gabn.3
+++ b/lib/lwres/man/lwres_gabn.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gabn.3,v 1.13.2.6 2005/10/13 02:23:41 marka Exp $
+.\" $Id: lwres_gabn.3,v 1.13.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_gabn
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,17 +36,17 @@ lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lw
 #include 
 .fi
 .HP 40
-\fBlwres_result_t\ \fBlwres_gabnrequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnrequest_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_gabnrequest_render(lwres_context_t\ *ctx, lwres_gabnrequest_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 41
-\fBlwres_result_t\ \fBlwres_gabnresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnresponse_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_gabnresponse_render(lwres_context_t\ *ctx, lwres_gabnresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 39
-\fBlwres_result_t\ \fBlwres_gabnrequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gabnrequest_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_gabnrequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gabnrequest_t\ **structp);"
 .HP 40
-\fBlwres_result_t\ \fBlwres_gabnresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gabnresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_gabnresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gabnresponse_t\ **structp);"
 .HP 29
-\fBvoid\ \fBlwres_gabnresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnresponse_t\ **structp\fR\fB);\fR
+.BI "void lwres_gabnresponse_free(lwres_context_t\ *ctx, lwres_gabnresponse_t\ **structp);"
 .HP 28
-\fBvoid\ \fBlwres_gabnrequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnrequest_t\ **structp\fR\fB);\fR
+.BI "void lwres_gabnrequest_free(lwres_context_t\ *ctx, lwres_gabnrequest_t\ **structp);"
 .SH "DESCRIPTION"
 .PP
 These are low\-level routines for creating and parsing lightweight resolver name\-to\-address lookup request and response messages.
@@ -57,6 +60,7 @@ There are four main functions for the getaddrbyname opcode. One render function
 These structures are defined in
 \fI\fR. They are shown below.
 .sp
+.RS 3n
 .nf
 #define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
 typedef struct lwres_addr lwres_addr_t;
@@ -80,6 +84,7 @@ typedef struct {
         size_t                  baselen;
 } lwres_gabnresponse_t;
 .fi
+.RE
 .sp
 .PP
 \fBlwres_gabnrequest_render()\fR
@@ -133,7 +138,8 @@ structures referenced via
 .PP
 The getaddrbyname opcode functions
 \fBlwres_gabnrequest_render()\fR,
-\fBlwres_gabnresponse_render()\fR\fBlwres_gabnrequest_parse()\fR
+\fBlwres_gabnresponse_render()\fR
+\fBlwres_gabnrequest_parse()\fR
 and
 \fBlwres_gabnresponse_parse()\fR
 all return
@@ -164,3 +170,5 @@ indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
 \fBlwres_packet\fR(3 )
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html
index 1b33532de3..993ea37c36 100644
--- a/lib/lwres/man/lwres_gabn.html
+++ b/lib/lwres/man/lwres_gabn.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_gabn
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free — lightweight resolver getaddrbyname message handling
    
@@ -52,6 +52,11 @@ lwres_result_t
 
    
+
+
+
+
+
@@ -77,6 +82,11 @@ lwres_result_t
 
+
+
+
+
+
@@ -102,6 +112,11 @@ lwres_result_t
 
+
+
+
+
+
@@ -127,6 +142,11 @@ lwres_result_t
 
+
+
+
+
+
@@ -142,6 +162,11 @@ void
 
+
+
+
+
+
@@ -157,6 +182,11 @@ void
 
+
+
+
+
+
@@ -164,7 +194,7 @@ void
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 These are low-level routines for creating and parsing
 lightweight resolver name-to-address lookup request and 
@@ -279,7 +309,7 @@ structures is also discarded.
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 The getaddrbyname opcode functions
 lwres_gabnrequest_render(), 
@@ -317,7 +347,7 @@ indicate that the packet is not a response to an earlier query.
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 lwres_packet(3
 )
diff --git a/lib/lwres/man/lwres_gai_strerror.3 b/lib/lwres/man/lwres_gai_strerror.3
index c4fb3191c3..fbc103c1ae 100644
--- a/lib/lwres/man/lwres_gai_strerror.3
+++ b/lib/lwres/man/lwres_gai_strerror.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gai_strerror.3,v 1.13.2.6 2005/10/13 02:23:39 marka Exp $
+.\" $Id: lwres_gai_strerror.3,v 1.13.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_gai_strerror
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,48 +36,48 @@ gai_strerror \- print suitable error string
 #include 
 .fi
 .HP 20
-\fBchar\ *\ \fBgai_strerror\fR\fR\fB(\fR\fBint\ ecode\fR\fB);\fR
+.BI "char * gai_strerror(int\ ecode);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_gai_strerror()\fR
 returns an error message corresponding to an error code returned by
 \fBgetaddrinfo()\fR. The following error codes and their meaning are defined in
 \fIinclude/lwres/netdb.h\fR.
-.TP
+.TP 3n
 \fBEAI_ADDRFAMILY\fR
 address family for hostname not supported
-.TP
+.TP 3n
 \fBEAI_AGAIN\fR
 temporary failure in name resolution
-.TP
+.TP 3n
 \fBEAI_BADFLAGS\fR
 invalid value for
 \fBai_flags\fR
-.TP
+.TP 3n
 \fBEAI_FAIL\fR
 non\-recoverable failure in name resolution
-.TP
+.TP 3n
 \fBEAI_FAMILY\fR
 \fBai_family\fR
 not supported
-.TP
+.TP 3n
 \fBEAI_MEMORY\fR
 memory allocation failure
-.TP
+.TP 3n
 \fBEAI_NODATA\fR
 no address associated with hostname
-.TP
+.TP 3n
 \fBEAI_NONAME\fR
 hostname or servname not provided, or not known
-.TP
+.TP 3n
 \fBEAI_SERVICE\fR
 servname not supported for
 \fBai_socktype\fR
-.TP
+.TP 3n
 \fBEAI_SOCKTYPE\fR
 \fBai_socktype\fR
 not supported
-.TP
+.TP 3n
 \fBEAI_SYSTEM\fR
 system error returned in errno
 The message
@@ -97,3 +100,5 @@ used by
 \fBlwres_getaddrinfo\fR(3),
 \fBgetaddrinfo\fR(3),
 \fBRFC2133\fR().
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html
index ed73b3b4ae..3308153db8 100644
--- a/lib/lwres/man/lwres_gai_strerror.html
+++ b/lib/lwres/man/lwres_gai_strerror.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_gai_strerror
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    gai_strerror — print suitable error string
    
@@ -37,7 +37,7 @@ char *
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 lwres_gai_strerror()
 returns an error message corresponding to an error code returned by
@@ -109,7 +109,7 @@ used by
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 strerror(3),
 
diff --git a/lib/lwres/man/lwres_getaddrinfo.3 b/lib/lwres/man/lwres_getaddrinfo.3
index fb855ef25e..7e8bd3b190 100644
--- a/lib/lwres/man/lwres_getaddrinfo.3
+++ b/lib/lwres/man/lwres_getaddrinfo.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getaddrinfo.3,v 1.16.2.7 2005/10/13 02:23:39 marka Exp $
+.\" $Id: lwres_getaddrinfo.3,v 1.16.2.8 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_getaddrinfo
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,13 +36,14 @@ lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and se
 #include 
 .fi
 .HP 22
-\fBint\ \fBlwres_getaddrinfo\fR\fR\fB(\fR\fBconst\ char\ *hostname\fR\fB, \fR\fBconst\ char\ *servname\fR\fB, \fR\fBconst\ struct\ addrinfo\ *hints\fR\fB, \fR\fBstruct\ addrinfo\ **res\fR\fB);\fR
+.BI "int lwres_getaddrinfo(const\ char\ *hostname, const\ char\ *servname, const\ struct\ addrinfo\ *hints, struct\ addrinfo\ **res);"
 .HP 24
-\fBvoid\ \fBlwres_freeaddrinfo\fR\fR\fB(\fR\fBstruct\ addrinfo\ *ai\fR\fB);\fR
+.BI "void lwres_freeaddrinfo(struct\ addrinfo\ *ai);"
 .PP
 If the operating system does not provide a
 \fBstruct addrinfo\fR, the following structure is used:
 .sp
+.RS 3n
 .nf
 struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
@@ -52,6 +56,7 @@ struct  addrinfo {
         struct addrinfo *ai_next;       /* next structure in linked list */
 };
 .fi
+.RE
 .sp
 .SH "DESCRIPTION"
 .PP
@@ -77,13 +82,13 @@ is either a decimal port number or a service name as listed in
 is an optional pointer to a
 \fBstruct addrinfo\fR. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in
 \fI*hints\fR:
-.TP
+.TP 3n
 \fBai_family\fR
 The protocol family that should be used. When
 \fBai_family\fR
 is set to
 \fBPF_UNSPEC\fR, it means the caller will accept any protocol family supported by the operating system.
-.TP
+.TP 3n
 \fBai_socktype\fR
 denotes the type of socket \(em
 \fBSOCK_STREAM\fR,
@@ -93,12 +98,12 @@ or
 \(em that is wanted. When
 \fBai_socktype\fR
 is zero the caller will accept any socket type.
-.TP
+.TP 3n
 \fBai_protocol\fR
 indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If
 \fBai_protocol\fR
 is zero the caller will accept any protocol.
-.TP
+.TP 3n
 \fBai_flags\fR
 Flag bits. If the
 \fBAI_CANONNAME\fR
@@ -209,7 +214,8 @@ if an error occurs. If both
 and
 \fIservname\fR
 are
-\fBNULL\fR\fBlwres_getaddrinfo()\fR
+\fBNULL\fR
+\fBlwres_getaddrinfo()\fR
 returns
 \fBEAI_NONAME\fR.
 .SH "SEE ALSO"
@@ -225,3 +231,5 @@ returns
 \fBsendto\fR(2),
 \fBsendmsg\fR(2),
 \fBsocket\fR(2).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html
index fb2b0fc4c5..e8927453db 100644
--- a/lib/lwres/man/lwres_getaddrinfo.html
+++ b/lib/lwres/man/lwres_getaddrinfo.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_getaddrinfo
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_getaddrinfo, lwres_freeaddrinfo — socket address structure to host and service name
    
@@ -52,18 +52,31 @@ int
 
    
+
+
+
+
+
    
 
    
 
@@ -103,6 +129,11 @@ void
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
 
 
 
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
 
 
 
 
    
  
  , 
      
 
 );
 
    
 
    
-
+
    
+
-
    
 
 void
 lwres_freeaddrinfo(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
    
 
    
 If the operating system does not provide a
@@ -87,7 +100,7 @@ struct  addrinfo {
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 lwres_getaddrinfo()
 is used to get a list of IP addresses and port numbers for host
@@ -284,7 +297,7 @@ created by a call to
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 lwres_getaddrinfo()
 returns zero on success or one of the error codes listed in
@@ -304,7 +317,7 @@ returns
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 lwres(3),
 
diff --git a/lib/lwres/man/lwres_gethostent.3 b/lib/lwres/man/lwres_gethostent.3
index 0cd523fac7..b276e29c5c 100644
--- a/lib/lwres/man/lwres_gethostent.3
+++ b/lib/lwres/man/lwres_gethostent.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gethostent.3,v 1.16.2.6 2005/10/13 02:23:39 marka Exp $
+.\" $Id: lwres_gethostent.3,v 1.16.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_gethostent
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,27 +36,27 @@ lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent
 #include 
 .fi
 .HP 37
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyname\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyname(const\ char\ *name);"
 .HP 38
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyname2\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBint\ af\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyname2(const\ char\ *name, int\ af);"
 .HP 37
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyaddr\fR\fR\fB(\fR\fBconst\ char\ *addr\fR\fB, \fR\fBint\ len\fR\fB, \fR\fBint\ type\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyaddr(const\ char\ *addr, int\ len, int\ type);"
 .HP 34
-\fBstruct\ hostent\ *\ \fBlwres_gethostent\fR\fR\fB(\fR\fBvoid\fR\fB);\fR
+.BI "struct hostent * lwres_gethostent(void);"
 .HP 22
-\fBvoid\ \fBlwres_sethostent\fR\fR\fB(\fR\fBint\ stayopen\fR\fB);\fR
+.BI "void lwres_sethostent(int\ stayopen);"
 .HP 22
-\fBvoid\ \fBlwres_endhostent\fR\fR\fB(\fR\fBvoid\fR\fB);\fR
+.BI "void lwres_endhostent(void);"
 .HP 39
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyname_r\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBstruct\ hostent\ *resbuf\fR\fB, \fR\fBchar\ *buf\fR\fB, \fR\fBint\ buflen\fR\fB, \fR\fBint\ *error\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyname_r(const\ char\ *name, struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
 .HP 39
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyaddr_r\fR\fR\fB(\fR\fBconst\ char\ *addr\fR\fB, \fR\fBint\ len\fR\fB, \fR\fBint\ type\fR\fB, \fR\fBstruct\ hostent\ *resbuf\fR\fB, \fR\fBchar\ *buf\fR\fB, \fR\fBint\ buflen\fR\fB, \fR\fBint\ *error\fR\fB);\fR
+.BI "struct hostent * lwres_gethostbyaddr_r(const\ char\ *addr, int\ len, int\ type, struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
 .HP 36
-\fBstruct\ hostent\ *\ \fBlwres_gethostent_r\fR\fR\fB(\fR\fBstruct\ hostent\ *resbuf\fR\fB, \fR\fBchar\ *buf\fR\fB, \fR\fBint\ buflen\fR\fB, \fR\fBint\ *error\fR\fB);\fR
+.BI "struct hostent * lwres_gethostent_r(struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
 .HP 24
-\fBvoid\ \fBlwres_sethostent_r\fR\fR\fB(\fR\fBint\ stayopen\fR\fB);\fR
+.BI "void lwres_sethostent_r(int\ stayopen);"
 .HP 24
-\fBvoid\ \fBlwres_endhostent_r\fR\fR\fB(\fR\fBvoid\fR\fB);\fR
+.BI "void lwres_endhostent_r(void);"
 .SH "DESCRIPTION"
 .PP
 These functions provide hostname\-to\-address and address\-to\-hostname lookups by means of the lightweight resolver. They are similar to the standard
@@ -63,6 +66,7 @@ functions provided by most operating systems. They use a
 which is usually defined in
 \fI\fR.
 .sp
+.RS 3n
 .nf
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -73,25 +77,26 @@ struct  hostent {
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 .fi
+.RE
 .sp
 .PP
 The members of this structure are:
-.TP
+.TP 3n
 \fBh_name\fR
 The official (canonical) name of the host.
-.TP
+.TP 3n
 \fBh_aliases\fR
 A NULL\-terminated array of alternate names (nicknames) for the host.
-.TP
+.TP 3n
 \fBh_addrtype\fR
 The type of address being returned \(em
 \fBPF_INET\fR
 or
 \fBPF_INET6\fR.
-.TP
+.TP 3n
 \fBh_length\fR
 The length of the address in bytes.
-.TP
+.TP 3n
 \fBh_addr_list\fR
 A
 \fBNULL\fR
@@ -217,16 +222,16 @@ return NULL to indicate an error. In this case the global variable
 \fBlwres_h_errno\fR
 will contain one of the following error codes defined in
 \fI\fR:
-.TP
+.TP 3n
 \fBHOST_NOT_FOUND\fR
 The host or address was not found.
-.TP
+.TP 3n
 \fBTRY_AGAIN\fR
 A recoverable error occurred, e.g., a timeout. Retrying the lookup may succeed.
-.TP
+.TP 3n
 \fBNO_RECOVERY\fR
 A non\-recoverable error occurred.
-.TP
+.TP 3n
 \fBNO_DATA\fR
 The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility.
 .PP
@@ -286,3 +291,5 @@ The resolver daemon does not currently support any non\-DNS name services such a
 \fI/etc/hosts\fR
 or
 \fBNIS\fR, consequently the above functions don't, either.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html
index 0f2214f648..756d0a2c31 100644
--- a/lib/lwres/man/lwres_gethostent.html
+++ b/lib/lwres/man/lwres_gethostent.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_gethostent
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r — lightweight resolver get network host entry
    
@@ -31,14 +31,22 @@
 
    Synopsis
    
 
    
 
    #include <lwres/netdb.h>
    
-
+
    
+
-
    
 
 struct hostent *
 lwres_gethostbyname(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
+
+
+
+
+
@@ -70,6 +83,11 @@ struct hostent *
 
+
+
+
+
+
@@ -109,6 +127,11 @@ struct hostent *
 
+
+
+
+
+
@@ -149,6 +172,11 @@ struct hostent  *
 
+
+
+
+
+
@@ -174,6 +202,11 @@ struct hostent  *
 
+
+
+
+
+
@@ -187,7 +220,7 @@ void
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 These functions provide hostname-to-address and
 address-to-hostname lookups by means of the lightweight resolver.
@@ -324,7 +357,7 @@ calls to lwres_gethostbyaddr_r() return
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 The functions
 lwres_gethostbyname(),
@@ -391,7 +424,7 @@ hostent.  If buf was too small, b
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 gethostent(3),
 
@@ -402,7 +435,7 @@ hostent.  If buf was too small, b
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
 lwres_gethostbyname(),
 lwres_gethostbyname2(),
diff --git a/lib/lwres/man/lwres_getipnode.3 b/lib/lwres/man/lwres_getipnode.3
index 170eae65c2..222cd92b2a 100644
--- a/lib/lwres/man/lwres_getipnode.3
+++ b/lib/lwres/man/lwres_getipnode.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getipnode.3,v 1.13.2.7 2005/10/13 02:23:39 marka Exp $
+.\" $Id: lwres_getipnode.3,v 1.13.2.8 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_getipnode
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,11 +36,11 @@ lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight r
 #include 
 .fi
 .HP 39
-\fBstruct\ hostent\ *\ \fBlwres_getipnodebyname\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBint\ af\fR\fB, \fR\fBint\ flags\fR\fB, \fR\fBint\ *error_num\fR\fB);\fR
+.BI "struct hostent * lwres_getipnodebyname(const\ char\ *name, int\ af, int\ flags, int\ *error_num);"
 .HP 39
-\fBstruct\ hostent\ *\ \fBlwres_getipnodebyaddr\fR\fR\fB(\fR\fBconst\ void\ *src\fR\fB, \fR\fBsize_t\ len\fR\fB, \fR\fBint\ af\fR\fB, \fR\fBint\ *error_num\fR\fB);\fR
+.BI "struct hostent * lwres_getipnodebyaddr(const\ void\ *src, size_t\ len, int\ af, int\ *error_num);"
 .HP 23
-\fBvoid\ \fBlwres_freehostent\fR\fR\fB(\fR\fBstruct\ hostent\ *he\fR\fB);\fR
+.BI "void lwres_freehostent(struct\ hostent\ *he);"
 .SH "DESCRIPTION"
 .PP
 These functions perform thread safe, protocol independent nodename\-to\-address and address\-to\-nodename translation as defined in RFC2553.
@@ -47,6 +50,7 @@ They use a
 which is defined in
 \fInamedb.h\fR:
 .sp
+.RS 3n
 .nf
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -57,25 +61,26 @@ struct  hostent {
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 .fi
+.RE
 .sp
 .PP
 The members of this structure are:
-.TP
+.TP 3n
 \fBh_name\fR
 The official (canonical) name of the host.
-.TP
+.TP 3n
 \fBh_aliases\fR
 A NULL\-terminated array of alternate names (nicknames) for the host.
-.TP
+.TP 3n
 \fBh_addrtype\fR
 The type of address being returned \- usually
 \fBPF_INET\fR
 or
 \fBPF_INET6\fR.
-.TP
+.TP 3n
 \fBh_length\fR
 The length of the address in bytes.
-.TP
+.TP 3n
 \fBh_addr_list\fR
 A
 \fBNULL\fR
@@ -88,20 +93,20 @@ for the hostname
 \fIname\fR. The
 \fIflags\fR
 parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are:
-.TP
+.TP 3n
 \fBAI_V4MAPPED\fR
 This is used with an
 \fIaf\fR
 of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses.
-.TP
+.TP 3n
 \fBAI_ALL\fR
 This is used with an
 \fIaf\fR
 of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses.
-.TP
+.TP 3n
 \fBAI_ADDRCONFIG\fR
 Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored.
-.TP
+.TP 3n
 \fBAI_DEFAULT\fR
 This default sets the
 \fBAI_V4MAPPED\fR
@@ -145,16 +150,16 @@ to an appropriate error code and the function returns a
 \fBNULL\fR
 pointer. The error codes and their meanings are defined in
 \fI\fR:
-.TP
+.TP 3n
 \fBHOST_NOT_FOUND\fR
 No such host is known.
-.TP
+.TP 3n
 \fBNO_ADDRESS\fR
 The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer.
-.TP
+.TP 3n
 \fBTRY_AGAIN\fR
 A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried.
-.TP
+.TP 3n
 \fBNO_RECOVERY\fR
 An unexpected failure occurred, and retrying the request is pointless.
 .PP
@@ -168,3 +173,5 @@ translates these error codes to suitable error messages.
 \fBlwres_getaddrinfo\fR(3),
 \fBlwres_getnameinfo\fR(3),
 \fBlwres_hstrerror\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html
index b6a9469e83..9b162872fd 100644
--- a/lib/lwres/man/lwres_getipnode.html
+++ b/lib/lwres/man/lwres_getipnode.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_getipnode
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent — lightweight resolver nodename / address translation API
    
@@ -52,6 +52,11 @@ struct hostent *
 
    
+
+
+
+
+
@@ -77,22 +82,35 @@ struct hostent *
 
+
+
+
+
+
    
 
    
 
@@ -50,6 +58,11 @@ struct hostent *
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
 
 
 
 
 
    
  
  , 
      
 
 );
 
    
  
  , 
      
 
 );
 
    
 
    
-
+
    
+
-
    
 
 void
 lwres_freehostent(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 These functions perform thread safe, protocol independent
 nodename-to-address and address-to-nodename 
@@ -233,7 +251,7 @@ structure itself.
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 If an error occurs,
 lwres_getipnodebyname()
@@ -279,7 +297,7 @@ translates these error codes to suitable error messages.
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 RFC2553,
 
diff --git a/lib/lwres/man/lwres_getnameinfo.3 b/lib/lwres/man/lwres_getnameinfo.3
index b866f5ca6b..7b24ff0268 100644
--- a/lib/lwres/man/lwres_getnameinfo.3
+++ b/lib/lwres/man/lwres_getnameinfo.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getnameinfo.3,v 1.15.2.6 2005/10/13 02:23:33 marka Exp $
+.\" $Id: lwres_getnameinfo.3,v 1.15.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_getnameinfo
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,7 +36,7 @@ lwres_getnameinfo \- lightweight resolver socket address structure to hostname a
 #include 
 .fi
 .HP 22
-\fBint\ \fBlwres_getnameinfo\fR\fR\fB(\fR\fBconst\ struct\ sockaddr\ *sa\fR\fB, \fR\fBsize_t\ salen\fR\fB, \fR\fBchar\ *host\fR\fB, \fR\fBsize_t\ hostlen\fR\fB, \fR\fBchar\ *serv\fR\fB, \fR\fBsize_t\ servlen\fR\fB, \fR\fBint\ flags\fR\fB);\fR
+.BI "int lwres_getnameinfo(const\ struct\ sockaddr\ *sa, size_t\ salen, char\ *host, size_t\ hostlen, char\ *serv, size_t\ servlen, int\ flags);"
 .SH "DESCRIPTION"
 .PP
 This function is equivalent to the
@@ -41,7 +44,8 @@ This function is equivalent to the
 function defined in RFC2133.
 \fBlwres_getnameinfo()\fR
 returns the hostname for the
-\fBstruct sockaddr\fR\fIsa\fR
+\fBstruct sockaddr\fR
+\fIsa\fR
 which is
 \fIsalen\fR
 bytes long. The hostname is of length
@@ -64,19 +68,19 @@ bytes long. The maximum length of the service name is
 The
 \fIflags\fR
 argument sets the following bits:
-.TP
+.TP 3n
 \fBNI_NOFQDN\fR
 A fully qualified domain name is not required for local hosts. The local part of the fully qualified domain name is returned instead.
-.TP
+.TP 3n
 \fBNI_NUMERICHOST\fR
 Return the address in numeric form, as if calling inet_ntop(), instead of a host name.
-.TP
+.TP 3n
 \fBNI_NAMEREQD\fR
 A name is required. If the hostname cannot be found in the DNS and this flag is set, a non\-zero error code is returned. If the hostname is not found and the flag is not set, the address is returned in numeric form.
-.TP
+.TP 3n
 \fBNI_NUMERICSERV\fR
 The service name is returned as a digit string representing the port number.
-.TP
+.TP 3n
 \fBNI_DGRAM\fR
 Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512\-514) that have different services for UDP and TCP.
 .SH "RETURN VALUES"
@@ -96,3 +100,5 @@ returns 0 on success or a non\-zero error code if an error occurs.
 RFC2133 fails to define what the nonzero return values of
 \fBgetnameinfo\fR(3)
 are.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html
index 92eb47869f..2dad0d256a 100644
--- a/lib/lwres/man/lwres_getnameinfo.html
+++ b/lib/lwres/man/lwres_getnameinfo.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_getnameinfo
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_getnameinfo — lightweight resolver socket address structure to hostname and service name
    
@@ -67,6 +67,11 @@ int
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -74,7 +79,7 @@ int
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
     This function is equivalent to the getnameinfo(3) function defined in RFC2133.
 lwres_getnameinfo() returns the hostname for the
 struct sockaddr sa which is
@@ -125,14 +130,14 @@ TCP.
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 lwres_getnameinfo()
 returns 0 on success or a non-zero error code if an error occurs.
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 RFC2133,
 getservbyport(3),
@@ -143,7 +148,7 @@ returns 0 on success or a non-zero error code if an error occurs.
 
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
 RFC2133 fails to define what the nonzero return values of
 getnameinfo(3)
diff --git a/lib/lwres/man/lwres_getrrsetbyname.3 b/lib/lwres/man/lwres_getrrsetbyname.3
index 612d2c3371..b8d71cdfde 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.3
+++ b/lib/lwres/man/lwres_getrrsetbyname.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.6 2005/10/13 02:23:33 marka Exp $
+.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_getrrsetbyname
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Oct 18, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,12 +36,13 @@ lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records
 #include 
 .fi
 .HP 25
-\fBint\ \fBlwres_getrrsetbyname\fR\fR\fB(\fR\fBconst\ char\ *hostname\fR\fB, \fR\fBunsigned\ int\ rdclass\fR\fB, \fR\fBunsigned\ int\ rdtype\fR\fB, \fR\fBunsigned\ int\ flags\fR\fB, \fR\fBstruct\ rrsetinfo\ **res\fR\fB);\fR
+.BI "int lwres_getrrsetbyname(const\ char\ *hostname, unsigned\ int\ rdclass, unsigned\ int\ rdtype, unsigned\ int\ flags, struct\ rrsetinfo\ **res);"
 .HP 21
-\fBvoid\ \fBlwres_freerrset\fR\fR\fB(\fR\fBstruct\ rrsetinfo\ *rrset\fR\fB);\fR
+.BI "void lwres_freerrset(struct\ rrsetinfo\ *rrset);"
 .PP
 The following structures are used:
 .sp
+.RS 3n
 .nf
 struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
@@ -56,6 +60,7 @@ struct  rrsetinfo {
         struct rdatainfo        *rri_sigs;      /* individual signatures */
 };
 .fi
+.RE
 .sp
 .SH "DESCRIPTION"
 .PP
@@ -115,22 +120,24 @@ created by a call to
 .PP
 \fBlwres_getrrsetbyname()\fR
 returns zero on success, and one of the following error codes if an error occurred:
-.TP
+.TP 3n
 \fBERRSET_NONAME\fR
 the name does not exist
-.TP
+.TP 3n
 \fBERRSET_NODATA\fR
 the name exists, but does not have data of the desired type
-.TP
+.TP 3n
 \fBERRSET_NOMEMORY\fR
 memory could not be allocated
-.TP
+.TP 3n
 \fBERRSET_INVAL\fR
 a parameter is invalid
-.TP
+.TP 3n
 \fBERRSET_FAIL\fR
 other failure
-.TP
+.TP 3n
 .SH "SEE ALSO"
 .PP
 \fBlwres\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html
index 672e9406ac..dbaa1378c6 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/lib/lwres/man/lwres_getrrsetbyname.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_getrrsetbyname
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_getrrsetbyname, lwres_freerrset — retrieve DNS records
    
@@ -57,18 +57,31 @@ int
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
 
-
+
    
+
-
    
 
 void
 lwres_freerrset(
  
 
 );
    
+
+
+ 
+ 
+
+);
+
+
 
    
 
    
 The following structures are used:
@@ -95,7 +108,7 @@ struct  rrsetinfo {
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 lwres_getrrsetbyname()
 gets a set of resource records associated with a
@@ -172,7 +185,7 @@ created by a call to
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 lwres_getrrsetbyname()
 returns zero on success, and one of the following error
@@ -208,7 +221,7 @@ other failure
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 lwres(3).
 
    
diff --git a/lib/lwres/man/lwres_gnba.3 b/lib/lwres/man/lwres_gnba.3
index 48eb1f7f4b..5490d3f8d2 100644
--- a/lib/lwres/man/lwres_gnba.3
+++ b/lib/lwres/man/lwres_gnba.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gnba.3,v 1.13.2.6 2005/10/13 02:23:33 marka Exp $
+.\" $Id: lwres_gnba.3,v 1.13.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_gnba
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,17 +36,17 @@ lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lw
 #include 
 .fi
 .HP 40
-\fBlwres_result_t\ \fBlwres_gnbarequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gnbarequest_t\ *\fR\fB\fIreq\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR
+.BI "lwres_result_t lwres_gnbarequest_render(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
 .HP 41
-\fBlwres_result_t\ \fBlwres_gnbaresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gnbaresponse_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_gnbaresponse_render(lwres_context_t\ *ctx, lwres_gnbaresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 39
-\fBlwres_result_t\ \fBlwres_gnbarequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gnbarequest_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_gnbarequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gnbarequest_t\ **structp);"
 .HP 40
-\fBlwres_result_t\ \fBlwres_gnbaresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gnbaresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_gnbaresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gnbaresponse_t\ **structp);"
 .HP 29
-\fBvoid\ \fBlwres_gnbaresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gnbaresponse_t\ **structp\fR\fB);\fR
+.BI "void lwres_gnbaresponse_free(lwres_context_t\ *ctx, lwres_gnbaresponse_t\ **structp);"
 .HP 28
-\fBvoid\ \fBlwres_gnbarequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gnbarequest_t\ **structp\fR\fB);\fR
+.BI "void lwres_gnbarequest_free(lwres_context_t\ *ctx, lwres_gnbarequest_t\ **structp);"
 .SH "DESCRIPTION"
 .PP
 These are low\-level routines for creating and parsing lightweight resolver address\-to\-name lookup request and response messages.
@@ -57,6 +60,7 @@ to the canonical format. This is complemented by a parse function which converts
 These structures are defined in
 \fIlwres/lwres.h\fR. They are shown below.
 .sp
+.RS 3n
 .nf
 #define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
 typedef struct {
@@ -74,6 +78,7 @@ typedef struct {
         size_t          baselen;
 } lwres_gnbaresponse_t;
 .fi
+.RE
 .sp
 .PP
 \fBlwres_gnbarequest_render()\fR
@@ -127,7 +132,8 @@ structures referenced via
 .PP
 The getnamebyaddr opcode functions
 \fBlwres_gnbarequest_render()\fR,
-\fBlwres_gnbaresponse_render()\fR\fBlwres_gnbarequest_parse()\fR
+\fBlwres_gnbaresponse_render()\fR
+\fBlwres_gnbarequest_parse()\fR
 and
 \fBlwres_gnbaresponse_parse()\fR
 all return
@@ -158,3 +164,5 @@ indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
 \fBlwres_packet\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html
index 9a7fec77f3..221277f9a5 100644
--- a/lib/lwres/man/lwres_gnba.html
+++ b/lib/lwres/man/lwres_gnba.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_gnba
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free — lightweight resolver getnamebyaddress message handling
    
@@ -39,25 +39,31 @@
 lwres_result_t
 lwres_gnbarequest_render
 (
-lwres_context_t * 
+ 
 
 ctx, 
 
 
  
-lwres_gnbarequest_t * 
+ 
+
+ctx, 
+
+
+ 
+ 
 
 req, 
 
 
  
-lwres_lwpacket_t * 
+ 
 
 pkt, 
 
 
  
-lwres_buffer_t * 
+ 
 
 b);
 
@@ -84,6 +90,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -109,6 +120,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -134,6 +150,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -150,6 +171,11 @@ void
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -165,6 +191,11 @@ void
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -172,7 +203,7 @@ void
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 These are low-level routines for creating and parsing
 lightweight resolver address-to-name lookup request and 
@@ -277,7 +308,7 @@ structures is also discarded.
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 The getnamebyaddr opcode functions
 lwres_gnbarequest_render(),
@@ -315,7 +346,7 @@ indicate that the packet is not a response to an earlier query.
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 lwres_packet(3).
 
    
diff --git a/lib/lwres/man/lwres_hstrerror.3 b/lib/lwres/man/lwres_hstrerror.3
index 6706c0ee06..e875c446b0 100644
--- a/lib/lwres/man/lwres_hstrerror.3
+++ b/lib/lwres/man/lwres_hstrerror.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_hstrerror.3,v 1.13.2.6 2005/10/13 02:23:34 marka Exp $
+.\" $Id: lwres_hstrerror.3,v 1.13.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_hstrerror
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,9 +36,9 @@ lwres_herror, lwres_hstrerror \- lightweight resolver error message generation
 #include 
 .fi
 .HP 18
-\fBvoid\ \fBlwres_herror\fR\fR\fB(\fR\fBconst\ char\ *s\fR\fB);\fR
+.BI "void lwres_herror(const\ char\ *s);"
 .HP 29
-\fBconst\ char\ *\ \fBlwres_hstrerror\fR\fR\fB(\fR\fBint\ err\fR\fB);\fR
+.BI "const char * lwres_hstrerror(int\ err);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_herror()\fR
@@ -51,19 +54,19 @@ for the error code stored in the global variable
 \fBlwres_hstrerror()\fR
 returns an appropriate string for the error code gievn by
 \fIerr\fR. The values of the error codes and messages are as follows:
-.TP
+.TP 3n
 \fBNETDB_SUCCESS\fR
 Resolver Error 0 (no error)
-.TP
+.TP 3n
 \fBHOST_NOT_FOUND\fR
 Unknown host
-.TP
+.TP 3n
 \fBTRY_AGAIN\fR
 Host name lookup failure
-.TP
+.TP 3n
 \fBNO_RECOVERY\fR
 Unknown server error
-.TP
+.TP 3n
 \fBNO_DATA\fR
 No address associated with name
 .SH "RETURN VALUES"
@@ -79,3 +82,5 @@ is not a valid error code.
 .PP
 \fBherror\fR(3),
 \fBlwres_hstrerror\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html
index 4618947439..4890e30f4f 100644
--- a/lib/lwres/man/lwres_hstrerror.html
+++ b/lib/lwres/man/lwres_hstrerror.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_hstrerror
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_herror, lwres_hstrerror — lightweight resolver error message generation
    
@@ -40,7 +40,7 @@ const char *
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 lwres_herror() prints the string
 s on stderr followed by the string
@@ -79,7 +79,7 @@ the error codes and messages are as follows:
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 The string Unknown resolver error is returned by
 lwres_hstrerror()
@@ -89,7 +89,7 @@ is not a valid error code.
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 herror(3),
 
diff --git a/lib/lwres/man/lwres_inetntop.3 b/lib/lwres/man/lwres_inetntop.3
index 94e2dcee77..f611469704 100644
--- a/lib/lwres/man/lwres_inetntop.3
+++ b/lib/lwres/man/lwres_inetntop.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_inetntop.3,v 1.12.2.6 2005/10/13 02:23:34 marka Exp $
+.\" $Id: lwres_inetntop.3,v 1.12.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_inetntop
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,7 +36,7 @@ lwres_net_ntop \- lightweight resolver IP address presentation
 #include 
 .fi
 .HP 28
-\fBconst\ char\ *\ \fBlwres_net_ntop\fR\fR\fB(\fR\fBint\ af\fR\fB, \fR\fBconst\ void\ *src\fR\fB, \fR\fBchar\ *dst\fR\fB, \fR\fBsize_t\ size\fR\fB);\fR
+.BI "const char * lwres_net_ntop(int\ af, const\ void\ *src, char\ *dst, size_t\ size);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_net_ntop()\fR
@@ -67,3 +70,5 @@ is not supported.
 \fBRFC1884\fR(),
 \fBinet_ntop\fR(3),
 \fBerrno\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html
index 34bfd963f5..70f143ff8c 100644
--- a/lib/lwres/man/lwres_inetntop.html
+++ b/lib/lwres/man/lwres_inetntop.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_inetntop
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_net_ntop — lightweight resolver IP address presentation
    
@@ -52,6 +52,11 @@ const char *
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -59,7 +64,7 @@ const char *
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 lwres_net_ntop() converts an IP address of
 protocol family af — IPv4 or IPv6 —
@@ -75,7 +80,7 @@ ASCII representation of the address.
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 If successful, the function returns dst:
 a pointer to a string containing the presentation format of the
@@ -87,7 +92,7 @@ supported.
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 RFC1884,
 inet_ntop(3),
diff --git a/lib/lwres/man/lwres_noop.3 b/lib/lwres/man/lwres_noop.3
index d4c9d9cccb..9f6219f7e9 100644
--- a/lib/lwres/man/lwres_noop.3
+++ b/lib/lwres/man/lwres_noop.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_noop.3,v 1.14.2.6 2005/10/13 02:23:34 marka Exp $
+.\" $Id: lwres_noop.3,v 1.14.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_noop
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,17 +36,17 @@ lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lw
 #include 
 .fi
 .HP 40
-\fBlwres_result_t\ \fBlwres_nooprequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_nooprequest_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_nooprequest_render(lwres_context_t\ *ctx, lwres_nooprequest_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 41
-\fBlwres_result_t\ \fBlwres_noopresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_noopresponse_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
+.BI "lwres_result_t lwres_noopresponse_render(lwres_context_t\ *ctx, lwres_noopresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
 .HP 39
-\fBlwres_result_t\ \fBlwres_nooprequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_nooprequest_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_nooprequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_nooprequest_t\ **structp);"
 .HP 40
-\fBlwres_result_t\ \fBlwres_noopresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_noopresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_noopresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_noopresponse_t\ **structp);"
 .HP 29
-\fBvoid\ \fBlwres_noopresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_noopresponse_t\ **structp\fR\fB);\fR
+.BI "void lwres_noopresponse_free(lwres_context_t\ *ctx, lwres_noopresponse_t\ **structp);"
 .HP 28
-\fBvoid\ \fBlwres_nooprequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_nooprequest_t\ **structp\fR\fB);\fR
+.BI "void lwres_nooprequest_free(lwres_context_t\ *ctx, lwres_nooprequest_t\ **structp);"
 .SH "DESCRIPTION"
 .PP
 These are low\-level routines for creating and parsing lightweight resolver no\-op request and response messages.
@@ -61,6 +64,7 @@ to the canonical format. This is complemented by a parse function which converts
 These structures are defined in
 \fIlwres/lwres.h\fR. They are shown below.
 .sp
+.RS 3n
 .nf
 #define LWRES_OPCODE_NOOP       0x00000000U
 typedef struct {
@@ -72,6 +76,7 @@ typedef struct {
         unsigned char   *data;
 } lwres_noopresponse_t;
 .fi
+.RE
 .sp
 Although the structures have different types, they are identical. This is because the no\-op opcode simply echos whatever data was sent: the response is therefore identical to the request.
 .PP
@@ -126,7 +131,8 @@ structures referenced via
 .PP
 The no\-op opcode functions
 \fBlwres_nooprequest_render()\fR,
-\fBlwres_noopresponse_render()\fR\fBlwres_nooprequest_parse()\fR
+\fBlwres_noopresponse_render()\fR
+\fBlwres_nooprequest_parse()\fR
 and
 \fBlwres_noopresponse_parse()\fR
 all return
@@ -157,3 +163,5 @@ indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
 \fBlwres_packet\fR(3 )
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html
index 6e8db7a6b9..03ce8edfee 100644
--- a/lib/lwres/man/lwres_noop.html
+++ b/lib/lwres/man/lwres_noop.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_noop
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free — lightweight resolver no-op message handling
    
@@ -53,6 +53,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -78,6 +83,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -103,6 +113,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -128,6 +143,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -143,6 +163,11 @@ void
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -158,6 +183,11 @@ void
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -165,7 +195,7 @@ void
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 These are low-level routines for creating and parsing
 lightweight resolver no-op request and response messages.
@@ -246,7 +276,7 @@ structures referenced via structp.
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 The no-op opcode functions
 lwres_nooprequest_render(),
@@ -285,7 +315,7 @@ indicate that the packet is not a response to an earlier query.
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 lwres_packet(3
 )
diff --git a/lib/lwres/man/lwres_packet.3 b/lib/lwres/man/lwres_packet.3
index e307360198..4f60f4d858 100644
--- a/lib/lwres/man/lwres_packet.3
+++ b/lib/lwres/man/lwres_packet.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_packet.3,v 1.15.2.6 2005/10/13 02:23:34 marka Exp $
+.\" $Id: lwres_packet.3,v 1.15.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_packet
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,9 +36,9 @@ lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver
 #include 
 .fi
 .HP 43
-\fBlwres_result_t\ \fBlwres_lwpacket_renderheader\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB);\fR
+.BI "lwres_result_t lwres_lwpacket_renderheader(lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt);"
 .HP 42
-\fBlwres_result_t\ \fBlwres_lwpacket_parseheader\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB);\fR
+.BI "lwres_result_t lwres_lwpacket_parseheader(lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt);"
 .SH "DESCRIPTION"
 .PP
 These functions rely on a
@@ -43,6 +46,7 @@ These functions rely on a
 which is defined in
 \fIlwres/lwpacket.h\fR.
 .sp
+.RS 3n
 .nf
 typedef struct lwres_lwpacket lwres_lwpacket_t;
 struct lwres_lwpacket {
@@ -57,52 +61,54 @@ struct lwres_lwpacket {
         lwres_uint16_t          authlength;
 };
 .fi
+.RE
 .sp
 .PP
 The elements of this structure are:
-.TP
+.TP 3n
 \fBlength\fR
 the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBversion\fR
 the header format. There is currently only one format,
 \fBLWRES_LWPACKETVERSION_0\fR. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBpktflags\fR
 library\-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBserial\fR
 is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. This field must be set by the application.
-.TP
+.TP 3n
 \fBopcode\fR
 indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBresult\fR
 is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
+.TP 3n
 \fBrecvlength\fR
 is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. This field is supplied by the application.
-.TP
+.TP 3n
 \fBauthtype\fR
 defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. Currently these are not used and must be zero.
-.TP
+.TP 3n
 \fBauthlen\fR
 gives the length of the authentication data. Since packet authentication is currently not used, this must be zero.
 .PP
 The following opcodes are currently defined:
-.TP
+.TP 3n
 \fBNOOP\fR
 Success is always returned and the packet contents are echoed. The lwres_noop_*() functions should be used for this type.
-.TP
+.TP 3n
 \fBGETADDRSBYNAME\fR
 returns all known addresses for a given name. The lwres_gabn_*() functions should be used for this type.
-.TP
+.TP 3n
 \fBGETNAMEBYADDR\fR
 return the hostname for the given address. The lwres_gnba_*() functions should be used for this type.
 .PP
 \fBlwres_lwpacket_renderheader()\fR
 transfers the contents of lightweight resolver packet structure
-\fBlwres_lwpacket_t\fR\fI*pkt\fR
+\fBlwres_lwpacket_t\fR
+\fI*pkt\fR
 in network byte order to the lightweight resolver buffer,
 \fI*b\fR.
 .PP
@@ -127,3 +133,5 @@ and lightweight resolver packet
 \fI*pkt\fR
 both functions return
 \fBLWRES_R_UNEXPECTEDEND\fR.
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html
index 981a0ad24d..87c23522f2 100644
--- a/lib/lwres/man/lwres_packet.html
+++ b/lib/lwres/man/lwres_packet.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_packet
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_lwpacket_renderheader, lwres_lwpacket_parseheader — lightweight resolver packet handling functions
    
@@ -42,6 +42,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -57,6 +62,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -64,7 +74,7 @@ lwres_result_t
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 These functions rely on a
 struct lwres_lwpacket
@@ -202,7 +212,7 @@ buffer *b to resolver packet
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
     Successful calls to
 lwres_lwpacket_renderheader() and
 lwres_lwpacket_parseheader() return
diff --git a/lib/lwres/man/lwres_resutil.3 b/lib/lwres/man/lwres_resutil.3
index bdd2f4eefb..f9ac7a4849 100644
--- a/lib/lwres/man/lwres_resutil.3
+++ b/lib/lwres/man/lwres_resutil.3
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_resutil.3,v 1.14.2.6 2005/10/13 02:23:34 marka Exp $
+.\" $Id: lwres_resutil.3,v 1.14.2.7 2006/06/29 13:02:06 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwres_resutil
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -33,13 +36,13 @@ lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr
 #include 
 .fi
 .HP 34
-\fBlwres_result_t\ \fBlwres_string_parse\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBchar\ **c\fR\fB, \fR\fBlwres_uint16_t\ *len\fR\fB);\fR
+.BI "lwres_result_t lwres_string_parse(lwres_buffer_t\ *b, char\ **c, lwres_uint16_t\ *len);"
 .HP 32
-\fBlwres_result_t\ \fBlwres_addr_parse\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_addr_t\ *addr\fR\fB);\fR
+.BI "lwres_result_t lwres_addr_parse(lwres_buffer_t\ *b, lwres_addr_t\ *addr);"
 .HP 36
-\fBlwres_result_t\ \fBlwres_getaddrsbyname\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBconst\ char\ *name\fR\fB, \fR\fBlwres_uint32_t\ addrtypes\fR\fB, \fR\fBlwres_gabnresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_getaddrsbyname(lwres_context_t\ *ctx, const\ char\ *name, lwres_uint32_t\ addrtypes, lwres_gabnresponse_t\ **structp);"
 .HP 35
-\fBlwres_result_t\ \fBlwres_getnamebyaddr\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_uint32_t\ addrtype\fR\fB, \fR\fBlwres_uint16_t\ addrlen\fR\fB, \fR\fBconst\ unsigned\ char\ *addr\fR\fB, \fR\fBlwres_gnbaresponse_t\ **structp\fR\fB);\fR
+.BI "lwres_result_t lwres_getnamebyaddr(lwres_context_t\ *ctx, lwres_uint32_t\ addrtype, lwres_uint16_t\ addrlen, const\ unsigned\ char\ *addr, lwres_gnbaresponse_t\ **structp);"
 .SH "DESCRIPTION"
 .PP
 \fBlwres_string_parse()\fR
@@ -71,6 +74,7 @@ use the
 \fBlwres_gnbaresponse_t\fR
 structure defined below:
 .sp
+.RS 3n
 .nf
 typedef struct {
         lwres_uint32_t          flags;
@@ -85,6 +89,7 @@ typedef struct {
         size_t                  baselen;
 } lwres_gabnresponse_t;
 .fi
+.RE
 .sp
 The contents of this structure are not manipulated directly but they are controlled through the
 \fBlwres_gabn\fR(3 )
@@ -158,3 +163,5 @@ if the buffers used for sending queries and receiving replies are too small.
 .PP
 \fBlwres_buffer\fR(3),
 \fBlwres_gabn\fR(3).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html
index 694907b939..568c5f0e11 100644
--- a/lib/lwres/man/lwres_resutil.html
+++ b/lib/lwres/man/lwres_resutil.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwres_resutil
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr — lightweight resolver utility functions
    
@@ -47,6 +47,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -62,6 +67,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -87,6 +97,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -117,6 +132,11 @@ lwres_result_t
 
  
  
+, 
+
+
+ 
+ 
 
 );
 
@@ -124,7 +144,7 @@ lwres_result_t
 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
 lwres_string_parse() retrieves a DNS-encoded
 string starting the current pointer of lightweight resolver buffer
@@ -200,7 +220,7 @@ is made available through *structp.
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    
 Successful calls to
 lwres_string_parse()
@@ -244,7 +264,7 @@ small.
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
 lwres_buffer(3),
 

From 71c66a876ecca77923638d3f94cc0783152b2f03 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 29 Jun 2006 13:03:32 +0000
Subject: [PATCH 316/465] regen

---
 bin/check/named-checkconf.8             |  25 +-
 bin/check/named-checkconf.html          |  14 +-
 bin/check/named-checkzone.8             |  57 +--
 bin/check/named-checkzone.html          |  14 +-
 bin/dig/dig.1                           | 105 +++---
 bin/dig/dig.html                        |  22 +-
 bin/dig/host.1                          |  18 +-
 bin/dig/host.html                       |  12 +-
 bin/dig/nslookup.1                      |  89 ++---
 bin/dig/nslookup.html                   |  18 +-
 bin/dnssec/dnssec-keygen.8              |  51 +--
 bin/dnssec/dnssec-keygen.html           |  16 +-
 bin/dnssec/dnssec-signzone.8            |  71 ++--
 bin/dnssec/dnssec-signzone.html         |  14 +-
 bin/named/lwresd.8                      |  41 ++-
 bin/named/lwresd.html                   |  16 +-
 bin/named/named.8                       |  49 +--
 bin/named/named.conf.5                  |  39 +-
 bin/named/named.conf.html               |  34 +-
 bin/named/named.html                    |  18 +-
 bin/nsupdate/nsupdate.8                 |  63 ++--
 bin/nsupdate/nsupdate.html              |  20 +-
 bin/rndc/rndc-confgen.8                 |  35 +-
 bin/rndc/rndc-confgen.html              |  16 +-
 bin/rndc/rndc.8                         |  32 +-
 bin/rndc/rndc.conf.5                    |  27 +-
 bin/rndc/rndc.conf.html                 |  14 +-
 bin/rndc/rndc.html                      |  14 +-
 doc/arm/Bv9ARM.ch01.html                |  96 ++---
 doc/arm/Bv9ARM.ch02.html                |  42 +--
 doc/arm/Bv9ARM.ch03.html                |  40 +--
 doc/arm/Bv9ARM.ch04.html                | 116 +++---
 doc/arm/Bv9ARM.ch05.html                |  16 +-
 doc/arm/Bv9ARM.ch06.html                | 278 +++++++--------
 doc/arm/Bv9ARM.ch07.html                |  38 +-
 doc/arm/Bv9ARM.ch08.html                |  34 +-
 doc/arm/Bv9ARM.ch09.html                | 452 ++++++++++++++++--------
 doc/arm/Bv9ARM.ch10.html                |  24 +-
 doc/arm/Bv9ARM.html                     | 176 ++++-----
 doc/arm/man.dig.html                    |  22 +-
 doc/arm/man.dnssec-keygen.html          |  16 +-
 doc/arm/man.dnssec-signzone.html        |  14 +-
 doc/arm/man.host.html                   |  12 +-
 doc/arm/man.named-checkconf.html        |  14 +-
 doc/arm/man.named-checkzone.html        |  14 +-
 doc/arm/man.named.html                  |  18 +-
 doc/arm/man.rndc-confgen.html           |  16 +-
 doc/arm/man.rndc.conf.html              |  14 +-
 doc/arm/man.rndc.html                   |  14 +-
 lib/lwres/man/lwres.3                   |  15 +-
 lib/lwres/man/lwres.html                |  16 +-
 lib/lwres/man/lwres_buffer.3            |  56 +--
 lib/lwres/man/lwres_buffer.html         | 198 ++++++++---
 lib/lwres/man/lwres_config.3            |  28 +-
 lib/lwres/man/lwres_config.html         |  76 ++--
 lib/lwres/man/lwres_context.3           |  29 +-
 lib/lwres/man/lwres_context.html        | 104 ++++--
 lib/lwres/man/lwres_gabn.3              |  38 +-
 lib/lwres/man/lwres_gabn.html           |  88 +++--
 lib/lwres/man/lwres_gai_strerror.3      |  39 +-
 lib/lwres/man/lwres_gai_strerror.html   |  10 +-
 lib/lwres/man/lwres_getaddrinfo.3       |  32 +-
 lib/lwres/man/lwres_getaddrinfo.html    |  40 ++-
 lib/lwres/man/lwres_gethostent.3        |  57 +--
 lib/lwres/man/lwres_gethostent.html     | 100 ++++--
 lib/lwres/man/lwres_getipnode.3         |  49 +--
 lib/lwres/man/lwres_getipnode.html      |  54 ++-
 lib/lwres/man/lwres_getnameinfo.3       |  30 +-
 lib/lwres/man/lwres_getnameinfo.html    |  34 +-
 lib/lwres/man/lwres_getrrsetbyname.3    |  35 +-
 lib/lwres/man/lwres_getrrsetbyname.html |  42 ++-
 lib/lwres/man/lwres_gnba.3              |  36 +-
 lib/lwres/man/lwres_gnba.html           |  88 +++--
 lib/lwres/man/lwres_hstrerror.3         |  29 +-
 lib/lwres/man/lwres_hstrerror.html      |  12 +-
 lib/lwres/man/lwres_inetntop.3          |  17 +-
 lib/lwres/man/lwres_inetntop.html       |  26 +-
 lib/lwres/man/lwres_noop.3              |  36 +-
 lib/lwres/man/lwres_noop.html           |  88 +++--
 lib/lwres/man/lwres_packet.3            |  50 +--
 lib/lwres/man/lwres_packet.html         |  30 +-
 lib/lwres/man/lwres_resutil.3           |  25 +-
 lib/lwres/man/lwres_resutil.html        |  64 ++--
 83 files changed, 2465 insertions(+), 1616 deletions(-)

diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index a6db56de77..3f6973e6f0 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkconf.8,v 1.24 2005/10/13 03:13:55 marka Exp $
+.\" $Id: named-checkconf.8,v 1.25 2006/06/29 13:03:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: named\-checkconf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 14, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -36,24 +39,24 @@ named\-checkconf \- named configuration file syntax checking tool
 \fBnamed\-checkconf\fR
 checks the syntax, but not the semantics, of a named configuration file.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 chroot to
 \fIdirectory\fR
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.TP
+.TP 3n
 \-v
 Print the version of the
 \fBnamed\-checkconf\fR
 program and exit.
-.TP
+.TP 3n
 \-z
 Perform a check load the master zonefiles found in
 \fInamed.conf\fR.
-.TP
+.TP 3n
 \-j
 When loading a zonefile read the journal if it exists.
-.TP
+.TP 3n
 filename
 The name of the configuration file to be checked. If not specified, it defaults to
 \fI/etc/named.conf\fR.
@@ -68,3 +71,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index ce2b7b435e..789fe50c48 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 named-checkconf
-
+
 
 
    
 
    
@@ -32,14 +32,14 @@
 
    named-checkconf  [-v] [-j] [-t directory] {filename} [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -t directory
    
 
    
@@ -70,20 +70,20 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index adf6117678..74e2f1ea72 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.33 2006/01/07 03:34:55 marka Exp $
+.\" $Id: named-checkzone.8,v 1.34 2006/06/29 13:03:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: named\-checkzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 13, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -49,24 +52,24 @@ is similar to
 \fBnamed\fR
 configuration file.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-d
 Enable debugging.
-.TP
+.TP 3n
 \-q
 Quiet mode \- exit code only.
-.TP
+.TP 3n
 \-v
 Print the version of the
 \fBnamed\-checkzone\fR
 program and exit.
-.TP
+.TP 3n
 \-j
 When loading the zone file read the journal if it exists.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Specify the class of the zone. If not specified "IN" is assumed.
-.TP
+.TP 3n
 \-i \fImode\fR
 Perform post load zone integrity checks. Possible modes are
 \fB"full"\fR
@@ -108,20 +111,20 @@ respectively.
 Mode
 \fB"none"\fR
 disables the checks.
-.TP
+.TP 3n
 \-f \fIformat\fR
 Specify the format of the zone file. Possible formats are
 \fB"text"\fR
 (default) and
 \fB"raw"\fR.
-.TP
+.TP 3n
 \-F \fIformat\fR
 Specify the format of the output file specified. Possible formats are
 \fB"text"\fR
 (default) and
 \fB"raw"\fR. For
 \fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents.
-.TP
+.TP 3n
 \-k \fImode\fR
 Perform
 \fB"check\-name"\fR
@@ -133,21 +136,21 @@ checks with the specified failure mode. Possible modes are
 (default for
 \fBnamed\-checkzone\fR) and
 \fB"ignore"\fR.
-.TP
+.TP 3n
 \-m \fImode\fR
 Specify whether MX records should be checked to see if they are addresses. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
 \fB"ignore"\fR.
-.TP
+.TP 3n
 \-M \fImode\fR
 Check if a MX record refers to a CNAME. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
 \fB"ignore"\fR.
-.TP
+.TP 3n
 \-n \fImode\fR
 Specify whether NS records should be checked to see if they are addresses. Possible modes are
 \fB"fail"\fR
@@ -157,12 +160,12 @@ Specify whether NS records should be checked to see if they are addresses. Possi
 (default for
 \fBnamed\-checkzone\fR) and
 \fB"ignore"\fR.
-.TP
+.TP 3n
 \-o \fIfilename\fR
 Write zone output to
 \fIfilename\fR. This is mandatory for
 \fBnamed\-compilezone\fR.
-.TP
+.TP 3n
 \-s \fIstyle\fR
 Specify the style of the dumped zone file. Possible styles are
 \fB"full"\fR
@@ -170,38 +173,38 @@ Specify the style of the dumped zone file. Possible styles are
 \fB"default"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the default format is more human\-readable and is thus suitable for editing by hand. For
 \fBnamed\-checkzone\fR
 this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
-.TP
+.TP 3n
 \-S \fImode\fR
 Check if a SRV record refers to a CNAME. Possible modes are
 \fB"fail"\fR,
 \fB"warn"\fR
 (default) and
 \fB"ignore"\fR.
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 chroot to
 \fIdirectory\fR
 so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.TP
+.TP 3n
 \-w \fIdirectory\fR
 chdir to
 \fIdirectory\fR
 so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
 \fInamed.conf\fR.
-.TP
+.TP 3n
 \-D
 Dump zone file in canonical format. This is always enabled for
 \fBnamed\-compilezone\fR.
-.TP
+.TP 3n
 \-W \fImode\fR
 Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are
 \fB"warn"\fR
 (default) and
 \fB"ignore"\fR.
-.TP
+.TP 3n
 zonename
 The domain name of the zone being checked.
-.TP
+.TP 3n
 filename
 The name of the zone file.
 .SH "RETURN VALUES"
@@ -216,3 +219,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 7e7c128a2d..55891d4ab2 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 named-checkzone
-
+
 
 
    
 
    
@@ -33,7 +33,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -53,7 +53,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -233,21 +233,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 4dd6ceb5f3..5f4534b675 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dig.1,v 1.38 2006/01/28 02:15:53 marka Exp $
+.\" $Id: dig.1,v 1.39 2006/06/29 13:03:31 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dig
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -68,12 +71,14 @@ A typical invocation of
 \fBdig\fR
 looks like:
 .sp
+.RS 3n
 .nf
  dig @server name type 
 .fi
+.RE
 .sp
 where:
-.TP
+.TP 3n
 \fBserver\fR
 is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
 \fIserver\fR
@@ -86,10 +91,10 @@ argument is provided,
 consults
 \fI/etc/resolv.conf\fR
 and queries the name servers listed there. The reply from the name server that responds is displayed.
-.TP
+.TP 3n
 \fBname\fR
 is the name of the resource record that is to be looked up.
-.TP
+.TP 3n
 \fBtype\fR
 indicates what type of query is required \(em ANY, A, MX, SIG, etc.
 \fItype\fR
@@ -206,18 +211,18 @@ Each query option is identified by a keyword preceded by a plus sign (+). Some k
 no
 to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
 \fB+keyword=value\fR. The query options are:
-.TP
+.TP 3n
 \fB+[no]tcp\fR
 Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
-.TP
+.TP 3n
 \fB+[no]vc\fR
 Use [do not use] TCP when querying name servers. This alternate syntax to
 \fI+[no]tcp\fR
 is provided for backwards compatibility. The "vc" stands for "virtual circuit".
-.TP
+.TP 3n
 \fB+[no]ignore\fR
 Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
-.TP
+.TP 3n
 \fB+domain=somename\fR
 Set the search list to contain the single domain
 \fIsomename\fR, as if specified in a
@@ -226,38 +231,38 @@ directive in
 \fI/etc/resolv.conf\fR, and enable search list processing as if the
 \fI+search\fR
 option were given.
-.TP
+.TP 3n
 \fB+[no]search\fR
 Use [do not use] the search list defined by the searchlist or domain directive in
 \fIresolv.conf\fR
 (if any). The search list is not used by default.
-.TP
+.TP 3n
 \fB+[no]showsearch\fR
 Perform [do not perform] a search showing intermediate results.
-.TP
+.TP 3n
 \fB+[no]defname\fR
 Deprecated, treated as a synonym for
 \fI+[no]search\fR
-.TP
+.TP 3n
 \fB+[no]aaonly\fR
 Sets the "aa" flag in the query.
-.TP
+.TP 3n
 \fB+[no]aaflag\fR
 A synonym for
 \fI+[no]aaonly\fR.
-.TP
+.TP 3n
 \fB+[no]adflag\fR
 Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
-.TP
+.TP 3n
 \fB+[no]cdflag\fR
 Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
-.TP
+.TP 3n
 \fB+[no]cl\fR
 Display [do not display] the CLASS when printing the record.
-.TP
+.TP 3n
 \fB+[no]ttlid\fR
 Display [do not display] the TTL when printing the record.
-.TP
+.TP 3n
 \fB+[no]recurse\fR
 Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
 \fBdig\fR
@@ -266,74 +271,74 @@ normally sends recursive queries. Recursion is automatically disabled when the
 or
 \fI+trace\fR
 query options are used.
-.TP
+.TP 3n
 \fB+[no]nssearch\fR
 When this option is set,
 \fBdig\fR
 attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
-.TP
+.TP 3n
 \fB+[no]trace\fR
 Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
 \fBdig\fR
 makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
-.TP
+.TP 3n
 \fB+[no]cmd\fR
 toggles the printing of the initial comment in the output identifying the version of
 \fBdig\fR
 and the query options that have been applied. This comment is printed by default.
-.TP
+.TP 3n
 \fB+[no]short\fR
 Provide a terse answer. The default is to print the answer in a verbose form.
-.TP
+.TP 3n
 \fB+[no]identify\fR
 Show [or do not show] the IP address and port number that supplied the answer when the
 \fI+short\fR
 option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
-.TP
+.TP 3n
 \fB+[no]comments\fR
 Toggle the display of comment lines in the output. The default is to print comments.
-.TP
+.TP 3n
 \fB+[no]stats\fR
 This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
-.TP
+.TP 3n
 \fB+[no]qr\fR
 Print [do not print] the query as it is sent. By default, the query is not printed.
-.TP
+.TP 3n
 \fB+[no]question\fR
 Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
-.TP
+.TP 3n
 \fB+[no]answer\fR
 Display [do not display] the answer section of a reply. The default is to display it.
-.TP
+.TP 3n
 \fB+[no]authority\fR
 Display [do not display] the authority section of a reply. The default is to display it.
-.TP
+.TP 3n
 \fB+[no]additional\fR
 Display [do not display] the additional section of a reply. The default is to display it.
-.TP
+.TP 3n
 \fB+[no]all\fR
 Set or clear all display flags.
-.TP
+.TP 3n
 \fB+time=T\fR
 Sets the timeout for a query to
 \fIT\fR
 seconds. The default time out is 5 seconds. An attempt to set
 \fIT\fR
 to less than 1 will result in a query timeout of 1 second being applied.
-.TP
+.TP 3n
 \fB+tries=T\fR
 Sets the number of times to try UDP queries to server to
 \fIT\fR
 instead of the default, 3. If
 \fIT\fR
 is less than or equal to zero, the number of tries is silently rounded up to 1.
-.TP
+.TP 3n
 \fB+retry=T\fR
 Sets the number of times to retry UDP queries to server to
 \fIT\fR
 instead of the default, 2. Unlike
 \fI+tries\fR, this does not include the initial query.
-.TP
+.TP 3n
 \fB+ndots=D\fR
 Set the number of dots that have to appear in
 \fIname\fR
@@ -346,34 +351,34 @@ or
 \fBdomain\fR
 directive in
 \fI/etc/resolv.conf\fR.
-.TP
+.TP 3n
 \fB+bufsize=B\fR
 Set the UDP message buffer size advertised using EDNS0 to
 \fIB\fR
 bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent.
-.TP
+.TP 3n
 \fB+edns=#\fR
 Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent.
 \fB+noedns\fR
 clears the remembered EDNS version.
-.TP
+.TP 3n
 \fB+[no]multiline\fR
 Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
 \fBdig\fR
 output.
-.TP
+.TP 3n
 \fB+[no]fail\fR
 Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
-.TP
+.TP 3n
 \fB+[no]besteffort\fR
 Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
-.TP
+.TP 3n
 \fB+[no]dnssec\fR
 Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
-.TP
+.TP 3n
 \fB+[no]sigchase\fR
 Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP
+.TP 3n
 \fB+trusted\-key=####\fR
 Specifies a file containing trusted keys to be used with
 \fB+sigchase\fR. Each DNSKEY record must be on its own line.
@@ -387,7 +392,7 @@ then
 in the current directory.
 .sp
 Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP
+.TP 3n
 \fB+[no]topdown\fR
 When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
 .SH "MULTIPLE QUERIES"
@@ -406,9 +411,11 @@ A global set of query options, which should be applied to all queries, can also
 \fB+[no]cmd\fR
 option) can be overridden by a query\-specific set of query options. For example:
 .sp
+.RS 3n
 .nf
 dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
 .fi
+.RE
 .sp
 shows how
 \fBdig\fR
@@ -449,3 +456,5 @@ RFC1035.
 .SH "BUGS"
 .PP
 There are probably too many query options.
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index c33abbc585..856173dfe2 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 dig
-
+
 
 
    
 
    
@@ -34,7 +34,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -73,7 +73,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -119,7 +119,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -538,7 +538,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -584,7 +584,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -598,14 +598,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -613,7 +613,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index 1864baf45c..4da38fd23c 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: host.1,v 1.24 2005/10/13 03:13:56 marka Exp $
+.\" $Id: host.1,v 1.25 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: host
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -180,7 +183,8 @@ will effectively wait forever for a reply. The time to wait for a response will
 The
 \fB\-s\fR
 option tells
-\fBhost\fR\fInot\fR
+\fBhost\fR
+\fInot\fR
 to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behaviour.
 .PP
 The
@@ -208,3 +212,5 @@ runs.
 .PP
 \fBdig\fR(1),
 \fBnamed\fR(8).
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dig/host.html b/bin/dig/host.html
index 1cc092d875..97ca9bb44a 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 host
-
+
 
 
    
 
    
@@ -32,7 +32,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -184,7 +184,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -198,12 +198,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1
index 6041ea39f4..4daa6aae44 100644
--- a/bin/dig/nslookup.1
+++ b/bin/dig/nslookup.1
@@ -12,14 +12,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nslookup.1,v 1.8 2006/01/06 01:55:38 marka Exp $
+.\" $Id: nslookup.1,v 1.9 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: nslookup
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -39,26 +42,28 @@ has two modes: interactive and non\-interactive. Interactive mode allows the use
 .SH "ARGUMENTS"
 .PP
 Interactive mode is entered in the following cases:
-.TP 3
+.TP 3n
 1.
 when no arguments are given (the default name server will be used)
-.TP
+.TP 3n
 2.
 when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
+.sp
+.RE
 .PP
 Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
 .PP
 Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.IP .sp .nf nslookup \-query=hinfo \-timeout=10 .fi
+.sp .RS 3n .nf nslookup \-query=hinfo \-timeout=10 .fi .RE
 .SH "INTERACTIVE COMMANDS"
-.TP
+.TP 3n
 host [server]
 Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
 .sp
 To look up a host not in the current domain, append a period to the name.
-.TP
+.TP 3n
 \fBserver\fR \fIdomain\fR
-.TP
+.TP 3n
 \fBlserver\fR \fIdomain\fR
 Change the default server to
 \fIdomain\fR;
@@ -67,112 +72,112 @@ uses the initial server to look up information about
 \fIdomain\fR, while
 \fBserver\fR
 uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
-.TP
+.TP 3n
 \fBroot\fR
 not implemented
-.TP
+.TP 3n
 \fBfinger\fR
 not implemented
-.TP
+.TP 3n
 \fBls\fR
 not implemented
-.TP
+.TP 3n
 \fBview\fR
 not implemented
-.TP
+.TP 3n
 \fBhelp\fR
 not implemented
-.TP
+.TP 3n
 \fB?\fR
 not implemented
-.TP
+.TP 3n
 \fBexit\fR
 Exits the program.
-.TP
+.TP 3n
 \fBset\fR \fIkeyword\fR\fI[=value]\fR
 This command is used to change state information that affects the lookups. Valid keywords are:
-.RS
-.TP
+.RS 3n
+.TP 3n
 \fBall\fR
 Prints the current values of the frequently used options to
 \fBset\fR. Information about the current default server and host is also printed.
-.TP
+.TP 3n
 \fBclass=\fR\fIvalue\fR
 Change the query class to one of:
-.RS
-.TP
+.RS 3n
+.TP 3n
 \fBIN\fR
 the Internet class
-.TP
+.TP 3n
 \fBCH\fR
 the Chaos class
-.TP
+.TP 3n
 \fBHS\fR
 the Hesiod class
-.TP
+.TP 3n
 \fBANY\fR
 wildcard
 .RE
-.IP
+.IP "" 3n
 The class specifies the protocol group of the information.
 .sp
 (Default = IN; abbreviation = cl)
-.TP
+.TP 3n
 \fB \fR\fB\fI[no]\fR\fR\fBdebug\fR
 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
 .sp
 (Default = nodebug; abbreviation =
 [no]deb)
-.TP
+.TP 3n
 \fB \fR\fB\fI[no]\fR\fR\fBd2\fR
 Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
 .sp
 (Default = nod2)
-.TP
+.TP 3n
 \fBdomain=\fR\fIname\fR
 Sets the search list to
 \fIname\fR.
-.TP
+.TP 3n
 \fB \fR\fB\fI[no]\fR\fR\fBsearch\fR
 If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
 .sp
 (Default = search)
-.TP
+.TP 3n
 \fBport=\fR\fIvalue\fR
 Change the default TCP/UDP name server port to
 \fIvalue\fR.
 .sp
 (Default = 53; abbreviation = po)
-.TP
+.TP 3n
 \fBquerytype=\fR\fIvalue\fR
-.TP
+.TP 3n
 \fBtype=\fR\fIvalue\fR
 Change the type of the information query.
 .sp
 (Default = A; abbreviations = q, ty)
-.TP
+.TP 3n
 \fB \fR\fB\fI[no]\fR\fR\fBrecurse\fR
 Tell the name server to query other servers if it does not have the information.
 .sp
 (Default = recurse; abbreviation = [no]rec)
-.TP
+.TP 3n
 \fBretry=\fR\fInumber\fR
 Set the number of retries to number.
-.TP
+.TP 3n
 \fBtimeout=\fR\fInumber\fR
 Change the initial timeout interval for waiting for a reply to number seconds.
-.TP
+.TP 3n
 \fB \fR\fB\fI[no]\fR\fR\fBvc\fR
 Always use a virtual circuit when sending requests to the server.
 .sp
 (Default = novc)
-.TP
+.TP 3n
 \fB \fR\fB\fI[no]\fR\fR\fBfail\fR
 Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.
 .sp
 (Default = nofail)
 .RE
-.IP
+.IP "" 3n
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -184,3 +189,5 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no
 .SH "AUTHOR"
 .PP
 Andrew Cherenson
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index bbd9c11b2c..11dd001ac6 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -13,15 +13,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 nslookup
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    nslookup — query Internet name servers interactively
    
@@ -31,7 +31,7 @@
 
    nslookup  [-option] [name | -] [server]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    Nslookup
       is a program to query Internet domain name servers.  Nslookup
       has two modes: interactive and non-interactive.  Interactive mode allows
@@ -43,7 +43,7 @@
     
    
 
    
 
    
-
    ARGUMENTS
    
+
    ARGUMENTS
    
 
    
       Interactive mode is entered in the following cases:
       
    
@@ -76,7 +76,7 @@ nslookup -query=hinfo  -timeout=10
     
    
 
    
 
    
-
    INTERACTIVE COMMANDS
    
+
    INTERACTIVE COMMANDS
    
 
    
 
    host [server]
    
 
    
@@ -288,19 +288,19 @@ nslookup -query=hinfo  -timeout=10
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       host(1),
       named(8).
     
    
 
    
 
    
-
    Author
    
+
    Author
    
 
    
       Andrew Cherenson
     
    
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index d4436b9e93..1abda701d4 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.33 2005/10/13 03:13:57 marka Exp $
+.\" $Id: dnssec-keygen.8,v 1.34 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dnssec\-keygen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -36,7 +39,7 @@ dnssec\-keygen \- DNSSEC key generation tool
 \fBdnssec\-keygen\fR
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC . It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a \fIalgorithm\fR
 Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
@@ -45,37 +48,37 @@ must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5.
 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
 .sp
 Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
-.TP
+.TP 3n
 \-b \fIkeysize\fR
 Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
-.TP
+.TP 3n
 \-n \fInametype\fR
 Specifies the owner type of the key. The value of
 \fBnametype\fR
 must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
-.TP
+.TP 3n
 \-e
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
-.TP
+.TP 3n
 \-f \fIflag\fR
 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
-.TP
+.TP 3n
 \-g \fIgenerator\fR
 If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBdnssec\-keygen\fR.
-.TP
+.TP 3n
 \-k
 Generate KEY records rather than DNSKEY records.
-.TP
+.TP 3n
 \-p \fIprotocol\fR
 Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
-.TP
+.TP 3n
 \-r \fIrandomdev\fR
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
@@ -84,15 +87,15 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-s \fIstrength\fR
 Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
-.TP
+.TP 3n
 \-t \fItype\fR
 Indicates the use of the key.
 \fBtype\fR
 must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
-.TP
+.TP 3n
 \-v \fIlevel\fR
 Sets the debugging level.
 .SH "GENERATED KEYS"
@@ -102,18 +105,20 @@ When
 completes successfully, it prints a string of the form
 \fIKnnnn.+aaa+iiiii\fR
 to the standard output. This is an identification string for the key it has generated.
-.TP 3
+.TP 3n
 \(bu
 \fInnnn\fR
 is the key name.
-.TP
+.TP 3n
 \(bu
 \fIaaa\fR
 is the numeric representation of the algorithm.
-.TP
+.TP 3n
 \(bu
 \fIiiiii\fR
 is the key identifier (or footprint).
+.sp
+.RE
 .PP
 \fBdnssec\-keygen\fR
 creates two file, with names based on the printed string.
@@ -162,3 +167,5 @@ RFC 2539.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 8ec86a46ec..f73884cc3c 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 dnssec-keygen
-
+
 
 
    
 
    
@@ -32,7 +32,7 @@
 
    dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -40,7 +40,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -148,7 +148,7 @@
 
    
 
    
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -194,7 +194,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -215,7 +215,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -224,7 +224,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index d86d2a331c..53c47aa508 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.41 2006/04/23 10:14:12 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.42 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: dnssec\-signzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -38,49 +41,49 @@ signs a zone. It generates NSEC and RRSIG records and produces a signed version
 \fIkeyset\fR
 file for each child zone.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a
 Verify all generated signatures.
-.TP
+.TP 3n
 \-c \fIclass\fR
 Specifies the DNS class of the zone.
-.TP
+.TP 3n
 \-k \fIkey\fR
 Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
-.TP
+.TP 3n
 \-l \fIdomain\fR
 Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
-.TP
+.TP 3n
 \-d \fIdirectory\fR
 Look for
 \fIkeyset\fR
 files in
 \fBdirectory\fR
 as the directory
-.TP
+.TP 3n
 \-g
 Generate DS records for child zones from keyset files. Existing DS records will be removed.
-.TP
+.TP 3n
 \-s \fIstart\-time\fR
 Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
 \fBstart\-time\fR
 is specified, the current time minus 1 hour (to allow for clock skew) is used.
-.TP
+.TP 3n
 \-e \fIend\-time\fR
 Specify the date and time when the generated RRSIG records expire. As with
 \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
 \fBend\-time\fR
 is specified, 30 days from the start time is used as a default.
-.TP
+.TP 3n
 \-f \fIoutput\-file\fR
 The name of the output file containing the signed zone. The default is to append
 \fI.signed\fR
 to the input file.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBdnssec\-signzone\fR.
-.TP
+.TP 3n
 \-i \fIinterval\fR
 When a previously signed zone is passed as input, records may be resigned. The
 \fBinterval\fR
@@ -93,23 +96,23 @@ or
 are specified,
 \fBdnssec\-signzone\fR
 generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
-.TP
+.TP 3n
 \-I \fIinput\-format\fR
 The format of the input zone file. Possible formats are
 \fB"text"\fR
 (default) and
 \fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
-.TP
+.TP 3n
 \-j \fIjitter\fR
 When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously signed zone is passed as input to the signer, all expired signatures has to be regenerated at about the same time. The
 \fBjitter\fR
 option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
 .sp
 Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
-.TP
+.TP 3n
 \-n \fIncpus\fR
 Specifies the number of threads to use. By default, one thread is started for each detected CPU.
-.TP
+.TP 3n
 \-N \fIsoa\-serial\-format\fR
 The SOA serial number format of the signed zone. Possible formats are
 \fB"keep"\fR
@@ -117,30 +120,30 @@ The SOA serial number format of the signed zone. Possible formats are
 \fB"increment"\fR
 and
 \fB"unixtime"\fR.
-.RS
-.TP
+.RS 3n
+.TP 3n
 \fB"keep"\fR
 Do not modify the SOA serial number.
-.TP
+.TP 3n
 \fB"increment"\fR
 Increment the SOA serial number using RFC 1982 arithmetics.
-.TP
+.TP 3n
 \fB"unixtime"\fR
 Set the SOA serial number to the number of seconds since epoch.
 .RE
-.TP
+.TP 3n
 \-o \fIorigin\fR
 The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.TP
+.TP 3n
 \-O \fIoutput\-format\fR
 The format of the output file containing the signed zone. Possible formats are
 \fB"text"\fR
 (default) and
 \fB"raw"\fR.
-.TP
+.TP 3n
 \-p
 Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.TP
+.TP 3n
 \-r \fIrandomdev\fR
 Specifies the source of randomness. If the operating system does not provide a
 \fI/dev/random\fR
@@ -149,19 +152,19 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-t
 Print statistics at completion.
-.TP
+.TP 3n
 \-v \fIlevel\fR
 Sets the debugging level.
-.TP
+.TP 3n
 \-z
 Ignore KSK flag on key when determining what to sign.
-.TP
+.TP 3n
 zonefile
 The file containing the zone to be signed.
-.TP
+.TP 3n
 key
 The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory.
 .SH "EXAMPLE"
@@ -193,3 +196,5 @@ RFC 2535.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 74e4cbcda2..ed660c9e51 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 dnssec-signzone
-
+
 
 
    
 
    
@@ -32,7 +32,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -239,7 +239,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -265,14 +265,14 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8
index d18ff439db..d8c3e856a9 100644
--- a/bin/named/lwresd.8
+++ b/bin/named/lwresd.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwresd.8,v 1.22 2005/10/13 03:13:58 marka Exp $
+.\" $Id: lwresd.8,v 1.23 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: lwresd
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "LWRESD" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -57,41 +60,41 @@ entries are present, or if forwarding fails,
 \fBlwresd\fR
 resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-C \fIconfig\-file\fR
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
 \fI/etc/resolv.conf\fR.
-.TP
+.TP 3n
 \-d \fIdebug\-level\fR
 Set the daemon's debug level to
 \fIdebug\-level\fR. Debugging traces from
 \fBlwresd\fR
 become more verbose as the debug level increases.
-.TP
+.TP 3n
 \-f
 Run the server in the foreground (i.e. do not daemonize).
-.TP
+.TP 3n
 \-g
 Run the server in the foreground and force all logging to
 \fIstderr\fR.
-.TP
+.TP 3n
 \-n \fI#cpus\fR
 Create
 \fI#cpus\fR
 worker threads to take advantage of multiple CPUs. If not specified,
 \fBlwresd\fR
 will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP
+.TP 3n
 \-P \fIport\fR
 Listen for lightweight resolver queries on port
 \fIport\fR. If not specified, the default is port 921.
-.TP
+.TP 3n
 \-p \fIport\fR
 Send DNS lookups to port
 \fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
-.TP
+.TP 3n
 \-s
 Write memory usage statistics to
 \fIstdout\fR
@@ -100,7 +103,7 @@ on exit.
 .B "Note:"
 This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
 .RE
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 \fBchroot()\fR
 to
@@ -114,20 +117,20 @@ option, as chrooting a process running as root doesn't enhance security on most
 \fBchroot()\fR
 is defined allows a process with root privileges to escape a chroot jail.
 .RE
-.TP
+.TP 3n
 \-u \fIuser\fR
 \fBsetuid()\fR
 to
 \fIuser\fR
 after completing privileged operations, such as creating sockets that listen on privileged ports.
-.TP
+.TP 3n
 \-v
 Report the version number and exit.
 .SH "FILES"
-.TP
+.TP 3n
 \fI/etc/resolv.conf\fR
 The default configuration file.
-.TP
+.TP 3n
 \fI/var/run/lwresd.pid\fR
 The default process\-id file.
 .SH "SEE ALSO"
@@ -138,3 +141,5 @@ The default process\-id file.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index ade92711e2..b0979a3ad4 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 lwresd
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    lwresd — lightweight resolver daemon
    
@@ -32,7 +32,7 @@
 
    lwresd  [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    lwresd
       is the daemon providing name lookup
       services to clients that use the BIND 9 lightweight resolver
@@ -67,7 +67,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -C config-file
    
 
    
@@ -159,7 +159,7 @@
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -172,14 +172,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       lwres(3),
       resolver(5).
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/named/named.8 b/bin/named/named.8
index 75fa11becf..96916971a6 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.28 2006/03/11 02:07:52 marka Exp $
+.\" $Id: named.8,v 1.29 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: named
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NAMED" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -41,21 +44,21 @@ When invoked without arguments,
 will read the default configuration file
 \fI/etc/named.conf\fR, read any initial data, and listen for queries.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-4
 Use IPv4 only even if the host machine is capable of IPv6.
 \fB\-4\fR
 and
 \fB\-6\fR
 are mutually exclusive.
-.TP
+.TP 3n
 \-6
 Use IPv6 only even if the host machine is capable of IPv4.
 \fB\-4\fR
 and
 \fB\-6\fR
 are mutually exclusive.
-.TP
+.TP 3n
 \-c \fIconfig\-file\fR
 Use
 \fIconfig\-file\fR
@@ -65,31 +68,31 @@ as the configuration file instead of the default,
 option in the configuration file,
 \fIconfig\-file\fR
 should be an absolute pathname.
-.TP
+.TP 3n
 \-d \fIdebug\-level\fR
 Set the daemon's debug level to
 \fIdebug\-level\fR. Debugging traces from
 \fBnamed\fR
 become more verbose as the debug level increases.
-.TP
+.TP 3n
 \-f
 Run the server in the foreground (i.e. do not daemonize).
-.TP
+.TP 3n
 \-g
 Run the server in the foreground and force all logging to
 \fIstderr\fR.
-.TP
+.TP 3n
 \-n \fI#cpus\fR
 Create
 \fI#cpus\fR
 worker threads to take advantage of multiple CPUs. If not specified,
 \fBnamed\fR
 will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP
+.TP 3n
 \-p \fIport\fR
 Listen for queries on port
 \fIport\fR. If not specified, the default is port 53.
-.TP
+.TP 3n
 \-s
 Write memory usage statistics to
 \fIstdout\fR
@@ -98,7 +101,7 @@ on exit.
 .B "Note:"
 This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
 .RE
-.TP
+.TP 3n
 \-t \fIdirectory\fR
 \fBchroot()\fR
 to
@@ -112,7 +115,7 @@ option, as chrooting a process running as root doesn't enhance security on most
 \fBchroot()\fR
 is defined allows a process with root privileges to escape a chroot jail.
 .RE
-.TP
+.TP 3n
 \-u \fIuser\fR
 \fBsetuid()\fR
 to
@@ -131,10 +134,10 @@ option only works when
 is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
 \fBsetuid()\fR.
 .RE
-.TP
+.TP 3n
 \-v
 Report the version number and exit.
-.TP
+.TP 3n
 \-x \fIcache\-file\fR
 Load data from
 \fIcache\-file\fR
@@ -148,10 +151,10 @@ This option must not be used. It is only of interest to BIND 9 developers and ma
 In routine operation, signals should not be used to control the nameserver;
 \fBrndc\fR
 should be used instead.
-.TP
+.TP 3n
 SIGHUP
 Force a reload of the server.
-.TP
+.TP 3n
 SIGINT, SIGTERM
 Shut down the server.
 .PP
@@ -163,10 +166,10 @@ The
 configuration file is too complex to describe in detail here. A complete description is provided in the
 BIND 9 Administrator Reference Manual.
 .SH "FILES"
-.TP
+.TP 3n
 \fI/etc/named.conf\fR
 The default configuration file.
-.TP
+.TP 3n
 \fI/var/run/named.pid\fR
 The default process\-id file.
 .SH "SEE ALSO"
@@ -181,3 +184,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index fb1aee1886..3deb3a2963 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,15 +12,18 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.20 2006/06/04 23:38:17 marka Exp $
+.\" $Id: named.conf.5,v 1.21 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "\\FINAMED.CONF\\FR" "5" "Aug 13, 2004" "BIND9" "BIND9"
+.\"     Title: \fInamed.conf\fR
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Aug 13, 2004
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "\fINAMED.CONF\fR" "5" "Aug 13, 2004" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -43,27 +46,34 @@ C++ style: // to end of line
 Unix style: # to end of line
 .SH "ACL"
 .sp
+.RS 3n
 .nf
 acl \fIstring\fR { \fIaddress_match_element\fR; ... };
 .fi
+.RE
 .SH "KEY"
 .sp
+.RS 3n
 .nf
 key \fIdomain_name\fR {
 	algorithm \fIstring\fR;
 	secret \fIstring\fR;
 };
 .fi
+.RE
 .SH "MASTERS"
 .sp
+.RS 3n
 .nf
 masters \fIstring\fR [ port \fIinteger\fR ] {
 	( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] |
 	\fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; ...
 };
 .fi
+.RE
 .SH "SERVER"
 .sp
+.RS 3n
 .nf
 server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) {
 	bogus \fIboolean\fR;
@@ -82,15 +92,19 @@ server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen
 	support\-ixfr \fIboolean\fR; // obsolete
 };
 .fi
+.RE
 .SH "TRUSTED\-KEYS"
 .sp
+.RS 3n
 .nf
 trusted\-keys {
 	\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
 };
 .fi
+.RE
 .SH "CONTROLS"
 .sp
+.RS 3n
 .nf
 controls {
 	inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
@@ -100,8 +114,10 @@ controls {
 	unix \fIunsupported\fR; // not implemented
 };
 .fi
+.RE
 .SH "LOGGING"
 .sp
+.RS 3n
 .nf
 logging {
 	channel \fIstring\fR {
@@ -117,8 +133,10 @@ logging {
 	category \fIstring\fR { \fIstring\fR; ... };
 };
 .fi
+.RE
 .SH "LWRES"
 .sp
+.RS 3n
 .nf
 lwres {
 	listen\-on [ port \fIinteger\fR ] {
@@ -129,8 +147,10 @@ lwres {
 	ndots \fIinteger\fR;
 };
 .fi
+.RE
 .SH "OPTIONS"
 .sp
+.RS 3n
 .nf
 options {
 	avoid\-v4\-udp\-ports { \fIport\fR; ... };
@@ -283,8 +303,10 @@ options {
 	use\-id\-pool \fIboolean\fR; // obsolete
 };
 .fi
+.RE
 .SH "VIEW"
 .sp
+.RS 3n
 .nf
 view \fIstring\fR \fIoptional_class\fR {
 	match\-clients { \fIaddress_match_element\fR; ... };
@@ -407,8 +429,10 @@ view \fIstring\fR \fIoptional_class\fR {
 	max\-ixfr\-log\-size \fIsize\fR; // obsolete
 };
 .fi
+.RE
 .SH "ZONE"
 .sp
+.RS 3n
 .nf
 zone \fIstring\fR \fIoptional_class\fR {
 	type ( master | slave | stub | hint |
@@ -481,6 +505,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 	pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete
 };
 .fi
+.RE
 .SH "FILES"
 .PP
 \fI/etc/named.conf\fR
@@ -489,3 +514,5 @@ zone \fIstring\fR \fIoptional_class\fR {
 \fBnamed\fR(8),
 \fBrndc\fR(8),
 \fBBIND 9 Administrator Reference Manual\fR().
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 481f8936d4..18437734b2 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,15 +13,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 named.conf
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    named.conf — configuration file for named
    
@@ -31,7 +31,7 @@
 
    named.conf 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named.conf is the configuration file
       for
       named.  Statements are enclosed
@@ -50,14 +50,14 @@
     
    
 
    
 
    
-
    ACL
    
+
    ACL
    
 

    
 acl string { address_match_element; ... };
    
 
    
 
    
 
    
 
    
-
    KEY
    
+
    KEY
    
 

    
 key domain_name {
    
 	algorithm string;
    
@@ -66,7 +66,7 @@ key
 
    
 
    
 
    
-
    MASTERS
    
+
    MASTERS
    
 

    
 masters string [ port integer ] {
    masters | ipv4_address [port integer] |
    
@@ -75,7 +75,7 @@ masters
 
    
 
    
 
    
-
    SERVER
    
+
    SERVER
    
 

    
 server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
    
 	bogus boolean;
    
@@ -97,7 +97,7 @@ server
 
    
 
    
 
    
-
    TRUSTED-KEYS
    
+
    TRUSTED-KEYS
    
 

    
 trusted-keys {
    
 	domain_name flags protocol algorithm key; ... 
    
@@ -105,7 +105,7 @@ trusted-keys
 
    
 
    
 
    
-
    CONTROLS
    
+
    CONTROLS
    
 

    
 controls {
    
 	inet ( ipv4_address | ipv6_address | * )
    
@@ -117,7 +117,7 @@ controls
 
    
 
    
 
    
-
    LOGGING
    
+
    LOGGING
    
 

    
 logging {
    
 	channel string {
    
@@ -135,7 +135,7 @@ logging
 
    
 
    
 
    
-
    LWRES
    
+
    LWRES
    
 

    
 lwres {
    
 	listen-on [ port integer ] {
    
@@ -148,7 +148,7 @@ lwres
 
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 

    
 options {
    
 	avoid-v4-udp-ports { port; ... };
    
@@ -313,7 +313,7 @@ options
 
    
 
    
 
    
-
    VIEW
    
+
    VIEW
    
 

    
 view string optional_class {
    
 	match-clients { address_match_element; ... };
    
@@ -453,7 +453,7 @@ view
 
    
 
    
 
    
-
    ZONE
    
+
    ZONE
    
 

    
 zone string optional_class {
    
 	type ( master | slave | stub | hint |
    
@@ -538,12 +538,12 @@ zone
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/named.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       rndc(8),
       BIND 9 Administrator Reference Manual.
diff --git a/bin/named/named.html b/bin/named/named.html
index a60897cc07..e7040cbf2e 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 named
-
+
 
 
    
 
    
@@ -32,7 +32,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -47,7 +47,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -180,7 +180,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -201,7 +201,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -210,7 +210,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -223,7 +223,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -234,7 +234,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/nsupdate/nsupdate.8 b/bin/nsupdate/nsupdate.8
index 91faa21189..2088621377 100644
--- a/bin/nsupdate/nsupdate.8
+++ b/bin/nsupdate/nsupdate.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.8,v 1.39 2006/01/28 02:15:53 marka Exp $
+.\" $Id: nsupdate.8,v 1.40 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: nsupdate
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Jun 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -30,7 +33,7 @@
 nsupdate \- Dynamic DNS update utility
 .SH "SYNOPSIS"
 .HP 9
-\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename]
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
@@ -79,7 +82,8 @@ reads the shared secret from the file
 must also be present. When the
 \fB\-y\fR
 option is used, a signature is generated from
-[\fIhmac:\fR]\fIkeyname:secret.\fR\fIkeyname\fR
+[\fIhmac:\fR]\fIkeyname:secret.\fR
+\fIkeyname\fR
 is the name of the key, and
 \fIsecret\fR
 is the base64 encoded shared secret. Use of the
@@ -123,7 +127,7 @@ Every update request consists of zero or more prerequisites and zero or more upd
 command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.
 .PP
 The command formats and their meaning are as follows:
-.TP
+.TP 3n
 .HP 7 \fBserver\fR {servername} [port]
 Sends all dynamic update requests to the name server
 \fIservername\fR. When no server statement is provided,
@@ -133,7 +137,7 @@ will send updates to the master server of the correct zone. The MNAME field of t
 is the port number on
 \fIservername\fR
 where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
-.TP
+.TP 3n
 .HP 6 \fBlocal\fR {address} [port]
 Sends all dynamic update requests using the local
 \fIaddress\fR. When no local statement is provided,
@@ -141,7 +145,7 @@ Sends all dynamic update requests using the local
 will send updates using an address and port chosen by the system.
 \fIport\fR
 can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.
-.TP
+.TP 3n
 .HP 5 \fBzone\fR {zonename}
 Specifies that all updates are to be made to the zone
 \fIzonename\fR. If no
@@ -149,32 +153,33 @@ Specifies that all updates are to be made to the zone
 statement is provided,
 \fBnsupdate\fR
 will attempt determine the correct zone to update based on the rest of the input.
-.TP
+.TP 3n
 .HP 6 \fBclass\fR {classname}
 Specify the default class. If no
 \fIclass\fR
 is specified the default class is
 \fIIN\fR.
-.TP
+.TP 3n
 .HP 4 \fBkey\fR {name} {secret}
 Specifies that all updates are to be TSIG signed using the
-\fIkeyname\fR\fIkeysecret\fR
+\fIkeyname\fR
+\fIkeysecret\fR
 pair. The
 \fBkey\fR
 command overrides any key specified on the command line via
 \fB\-y\fR
 or
 \fB\-k\fR.
-.TP
+.TP 3n
 .HP 16 \fBprereq nxdomain\fR {domain\-name}
 Requires that no resource record of any type exists with name
 \fIdomain\-name\fR.
-.TP
+.TP 3n
 .HP 16 \fBprereq yxdomain\fR {domain\-name}
 Requires that
 \fIdomain\-name\fR
 exists (has as at least one resource record, of any type).
-.TP
+.TP 3n
 .HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type}
 Requires that no resource record exists of the specified
 \fItype\fR,
@@ -183,7 +188,7 @@ and
 \fIdomain\-name\fR. If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.TP
+.TP 3n
 .HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type}
 This requires that a resource record of the specified
 \fItype\fR,
@@ -193,7 +198,7 @@ and
 must exist. If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.TP
+.TP 3n
 .HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...}
 The
 \fIdata\fR
@@ -207,7 +212,7 @@ are combined to form a set of RRs. This set of RRs must exactly match the set of
 \fIdomain\-name\fR. The
 \fIdata\fR
 are written in the standard text representation of the resource record's RDATA.
-.TP
+.TP 3n
 .HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]]
 Deletes any resource records named
 \fIdomain\-name\fR. If
@@ -219,20 +224,20 @@ is provided, only matching resource records will be removed. The internet class
 is not supplied. The
 \fIttl\fR
 is ignored, and is only allowed for compatibility.
-.TP
+.TP 3n
 .HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...}
 Adds a new resource record with the specified
 \fIttl\fR,
 \fIclass\fR
 and
 \fIdata\fR.
-.TP
+.TP 3n
 .HP 5 \fBshow\fR
 Displays the current message, containing all of the prerequisites and updates specified since the last send.
-.TP
+.TP 3n
 .HP 5 \fBsend\fR
 Sends the current message. This is equivalent to entering a blank line.
-.TP
+.TP 3n
 .HP 7 \fBanswer\fR
 Displays the answer.
 .PP
@@ -246,12 +251,14 @@ could be used to insert and delete resource records from the
 zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
 \fBexample.com\fR.
 .sp
+.RS 3n
 .nf
 # nsupdate
 > update delete oldhost.example.com A
 > update add newhost.example.com 86400 A 172.16.1.1
 > send
 .fi
+.RE
 .sp
 .PP
 Any A records for
@@ -260,25 +267,27 @@ are deleted. and an A record for
 \fBnewhost.example.com\fR
 it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds)
 .sp
+.RS 3n
 .nf
 # nsupdate
 > prereq nxdomain nickname.example.com
 > update add nickname.example.com 86400 CNAME somehost.example.com
 > send
 .fi
+.RE
 .sp
 .PP
 The prerequisite condition gets the name server to check that there are no resource records of any type for
 \fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
 .SH "FILES"
-.TP
+.TP 3n
 \fB/etc/resolv.conf\fR
 used to identify default name server
-.TP
+.TP 3n
 \fBK{name}.+157.+{random}.key\fR
 base\-64 encoding of HMAC\-MD5 key created by
 \fBdnssec\-keygen\fR(8).
-.TP
+.TP 3n
 \fBK{name}.+157.+{random}.private\fR
 base\-64 encoding of HMAC\-MD5 key created by
 \fBdnssec\-keygen\fR(8).
@@ -296,3 +305,5 @@ base\-64 encoding of HMAC\-MD5 key created by
 .SH "BUGS"
 .PP
 The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 554d7bc843..0a5227c898 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,15 +14,15 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 nsupdate
-
+
 
 
    
-
    
+
    
 
    
 
    Name
    
 
    nsupdate — Dynamic DNS update utility
    
@@ -32,7 +32,7 @@
 
    nsupdate  [-d] [[-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-v] [filename]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -153,7 +153,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -297,7 +297,7 @@
               record's
               RDATA.
             
    
-
    update delete  {domain-name} [ttl] [class] [type  [data...]]
    
+
    update delete  {domain-name} [ttl] [class] [type [data...]]
    
 
    
               Deletes any resource records named
               domain-name.
@@ -343,7 +343,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -397,7 +397,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -416,7 +416,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -429,7 +429,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8
index f88fb8964b..26ea77a441 100644
--- a/bin/rndc/rndc-confgen.8
+++ b/bin/rndc/rndc-confgen.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc-confgen.8,v 1.17 2005/10/13 03:13:59 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.18 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: rndc\-confgen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: Aug 27, 2001
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -53,7 +56,7 @@ file and a
 \fBcontrols\fR
 statement altogether.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-a
 Do automatic
 \fBrndc\fR
@@ -97,30 +100,30 @@ option and set up a
 and
 \fInamed.conf\fR
 as directed.
-.TP
+.TP 3n
 \-b \fIkeysize\fR
 Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
-.TP
+.TP 3n
 \-c \fIkeyfile\fR
 Used with the
 \fB\-a\fR
 option to specify an alternate location for
 \fIrndc.key\fR.
-.TP
+.TP 3n
 \-h
 Prints a short summary of the options and arguments to
 \fBrndc\-confgen\fR.
-.TP
+.TP 3n
 \-k \fIkeyname\fR
 Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
 \fBrndc\-key\fR.
-.TP
+.TP 3n
 \-p \fIport\fR
 Specifies the command channel port where
 \fBnamed\fR
 listens for connections from
 \fBrndc\fR. The default is 953.
-.TP
+.TP 3n
 \-r \fIrandomfile\fR
 Specifies a source of random data for generating the authorization. If the operating system does not provide a
 \fI/dev/random\fR
@@ -129,13 +132,13 @@ or equivalent device, the default source of randomness is keyboard input.
 specifies the name of a character device or file containing random data to be used instead of the default. The special value
 \fIkeyboard\fR
 indicates that keyboard input should be used.
-.TP
+.TP 3n
 \-s \fIaddress\fR
 Specifies the IP address where
 \fBnamed\fR
 listens for command channel connections from
 \fBrndc\fR. The default is the loopback address 127.0.0.1.
-.TP
+.TP 3n
 \-t \fIchrootdir\fR
 Used with the
 \fB\-a\fR
@@ -145,7 +148,7 @@ will run chrooted. An additional copy of the
 \fIrndc.key\fR
 will be written relative to this directory so that it will be found by the chrooted
 \fBnamed\fR.
-.TP
+.TP 3n
 \-u \fIuser\fR
 Used with the
 \fB\-a\fR
@@ -181,3 +184,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
index 852086ea90..70a2b02781 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/rndc/rndc-confgen.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 rndc-confgen
-
+
 
 
    
 
    
@@ -32,7 +32,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -48,7 +48,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -57,7 +57,7 @@
             This creates a file rndc.key
             in /etc (or whatever
             sysconfdir
-            was specified as when BIND was
+            was specified as when BIND was
             built)
             that is read by both rndc
             and named on startup.  The
@@ -155,7 +155,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -172,7 +172,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -180,7 +180,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index 8cfa366cbc..00141ad739 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -13,14 +13,17 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.8,v 1.35 2005/10/13 03:13:59 marka Exp $
+.\" $Id: rndc.8,v 1.36 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\"     Title: rndc
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
 .TH "RNDC" "8" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
@@ -50,18 +53,18 @@ named the only supported authentication algorithm is HMAC\-MD5, which uses a sha
 \fBrndc\fR
 reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
 .SH "OPTIONS"
-.TP
+.TP 3n
 \-b \fIsource\-address\fR
 Use
 \fIsource\-address\fR
 as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses.
-.TP
+.TP 3n
 \-c \fIconfig\-file\fR
 Use
 \fIconfig\-file\fR
 as the configuration file instead of the default,
 \fI/etc/rndc.conf\fR.
-.TP
+.TP 3n
 \-k \fIkey\-file\fR
 Use
 \fIkey\-file\fR
@@ -71,20 +74,20 @@ as the key file instead of the default,
 will be used to authenticate commands sent to the server if the
 \fIconfig\-file\fR
 does not exist.
-.TP
+.TP 3n
 \-s \fIserver\fR
 \fIserver\fR
 is the name or address of the server which matches a server statement in the configuration file for
 \fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the option statement of the configuration file will be used.
-.TP
+.TP 3n
 \-p \fIport\fR
 Send commands to TCP port
 \fIport\fR
 instead of BIND 9's default control channel port, 953.
-.TP
+.TP 3n
 \-V
 Enable verbose logging.
-.TP
+.TP 3n
 \-y \fIkeyid\fR
 Use the key
 \fIkeyid\fR
@@ -116,8 +119,11 @@ Several error messages could be clearer.
 .PP
 \fBrndc.conf\fR(5),
 \fBnamed\fR(8),
-\fBnamed.conf\fR(5)\fBndc\fR(8),
+\fBnamed.conf\fR(5)
+\fBndc\fR(8),
 BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index b8101da310..070f4bd80f 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -13,15 +13,18 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.conf.5,v 1.33 2005/10/13 03:13:59 marka Exp $
+.\" $Id: rndc.conf.5,v 1.34 2006/06/29 13:03:32 marka Exp $
 .\"
 .hy 0
 .ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "\\FIRNDC.CONF\\FR" "5" "June 30, 2000" "BIND9" "BIND9"
+.\"     Title: \fIrndc.conf\fR
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 
+.\"      Date: June 30, 2000
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "\fIRNDC.CONF\fR" "5" "June 30, 2000" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -109,43 +112,53 @@ program, also known as
 does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
 .SH "EXAMPLE"
 .PP
+.RS 3n
 .nf
       options {
         default\-server  localhost;
         default\-key     samplekey;
       };
 .fi
+.RE
 .sp
 .PP
+.RS 3n
 .nf
       server localhost {
         key             samplekey;
       };
 .fi
+.RE
 .sp
 .PP
+.RS 3n
 .nf
       server testserver {
         key		testkey;
         addresses	{ localhost port 5353; };
       };
 .fi
+.RE
 .sp
 .PP
+.RS 3n
 .nf
       key samplekey {
         algorithm       hmac\-md5;
         secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
       };
 .fi
+.RE
 .sp
 .PP
+.RS 3n
 .nf
       key testkey {
         algorithm	hmac\-md5;
         secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
       }
 .fi
+.RE
 .sp
 .PP
 In the above example,
@@ -194,3 +207,5 @@ BIND 9 Administrator Reference Manual.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index 2c5a5e73aa..5ec2f2de47 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 rndc.conf
-
+
 
 
    
 
    
@@ -32,7 +32,7 @@
 
    rndc.conf 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -117,7 +117,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -191,7 +191,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -201,7 +201,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 927c9f9778..49a2f9e710 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 rndc
-
+
 
 
    
 
    
@@ -32,7 +32,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -148,7 +148,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       named(8),
       named.conf(5)
@@ -157,7 +157,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 0519dd40d6..daeb8b7ea8 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 1. Introduction
-
+
 
 
 
@@ -45,40 +45,40 @@
 
    
 
    Table of Contents
    
 
    
-
    Scope of Document
    
-
    Organization of This Document
    
-
    Conventions Used in This Document
    
-
    The Domain Name System (DNS)
    
+
    Scope of Document
    
+
    Organization of This Document
    
+
    Conventions Used in This Document
    
+
    The Domain Name System (DNS)
    
 
    
-
    DNS Fundamentals
    
-
    Domains and Domain Names
    
-
    Zones
    
-
    Authoritative Name Servers
    
-
    Caching Name Servers
    
-
    Name Servers in Multiple Roles
    
+
    DNS Fundamentals
    
+
    Domains and Domain Names
    
+
    Zones
    
+
    Authoritative Name Servers
    
+
    Caching Name Servers
    
+
    Name Servers in Multiple Roles
    
 
    
 
    
 
    
 
    
-      The Internet Domain Name System (DNS)
+      The Internet Domain Name System (DNS)
       consists of the syntax
       to specify the names of entities in the Internet in a hierarchical
       manner, the rules used for delegating authority over names, and the
       system implementation that actually maps names to Internet
-      addresses.  DNS data is maintained in a
+      addresses.  DNS data is maintained in a
       group of distributed
       hierarchical databases.
     
    
 
    
 
    
-Scope of Document
    
+Scope of Document
    
 
    
         The Berkeley Internet Name Domain
-        (BIND) implements an
+        (BIND) implements an
         domain name server for a number of operating systems. This
         document provides basic information about the installation and
-        care of the Internet Systems Consortium (ISC)
-        BIND version 9 software package for
+        care of the Internet Systems Consortium (ISC)
+        BIND version 9 software package for
         system administrators.
       
    
 
    
@@ -87,20 +87,20 @@
 
    
 
    
 
    
-Organization of This Document
    
+Organization of This Document
    
 
    
         In this document, Section 1 introduces
-        the basic DNS and BIND concepts. Section 2
-        describes resource requirements for running BIND in various
+        the basic DNS and BIND concepts. Section 2
+        describes resource requirements for running BIND in various
         environments. Information in Section 3 is
         task-oriented in its presentation and is
         organized functionally, to aid in the process of installing the
-        BIND 9 software. The task-oriented
+        BIND 9 software. The task-oriented
         section is followed by
         Section 4, which contains more advanced
         concepts that the system administrator may need for implementing
         certain options. Section 5
-        describes the BIND 9 lightweight
+        describes the BIND 9 lightweight
         resolver.  The contents of Section 6 are
         organized as in a reference manual to aid in the ongoing
         maintenance of the software. Section 7 addresses
@@ -109,14 +109,14 @@
         main body of the document is followed by several
         Appendices which contain useful reference
         information, such as a Bibliography and
-        historic information related to BIND
+        historic information related to BIND
         and the Domain Name
         System.
       
    
 
    
 
    
 
    
-Conventions Used in This Document
    
+Conventions Used in This Document
    
 
    
         In this document, we use the following general typographic
         conventions:
@@ -181,7 +181,7 @@
 
    
 
    
         The following conventions are used in descriptions of the
-        BIND configuration file:
    
+        BIND configuration file:
    
 
    @@ -243,17 +243,17 @@
 
    
 
    
-The Domain Name System (DNS)
    
+The Domain Name System (DNS)
    
         The purpose of this document is to explain the installation
-        and upkeep of the BIND software
+        and upkeep of the BIND software
         package, and we
         begin by reviewing the fundamentals of the Domain Name System
-        (DNS) as they relate to BIND.
+        (DNS) as they relate to BIND.
       
    
 
    
-DNS Fundamentals
    
+DNS Fundamentals
    
           The Domain Name System (DNS) is a hierarchical, distributed
           database.  It stores information for mapping Internet host names to
@@ -265,7 +265,7 @@
           Clients look up information in the DNS by calling a
           resolver library, which sends queries to one or
           more name servers and interprets the responses.
-          The BIND 9 software distribution
+          The BIND 9 software distribution
           contains a
           name server, named, and two resolver
           libraries, liblwres and libbind.
@@ -273,7 +273,7 @@
 
 
    
 
    
-Domains and Domain Names
    
+Domains and Domain Names
    
           The data stored in the DNS is identified by domain names that are organized as a tree according to
           organizational or administrative boundaries. Each node of the tree,
@@ -307,7 +307,7 @@
         
    
           The data associated with each domain name is stored in the
-          form of resource records (RRs).
+          form of resource records (RRs).
           Some of the supported resource record types are described in
           the section called “Types of Resource Records and When to Use Them”.
         
    
@@ -319,7 +319,7 @@
 
    
 
    
-Zones
    
+Zones
    
           To properly operate a name server, it is important to understand
           the difference between a zone
@@ -327,7 +327,7 @@
         
    
           As stated previously, a zone is a point of delegation in
-          the DNS tree. A zone consists of
+          the DNS tree. A zone consists of
           those contiguous parts of the domain
           tree for which a name server has complete information and over which
           it has authority. It contains all domain names from a certain point
@@ -348,7 +348,7 @@
           map
           exactly to a single domain, but could also include only part of a
           domain, the rest of which could be delegated to other
-          name servers. Every name in the DNS
+          name servers. Every name in the DNS
           tree is a
           domain, even if it is
           terminal, that is, has no
@@ -360,7 +360,7 @@
           topic.
         
    
-          Though BIND is called a "domain name
+          Though BIND is called a "domain name
           server",
           it deals primarily in terms of zones. The master and slave
           declarations in the named.conf file
@@ -372,7 +372,7 @@
 
 
    
 
    
-Authoritative Name Servers
    
+Authoritative Name Servers
    
           Each zone is served by at least
           one authoritative name server,
@@ -389,7 +389,7 @@
         
    
 
    
-The Primary Master
    
+The Primary Master
    
             The authoritative server where the master copy of the zone
             data is maintained is called the
@@ -409,7 +409,7 @@
 
 
    
 
    
-Slave Servers
    
+Slave Servers
    
             The other authoritative servers, the slave
             servers (also known as secondary servers)
@@ -425,7 +425,7 @@
 
 
    
 
    
-Stealth Servers
    
+Stealth Servers
    
             Usually all of the zone's authoritative servers are listed in
             NS records in the parent zone.  These NS records constitute
@@ -460,7 +460,7 @@
 
 
    
 
    
-Caching Name Servers
    
+Caching Name Servers
    
           The resolver libraries provided by most operating systems are
           stub resolvers, meaning that they are not
@@ -487,7 +487,7 @@
         
    
 
    
-Forwarding
    
+Forwarding
    
             Even a caching name server does not necessarily perform
             the complete recursive lookup itself.  Instead, it can
@@ -504,19 +504,19 @@
             wish all the servers at a given site to interact directly with the
             rest of
             the Internet servers. A typical scenario would involve a number
-            of internal DNS servers and an
+            of internal DNS servers and an
             Internet firewall. Servers unable
             to pass packets through the firewall would forward to the server
-            that can do it, and that server would query the Internet DNS servers
+            that can do it, and that server would query the Internet DNS servers
             on the internal server's behalf.
           
    
 
    
-Name Servers in Multiple Roles
    
+Name Servers in Multiple Roles
    
-          The BIND name server can
+          The BIND name server can
           simultaneously act as
           a master for some zones, a slave for other zones, and as a caching
           (recursive) server for a set of local clients.
@@ -552,7 +552,7 @@
 
    
-
+
    
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    
 BIND 9 Administrator Reference Manual 
 Home Chapter 2. BIND Resource Requirements Chapter 2. BIND Resource Requirements
 
    
 
    
 
    
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 2ec2e32996..0d1bc69894 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 2. BIND Resource Requirements
-
+
 
 
 
@@ -28,7 +28,7 @@
 
 
    
 
-
+
@@ -41,41 +41,41 @@
 
    
 
    
-Chapter 2. BIND Resource Requirements
    
+Chapter 2. BIND Resource Requirements
    
 
    Table of Contents
    
 
    
-
    Hardware requirements
    
-
    CPU Requirements
    
-
    Memory Requirements
    
-
    Name Server Intensive Environment Issues
    
-
    Supported Operating Systems
    
+
    Hardware requirements
    
+
    CPU Requirements
    
+
    Memory Requirements
    
+
    Name Server Intensive Environment Issues
    
+
    Supported Operating Systems
    
 
    
 
    
 
    
-Hardware requirements
    
+Hardware requirements
    
-        DNS hardware requirements have
+        DNS hardware requirements have
         traditionally been quite modest.
         For many installations, servers that have been pensioned off from
-        active duty have performed admirably as DNS servers.
+        active duty have performed admirably as DNS servers.
       
    
-        The DNSSEC features of BIND 9
+        The DNSSEC features of BIND 9
         may prove to be quite
         CPU intensive however, so organizations that make heavy use of these
         features may wish to consider larger systems for these applications.
-        BIND 9 is fully multithreaded, allowing
+        BIND 9 is fully multithreaded, allowing
         full utilization of
         multiprocessor systems for installations that need it.
       
    
 
    
-CPU Requirements
    
+CPU Requirements
    
-        CPU requirements for BIND 9 range from
+        CPU requirements for BIND 9 range from
         i486-class machines
         for serving of static zones without caching, to enterprise-class
         machines if you intend to process many dynamic updates and DNSSEC
@@ -84,12 +84,12 @@
 
 
    
 
    
-Memory Requirements
    
+Memory Requirements
    
         The memory of the server has to be large enough to fit the
         cache and zones loaded off disk.  The max-cache-size
         option can be used to limit the amount of memory used by the cache,
-        at the expense of reducing cache hit rates and causing more DNS
+        at the expense of reducing cache hit rates and causing more DNS
         traffic.
         Additionally, if additional section caching
         (the section called “Additional Section Caching”) is enabled,
@@ -107,7 +107,7 @@
 
 
    
 
    
-Name Server Intensive Environment Issues
    
+Name Server Intensive Environment Issues
    
         For name server intensive environments, there are two alternative
         configurations that may be used. The first is where clients and
@@ -124,9 +124,9 @@
 
 
    
 
    
-Supported Operating Systems
    
+Supported Operating Systems
    
-        ISC BIND 9 compiles and runs on a large
+        ISC BIND 9 compiles and runs on a large
         number
         of Unix-like operating system and on NT-derived versions of
         Microsoft Windows such as Windows 2000 and Windows XP.  For an
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 55ad53e466..880d4b1627 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 3. Name Server Configuration
-
+
 
 
 
@@ -47,14 +47,14 @@
 
    
 
    Sample Configurations
    
 
    
-
    A Caching-only Name Server
    
-
    An Authoritative-only Name Server
    
+
    A Caching-only Name Server
    
+
    An Authoritative-only Name Server
    
 
    
-
    Load Balancing
    
-
    Name Server Operations
    
+
    Load Balancing
    
+
    Name Server Operations
    
 
    
-
    Tools for Use With the Name Server Daemon
    
-
    Signals
    
+
    Tools for Use With the Name Server Daemon
    
+
    Signals
    
 
    
 
    
@@ -68,7 +68,7 @@
 Sample Configurations
    
 
    
-A Caching-only Name Server
    
+A Caching-only Name Server
    
           The following sample configuration is appropriate for a caching-only
           name server for use by clients internal to a corporation.  All
@@ -95,7 +95,7 @@ zone "0.0.127.in-addr.arpa" {
 
 
    
 
    
-An Authoritative-only Name Server
    
+An Authoritative-only Name Server
    
           This sample configuration is for an authoritative-only server
           that is the master server for "example.com"
@@ -137,10 +137,10 @@ zone "eng.example.com" {
 
 
    
 
    
-Load Balancing
    
+Load Balancing
    
         A primitive form of load balancing can be achieved in
-        the DNS by using multiple A records for
+        the DNS by using multiple A records for
         one name.
       
    
@@ -265,7 +265,7 @@ zone "eng.example.com" {
 
    Chapter 2. BIND Resource Requirements
    Chapter 2. BIND Resource Requirements
    
 
    
 
 Prev 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    
 
    
 
    
-        When a resolver queries for these records, BIND will rotate
+        When a resolver queries for these records, BIND will rotate
         them and respond to the query with the records in a different
         order.  In the example above, clients will randomly receive
         records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
@@ -280,10 +280,10 @@ zone "eng.example.com" {
 
    
 
    
 
    
-Name Server Operations
    
+Name Server Operations
    
 
    
 
    
-Tools for Use With the Name Server Daemon
    
+Tools for Use With the Name Server Daemon
    
 
    
           This section describes several indispensable diagnostic,
           administrative and monitoring tools available to the system
@@ -354,7 +354,7 @@ zone "eng.example.com" {
                   the name and requested information for a host or
                   domain.
                 
    
-
    nslookup  [-option...] [[host-to-find] |  [-  [server]]]
    
+
    nslookup  [-option...] [[host-to-find] |  [- [server]]]
    
 
    
                   Interactive mode is entered when no arguments are given (the
                   default name server will be used) or when the first argument
@@ -585,7 +585,7 @@ zone "eng.example.com" {
                       
    
 
    
 
    
-                  In BIND 9.2, rndc
+                  In BIND 9.2, rndc
                   supports all the commands of the BIND 8 ndc
                   utility except ndc start and
                   ndc restart, which were also
@@ -606,7 +606,7 @@ zone "eng.example.com" {
                   rndc will also look in
                   /etc/rndc.key (or whatever
                   sysconfdir was defined when
-                  the BIND build was
+                  the BIND build was
                   configured).
                   The rndc.key file is
                   generated by
@@ -741,7 +741,7 @@ controls {
 
    
 
    
 
    
-Signals
    
+Signals
    
 
    
           Certain UNIX signals cause the name server to take specific
           actions, as described in the following table.  These signals can
@@ -800,7 +800,7 @@ controls {
 
 
 
-Chapter 2. BIND Resource Requirements 
+Chapter 2. BIND Resource Requirements 
 Home
  Chapter 4. Advanced DNS Features
 
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index a26dc2dc37..4d15280902 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 4. Advanced DNS Features
-
+
 
 
 
@@ -49,28 +49,28 @@
 
    Dynamic Update
    
 
    The journal file
    
 
    Incremental Zone Transfers (IXFR)
    
-
    Split DNS
    
+
    Split DNS
    
 
    TSIG
    
 
    
-
    Generate Shared Keys for Each Pair of Hosts
    
-
    Copying the Shared Secret to Both Machines
    
-
    Informing the Servers of the Key's Existence
    
-
    Instructing the Server to Use the Key
    
-
    TSIG Key Based Access Control
    
-
    Errors
    
+
    Generate Shared Keys for Each Pair of Hosts
    
+
    Copying the Shared Secret to Both Machines
    
+
    Informing the Servers of the Key's Existence
    
+
    Instructing the Server to Use the Key
    
+
    TSIG Key Based Access Control
    
+
    Errors
    
 
    
-
    TKEY
    
-
    SIG(0)
    
+
    TKEY
    
+
    SIG(0)
    
 
    DNSSEC
    
 
    
-
    Generating Keys
    
-
    Signing the Zone
    
-
    Configuring Servers
    
+
    Generating Keys
    
+
    Signing the Zone
    
+
    Configuring Servers
    
 
    
-
    IPv6 Support in BIND 9
    
+
    IPv6 Support in BIND 9
    
 
    
-
    Address Lookups Using AAAA Records
    
-
    Address to Name Lookups Using Nibble Format
    
+
    Address Lookups Using AAAA Records
    
+
    Address to Name Lookups Using Nibble Format
    
 
    
 
 
    
@@ -78,14 +78,14 @@
 
    
 Notify
    
 
    
-        DNS NOTIFY is a mechanism that allows master
+        DNS NOTIFY is a mechanism that allows master
         servers to notify their slave servers of changes to a zone's data. In
         response to a NOTIFY from a master server, the
         slave will check to see that its version of the zone is the
         current version and, if not, initiate a zone transfer.
       
    
 
    
-        For more information about DNS
+        For more information about DNS
         NOTIFY, see the description of the
         notify option in the section called “Boolean Options” and
         the description of the zone option also-notify in
@@ -184,7 +184,7 @@
         1995. See Proposed Standards.
       
    
 
    
-        When acting as a master, BIND 9
+        When acting as a master, BIND 9
         supports IXFR for those zones
         where the necessary change history information is available. These
         include master zones maintained by dynamic update and slave zones
@@ -195,7 +195,7 @@
         to yes.
       
    
 
    
-        When acting as a slave, BIND 9 will
+        When acting as a slave, BIND 9 will
         attempt to use IXFR unless
         it is explicitly disabled. For more information about disabling
         IXFR, see the description of the request-ixfr clause
@@ -204,7 +204,7 @@
 
    
 
    
 
    
-Split DNS
    
+Split DNS
    
 
    
         Setting up different views, or visibility, of the DNS space to
         internal and external resolvers is usually referred to as a
@@ -455,16 +455,16 @@ nameserver 172.16.72.4
 TSIG
 
    
         This is a short guide to setting up Transaction SIGnatures
-        (TSIG) based transaction security in BIND. It describes changes
+        (TSIG) based transaction security in BIND. It describes changes
         to the configuration file as well as what changes are required for
         different features, including the process of creating transaction
-        keys and using transaction signatures with BIND.
+        keys and using transaction signatures with BIND.
       
    
 
    
-        BIND primarily supports TSIG for server
+        BIND primarily supports TSIG for server
         to server communication.
         This includes zone transfer, notify, and recursive query messages.
-        Resolvers based on newer versions of BIND 8 have limited support
+        Resolvers based on newer versions of BIND 8 have limited support
         for TSIG.
       
    
 
    
@@ -479,7 +479,7 @@ nameserver 172.16.72.4
       
    
 
    
 
    
-Generate Shared Keys for Each Pair of Hosts
    
+Generate Shared Keys for Each Pair of Hosts
    
 
    
           A shared secret is generated to be shared between host1 and host2.
           An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -487,7 +487,7 @@ nameserver 172.16.72.4
         
    
 
    
 
    
-Automatic Generation
    
+Automatic Generation
    
 
    
             The following command will generate a 128-bit (16 byte) HMAC-MD5
             key as described above. Longer keys are better, but shorter keys
@@ -512,7 +512,7 @@ nameserver 172.16.72.4
 
 
    
 
    
-Manual Generation
    
+Manual Generation
    
 
    
             The shared secret is simply a random sequence of bits, encoded
             in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -527,7 +527,7 @@ nameserver 172.16.72.4
 
 
    
 
    
-Copying the Shared Secret to Both Machines
    
+Copying the Shared Secret to Both Machines
    
 
    
           This is beyond the scope of DNS. A secure transport mechanism
           should be used. This could be secure FTP, ssh, telephone, etc.
@@ -535,7 +535,7 @@ nameserver 172.16.72.4
 
 
    
 
    
-Informing the Servers of the Key's Existence
    
+Informing the Servers of the Key's Existence
    
 
    
           Imagine host1 and host 2
           are
@@ -548,7 +548,7 @@ key host1-host2. {
 };
 
    
 
    
-          The algorithm, hmac-md5, is the only one supported by BIND.
+          The algorithm, hmac-md5, is the only one supported by BIND.
           The secret is the one generated above. Since this is a secret, it
           is recommended that either named.conf be non-world
           readable, or the key directive be added to a non-world readable
@@ -564,7 +564,7 @@ key host1-host2. {
 
 
    
 
    
-Instructing the Server to Use the Key
    
+Instructing the Server to Use the Key
    
 
    
           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the named.conf file
@@ -596,9 +596,9 @@ server 10.1.2.3 {
 
 
    
 
    
-TSIG Key Based Access Control
    
+TSIG Key Based Access Control
    
 
    
-          BIND allows IP addresses and ranges
+          BIND allows IP addresses and ranges
           to be specified in ACL
           definitions and
           allow-{ query | transfer | update }
@@ -624,7 +624,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Errors
    
+Errors
    
 
    
           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
@@ -650,12 +650,12 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-TKEY
    
+TKEY
    
 
    TKEY
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
         TKEY that specify how the key is generated
-        or assigned.  BIND 9 implements only one of
+        or assigned.  BIND 9 implements only one of
         these modes, the Diffie-Hellman key exchange.  Both hosts are
         required to have a Diffie-Hellman KEY record (although this
         record is not required to be present in a zone).  The
@@ -686,9 +686,9 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-SIG(0)
    
+SIG(0)
    
 
    
-        BIND 9 partially supports DNSSEC SIG(0)
+        BIND 9 partially supports DNSSEC SIG(0)
             transaction signatures as specified in RFC 2535 and RFC2931.
         SIG(0)
         uses public/private keys to authenticate messages.  Access control
@@ -705,7 +705,7 @@ allow-update { key host1-host2. ;};
         supported.
       
    
 
    
-        The only tool shipped with BIND 9 that
+        The only tool shipped with BIND 9 that
         generates SIG(0) signed messages is nsupdate.
       
    
 
@@ -720,7 +720,7 @@ allow-update { key host1-host2. ;};
       
    
 
    
         In order to set up a DNSSEC secure zone, there are a series
-        of steps which must be followed.  BIND
+        of steps which must be followed.  BIND
         9 ships
         with several tools
         that are used in this process, which are explained in more detail
@@ -747,7 +747,7 @@ allow-update { key host1-host2. ;};
       
    
 
    
 
    
-Generating Keys
    
+Generating Keys
    
 
    
           The dnssec-keygen program is used to
           generate keys.
@@ -798,7 +798,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Signing the Zone
    
+Signing the Zone
    
 
    
           The dnssec-signzone program is used
           to
@@ -842,7 +842,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Configuring Servers
    
+Configuring Servers
    
 
    
           To enable named to respond appropriately
           to DNS requests from DNSSEC aware clients,
@@ -868,7 +868,7 @@ allow-update { key host1-host2. ;};
           later in this document.
         
    
 
    
-          Unlike BIND 8, BIND
+          Unlike BIND 8, BIND
           9 does not verify signatures on load, so zone keys for
           authoritative zones do not need to be specified in the
           configuration file.
@@ -930,37 +930,37 @@ options {
 
 
    
 
    
-IPv6 Support in BIND 9
    
+IPv6 Support in BIND 9
    
 
    
-        BIND 9 fully supports all currently
+        BIND 9 fully supports all currently
         defined forms of IPv6
         name to address and address to name lookups.  It will also use
         IPv6 addresses to make queries when running on an IPv6 capable
         system.
       
    
 
    
-        For forward lookups, BIND 9 supports
+        For forward lookups, BIND 9 supports
         only AAAA records.  RFC 3363 deprecated the use of A6 records,
         and client-side support for A6 records was accordingly removed
-        from BIND 9.
-        However, authoritative BIND 9 name servers still
+        from BIND 9.
+        However, authoritative BIND 9 name servers still
         load zone files containing A6 records correctly, answer queries
         for A6 records, and accept zone transfer for a zone containing A6
         records.
       
    
 
    
-        For IPv6 reverse lookups, BIND 9 supports
+        For IPv6 reverse lookups, BIND 9 supports
         the traditional "nibble" format used in the
         ip6.arpa domain, as well as the older, deprecated
         ip6.int domain.
-        Older versions of BIND 9 
+        Older versions of BIND 9 
         supported the "binary label" (also known as "bitstring") format,
         but support of binary labels has been completely removed per
         RFC 3363.
-        Many applications in BIND 9 do not understand
+        Many applications in BIND 9 do not understand
         the binary label format at all any more, and will return an
         error if given.
-        In particular, an authoritative BIND 9
+        In particular, an authoritative BIND 9
         name server will not load a zone file containing binary labels.
       
    
 
    
@@ -969,7 +969,7 @@ options {
       
    
 
    
 
    
-Address Lookups Using AAAA Records
    
+Address Lookups Using AAAA Records
    
 
    
           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -988,7 +988,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 
    
 
    
-Address to Name Lookups Using Nibble Format
    
+Address to Name Lookups Using Nibble Format
    
 
    
           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
@@ -1018,7 +1018,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 Chapter 3. Name Server Configuration 
 Home
- Chapter 5. The BIND 9 Lightweight Resolver
+ Chapter 5. The BIND 9 Lightweight Resolver
 
 
 
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 5fd5d74e00..a85bd653f7 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 5. The BIND 9 Lightweight Resolver
-
+
 
 
 
@@ -28,7 +28,7 @@
 
 
    
 
-
+
@@ -41,17 +41,17 @@
 
    
 
    
-Chapter 5. The BIND 9 Lightweight Resolver
    
+Chapter 5. The BIND 9 Lightweight Resolver
    
 
    Table of Contents
    
 
    
-
    The Lightweight Resolver Library
    
+
    The Lightweight Resolver Library
    
 
    Running a Resolver Daemon
    
 
    
 
    
 
    
-The Lightweight Resolver Library
    
+The Lightweight Resolver Library
    
         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
@@ -65,7 +65,7 @@
         to implement in a traditional stub resolver.
       
    
-        BIND 9 therefore can also provide resolution
+        BIND 9 therefore can also provide resolution
         services to local clients
         using a combination of a lightweight resolver library and a resolver
         daemon process running on the local host.  These communicate using
@@ -135,7 +135,7 @@
 
    
-
+
    Chapter 5. The BIND 9 Lightweight Resolver
    Chapter 5. The BIND 9 Lightweight Resolver
    
 
    
 
 Prev 
 
 
 
 
 
    
 Chapter 4. Advanced DNS Features 
 Home Chapter 6. BIND 9 Configuration Reference Chapter 6. BIND 9 Configuration Reference
 
    
 
    
 
    
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 97330a497e..53b216a7a7 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
 Chapter 6. BIND 9 Configuration Reference
-
+
 
 
 
@@ -28,7 +28,7 @@
 
 
    
 
-
+
@@ -41,75 +41,75 @@
 
    
 
    
-Chapter 6. BIND 9 Configuration Reference
    
+Chapter 6. BIND 9 Configuration Reference
    
 
    Table of Contents
    
 
    
 
    Configuration File Elements
    
 
    
 
    Address Match Lists
    
-
    Comment Syntax
    
+
    Comment Syntax
    
 
    
 
    Configuration File Grammar
    
 
    
-
    acl Statement Grammar
    
+
    acl Statement Grammar
    
 
    acl Statement Definition and
           Usage
    
-
    controls Statement Grammar
    
+
    controls Statement Grammar
    
 
    controls Statement Definition and
           Usage
    
-
    include Statement Grammar
    
-
    include Statement Definition and
+
    include Statement Grammar
    
+
    include Statement Definition and
           Usage
    
-
    key Statement Grammar
    
-
    key Statement Definition and Usage
    
-
    logging Statement Grammar
    
-
    logging Statement Definition and
+
    key Statement Grammar
    
+
    key Statement Definition and Usage
    
+
    logging Statement Grammar
    
+
    logging Statement Definition and
           Usage
    
-
    lwres Statement Grammar
    
-
    lwres Statement Definition and Usage
    
-
    masters Statement Grammar
    
-
    masters Statement Definition and
+
    lwres Statement Grammar
    
+
    lwres Statement Definition and Usage
    
+
    masters Statement Grammar
    
+
    masters Statement Definition and
           Usage
    
-
    options Statement Grammar
    
+
    options Statement Grammar
    
 
    options Statement Definition and
           Usage
    
 
    server Statement Grammar
    
 
    server Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
    
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    
 
    
-      BIND 9 configuration is broadly similar
-      to BIND 8; however, there are a few new
+      BIND 9 configuration is broadly similar
+      to BIND 8; however, there are a few new
       areas
-      of configuration, such as views. BIND
-      8 configuration files should work with few alterations in BIND
+      of configuration, such as views. BIND
+      8 configuration files should work with few alterations in BIND
       9, although more complex configurations should be reviewed to check
       if they can be more efficiently implemented using the new features
-      found in BIND 9.
+      found in BIND 9.
     
    
-      BIND 4 configuration files can be
+      BIND 4 configuration files can be
       converted to the new format
       using the shell script
       contrib/named-bootconf/named-bootconf.sh.
@@ -118,7 +118,7 @@
 
    
 Configuration File Elements
    
-        Following is a list of elements used throughout the BIND configuration
+        Following is a list of elements used throughout the BIND configuration
         file documentation:
       
    Chapter 6. BIND 9 Configuration Reference
    Chapter 6. BIND 9 Configuration Reference
    
 
    
 
 Prev 
 
 
 
 
 
 
    
@@ -428,7 +428,7 @@
 Address Match Lists
    
 
    
-Syntax
    
+Syntax
    address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -437,7 +437,7 @@
 
 
    
 
    
-Definition and Usage
    
+Definition and Usage
    
 
    
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -515,35 +515,35 @@
 
 
    
 
    
-Comment Syntax
    
+Comment Syntax
    
 
    
-          The BIND 9 comment syntax allows for
+          The BIND 9 comment syntax allows for
           comments to appear
-          anywhere that white space may appear in a BIND configuration
+          anywhere that white space may appear in a BIND configuration
           file. To appeal to programmers of all kinds, they can be written
           in the C, C++, or shell/perl style.
         
    
 
    
 
    
-Syntax
    
+Syntax
    
 
    
             
    
-
    /* This is a BIND comment as in C */
    
+
    /* This is a BIND comment as in C */
    
 
    
             
    
-
    // This is a BIND comment as in C++
    
+
    // This is a BIND comment as in C++
    
 
    
             
    
-
    # This is a BIND comment as in common UNIX shells and perl
    
+
    # This is a BIND comment as in common UNIX shells and perl
    
 
    
           
    
 
 
    
 
    
-Definition and Usage
    
+Definition and Usage
    
 
    
             Comments may appear anywhere that white space may appear in
-            a BIND configuration file.
+            a BIND configuration file.
           
    
 
    
             C-style comments start with the two characters /* (slash,
@@ -620,7 +620,7 @@
 
    
 Configuration File Grammar
    
 
    
-        A BIND 9 configuration consists of
+        A BIND 9 configuration consists of
         statements and comments.
         Statements end with a semicolon. Statements and comments are the
         only elements that can appear without enclosing braces. Many
@@ -774,7 +774,7 @@
       
    
 
    
 
    
-acl Statement Grammar
    
+acl Statement Grammar
    
 
    acl acl-name {
     address_match_list
 };
@@ -857,7 +857,7 @@
 
 
    
 
    
-controls Statement Grammar
    
+controls Statement Grammar
    
 
    controls {
    [ inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys { key_list }; ]
@@ -933,18 +933,18 @@
           named will attempt to load the command channel key
           from the file rndc.key in
           /etc (or whatever sysconfdir
-          was specified as when BIND was built).
+          was specified as when BIND was built).
           To create a rndc.key file, run
           rndc-confgen -a.
         
    
 
    
           The rndc.key feature was created to
-          ease the transition of systems from BIND 8,
+          ease the transition of systems from BIND 8,
           which did not have digital signatures on its command channel
           messages and thus did not have a keys clause.
 
-          It makes it possible to use an existing BIND 8
-          configuration file in BIND 9 unchanged,
+          It makes it possible to use an existing BIND 8
+          configuration file in BIND 9 unchanged,
           and still have rndc work the same way
           ndc worked in BIND 8, simply by executing the
           command rndc-confgen -a after BIND 9 is
@@ -953,7 +953,7 @@
 
    
           Since the rndc.key feature
           is only intended to allow the backward-compatible usage of
-          BIND 8 configuration files, this
+          BIND 8 configuration files, this
           feature does not
           have a high degree of configurability.  You cannot easily change
           the key name or the size of the secret, so you should make a
@@ -979,12 +979,12 @@
 
 
    
 
    
-include Statement Grammar
    
+include Statement Grammar
    
 
    include filename;
    
 
 
    
 
    
-include Statement Definition and
+include Statement Definition and
           Usage
    
 
    
           The include statement inserts the
@@ -999,7 +999,7 @@
 
    
 
    
 
    
-key Statement Grammar
    
+key Statement Grammar
    
 
    key key_id {
     algorithm string;
     secret string;
@@ -1008,7 +1008,7 @@
 
 
    
 
    
-key Statement Definition and Usage
    
+key Statement Definition and Usage
    
 
    
           The key statement defines a shared
           secret key for use with TSIG (see the section called “TSIG”)
@@ -1055,7 +1055,7 @@
 
 
    
 
    
-logging Statement Grammar
    
+logging Statement Grammar
    
 
    logging {
    [ channel channel_name {
      ( file path name
@@ -1079,7 +1079,7 @@
 
 
    
 
    
-logging Statement Definition and
+logging Statement Definition and
           Usage
    
 
    
           The logging statement configures a
@@ -1101,9 +1101,9 @@
 };
 
    
 
    
-          In BIND 9, the logging configuration
+          In BIND 9, the logging configuration
           is only established when
-          the entire configuration file has been parsed.  In BIND 8, it was
+          the entire configuration file has been parsed.  In BIND 8, it was
           established as soon as the logging
           statement
           was parsed. When the server is starting up, all logging messages
@@ -1113,7 +1113,7 @@
         
    
 
    
 
    
-The channel Phrase
    
+The channel Phrase
    
 
    
             All log output goes to one or more channels;
             you can make as many of them as you want.
@@ -1387,7 +1387,7 @@ category notify { null; };
 
    
             Following are the available categories and brief descriptions
             of the types of log information they contain. More
-            categories may be added in future BIND releases.
+            categories may be added in future BIND releases.
           
    
 
    
 
 
    @@ -1632,7 +1632,7 @@ category notify { null; };
 
    
 
    
-lwres Statement Grammar
    
+lwres Statement Grammar
    
            This is the grammar of the lwres
           statement in the named.conf file:
@@ -1647,7 +1647,7 @@ category notify { null; };
 
 
    
 
    
-lwres Statement Definition and Usage
    
+lwres Statement Definition and Usage
    
           The lwres statement configures the
           name
@@ -1698,14 +1698,14 @@ category notify { null; };
 
 
    
 
    
-masters Statement Grammar
    
+masters Statement Grammar
     masters name [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] };
 
    
 
    
-masters Statement Definition and
+masters Statement Definition and
           Usage
    
 
    masters
           lists allow for a common set of masters to be easily used by
@@ -1714,7 +1714,7 @@ category notify { null; };
 
    
 
    
-options Statement Grammar
    
+options Statement Grammar
    
           This is the grammar of the options
           statement in the named.conf file:
@@ -1872,7 +1872,7 @@ category notify { null; };
 
    
           The options statement sets up global
           options
-          to be used by BIND. This statement
+          to be used by BIND. This statement
           may appear only
           once in a configuration file. If there is no options
           statement, an options block with each option set to its default will
@@ -1906,9 +1906,9 @@ category notify { null; };
 
    named-xfer
    
                 This option is obsolete.
-                It was used in BIND 8 to
+                It was used in BIND 8 to
                 specify the pathname to the named-xfer program.
-                In BIND 9, no separate named-xfer program is
+                In BIND 9, no separate named-xfer program is
                 needed; its functionality is built into the name server.
               
    tkey-domain
    
@@ -2080,15 +2080,15 @@ options {
                   not actually
                   authoritative. The default is no;
                   this is
-                  a change from BIND 8. If you
+                  a change from BIND 8. If you
                   are using very old DNS software, you
                   may need to set it to yes.
                 
    deallocate-on-exit
    
-                  This option was used in BIND
+                  This option was used in BIND
                   8 to enable checking
-                  for memory leaks on exit. BIND 9 ignores the option and always performs
+                  for memory leaks on exit. BIND 9 ignores the option and always performs
                   the checks.
                 
    dialup
    
@@ -2311,9 +2311,9 @@ options {
 
    fake-iquery
    
-                  In BIND 8, this option
+                  In BIND 8, this option
                   enabled simulating the obsolete DNS query type
-                  IQUERY. BIND 9 never does
+                  IQUERY. BIND 9 never does
                   IQUERY simulation.
                 
    fetch-glue
    
@@ -2337,7 +2337,7 @@ options {
 
    has-old-clients
    
                   This option was incorrectly implemented
-                  in BIND 8, and is ignored by BIND 9.
+                  in BIND 8, and is ignored by BIND 9.
                   To achieve the intended effect
                   of
                   has-old-clients yes, specify
@@ -2354,9 +2354,9 @@ options {
 
    maintain-ixfr-base
    
                   This option is obsolete.
-                  It was used in BIND 8 to
+                  It was used in BIND 8 to
                   determine whether a transaction log was
-                  kept for Incremental Zone Transfer. BIND 9 maintains a transaction
+                  kept for Incremental Zone Transfer. BIND 9 maintains a transaction
                   log whenever possible.  If you need to disable outgoing
                   incremental zone
                   transfers, use provide-ixfr no.
@@ -2372,9 +2372,9 @@ options {
                 
    multiple-cnames
    
-                  This option was used in BIND 8 to allow
+                  This option was used in BIND 8 to allow
                   a domain name to have multiple CNAME records in violation of
-                  the DNS standards.  BIND 9.2 onwards
+                  the DNS standards.  BIND 9.2 onwards
                   always strictly enforces the CNAME rules both in master
                   files and dynamic updates.
                 
    
@@ -2440,7 +2440,7 @@ options {
 
    
 
    Note
    
 
    
-                    Not yet implemented in BIND
+                    Not yet implemented in BIND
                     9.
                   
    
 
    
@@ -2448,7 +2448,7 @@ options {
 
    use-id-pool
    
                   This option is obsolete.
-                  BIND 9 always allocates query
+                  BIND 9 always allocates query
                   IDs from a pool.
                 
    zone-statistics
    
@@ -2494,13 +2494,13 @@ options {
                 
    treat-cr-as-space
    
-                  This option was used in BIND
+                  This option was used in BIND
                   8 to make
                   the server treat carriage return ("\r") characters the same way
                   as a space or tab character,
                   to facilitate loading of zone files on a UNIX system that
                   were generated
-                  on an NT or DOS machine. In BIND 9, both UNIX "\n"
+                  on an NT or DOS machine. In BIND 9, both UNIX "\n"
                   and NT/DOS "\r\n" newlines
                   are always accepted,
                   and the option is ignored.
@@ -2772,7 +2772,7 @@ options {
 
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2816,7 +2816,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -2976,7 +2976,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3056,7 +3056,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 
    
 
    
-Query Address
    
+Query Address
    
 
    
             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3103,7 +3103,7 @@ query-source-v6 address * port *;
 
    
 Zone Transfers
    
 
    
-            BIND has mechanisms in place to
+            BIND has mechanisms in place to
             facilitate zone transfers
             and set limits on the amount of load that transfers place on the
             system. The following options apply to zone transfers.
@@ -3195,8 +3195,8 @@ query-source-v6 address * port *;
                   records as possible into a message.
                   many-answers is more efficient, but is
                   only supported by relatively new slave servers,
-                  such as BIND 9, BIND
-                  8.x and BIND 4.9.5 onwards.
+                  such as BIND 9, BIND
+                  8.x and BIND 4.9.5 onwards.
                   The many-answers format is also supported by
                   recent Microsoft Windows nameservers.
                   The default is many-answers.
@@ -3336,7 +3336,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Bad UDP Port Lists
    
+Bad UDP Port Lists
    
 
    avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3350,7 +3350,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3409,7 +3409,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Server  Resource Limits
    
+Server  Resource Limits
    
 
    
             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3487,7 +3487,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -3535,7 +3535,7 @@ query-source-v6 address * port *;
 
    Note
    
 
    
                     Not yet implemented in
-                    BIND9.
+                    BIND9.
                   
    
 
    
 
    
@@ -3581,7 +3581,7 @@ query-source-v6 address * port *;
 
    Note
    
               The topology option
-              is not implemented in BIND 9.
+              is not implemented in BIND 9.
             
    
@@ -3673,7 +3673,7 @@ query-source-v6 address * port *;
 
    
             The following example will give reasonable behavior for the
             local host and hosts on directly connected networks. It is similar
-            to the behavior of the address sort in BIND 4.9.x. Responses sent
+            to the behavior of the address sort in BIND 4.9.x. Responses sent
             to queries from the local host will favor any of the directly
             connected
             networks. Responses sent to queries from any other hosts on a
@@ -3782,7 +3782,7 @@ query-source-v6 address * port *;
 
    Note
    
               The rrset-order statement
-              is not yet fully implemented in BIND 9.
+              is not yet fully implemented in BIND 9.
               BIND 9 currently does not fully support "fixed" ordering.
             
    
@@ -3829,7 +3829,7 @@ query-source-v6 address * port *;
 
    
 
    Note
    
 
    
-                    Not implemented in BIND 9.
+                    Not implemented in BIND 9.
                   
    
 
    
@@ -4123,9 +4123,9 @@ query-source-v6 address * port *;
 
    
 The Statistics File
    
-            The statistics file generated by BIND 9
+            The statistics file generated by BIND 9
             is similar, but not identical, to that
-            generated by BIND 8.
+            generated by BIND 8.
           
    
             The statistics dump begins with a line, like:
@@ -4462,8 +4462,8 @@ query-source-v6 address * port *;
             The server supports two zone transfer methods. The first, one-answer,
             uses one DNS message per resource record transferred. many-answers packs
             as many resource records as possible into a message. many-answers is
-            more efficient, but is only known to be understood by BIND 9, BIND
-            8.x, and patched versions of BIND
+            more efficient, but is only known to be understood by BIND 9, BIND
+            8.x, and patched versions of BIND
             4.9.5. You can specify which method
             to use for a server with the transfer-format option.
             If transfer-format is not
@@ -4534,7 +4534,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4543,7 +4543,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -4586,11 +4586,11 @@ query-source-v6 address * port *;
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
-            of BIND 9 that lets a name server
+            of BIND 9 that lets a name server
             answer a DNS query differently
             depending on who is asking. It is particularly useful for
             implementing
@@ -4838,10 +4838,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    @@ -4922,7 +4922,7 @@ zone zone_name [BIND implementation.
+                        they are a feature specific to the BIND implementation.
                       
    
@@ -4934,16 +4934,16 @@ zone zone_name [BIND 4/8, zone
+                        In BIND 4/8, zone
                         transfers of a parent zone
                         included the NS records from stub children of that
                         zone. This meant
                         that, in some cases, users could get away with
                         configuring child stubs
-                        only in the master server for the parent zone. BIND
+                        only in the master server for the parent zone. BIND
                         9 never mixes together zone data from different zones
                         in this
-                        way. Therefore, if a BIND 9 master serving a parent
+                        way. Therefore, if a BIND 9 master serving a parent
                         zone has child stub zones configured, all the slave
                         servers for the
                         parent zone also need to have the same child stub
@@ -5050,7 +5050,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5072,7 +5072,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    allow-notify
    
 
    
@@ -5223,11 +5223,11 @@ zone zone_name [
    
 
    ixfr-base
    
 
    
-                    Was used in BIND 8 to
+                    Was used in BIND 8 to
                     specify the name
                     of the transaction log (journal) file for dynamic update
                     and IXFR.
-                    BIND 9 ignores the option
+                    BIND 9 ignores the option
                     and constructs the name of the journal
                     file by appending ".jnl"
                     to the name of the
@@ -5235,8 +5235,8 @@ zone zone_name [
    
 
    ixfr-tmp-file
    
 
    
-                    Was an undocumented option in BIND 8.
-                    Ignored in BIND 9.
+                    Was an undocumented option in BIND 8.
+                    Ignored in BIND 9.
                   
    
 
    journal
    
 
    
@@ -5271,11 +5271,11 @@ zone zone_name [
    
 
    pubkey
    
 
    
-                    In BIND 8, this option was
+                    In BIND 8, this option was
                     intended for specifying
                     a public zone key for verification of signatures in DNSSEC
                     signed
-                    zones when they are loaded from disk. BIND 9 does not verify signatures
+                    zones when they are loaded from disk. BIND 9 does not verify signatures
                     on load and ignores the option.
                   
    
 
    zone-statistics
    
@@ -5360,7 +5360,7 @@ zone zone_name [
    
 Dynamic Update Policies
    
-              BIND 9 supports two alternative
+              BIND 9 supports two alternative
               methods of granting clients
               the right to perform dynamic updates to a zone,
               configured by the allow-update
@@ -5371,12 +5371,12 @@ zone zone_name [
               The allow-update clause works the
               same
-              way as in previous versions of BIND. It grants given clients the
+              way as in previous versions of BIND. It grants given clients the
               permission to update any record of any name in the zone.
             
    
               The update-policy clause is new
-              in BIND
+              in BIND
               9 and allows more fine-grained control over what updates are
               allowed.
               A set of rules is specified, where each rule either grants or
@@ -5560,7 +5560,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -5573,7 +5573,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6224,7 +6224,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6427,7 +6427,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6685,7 +6685,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6746,7 +6746,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6761,7 +6761,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
               Syntax: $ORIGIN
               domain-name
@@ -6789,7 +6789,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
               Syntax: $INCLUDE
               filename
@@ -6825,7 +6825,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
               Syntax: $TTL
               default-ttl
@@ -6844,7 +6844,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
             Syntax: $GENERATE
             range
@@ -6997,7 +6997,7 @@ $GENERATE 1-127 $ CNAME $.0
 
 
    
 
 

 
                       
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    
 
    
-            The $GENERATE directive is a BIND extension
+            The $GENERATE directive is a BIND extension
             and not part of the standard zone file format.
           
    
 
    
@@ -7059,9 +7059,9 @@ $GENERATE 1-127 $ CNAME $.0
    -Chapter 5. The BIND 9 Lightweight Resolver  +Chapter 5. The BIND 9 Lightweight Resolver  Home - Chapter 7. BIND 9 Security Considerations + Chapter 7. BIND 9 Security Considerations diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 37a423bcdc..c903af0d69 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + Chapter 7. BIND 9 Security Considerations - + @@ -28,7 +28,7 @@
    - + @@ -41,15 +41,15 @@

    -Chapter 7. BIND 9 Security Considerations

    +Chapter 7. BIND 9 Security Considerations

    Table of Contents

    Access Control Lists
    -
    chroot and setuid
    +
    chroot and setuid
    -
    The chroot Environment
    -
    Using the setuid Function
    +
    The chroot Environment
    +
    Using the setuid Function
    Dynamic Update Security
    @@ -118,21 +118,21 @@ zone "example.com" {

    -chroot and setuid

    +chroot and setuid

    - On UNIX servers, it is possible to run BIND in a chrooted environment + On UNIX servers, it is possible to run BIND in a chrooted environment (using the chroot() function) by specifying the "-t" - option. This can help improve system security by placing BIND in + option. This can help improve system security by placing BIND in a "sandbox", which will limit the damage done if a server is compromised.

    - Another useful feature in the UNIX version of BIND is the + Another useful feature in the UNIX version of BIND is the ability to run the daemon as an unprivileged user ( -u user ). We suggest running as an unprivileged user when using the chroot feature.

    - Here is an example command line to load BIND in a chroot sandbox, + Here is an example command line to load BIND in a chroot sandbox, /var/named, and to run named setuid to user 202:

    @@ -141,15 +141,15 @@ zone "example.com" {

    -The chroot Environment

    +The chroot Environment

    In order for a chroot environment to work properly in a particular directory (for example, /var/named), you will need to set up an environment that includes everything - BIND needs to run. - From BIND's point of view, /var/named is + BIND needs to run. + From BIND's point of view, /var/named is the root of the filesystem. You will need to adjust the values of options like like directory and pid-file to account @@ -169,7 +169,7 @@ zone "example.com" {

    -Using the setuid Function

    +Using the setuid Function

    Prior to running the named daemon, use @@ -178,7 +178,7 @@ zone "example.com" { modification times) or the chown utility (to set the user id and/or group id) on files - to which you want BIND + to which you want BIND to write.

    @@ -195,7 +195,7 @@ zone "example.com" {

    Access to the dynamic update facility should be strictly limited. In earlier versions of - BIND, the only way to do this was + BIND, the only way to do this was based on the IP address of the host requesting the update, by listing an IP address or @@ -242,7 +242,7 @@ zone "example.com" {

    - + diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 550d3a48a4..47bd5155ed 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +Chapter 8. Troubleshooting - + @@ -45,18 +45,18 @@

    Table of Contents

    -
    Common Problems
    -
    It's not working; how can I figure out what's wrong?
    -
    Incrementing and Changing the Serial Number
    -
    Where Can I Get Help?
    +
    Common Problems
    +
    It's not working; how can I figure out what's wrong?
    +
    Incrementing and Changing the Serial Number
    +
    Where Can I Get Help?

    -Common Problems

    +Common Problems

    -It's not working; how can I figure out what's wrong?

    +It's not working; how can I figure out what's wrong?

    The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

    -Incrementing and Changing the Serial Number

    +Incrementing and Changing the Serial Number

    Zone serial numbers are just numbers-they aren't date related. A lot of people set them to a number that represents a @@ -95,24 +95,24 @@

    -Where Can I Get Help?

    +Where Can I Get Help?

    The Internet Systems Consortium - (ISC) offers a wide range - of support and service agreements for BIND and DHCP servers. Four + (ISC) offers a wide range + of support and service agreements for BIND and DHCP servers. Four levels of premium support are available and each level includes - support for all ISC programs, + support for all ISC programs, significant discounts on products and training, and a recognized priority on bug fixes and - non-funded feature requests. In addition, ISC offers a standard + non-funded feature requests. In addition, ISC offers a standard support agreement package which includes services ranging from bug fix announcements to remote support. It also includes training in - BIND and DHCP. + BIND and DHCP.

    To discuss arrangements for support, contact info@isc.org or visit the - ISC web page at + ISC web page at http://www.isc.org/services/support/ to read more.

    @@ -129,7 +129,7 @@ - + diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 86702fa8c3..1a130bfa7e 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +Appendix A. Appendices - + @@ -45,24 +45,24 @@

    Table of Contents

    -
    Acknowledgments
    -
    A Brief History of the DNS and BIND
    -
    General DNS Reference Information
    +
    Acknowledgments
    +
    A Brief History of the DNS and BIND
    +
    General DNS Reference Information
    IPv6 addresses (AAAA)
    Bibliography (and Suggested Reading)
    Request for Comments (RFCs)
    Internet Drafts
    -
    Other Documents About BIND
    +
    Other Documents About BIND

    -Acknowledgments

    +Acknowledgments

    -A Brief History of the DNS and BIND

    +A Brief History of the DNS and BIND

    Although the "official" beginning of the Domain Name System occurred in 1984 with the publication of RFC 920, the @@ -75,7 +75,7 @@ incorporate improvements based on the working model. RFC 1034, "Domain Names-Concepts and Facilities", and RFC 1035, "Domain Names-Implementation and Specification" were published and - became the standards upon which all DNS implementations are + became the standards upon which all DNS implementations are built.

    @@ -86,9 +86,9 @@ Information Sciences Institute (USC-ISI) and SRI International's Network Information - Center (SRI-NIC). A DNS server for + Center (SRI-NIC). A DNS server for Unix machines, the Berkeley Internet - Name Domain (BIND) package, was + Name Domain (BIND) package, was written soon after by a group of graduate students at the University of California at Berkeley under @@ -97,25 +97,25 @@ (DARPA).

    - Versions of BIND through + Versions of BIND through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark - Painter, David Riggle and Songnian Zhou made up the initial BIND + Painter, David Riggle and Songnian Zhou made up the initial BIND project team. After that, additional work on the software package was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation - employee on loan to the CSRG, worked on BIND for 2 years, from 1985 - to 1987. Many other people also contributed to BIND development + employee on loan to the CSRG, worked on BIND for 2 years, from 1985 + to 1987. Many other people also contributed to BIND development during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell, - Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently + Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently handled by Mike Karels and O. Kure.

    - BIND versions 4.9 and 4.9.1 were + BIND versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then - a DEC employee, became BIND's + a DEC employee, became BIND's primary caretaker. He was assisted by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew @@ -124,22 +124,22 @@ Wolfhugel, and others.

    - BIND version 4.9.2 was sponsored by + BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul - Vixie became BIND's principal + Vixie became BIND's principal architect/programmer.

    - BIND versions from 4.9.3 onward + BIND versions from 4.9.3 onward have been developed and maintained by the Internet Systems Consortium and its predecessor, the Internet Software Consortium, with support being provided by ISC's sponsors. As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of - BIND version 8 in May 1997. + BIND version 8 in May 1997.

    - BIND development work is made + BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals. @@ -148,13 +148,13 @@

    -General DNS Reference Information

    +General DNS Reference Information

    IPv6 addresses (AAAA)

    IPv6 addresses are 128-bit identifiers for interfaces and - sets of interfaces which were introduced in the DNS to facilitate + sets of interfaces which were introduced in the DNS to facilitate scalable Internet routing. There are three types of addresses: Unicast, an identifier for a single interface; Anycast, @@ -215,7 +215,7 @@ Request for Comments (RFCs)

    Specification documents for the Internet protocol suite, including - the DNS, are published as part of + the DNS, are published as part of the Request for Comments (RFCs) series of technical notes. The standards themselves are defined by the Internet Engineering Task Force (IETF) and the Internet @@ -235,149 +235,289 @@

    -Bibliography

    +Bibliography

    Standards

    -

    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

    -

    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

    -

    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and - Specification. November 1987.

    +
    +

    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

    +
    +
    +

    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

    +
    +
    +

    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and + Specification. November 1987.

    +

    Proposed Standards

    -

    [RFC2181] R., R. Bush Elz. Clarifications to the DNS - Specification. July 1997.

    -

    [RFC2308] M. Andrews. Negative Caching of DNS - Queries. March 1998.

    -

    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

    -

    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

    -

    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

    -

    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

    -

    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

    -

    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

    -

    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

    -

    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

    -

    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

    -

    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

    +

    [RFC2181] R., R. Bush Elz. Clarifications to the DNS + Specification. July 1997.

    +
    +
    +

    [RFC2308] M. Andrews. Negative Caching of DNS + Queries. March 1998.

    +
    +
    +

    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

    +
    +
    +

    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

    +
    +
    +

    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

    +
    +
    +

    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

    +
    +
    +

    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

    +
    +
    +

    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

    +
    +
    +

    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

    +
    +
    +

    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

    +
    +
    +

    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

    +
    +
    +

    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS - (GSS-TSIG). October 2003.

    + (GSS-TSIG)    . October 2003.

    +

    -DNS Security Proposed Standards

    -

    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

    -

    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

    -

    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

    -

    [RFC4044] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

    -

    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS - Security Extensions. March 2005.

    +DNS Security Proposed Standards +
    +

    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

    +
    +
    +

    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

    +
    +
    +

    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

    +
    +
    +

    [RFC4044] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

    +
    +
    +

    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS + Security Extensions. March 2005.

    +
    -

    Other Important RFCs About DNS +

    Other Important RFCs About DNS Implementation

    -

    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely - Deployed DNS Software.. October 1993.

    -

    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation - Errors and Suggested Fixes. October 1993.

    -

    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

    -

    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS - Queries for IPv6 Addresses. May 2005.

    +
    +

    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely + Deployed DNS Software.. October 1993.

    +
    +
    +

    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation + Errors and Suggested Fixes. October 1993.

    +
    +
    +

    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

    +
    +
    +

    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS + Queries for IPv6 Addresses. May 2005.

    +

    Resource Record Types

    -

    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

    -

    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

    -

    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using - the Domain Name System. June 1997.

    -

    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

    +

    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

    +
    +
    +

    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

    +
    +
    +

    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using + the Domain Name System. June 1997.

    +
    +
    +

    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain - Name System. January 1996.

    -

    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the + Name System. January 1996.

    +
    +
    +

    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of - Services.. October 1996.

    -

    [RFC2163] A. Allocchio. Using the Internet DNS to + Services.. October 1996.

    +
    +
    +

    [RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER - Conformant Global Address Mapping. January 1998.

    -

    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

    -

    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

    -

    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

    -

    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

    -

    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

    -

    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

    -

    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

    -

    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

    -

    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

    -

    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

    -

    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP - version 6. October 2003.

    -

    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

    + Conformant Global Address Mapping    . January 1998.

    +
    +
    +

    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

    +
    +
    +

    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

    +
    +
    +

    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

    +
    +
    +

    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

    +
    +
    +

    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

    +
    +
    +

    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

    +
    +
    +

    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

    +
    +
    +

    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

    +
    +
    +

    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

    +
    +
    +

    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

    +
    +
    +

    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP + version 6. October 2003.

    +
    +
    +

    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

    +

    -DNS and the Internet

    -

    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names - and Other Types. April 1989.

    -

    [RFC1123] Braden. Requirements for Internet Hosts - Application and - Support. October 1989.

    -

    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

    -

    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

    -

    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

    -

    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

    +DNS and the Internet +
    +

    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names + and Other Types. April 1989.

    +
    +
    +

    [RFC1123] Braden. Requirements for Internet Hosts - Application and + Support. October 1989.

    +
    +
    +

    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

    +
    +
    +

    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

    +
    +
    +

    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

    +
    +
    +

    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

    +

    -DNS Operations

    -

    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

    -

    [RFC1537] P. Beertema. Common DNS Data File - Configuration Errors. October 1993.

    -

    [RFC1912] D. Barr. Common DNS Operational and - Configuration Errors. February 1996.

    -

    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

    -

    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for - Network Services.. October 1997.

    +DNS Operations +
    +

    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

    +
    +
    +

    [RFC1537] P. Beertema. Common DNS Data File + Configuration Errors. October 1993.

    +
    +
    +

    [RFC1912] D. Barr. Common DNS Operational and + Configuration Errors. February 1996.

    +
    +
    +

    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

    +
    +
    +

    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for + Network Services.. October 1997.

    +

    Internationalized Domain Names

    -

    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, - and the Other Internet protocols. May 2000.

    -

    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

    -

    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

    -

    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

    +

    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, + and the Other Internet protocols. May 2000.

    +
    +
    +

    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

    +
    +
    +

    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

    +
    +
    +

    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in - Applications (IDNA). March 2003.

    + Applications (IDNA)    . March 2003.

    +
    -

    Other DNS-related RFCs

    +

    Other DNS-related RFCs

    Note

    Note: the following list of RFCs, although - DNS-related, are not + DNS-related, are not concerned with implementing software.

    -

    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String - Attributes. May 1993.

    -

    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

    -

    [RFC1794] T. Brisco. DNS Support for Load - Balancing. April 1995.

    -

    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

    -

    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

    -

    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

    -

    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

    -

    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via - Shared Unicast Addresses. April 2002.

    -

    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

    -

    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

    +
    +

    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String + Attributes. May 1993.

    +
    +
    +

    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

    +
    +
    +

    [RFC1794] T. Brisco. DNS Support for Load + Balancing. April 1995.

    +
    +
    +

    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

    +
    +
    +

    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

    +
    +
    +

    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

    +
    +
    +

    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

    +
    +
    +

    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via + Shared Unicast Addresses. April 2002.

    +
    +
    +

    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

    +
    +
    +

    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

    +

    Obsolete and Unimplemented Experimental RFC

    -

    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical - Location. November 1994.

    -

    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

    -

    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation - and Renumbering. July 2000.

    +
    +

    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical + Location. November 1994.

    +
    +
    +

    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

    +
    +
    +

    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation + and Renumbering. July 2000.

    +

    Obsoleted DNS Security RFCs

    @@ -388,19 +528,41 @@ RFC4034 and RFC4035 which collectively describe DNSSECbis.

    -

    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

    -

    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

    -

    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

    -

    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC) - Signing Authority. November 2000.

    -

    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

    -

    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

    -

    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

    -

    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

    -

    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

    -

    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record - (RR) Secure Entry Point (SEP) Flag. April 2004.

    -

    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

    +
    +

    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

    +
    +
    +

    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

    +
    +
    +

    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

    +
    +
    +

    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC) + Signing Authority. November 2000.

    +
    +
    +

    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

    +
    +
    +

    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

    +
    +
    +

    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

    +
    +
    +

    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

    +
    +
    +

    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

    +
    +
    +

    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record + (RR) Secure Entry Point (SEP) Flag. April 2004.

    +
    +
    +

    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

    +
    @@ -420,12 +582,14 @@

    -Other Documents About BIND

    +Other Documents About BIND

    -Bibliography

    -

    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

    +Bibliography
    +
    +

    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

    +
    diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index a62e845d32..6154fa74e3 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +Manual pages - + @@ -49,34 +49,34 @@

    Table of Contents

    -dig - DNS lookup utility +dig — DNS lookup utility
    -host - DNS lookup utility +host — DNS lookup utility
    -dnssec-keygen - DNSSEC key generation tool +dnssec-keygen — DNSSEC key generation tool
    -dnssec-signzone - DNSSEC zone signing tool +dnssec-signzone — DNSSEC zone signing tool
    -named-checkconf - named configuration file syntax checking tool +named-checkconf — named configuration file syntax checking tool
    -named-checkzone - zone file validity checking or converting tool +named-checkzone — zone file validity checking or converting tool
    -named - Internet domain name server +named — Internet domain name server
    -rndc - name server control utility +rndc — name server control utility
    -rndc.conf - rndc configuration file +rndc.conf — rndc configuration file
    -rndc-confgen - rndc key generation tool +rndc-confgen — rndc key generation tool
    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index d737943534..4cd7b41821 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +BIND 9 Administrator Reference Manual - + @@ -40,7 +40,7 @@

    -BIND 9 Administrator Reference Manual

    +BIND 9 Administrator Reference Manual

    Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC")

    Copyright © 2000-2003 Internet Software Consortium.

    @@ -51,39 +51,39 @@
    1. Introduction
    -
    Scope of Document
    -
    Organization of This Document
    -
    Conventions Used in This Document
    -
    The Domain Name System (DNS)
    +
    Scope of Document
    +
    Organization of This Document
    +
    Conventions Used in This Document
    +
    The Domain Name System (DNS)
    -
    DNS Fundamentals
    -
    Domains and Domain Names
    -
    Zones
    -
    Authoritative Name Servers
    -
    Caching Name Servers
    -
    Name Servers in Multiple Roles
    +
    DNS Fundamentals
    +
    Domains and Domain Names
    +
    Zones
    +
    Authoritative Name Servers
    +
    Caching Name Servers
    +
    Name Servers in Multiple Roles
    -
    2. BIND Resource Requirements
    +
    2. BIND Resource Requirements
    -
    Hardware requirements
    -
    CPU Requirements
    -
    Memory Requirements
    -
    Name Server Intensive Environment Issues
    -
    Supported Operating Systems
    +
    Hardware requirements
    +
    CPU Requirements
    +
    Memory Requirements
    +
    Name Server Intensive Environment Issues
    +
    Supported Operating Systems
    3. Name Server Configuration
    Sample Configurations
    -
    A Caching-only Name Server
    -
    An Authoritative-only Name Server
    +
    A Caching-only Name Server
    +
    An Authoritative-only Name Server
    -
    Load Balancing
    -
    Name Server Operations
    +
    Load Balancing
    +
    Name Server Operations
    -
    Tools for Use With the Name Server Daemon
    -
    Signals
    +
    Tools for Use With the Name Server Daemon
    +
    Signals
    4. Advanced DNS Features
    @@ -92,150 +92,150 @@
    Dynamic Update
    The journal file
    Incremental Zone Transfers (IXFR)
    -
    Split DNS
    +
    Split DNS
    TSIG
    -
    Generate Shared Keys for Each Pair of Hosts
    -
    Copying the Shared Secret to Both Machines
    -
    Informing the Servers of the Key's Existence
    -
    Instructing the Server to Use the Key
    -
    TSIG Key Based Access Control
    -
    Errors
    +
    Generate Shared Keys for Each Pair of Hosts
    +
    Copying the Shared Secret to Both Machines
    +
    Informing the Servers of the Key's Existence
    +
    Instructing the Server to Use the Key
    +
    TSIG Key Based Access Control
    +
    Errors
    -
    TKEY
    -
    SIG(0)
    +
    TKEY
    +
    SIG(0)
    DNSSEC
    -
    Generating Keys
    -
    Signing the Zone
    -
    Configuring Servers
    +
    Generating Keys
    +
    Signing the Zone
    +
    Configuring Servers
    -
    IPv6 Support in BIND 9
    +
    IPv6 Support in BIND 9
    -
    Address Lookups Using AAAA Records
    -
    Address to Name Lookups Using Nibble Format
    +
    Address Lookups Using AAAA Records
    +
    Address to Name Lookups Using Nibble Format
    -
    5. The BIND 9 Lightweight Resolver
    +
    5. The BIND 9 Lightweight Resolver
    -
    The Lightweight Resolver Library
    +
    The Lightweight Resolver Library
    Running a Resolver Daemon
    -
    6. BIND 9 Configuration Reference
    +
    6. BIND 9 Configuration Reference
    Configuration File Elements
    Address Match Lists
    -
    Comment Syntax
    +
    Comment Syntax
    Configuration File Grammar
    -
    acl Statement Grammar
    +
    acl Statement Grammar
    acl Statement Definition and Usage
    -
    controls Statement Grammar
    +
    controls Statement Grammar
    controls Statement Definition and Usage
    -
    include Statement Grammar
    -
    include Statement Definition and +
    include Statement Grammar
    +
    include Statement Definition and Usage
    -
    key Statement Grammar
    -
    key Statement Definition and Usage
    -
    logging Statement Grammar
    -
    logging Statement Definition and +
    key Statement Grammar
    +
    key Statement Definition and Usage
    +
    logging Statement Grammar
    +
    logging Statement Definition and Usage
    -
    lwres Statement Grammar
    -
    lwres Statement Definition and Usage
    -
    masters Statement Grammar
    -
    masters Statement Definition and +
    lwres Statement Grammar
    +
    lwres Statement Definition and Usage
    +
    masters Statement Grammar
    +
    masters Statement Definition and Usage
    -
    options Statement Grammar
    +
    options Statement Grammar
    options Statement Definition and Usage
    server Statement Grammar
    server Statement Definition and Usage
    -
    trusted-keys Statement Grammar
    -
    trusted-keys Statement Definition +
    trusted-keys Statement Grammar
    +
    trusted-keys Statement Definition and Usage
    view Statement Grammar
    -
    view Statement Definition and Usage
    +
    view Statement Definition and Usage
    zone Statement Grammar
    -
    zone Statement Definition and Usage
    +
    zone Statement Definition and Usage
    -
    Zone File
    +
    Zone File
    Types of Resource Records and When to Use Them
    -
    Discussion of MX Records
    +
    Discussion of MX Records
    Setting TTLs
    -
    Inverse Mapping in IPv4
    -
    Other Zone File Directives
    -
    BIND Master File Extension: the $GENERATE Directive
    +
    Inverse Mapping in IPv4
    +
    Other Zone File Directives
    +
    BIND Master File Extension: the $GENERATE Directive
    Additional File Formats
    -
    7. BIND 9 Security Considerations
    +
    7. BIND 9 Security Considerations
    Access Control Lists
    -
    chroot and setuid
    +
    chroot and setuid
    -
    The chroot Environment
    -
    Using the setuid Function
    +
    The chroot Environment
    +
    Using the setuid Function
    Dynamic Update Security
    8. Troubleshooting
    -
    Common Problems
    -
    It's not working; how can I figure out what's wrong?
    -
    Incrementing and Changing the Serial Number
    -
    Where Can I Get Help?
    +
    Common Problems
    +
    It's not working; how can I figure out what's wrong?
    +
    Incrementing and Changing the Serial Number
    +
    Where Can I Get Help?
    A. Appendices
    -
    Acknowledgments
    -
    A Brief History of the DNS and BIND
    -
    General DNS Reference Information
    +
    Acknowledgments
    +
    A Brief History of the DNS and BIND
    +
    General DNS Reference Information
    IPv6 addresses (AAAA)
    Bibliography (and Suggested Reading)
    Request for Comments (RFCs)
    Internet Drafts
    -
    Other Documents About BIND
    +
    Other Documents About BIND
    I. Manual pages
    -dig - DNS lookup utility +dig — DNS lookup utility
    -host - DNS lookup utility +host — DNS lookup utility
    -dnssec-keygen - DNSSEC key generation tool +dnssec-keygen — DNSSEC key generation tool
    -dnssec-signzone - DNSSEC zone signing tool +dnssec-signzone — DNSSEC zone signing tool
    -named-checkconf - named configuration file syntax checking tool +named-checkconf — named configuration file syntax checking tool
    -named-checkzone - zone file validity checking or converting tool +named-checkzone — zone file validity checking or converting tool
    -named - Internet domain name server +named — Internet domain name server
    -rndc - name server control utility +rndc — name server control utility
    -rndc.conf - rndc configuration file +rndc.conf — rndc configuration file
    -rndc-confgen - rndc key generation tool +rndc-confgen — rndc key generation tool
    diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index b879338228..abfc89e462 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +dig - + @@ -52,7 +52,7 @@

    dig [global-queryopt...] [query...]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -91,7 +91,7 @@

    -

    SIMPLE USAGE

    +

    SIMPLE USAGE

    A typical invocation of dig looks like:

    @@ -137,7 +137,7 @@

    -

    OPTIONS

    +

    OPTIONS

    The -b option sets the source IP address of the query to address. This must be a valid @@ -237,7 +237,7 @@

    -

    QUERY OPTIONS

    +

    QUERY OPTIONS

    dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -556,7 +556,7 @@

    -

    MULTIPLE QUERIES

    +

    MULTIPLE QUERIES

    The BIND 9 implementation of dig supports @@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

    -

    IDN SUPPORT

    +

    IDN SUPPORT

    If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

    -

    FILES

    +

    FILES

    /etc/resolv.conf

    ${HOME}/.digrc

    -

    SEE ALSO

    +

    SEE ALSO

    host(1), named(8), dnssec-keygen(8), @@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

    -

    BUGS

    +

    BUGS

    There are probably too many query options.

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index d466e50947..c4ef941771 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + dnssec-keygen - + @@ -50,7 +50,7 @@

    dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate keys for use with @@ -58,7 +58,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a algorithm
    @@ -166,7 +166,7 @@
    -

    GENERATED KEYS

    +

    GENERATED KEYS

    When dnssec-keygen completes successfully, @@ -212,7 +212,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

    To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -233,7 +233,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2535, @@ -242,7 +242,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 2b30755cb2..c6420fd8b7 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +dnssec-signzone - + @@ -50,7 +50,7 @@

    dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a

    @@ -257,7 +257,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

    The following command signs the example.com zone with the DSA key generated in the dnssec-keygen @@ -283,14 +283,14 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 2535.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index d02f1660db..eb11fc4b42 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +host - + @@ -50,7 +50,7 @@

    host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

    -

    DESCRIPTION

    +

    DESCRIPTION

    host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

    -

    IDN SUPPORT

    +

    IDN SUPPORT

    If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

    -

    FILES

    +

    FILES

    /etc/resolv.conf

    -

    SEE ALSO

    +

    SEE ALSO

    dig(1), named(8).

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 3047bebdfa..8476af7ad4 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + named-checkconf - + @@ -50,14 +50,14 @@

    named-checkconf [-v] [-j] [-t directory] {filename} [-z]

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-checkconf checks the syntax, but not the semantics, of a named configuration file.

    -

    OPTIONS

    +

    OPTIONS

    -t directory

    @@ -88,20 +88,20 @@

    -

    RETURN VALUES

    +

    RETURN VALUES

    named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

    -

    SEE ALSO

    +

    SEE ALSO

    named(8), BIND 9 Administrator Reference Manual.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 7627e7c611..c1ef3a8e08 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +named-checkzone - + @@ -51,7 +51,7 @@

    named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -d

    @@ -251,21 +251,21 @@

    -

    RETURN VALUES

    +

    RETURN VALUES

    named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

    -

    SEE ALSO

    +

    SEE ALSO

    named(8), RFC 1035, BIND 9 Administrator Reference Manual.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index d15aeb54b4..6adae0df9b 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +named - + @@ -50,7 +50,7 @@

    named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

    -

    DESCRIPTION

    +

    DESCRIPTION

    named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -4

    @@ -198,7 +198,7 @@

    -

    SIGNALS

    +

    SIGNALS

    In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -219,7 +219,7 @@

    -

    CONFIGURATION

    +

    CONFIGURATION

    The named configuration file is too complex to describe in detail here. A complete description is provided @@ -228,7 +228,7 @@

    -

    FILES

    +

    FILES

    /etc/named.conf

    @@ -241,7 +241,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    RFC 1033, RFC 1034, RFC 1035, @@ -252,7 +252,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 8786ddf032..b62daecd2a 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +rndc-confgen - + @@ -48,7 +48,7 @@

    rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc-confgen generates configuration files for rndc. It can be used as a @@ -64,7 +64,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a
    @@ -73,7 +73,7 @@ This creates a file rndc.key in /etc (or whatever sysconfdir - was specified as when BIND was + was specified as when BIND was built) that is read by both rndc and named on startup. The @@ -171,7 +171,7 @@
    -

    EXAMPLES

    +

    EXAMPLES

    To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc(8), rndc.conf(5), named(8), @@ -196,7 +196,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index a25f78ddc3..bdb25a6d01 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +rndc.conf - + @@ -50,7 +50,7 @@

    rndc.conf

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
    -

    NAME SERVER CONFIGURATION

    +

    NAME SERVER CONFIGURATION

    The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index a37a8e2df5..f907fec77d 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,12 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +rndc - + @@ -50,7 +50,7 @@

    rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -b source-address

    @@ -152,7 +152,7 @@

    -

    LIMITATIONS

    +

    LIMITATIONS

    rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -166,7 +166,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc.conf(5), named(8), named.conf(5) @@ -175,7 +175,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/lib/lwres/man/lwres.3 b/lib/lwres/man/lwres.3 index aaf15dd283..3ff8879cf0 100644 --- a/lib/lwres/man/lwres.3 +++ b/lib/lwres/man/lwres.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres.3,v 1.25 2005/10/13 03:14:00 marka Exp $ +.\" $Id: lwres.3,v 1.26 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -155,3 +158,5 @@ bit should be set. \fBlwres_config\fR(3), \fBresolver\fR(5), \fBlwresd\fR(8). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html index 1818c5de3a..26dd126f07 100644 --- a/lib/lwres/man/lwres.html +++ b/lib/lwres/man/lwres.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres - +
    -
    +

    Name

    lwres — introduction to the lightweight resolver library

    @@ -32,7 +32,7 @@ 
    #include <lwres/lwres.h>
    -

    DESCRIPTION

    +

    DESCRIPTION

    The BIND 9 lightweight resolver library is a simple, name service independent stub resolver library. It provides hostname-to-address @@ -47,7 +47,7 @@

    -

    OVERVIEW

    +

    OVERVIEW

    The lwresd library implements multiple name service APIs. The standard @@ -101,7 +101,7 @@

    -

    CLIENT-SIDE LOW-LEVEL API CALL FLOW

    +

    CLIENT-SIDE LOW-LEVEL API CALL FLOW

    When a client program wishes to make an lwres request using the native low-level API, it typically performs the following @@ -149,7 +149,7 @@

    -

    SERVER-SIDE LOW-LEVEL API CALL FLOW

    +

    SERVER-SIDE LOW-LEVEL API CALL FLOW

    When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the @@ -191,7 +191,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    lwres_gethostent(3), lwres_getipnode(3), diff --git a/lib/lwres/man/lwres_buffer.3 b/lib/lwres/man/lwres_buffer.3 index 1826b0e278..5172341329 100644 --- a/lib/lwres/man/lwres_buffer.3 +++ b/lib/lwres/man/lwres_buffer.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_buffer.3,v 1.23 2005/10/13 03:14:00 marka Exp $ +.\" $Id: lwres_buffer.3,v 1.24 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_buffer +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,37 +36,37 @@ lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtr #include .fi .HP 23 -\fBvoid\ \fBlwres_buffer_init\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBvoid\ *\fR\fB\fIbase\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIlength\fR\fR\fB);\fR +.BI "void lwres_buffer_init(lwres_buffer_t\ *" "b" ", void\ *" "base" ", unsigned\ int\ " "length" ");" .HP 29 -\fBvoid\ \fBlwres_buffer_invalidate\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "void lwres_buffer_invalidate(lwres_buffer_t\ *" "b" ");" .HP 22 -\fBvoid\ \fBlwres_buffer_add\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIn\fR\fR\fB);\fR +.BI "void lwres_buffer_add(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");" .HP 27 -\fBvoid\ \fBlwres_buffer_subtract\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIn\fR\fR\fB);\fR +.BI "void lwres_buffer_subtract(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");" .HP 24 -\fBvoid\ \fBlwres_buffer_clear\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "void lwres_buffer_clear(lwres_buffer_t\ *" "b" ");" .HP 24 -\fBvoid\ \fBlwres_buffer_first\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "void lwres_buffer_first(lwres_buffer_t\ *" "b" ");" .HP 26 -\fBvoid\ \fBlwres_buffer_forward\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIn\fR\fR\fB);\fR +.BI "void lwres_buffer_forward(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");" .HP 23 -\fBvoid\ \fBlwres_buffer_back\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIn\fR\fR\fB);\fR +.BI "void lwres_buffer_back(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");" .HP 36 -\fBlwres_uint8_t\ \fBlwres_buffer_getuint8\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "lwres_uint8_t lwres_buffer_getuint8(lwres_buffer_t\ *" "b" ");" .HP 27 -\fBvoid\ \fBlwres_buffer_putuint8\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_uint8_t\ \fR\fB\fIval\fR\fR\fB);\fR +.BI "void lwres_buffer_putuint8(lwres_buffer_t\ *" "b" ", lwres_uint8_t\ " "val" ");" .HP 38 -\fBlwres_uint16_t\ \fBlwres_buffer_getuint16\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "lwres_uint16_t lwres_buffer_getuint16(lwres_buffer_t\ *" "b" ");" .HP 28 -\fBvoid\ \fBlwres_buffer_putuint16\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_uint16_t\ \fR\fB\fIval\fR\fR\fB);\fR +.BI "void lwres_buffer_putuint16(lwres_buffer_t\ *" "b" ", lwres_uint16_t\ " "val" ");" .HP 38 -\fBlwres_uint32_t\ \fBlwres_buffer_getuint32\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "lwres_uint32_t lwres_buffer_getuint32(lwres_buffer_t\ *" "b" ");" .HP 28 -\fBvoid\ \fBlwres_buffer_putuint32\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_uint32_t\ \fR\fB\fIval\fR\fR\fB);\fR +.BI "void lwres_buffer_putuint32(lwres_buffer_t\ *" "b" ", lwres_uint32_t\ " "val" ");" .HP 25 -\fBvoid\ \fBlwres_buffer_putmem\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBconst\ unsigned\ char\ *\fR\fB\fIbase\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIlength\fR\fR\fB);\fR +.BI "void lwres_buffer_putmem(lwres_buffer_t\ *" "b" ", const\ unsigned\ char\ *" "base" ", unsigned\ int\ " "length" ");" .HP 25 -\fBvoid\ \fBlwres_buffer_getmem\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBunsigned\ char\ *\fR\fB\fIbase\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIlength\fR\fR\fB);\fR +.BI "void lwres_buffer_getmem(lwres_buffer_t\ *" "b" ", unsigned\ char\ *" "base" ", unsigned\ int\ " "length" ");" .SH "DESCRIPTION" .PP These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the @@ -89,6 +92,7 @@ The \fIactive region\fR is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, the active region will also be empty. .PP +.RS 3n .nf /\-\-\-\-\-\-\-\-\-\-\-\-entire length\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\\\\ /\-\-\-\-\- used region \-\-\-\-\-\\\\/\-\- available \-\-\\\\ @@ -97,8 +101,10 @@ is an (optional) subregion of the remaining region. It extends from the current +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ a b c d e .fi +.RE .sp .PP +.RS 3n .nf a == base of buffer. b == current pointer. Can be anywhere between a and d. @@ -106,8 +112,10 @@ is an (optional) subregion of the remaining region. It extends from the current d == used pointer. e == length of buffer. .fi +.RE .sp .PP +.RS 3n .nf a\-e == entire length of buffer. a\-d == used region. @@ -115,11 +123,13 @@ is an (optional) subregion of the remaining region. It extends from the current b\-d == remaining region. b\-c == optional active region. .fi +.RE .sp .PP \fBlwres_buffer_init()\fR initializes the -\fBlwres_buffer_t\fR\fI*b\fR +\fBlwres_buffer_t\fR +\fI*b\fR and assocates it with the memory region of size \fIlength\fR bytes starting at location @@ -216,3 +226,5 @@ bytes of memory from \fIb\fR to \fIbase\fR. +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html index 026f2f37b0..4fe6c3c933 100644 --- a/lib/lwres/man/lwres_buffer.html +++ b/lib/lwres/man/lwres_buffer.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_buffer - +

    -
    +

    Name

    lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem — lightweight resolver buffer management

    @@ -38,43 +38,63 @@
    - + - + + + + + + - +
    Chapter 7. BIND 9 Security Considerations
    Chapter 7. BIND 9 Security Considerations
    Prev 
    Chapter 6. BIND 9 Configuration Reference Chapter 6. BIND 9 Configuration Reference  Home  Chapter 8. Troubleshooting
    Chapter 7. BIND 9 Security Considerations Chapter 7. BIND 9 Security Considerations  Home  Appendix A. Appendices
    void lwres_buffer_init(lwres_buffer_t *   b,
     void *   +b,
       base,
     unsigned int    length);
    - +
    + - + -
    void lwres_buffer_invalidate(lwres_buffer_t *   b);
    + + +  +  + +b); + + - + - + + + + + + @@ -84,45 +104,73 @@ void - + - + + + + + +
    void lwres_buffer_add(lwres_buffer_t *   b,
     unsigned int    +b,
       n);
    void lwres_buffer_subtract(lwres_buffer_t *   b,
     unsigned int    +b,
       n);
    - +
    + - + -
    void lwres_buffer_clear(lwres_buffer_t *   b);
    - + + + + + + +
       +b);
    + + - + -
    void lwres_buffer_first(lwres_buffer_t *   b);
    + + +  +  + +b); + + - + - + + + + + + @@ -132,85 +180,133 @@ void - + - + + + + + +
    void lwres_buffer_forward(lwres_buffer_t *   b,
     unsigned int    +b,
       n);
    void lwres_buffer_back(lwres_buffer_t *   b,
     unsigned int    +b,
       n);
    - +
    + - + -
    lwres_uint8_t lwres_buffer_getuint8(lwres_buffer_t *   b);
    + + +  +  + +b); + + - + - + + + + + +
    void lwres_buffer_putuint8(lwres_buffer_t *   b,
     lwres_uint8_t    +b,
       val);
    - +
    + - + -
    lwres_uint16_t lwres_buffer_getuint16(lwres_buffer_t *   b);
    + + +  +  + +b); + + - + - + + + + + +
    void lwres_buffer_putuint16(lwres_buffer_t *   b,
     lwres_uint16_t    +b,
       val);
    - +
    + - + -
    lwres_uint32_t lwres_buffer_getuint32(lwres_buffer_t *   b);
    + + +  +  + +b); + + - + - + + + + + + @@ -220,19 +316,25 @@ void - + - + + + + + + - + @@ -242,19 +344,25 @@ void - + - + + + + + + - + @@ -262,7 +370,7 @@ void
    -

    DESCRIPTION

    +

    DESCRIPTION

    These functions provide bounds checked access to a region of memory where data is being read or written. diff --git a/lib/lwres/man/lwres_config.3 b/lib/lwres/man/lwres_config.3 index ba61772dcc..7bb3baccd0 100644 --- a/lib/lwres/man/lwres_config.3 +++ b/lib/lwres/man/lwres_config.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_config.3,v 1.23 2005/10/13 03:14:00 marka Exp $ +.\" $Id: lwres_config.3,v 1.24 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_config +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,15 +36,15 @@ lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_con #include .fi .HP 21 -\fBvoid\ \fBlwres_conf_init\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB);\fR +.BI "void lwres_conf_init(lwres_context_t\ *" "ctx" ");" .HP 22 -\fBvoid\ \fBlwres_conf_clear\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB);\fR +.BI "void lwres_conf_clear(lwres_context_t\ *" "ctx" ");" .HP 32 -\fBlwres_result_t\ \fBlwres_conf_parse\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBconst\ char\ *\fR\fB\fIfilename\fR\fR\fB);\fR +.BI "lwres_result_t lwres_conf_parse(lwres_context_t\ *" "ctx" ", const\ char\ *" "filename" ");" .HP 32 -\fBlwres_result_t\ \fBlwres_conf_print\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBFILE\ *\fR\fB\fIfp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_conf_print(lwres_context_t\ *" "ctx" ", FILE\ *" "fp" ");" .HP 30 -\fBlwres_conf_t\ *\ \fBlwres_conf_get\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB);\fR +.BI "lwres_conf_t * lwres_conf_get(lwres_context_t\ *" "ctx" ");" .SH "DESCRIPTION" .PP \fBlwres_conf_init()\fR @@ -70,7 +73,8 @@ prints the structure for resolver context \fIctx\fR to the -\fBFILE\fR\fIfp\fR. +\fBFILE\fR +\fIfp\fR. .SH "RETURN VALUES" .PP \fBlwres_conf_parse()\fR @@ -95,3 +99,5 @@ unless an error occurred when converting the network addresses to a numeric host .SH "FILES" .PP \fI/etc/resolv.conf\fR +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html index 84f1192e8c..b0b89aebe7 100644 --- a/lib/lwres/man/lwres_config.html +++ b/lib/lwres/man/lwres_config.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_config - +

    -
    +

    Name

    lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get — lightweight resolver configuration

    @@ -31,34 +31,56 @@

    Synopsis

    #include <lwres/lwres.h>
    -
    void lwres_buffer_putuint32(lwres_buffer_t *   b,
     lwres_uint32_t    +b,
       val);
    void lwres_buffer_putmem(lwres_buffer_t *   b,
     const unsigned char *   +b,
       base,
     unsigned int    length);
    void lwres_buffer_getmem(lwres_buffer_t *   b,
     unsigned char *   +b,
       base,
     unsigned int    length);
    +
    + - + -
    void lwres_conf_init(lwres_context_t *   ctx);
    - + + + + + + +
       +ctx);
    + + - + -
    void lwres_conf_clear(lwres_context_t *   ctx);
    + + +  +  + +ctx); + + - + - + + + + + + @@ -68,29 +90,43 @@ lwres_result_t - + - + + + + + +
    lwres_result_t lwres_conf_parse(lwres_context_t *   ctx,
     const char *   +ctx,
       filename);
    lwres_result_t lwres_conf_print(lwres_context_t *   ctx,
     FILE *   +ctx,
       fp);
    - +
    + - + -
    lwres_conf_t * lwres_conf_get(lwres_context_t *   ctx);
    + + +  +  + +ctx); + +
    -

    DESCRIPTION

    +

    DESCRIPTION

    lwres_conf_init() creates an empty lwres_conf_t @@ -123,7 +159,7 @@ lwres_conf_t *

    -

    RETURN VALUES

    +

    RETURN VALUES

    lwres_conf_parse() returns LWRES_R_SUCCESS if it successfully read and parsed @@ -142,13 +178,13 @@ lwres_conf_t *

    -

    SEE ALSO

    +

    SEE ALSO

    stdio(3), resolver(5).

    -

    FILES

    +

    FILES

    /etc/resolv.conf

    diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3 index bb123f150d..ef6690b293 100644 --- a/lib/lwres/man/lwres_context.3 +++ b/lib/lwres/man/lwres_context.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_context.3,v 1.25 2005/10/13 03:14:00 marka Exp $ +.\" $Id: lwres_context.3,v 1.26 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_context +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,19 +36,19 @@ lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_con #include .fi .HP 36 -\fBlwres_result_t\ \fBlwres_context_create\fR\fR\fB(\fR\fBlwres_context_t\ **\fR\fB\fIcontextp\fR\fR\fB, \fR\fBvoid\ *\fR\fB\fIarg\fR\fR\fB, \fR\fBlwres_malloc_t\ \fR\fB\fImalloc_function\fR\fR\fB, \fR\fBlwres_free_t\ \fR\fB\fIfree_function\fR\fR\fB);\fR +.BI "lwres_result_t lwres_context_create(lwres_context_t\ **" "contextp" ", void\ *" "arg" ", lwres_malloc_t\ " "malloc_function" ", lwres_free_t\ " "free_function" ");" .HP 37 -\fBlwres_result_t\ \fBlwres_context_destroy\fR\fR\fB(\fR\fBlwres_context_t\ **\fR\fB\fIcontextp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_context_destroy(lwres_context_t\ **" "contextp" ");" .HP 30 -\fBvoid\ \fBlwres_context_initserial\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_uint32_t\ \fR\fB\fIserial\fR\fR\fB);\fR +.BI "void lwres_context_initserial(lwres_context_t\ *" "ctx" ", lwres_uint32_t\ " "serial" ");" .HP 40 -\fBlwres_uint32_t\ \fBlwres_context_nextserial\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB);\fR +.BI "lwres_uint32_t lwres_context_nextserial(lwres_context_t\ *" "ctx" ");" .HP 27 -\fBvoid\ \fBlwres_context_freemem\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBvoid\ *\fR\fB\fImem\fR\fR\fB, \fR\fBsize_t\ \fR\fB\fIlen\fR\fR\fB);\fR +.BI "void lwres_context_freemem(lwres_context_t\ *" "ctx" ", void\ *" "mem" ", size_t\ " "len" ");" .HP 28 -\fBvoid\ \fBlwres_context_allocmem\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBsize_t\ \fR\fB\fIlen\fR\fR\fB);\fR +.BI "void lwres_context_allocmem(lwres_context_t\ *" "ctx" ", size_t\ " "len" ");" .HP 30 -\fBvoid\ *\ \fBlwres_context_sendrecv\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBvoid\ *\fR\fB\fIsendbase\fR\fR\fB, \fR\fBint\ \fR\fB\fIsendlen\fR\fR\fB, \fR\fBvoid\ *\fR\fB\fIrecvbase\fR\fR\fB, \fR\fBint\ \fR\fB\fIrecvlen\fR\fR\fB, \fR\fBint\ *\fR\fB\fIrecvd_len\fR\fR\fB);\fR +.BI "void * lwres_context_sendrecv(lwres_context_t\ *" "ctx" ", void\ *" "sendbase" ", int\ " "sendlen" ", void\ *" "recvbase" ", int\ " "recvlen" ", int\ *" "recvd_len" ");" .SH "DESCRIPTION" .PP \fBlwres_context_create()\fR @@ -160,3 +163,5 @@ times out waiting for a response. \fBlwres_conf_init\fR(3), \fBmalloc\fR(3), \fBfree\fR(3). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html index 290742b351..d0169a3e69 100644 --- a/lib/lwres/man/lwres_context.html +++ b/lib/lwres/man/lwres_context.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_context - +
    -
    +

    Name

    lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv — lightweight resolver context management

    @@ -36,79 +36,113 @@ lwres_result_t lwres_context_create( -lwres_context_t **  +  contextp,   -void *  +  + +contextp, + + +  +  arg,   -lwres_malloc_t   +  malloc_function,   -lwres_free_t   +  free_function); - +
    + - + -
    lwres_result_t lwres_context_destroy(lwres_context_t **   contextp);
    + + +  +  + +contextp); + + - + - + + + + + +
    void lwres_context_initserial(lwres_context_t *   ctx,
     lwres_uint32_t    +ctx,
       serial);
    - +
    + - + -
    lwres_uint32_t lwres_context_nextserial(lwres_context_t *   ctx);
    + + +  +  + +ctx); + + - + - + + + + + + - + @@ -118,13 +152,19 @@ void - + - + + + + + + @@ -134,37 +174,43 @@ void - + - + + + + + + - + - + - + - + @@ -172,7 +218,7 @@ void *
    -

    DESCRIPTION

    +

    DESCRIPTION

    lwres_context_create() creates a lwres_context_t structure for use in lightweight resolver operations. It holds a socket and other @@ -258,7 +304,7 @@ void *

    -

    RETURN VALUES

    +

    RETURN VALUES

    lwres_context_create() returns LWRES_R_NOMEMORY if memory for the struct lwres_context could not be allocated, @@ -283,7 +329,7 @@ void *

    -

    SEE ALSO

    +

    SEE ALSO

    lwres_conf_init(3), malloc(3), diff --git a/lib/lwres/man/lwres_gabn.3 b/lib/lwres/man/lwres_gabn.3 index 720053ef92..57449938cb 100644 --- a/lib/lwres/man/lwres_gabn.3 +++ b/lib/lwres/man/lwres_gabn.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gabn.3,v 1.24 2005/10/13 03:14:00 marka Exp $ +.\" $Id: lwres_gabn.3,v 1.25 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_gabn +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,17 +36,17 @@ lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lw #include .fi .HP 40 -\fBlwres_result_t\ \fBlwres_gabnrequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gabnrequest_t\ *\fR\fB\fIreq\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "lwres_result_t lwres_gabnrequest_render(lwres_context_t\ *" "ctx" ", lwres_gabnrequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");" .HP 41 -\fBlwres_result_t\ \fBlwres_gabnresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gabnresponse_t\ *\fR\fB\fIreq\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "lwres_result_t lwres_gabnresponse_render(lwres_context_t\ *" "ctx" ", lwres_gabnresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");" .HP 39 -\fBlwres_result_t\ \fBlwres_gabnrequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_gabnrequest_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_gabnrequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gabnrequest_t\ **" "structp" ");" .HP 40 -\fBlwres_result_t\ \fBlwres_gabnresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_gabnresponse_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_gabnresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gabnresponse_t\ **" "structp" ");" .HP 29 -\fBvoid\ \fBlwres_gabnresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gabnresponse_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "void lwres_gabnresponse_free(lwres_context_t\ *" "ctx" ", lwres_gabnresponse_t\ **" "structp" ");" .HP 28 -\fBvoid\ \fBlwres_gabnrequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gabnrequest_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "void lwres_gabnrequest_free(lwres_context_t\ *" "ctx" ", lwres_gabnrequest_t\ **" "structp" ");" .SH "DESCRIPTION" .PP These are low\-level routines for creating and parsing lightweight resolver name\-to\-address lookup request and response messages. @@ -57,17 +60,22 @@ There are four main functions for the getaddrbyname opcode. One render function These structures are defined in \fI\fR. They are shown below. .PP +.RS 3n .nf #define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U .fi +.RE .sp .PP +.RS 3n .nf typedef struct lwres_addr lwres_addr_t; typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t; .fi +.RE .sp .PP +.RS 3n .nf typedef struct { lwres_uint32_t flags; @@ -76,8 +84,10 @@ typedef struct { char *name; } lwres_gabnrequest_t; .fi +.RE .sp .PP +.RS 3n .nf typedef struct { lwres_uint32_t flags; @@ -92,6 +102,7 @@ typedef struct { size_t baselen; } lwres_gabnresponse_t; .fi +.RE .sp .PP \fBlwres_gabnrequest_render()\fR @@ -145,7 +156,8 @@ structures referenced via .PP The getaddrbyname opcode functions \fBlwres_gabnrequest_render()\fR, -\fBlwres_gabnresponse_render()\fR\fBlwres_gabnrequest_parse()\fR +\fBlwres_gabnresponse_render()\fR +\fBlwres_gabnrequest_parse()\fR and \fBlwres_gabnresponse_parse()\fR all return @@ -176,3 +188,5 @@ indicate that the packet is not a response to an earlier query. .SH "SEE ALSO" .PP \fBlwres_packet\fR(3) +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html index f22762450c..62c07e9e19 100644 --- a/lib/lwres/man/lwres_gabn.html +++ b/lib/lwres/man/lwres_gabn.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_gabn - +

    -
    +

    Name

    lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free — lightweight resolver getaddrbyname message handling

    @@ -36,25 +36,31 @@
    - + - + + + + + + - + - + @@ -64,25 +70,31 @@ lwres_result_t - + - + + + + + + - + - + @@ -92,25 +104,31 @@ lwres_result_t - + - + + + + + + - + - + @@ -120,25 +138,31 @@ lwres_result_t - + - + + + + + + - + - + @@ -148,13 +172,19 @@ lwres_result_t - + - + + + + + + @@ -164,13 +194,19 @@ void - + - + + + + + + @@ -178,7 +214,7 @@ void
    -

    DESCRIPTION

    +

    DESCRIPTION

    These are low-level routines for creating and parsing lightweight resolver name-to-address lookup request and @@ -278,7 +314,7 @@ typedef struct {

    -

    RETURN VALUES

    +

    RETURN VALUES

    The getaddrbyname opcode functions lwres_gabnrequest_render(), @@ -316,7 +352,7 @@ typedef struct {

    -

    SEE ALSO

    +

    SEE ALSO

    lwres_packet(3)

    diff --git a/lib/lwres/man/lwres_gai_strerror.3 b/lib/lwres/man/lwres_gai_strerror.3 index a7c8646430..0436f406b6 100644 --- a/lib/lwres/man/lwres_gai_strerror.3 +++ b/lib/lwres/man/lwres_gai_strerror.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gai_strerror.3,v 1.24 2005/10/13 03:14:00 marka Exp $ +.\" $Id: lwres_gai_strerror.3,v 1.25 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_gai_strerror +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,48 +36,48 @@ lwres_gai_strerror \- print suitable error string #include .fi .HP 20 -\fBchar\ *\ \fBgai_strerror\fR\fR\fB(\fR\fBint\ \fR\fB\fIecode\fR\fR\fB);\fR +.BI "char * gai_strerror(int\ " "ecode" ");" .SH "DESCRIPTION" .PP \fBlwres_gai_strerror()\fR returns an error message corresponding to an error code returned by \fBgetaddrinfo()\fR. The following error codes and their meaning are defined in \fIinclude/lwres/netdb.h\fR. -.TP +.TP 3n \fBEAI_ADDRFAMILY\fR address family for hostname not supported -.TP +.TP 3n \fBEAI_AGAIN\fR temporary failure in name resolution -.TP +.TP 3n \fBEAI_BADFLAGS\fR invalid value for \fBai_flags\fR -.TP +.TP 3n \fBEAI_FAIL\fR non\-recoverable failure in name resolution -.TP +.TP 3n \fBEAI_FAMILY\fR \fBai_family\fR not supported -.TP +.TP 3n \fBEAI_MEMORY\fR memory allocation failure -.TP +.TP 3n \fBEAI_NODATA\fR no address associated with hostname -.TP +.TP 3n \fBEAI_NONAME\fR hostname or servname not provided, or not known -.TP +.TP 3n \fBEAI_SERVICE\fR servname not supported for \fBai_socktype\fR -.TP +.TP 3n \fBEAI_SOCKTYPE\fR \fBai_socktype\fR not supported -.TP +.TP 3n \fBEAI_SYSTEM\fR system error returned in errno The message @@ -97,3 +100,5 @@ used by \fBlwres_getaddrinfo\fR(3), \fBgetaddrinfo\fR(3), \fBRFC2133\fR(). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html index 2ef18441fa..58bbb30ff0 100644 --- a/lib/lwres/man/lwres_gai_strerror.html +++ b/lib/lwres/man/lwres_gai_strerror.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_gai_strerror - +
    -
    +

    Name

    lwres_gai_strerror — print suitable error string

    @@ -37,7 +37,7 @@ char *
    -

    DESCRIPTION

    +

    DESCRIPTION

    lwres_gai_strerror() returns an error message corresponding to an error code returned by getaddrinfo(). @@ -105,7 +105,7 @@ char *

    -

    SEE ALSO

    +

    SEE ALSO

    strerror(3), lwres_getaddrinfo(3), diff --git a/lib/lwres/man/lwres_getaddrinfo.3 b/lib/lwres/man/lwres_getaddrinfo.3 index ffcf9fb2fe..1f86ebc61e 100644 --- a/lib/lwres/man/lwres_getaddrinfo.3 +++ b/lib/lwres/man/lwres_getaddrinfo.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getaddrinfo.3,v 1.28 2005/10/13 03:14:00 marka Exp $ +.\" $Id: lwres_getaddrinfo.3,v 1.29 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_getaddrinfo +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,13 +36,14 @@ lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and se #include .fi .HP 22 -\fBint\ \fBlwres_getaddrinfo\fR\fR\fB(\fR\fBconst\ char\ *\fR\fB\fIhostname\fR\fR\fB, \fR\fBconst\ char\ *\fR\fB\fIservname\fR\fR\fB, \fR\fBconst\ struct\ addrinfo\ *\fR\fB\fIhints\fR\fR\fB, \fR\fBstruct\ addrinfo\ **\fR\fB\fIres\fR\fR\fB);\fR +.BI "int lwres_getaddrinfo(const\ char\ *" "hostname" ", const\ char\ *" "servname" ", const\ struct\ addrinfo\ *" "hints" ", struct\ addrinfo\ **" "res" ");" .HP 24 -\fBvoid\ \fBlwres_freeaddrinfo\fR\fR\fB(\fR\fBstruct\ addrinfo\ *\fR\fB\fIai\fR\fR\fB);\fR +.BI "void lwres_freeaddrinfo(struct\ addrinfo\ *" "ai" ");" .PP If the operating system does not provide a \fBstruct addrinfo\fR, the following structure is used: .PP +.RS 3n .nf struct addrinfo { int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ @@ -52,6 +56,7 @@ struct addrinfo { struct addrinfo *ai_next; /* next structure in linked list */ }; .fi +.RE .sp .SH "DESCRIPTION" .PP @@ -77,13 +82,13 @@ is either a decimal port number or a service name as listed in is an optional pointer to a \fBstruct addrinfo\fR. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in \fI*hints\fR: -.TP +.TP 3n \fBai_family\fR The protocol family that should be used. When \fBai_family\fR is set to \fBPF_UNSPEC\fR, it means the caller will accept any protocol family supported by the operating system. -.TP +.TP 3n \fBai_socktype\fR denotes the type of socket \(em \fBSOCK_STREAM\fR, @@ -93,12 +98,12 @@ or \(em that is wanted. When \fBai_socktype\fR is zero the caller will accept any socket type. -.TP +.TP 3n \fBai_protocol\fR indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If \fBai_protocol\fR is zero the caller will accept any protocol. -.TP +.TP 3n \fBai_flags\fR Flag bits. If the \fBAI_CANONNAME\fR @@ -209,7 +214,8 @@ if an error occurs. If both and \fIservname\fR are -\fBNULL\fR\fBlwres_getaddrinfo()\fR +\fBNULL\fR +\fBlwres_getaddrinfo()\fR returns \fBEAI_NONAME\fR. .SH "SEE ALSO" @@ -225,3 +231,5 @@ returns \fBsendto\fR(2), \fBsendmsg\fR(2), \fBsocket\fR(2). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html index 6aea3c88c5..18fbd43703 100644 --- a/lib/lwres/man/lwres_getaddrinfo.html +++ b/lib/lwres/man/lwres_getaddrinfo.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_getaddrinfo - +

    -
    +

    Name

    lwres_getaddrinfo, lwres_freeaddrinfo — socket address structure to host and service name

    @@ -36,37 +36,51 @@
    - + - + + + + + + - + - +
    void lwres_context_freemem(lwres_context_t *   ctx,
     void *   +ctx,
       mem,
     size_t    len);
    void lwres_context_allocmem(lwres_context_t *   ctx,
     size_t    +ctx,
       len);
    void * lwres_context_sendrecv(lwres_context_t *   ctx,
     void *   +ctx,
       sendbase,
     int    sendlen,
     void *   recvbase,
     int    recvlen,
     int *   recvd_len);
    lwres_result_t lwres_gabnrequest_render(lwres_context_t *   ctx,
     lwres_gabnrequest_t *   +ctx,
       req,
     lwres_lwpacket_t *   pkt,
     lwres_buffer_t *   b);
    lwres_result_t lwres_gabnresponse_render(lwres_context_t *   ctx,
     lwres_gabnresponse_t *   +ctx,
       req,
     lwres_lwpacket_t *   pkt,
     lwres_buffer_t *   b);
    lwres_result_t lwres_gabnrequest_parse(lwres_context_t *   ctx,
     lwres_buffer_t *   +ctx,
       b,
     lwres_lwpacket_t *   pkt,
     lwres_gabnrequest_t **   structp);
    lwres_result_t lwres_gabnresponse_parse(lwres_context_t *   ctx,
     lwres_buffer_t *   +ctx,
       b,
     lwres_lwpacket_t *   pkt,
     lwres_gabnresponse_t **   structp);
    void lwres_gabnresponse_free(lwres_context_t *   ctx,
     lwres_gabnresponse_t **   +ctx,
       structp);
    void lwres_gabnrequest_free(lwres_context_t *   ctx,
     lwres_gabnrequest_t **   +ctx,
       structp);
    int lwres_getaddrinfo(const char *   hostname,
     const char *   +hostname,
       servname,
     const struct addrinfo *   hints,
     struct addrinfo **   res);
    - +
    + - + -
    void lwres_freeaddrinfo(struct addrinfo *   ai);
    + + +  +  + +ai); + +

    If the operating system does not provide a @@ -89,7 +103,7 @@ struct addrinfo {

    -

    DESCRIPTION

    +

    DESCRIPTION

    lwres_getaddrinfo() is used to get a list of IP addresses and port numbers for host hostname and service @@ -283,7 +297,7 @@ struct addrinfo {

    -

    RETURN VALUES

    +

    RETURN VALUES

    lwres_getaddrinfo() returns zero on success or one of the error codes listed in gai_strerror(3) @@ -294,7 +308,7 @@ struct addrinfo {

    -

    SEE ALSO

    +

    SEE ALSO

    lwres(3), lwres_getaddrinfo(3), diff --git a/lib/lwres/man/lwres_gethostent.3 b/lib/lwres/man/lwres_gethostent.3 index 755657aac0..f297dcce44 100644 --- a/lib/lwres/man/lwres_gethostent.3 +++ b/lib/lwres/man/lwres_gethostent.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gethostent.3,v 1.26 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_gethostent.3,v 1.27 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_gethostent +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,27 +36,27 @@ lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent #include .fi .HP 37 -\fBstruct\ hostent\ *\ \fBlwres_gethostbyname\fR\fR\fB(\fR\fBconst\ char\ *\fR\fB\fIname\fR\fR\fB);\fR +.BI "struct hostent * lwres_gethostbyname(const\ char\ *" "name" ");" .HP 38 -\fBstruct\ hostent\ *\ \fBlwres_gethostbyname2\fR\fR\fB(\fR\fBconst\ char\ *\fR\fB\fIname\fR\fR\fB, \fR\fBint\ \fR\fB\fIaf\fR\fR\fB);\fR +.BI "struct hostent * lwres_gethostbyname2(const\ char\ *" "name" ", int\ " "af" ");" .HP 37 -\fBstruct\ hostent\ *\ \fBlwres_gethostbyaddr\fR\fR\fB(\fR\fBconst\ char\ *\fR\fB\fIaddr\fR\fR\fB, \fR\fBint\ \fR\fB\fIlen\fR\fR\fB, \fR\fBint\ \fR\fB\fItype\fR\fR\fB);\fR +.BI "struct hostent * lwres_gethostbyaddr(const\ char\ *" "addr" ", int\ " "len" ", int\ " "type" ");" .HP 34 -\fBstruct\ hostent\ *\ \fBlwres_gethostent\fR\fR\fB(\fR\fBvoid\fR\fB);\fR +.BI "struct hostent * lwres_gethostent(void);" .HP 22 -\fBvoid\ \fBlwres_sethostent\fR\fR\fB(\fR\fBint\ \fR\fB\fIstayopen\fR\fR\fB);\fR +.BI "void lwres_sethostent(int\ " "stayopen" ");" .HP 22 -\fBvoid\ \fBlwres_endhostent\fR\fR\fB(\fR\fBvoid\fR\fB);\fR +.BI "void lwres_endhostent(void);" .HP 39 -\fBstruct\ hostent\ *\ \fBlwres_gethostbyname_r\fR\fR\fB(\fR\fBconst\ char\ *\fR\fB\fIname\fR\fR\fB, \fR\fBstruct\ hostent\ *\fR\fB\fIresbuf\fR\fR\fB, \fR\fBchar\ *\fR\fB\fIbuf\fR\fR\fB, \fR\fBint\ \fR\fB\fIbuflen\fR\fR\fB, \fR\fBint\ *\fR\fB\fIerror\fR\fR\fB);\fR +.BI "struct hostent * lwres_gethostbyname_r(const\ char\ *" "name" ", struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");" .HP 39 -\fBstruct\ hostent\ *\ \fBlwres_gethostbyaddr_r\fR\fR\fB(\fR\fBconst\ char\ *\fR\fB\fIaddr\fR\fR\fB, \fR\fBint\ \fR\fB\fIlen\fR\fR\fB, \fR\fBint\ \fR\fB\fItype\fR\fR\fB, \fR\fBstruct\ hostent\ *\fR\fB\fIresbuf\fR\fR\fB, \fR\fBchar\ *\fR\fB\fIbuf\fR\fR\fB, \fR\fBint\ \fR\fB\fIbuflen\fR\fR\fB, \fR\fBint\ *\fR\fB\fIerror\fR\fR\fB);\fR +.BI "struct hostent * lwres_gethostbyaddr_r(const\ char\ *" "addr" ", int\ " "len" ", int\ " "type" ", struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");" .HP 36 -\fBstruct\ hostent\ *\ \fBlwres_gethostent_r\fR\fR\fB(\fR\fBstruct\ hostent\ *\fR\fB\fIresbuf\fR\fR\fB, \fR\fBchar\ *\fR\fB\fIbuf\fR\fR\fB, \fR\fBint\ \fR\fB\fIbuflen\fR\fR\fB, \fR\fBint\ *\fR\fB\fIerror\fR\fR\fB);\fR +.BI "struct hostent * lwres_gethostent_r(struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");" .HP 24 -\fBvoid\ \fBlwres_sethostent_r\fR\fR\fB(\fR\fBint\ \fR\fB\fIstayopen\fR\fR\fB);\fR +.BI "void lwres_sethostent_r(int\ " "stayopen" ");" .HP 24 -\fBvoid\ \fBlwres_endhostent_r\fR\fR\fB(\fR\fBvoid\fR\fB);\fR +.BI "void lwres_endhostent_r(void);" .SH "DESCRIPTION" .PP These functions provide hostname\-to\-address and address\-to\-hostname lookups by means of the lightweight resolver. They are similar to the standard @@ -63,6 +66,7 @@ functions provided by most operating systems. They use a which is usually defined in \fI\fR. .PP +.RS 3n .nf struct hostent { char *h_name; /* official name of host */ @@ -73,25 +77,26 @@ struct hostent { }; #define h_addr h_addr_list[0] /* address, for backward compatibility */ .fi +.RE .sp .PP The members of this structure are: -.TP +.TP 3n \fBh_name\fR The official (canonical) name of the host. -.TP +.TP 3n \fBh_aliases\fR A NULL\-terminated array of alternate names (nicknames) for the host. -.TP +.TP 3n \fBh_addrtype\fR The type of address being returned \(em \fBPF_INET\fR or \fBPF_INET6\fR. -.TP +.TP 3n \fBh_length\fR The length of the address in bytes. -.TP +.TP 3n \fBh_addr_list\fR A \fBNULL\fR @@ -216,16 +221,16 @@ return NULL to indicate an error. In this case the global variable \fBlwres_h_errno\fR will contain one of the following error codes defined in \fI\fR: -.TP +.TP 3n \fBHOST_NOT_FOUND\fR The host or address was not found. -.TP +.TP 3n \fBTRY_AGAIN\fR A recoverable error occurred, e.g., a timeout. Retrying the lookup may succeed. -.TP +.TP 3n \fBNO_RECOVERY\fR A non\-recoverable error occurred. -.TP +.TP 3n \fBNO_DATA\fR The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility. .PP @@ -285,3 +290,5 @@ The resolver daemon does not currently support any non\-DNS name services such a \fI/etc/hosts\fR or \fBNIS\fR, consequently the above functions don't, either. +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html index 8aadc050a2..3965c398f8 100644 --- a/lib/lwres/man/lwres_gethostent.html +++ b/lib/lwres/man/lwres_gethostent.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_gethostent - +

    -
    +

    Name

    lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r — lightweight resolver get network host entry

    @@ -31,26 +31,40 @@

    Synopsis

    #include <lwres/netdb.h>
    - +
    + - + -
    struct hostent * lwres_gethostbyname(const char *   name);
    + + +  +  + +name); + + - + - + + + + + + @@ -60,19 +74,25 @@ struct hostent * - + - + + + + + + - + @@ -91,31 +111,37 @@ void - + - + + + + + + - + - + - + @@ -125,43 +151,49 @@ struct hostent * - + - + + + + + + - + - + - + - + - + @@ -171,25 +203,31 @@ struct hostent * - + - + + + + + + - + - + @@ -203,7 +241,7 @@ void
    -

    DESCRIPTION

    +

    DESCRIPTION

    These functions provide hostname-to-address and address-to-hostname lookups by means of the lightweight resolver. @@ -341,7 +379,7 @@ struct hostent {

    -

    RETURN VALUES

    +

    RETURN VALUES

    The functions lwres_gethostbyname(), @@ -405,7 +443,7 @@ struct hostent {

    -

    SEE ALSO

    +

    SEE ALSO

    gethostent(3), lwres_getipnode(3), @@ -414,7 +452,7 @@ struct hostent {

    -

    BUGS

    +

    BUGS

    lwres_gethostbyname(), lwres_gethostbyname2(), lwres_gethostbyaddr() diff --git a/lib/lwres/man/lwres_getipnode.3 b/lib/lwres/man/lwres_getipnode.3 index 3a0c715ae1..6bf3ef64c0 100644 --- a/lib/lwres/man/lwres_getipnode.3 +++ b/lib/lwres/man/lwres_getipnode.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getipnode.3,v 1.25 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_getipnode.3,v 1.26 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_getipnode +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,11 +36,11 @@ lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight r #include .fi .HP 39 -\fBstruct\ hostent\ *\ \fBlwres_getipnodebyname\fR\fR\fB(\fR\fBconst\ char\ *\fR\fB\fIname\fR\fR\fB, \fR\fBint\ \fR\fB\fIaf\fR\fR\fB, \fR\fBint\ \fR\fB\fIflags\fR\fR\fB, \fR\fBint\ *\fR\fB\fIerror_num\fR\fR\fB);\fR +.BI "struct hostent * lwres_getipnodebyname(const\ char\ *" "name" ", int\ " "af" ", int\ " "flags" ", int\ *" "error_num" ");" .HP 39 -\fBstruct\ hostent\ *\ \fBlwres_getipnodebyaddr\fR\fR\fB(\fR\fBconst\ void\ *\fR\fB\fIsrc\fR\fR\fB, \fR\fBsize_t\ \fR\fB\fIlen\fR\fR\fB, \fR\fBint\ \fR\fB\fIaf\fR\fR\fB, \fR\fBint\ *\fR\fB\fIerror_num\fR\fR\fB);\fR +.BI "struct hostent * lwres_getipnodebyaddr(const\ void\ *" "src" ", size_t\ " "len" ", int\ " "af" ", int\ *" "error_num" ");" .HP 23 -\fBvoid\ \fBlwres_freehostent\fR\fR\fB(\fR\fBstruct\ hostent\ *\fR\fB\fIhe\fR\fR\fB);\fR +.BI "void lwres_freehostent(struct\ hostent\ *" "he" ");" .SH "DESCRIPTION" .PP These functions perform thread safe, protocol independent nodename\-to\-address and address\-to\-nodename translation as defined in RFC2553. @@ -47,6 +50,7 @@ They use a which is defined in \fInamedb.h\fR: .PP +.RS 3n .nf struct hostent { char *h_name; /* official name of host */ @@ -57,25 +61,26 @@ struct hostent { }; #define h_addr h_addr_list[0] /* address, for backward compatibility */ .fi +.RE .sp .PP The members of this structure are: -.TP +.TP 3n \fBh_name\fR The official (canonical) name of the host. -.TP +.TP 3n \fBh_aliases\fR A NULL\-terminated array of alternate names (nicknames) for the host. -.TP +.TP 3n \fBh_addrtype\fR The type of address being returned \- usually \fBPF_INET\fR or \fBPF_INET6\fR. -.TP +.TP 3n \fBh_length\fR The length of the address in bytes. -.TP +.TP 3n \fBh_addr_list\fR A \fBNULL\fR @@ -88,20 +93,20 @@ for the hostname \fIname\fR. The \fIflags\fR parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are: -.TP +.TP 3n \fBAI_V4MAPPED\fR This is used with an \fIaf\fR of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses. -.TP +.TP 3n \fBAI_ALL\fR This is used with an \fIaf\fR of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses. -.TP +.TP 3n \fBAI_ADDRCONFIG\fR Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored. -.TP +.TP 3n \fBAI_DEFAULT\fR This default sets the \fBAI_V4MAPPED\fR @@ -145,16 +150,16 @@ to an appropriate error code and the function returns a \fBNULL\fR pointer. The error codes and their meanings are defined in \fI\fR: -.TP +.TP 3n \fBHOST_NOT_FOUND\fR No such host is known. -.TP +.TP 3n \fBNO_ADDRESS\fR The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer. -.TP +.TP 3n \fBTRY_AGAIN\fR A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried. -.TP +.TP 3n \fBNO_RECOVERY\fR An unexpected failure occurred, and retrying the request is pointless. .PP @@ -168,3 +173,5 @@ translates these error codes to suitable error messages. \fBlwres_getaddrinfo\fR(3), \fBlwres_getnameinfo\fR(3), \fBlwres_hstrerror\fR(3). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html index d44df8402d..baf36e173e 100644 --- a/lib/lwres/man/lwres_getipnode.html +++ b/lib/lwres/man/lwres_getipnode.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_getipnode - +

    -
    +

    Name

    lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent — lightweight resolver nodename / address translation API

    @@ -36,25 +36,31 @@
    - + - + + + + + + - + - + @@ -64,41 +70,55 @@ struct hostent * - + - + + + + + + - + - +
    struct hostent * lwres_gethostbyname2(const char *   name,
     int    +name,
       af);
    struct hostent * lwres_gethostbyaddr(const char *   addr,
     int    +addr,
       len,
     int    type);
    struct hostent * lwres_gethostbyname_r(const char *   name,
     struct hostent *   +name,
       resbuf,
     char *   buf,
     int    buflen,
     int *   error);
    struct hostent * lwres_gethostbyaddr_r(const char *   addr,
     int    +addr,
       len,
     int    type,
     struct hostent *   resbuf,
     char *   buf,
     int    buflen,
     int *   error);
    struct hostent * lwres_gethostent_r(struct hostent *   resbuf,
     char *   +resbuf,
       buf,
     int    buflen,
     int *   error);
    struct hostent * lwres_getipnodebyname(const char *   name,
     int    +name,
       af,
     int    flags,
     int *   error_num);
    struct hostent * lwres_getipnodebyaddr(const void *   src,
     size_t    +src,
       len,
     int    af,
     int *   error_num);
    - +
    + - + -
    void lwres_freehostent(struct hostent *   he);
    + + +  +  + +he); + +
    -

    DESCRIPTION

    +

    DESCRIPTION

    These functions perform thread safe, protocol independent nodename-to-address and address-to-nodename @@ -217,7 +237,7 @@ struct hostent {

    -

    RETURN VALUES

    +

    RETURN VALUES

    If an error occurs, lwres_getipnodebyname() @@ -261,7 +281,7 @@ struct hostent {

    -

    SEE ALSO

    +

    SEE ALSO

    RFC2553, lwres(3), diff --git a/lib/lwres/man/lwres_getnameinfo.3 b/lib/lwres/man/lwres_getnameinfo.3 index 14f4c11587..0570ba2c0c 100644 --- a/lib/lwres/man/lwres_getnameinfo.3 +++ b/lib/lwres/man/lwres_getnameinfo.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getnameinfo.3,v 1.26 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_getnameinfo.3,v 1.27 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_getnameinfo +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,7 +36,7 @@ lwres_getnameinfo \- lightweight resolver socket address structure to hostname a #include .fi .HP 22 -\fBint\ \fBlwres_getnameinfo\fR\fR\fB(\fR\fBconst\ struct\ sockaddr\ *\fR\fB\fIsa\fR\fR\fB, \fR\fBsize_t\ \fR\fB\fIsalen\fR\fR\fB, \fR\fBchar\ *\fR\fB\fIhost\fR\fR\fB, \fR\fBsize_t\ \fR\fB\fIhostlen\fR\fR\fB, \fR\fBchar\ *\fR\fB\fIserv\fR\fR\fB, \fR\fBsize_t\ \fR\fB\fIservlen\fR\fR\fB, \fR\fBint\ \fR\fB\fIflags\fR\fR\fB);\fR +.BI "int lwres_getnameinfo(const\ struct\ sockaddr\ *" "sa" ", size_t\ " "salen" ", char\ *" "host" ", size_t\ " "hostlen" ", char\ *" "serv" ", size_t\ " "servlen" ", int\ " "flags" ");" .SH "DESCRIPTION" .PP This function is equivalent to the @@ -41,7 +44,8 @@ This function is equivalent to the function defined in RFC2133. \fBlwres_getnameinfo()\fR returns the hostname for the -\fBstruct sockaddr\fR\fIsa\fR +\fBstruct sockaddr\fR +\fIsa\fR which is \fIsalen\fR bytes long. The hostname is of length @@ -64,19 +68,19 @@ bytes long. The maximum length of the service name is The \fIflags\fR argument sets the following bits: -.TP +.TP 3n \fBNI_NOFQDN\fR A fully qualified domain name is not required for local hosts. The local part of the fully qualified domain name is returned instead. -.TP +.TP 3n \fBNI_NUMERICHOST\fR Return the address in numeric form, as if calling inet_ntop(), instead of a host name. -.TP +.TP 3n \fBNI_NAMEREQD\fR A name is required. If the hostname cannot be found in the DNS and this flag is set, a non\-zero error code is returned. If the hostname is not found and the flag is not set, the address is returned in numeric form. -.TP +.TP 3n \fBNI_NUMERICSERV\fR The service name is returned as a digit string representing the port number. -.TP +.TP 3n \fBNI_DGRAM\fR Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512\-514) that have different services for UDP and TCP. .SH "RETURN VALUES" @@ -96,3 +100,5 @@ returns 0 on success or a non\-zero error code if an error occurs. RFC2133 fails to define what the nonzero return values of \fBgetnameinfo\fR(3) are. +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html index cdc449f79b..40545f09fb 100644 --- a/lib/lwres/man/lwres_getnameinfo.html +++ b/lib/lwres/man/lwres_getnameinfo.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_getnameinfo - +

    -
    +

    Name

    lwres_getnameinfo — lightweight resolver socket address structure to hostname and @@ -38,43 +38,49 @@ int lwres_getnameinfo( -const struct sockaddr *  +  sa,   -size_t   +  + +sa, + + +  +  salen,   -char *  +  host,   -size_t   +  hostlen,   -char *  +  serv,   -size_t   +  servlen,   -int   +  flags); @@ -82,7 +88,7 @@ int

    -

    DESCRIPTION

    +

    DESCRIPTION

    This function is equivalent to the getnameinfo(3) function defined in RFC2133. @@ -149,13 +155,13 @@ int

    -

    RETURN VALUES

    +

    RETURN VALUES

    lwres_getnameinfo() returns 0 on success or a non-zero error code if an error occurs.

    -

    SEE ALSO

    +

    SEE ALSO

    RFC2133, getservbyport(3), lwres(3), @@ -165,7 +171,7 @@ int

    -

    BUGS

    +

    BUGS

    RFC2133 fails to define what the nonzero return values of getnameinfo(3) diff --git a/lib/lwres/man/lwres_getrrsetbyname.3 b/lib/lwres/man/lwres_getrrsetbyname.3 index 35c9410ffc..b0e92836fd 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.3 +++ b/lib/lwres/man/lwres_getrrsetbyname.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getrrsetbyname.3,v 1.22 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_getrrsetbyname.3,v 1.23 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_getrrsetbyname +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Oct 18, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,20 +36,23 @@ lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records #include .fi .HP 25 -\fBint\ \fBlwres_getrrsetbyname\fR\fR\fB(\fR\fBconst\ char\ *\fR\fB\fIhostname\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIrdclass\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIrdtype\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIflags\fR\fR\fB, \fR\fBstruct\ rrsetinfo\ **\fR\fB\fIres\fR\fR\fB);\fR +.BI "int lwres_getrrsetbyname(const\ char\ *" "hostname" ", unsigned\ int\ " "rdclass" ", unsigned\ int\ " "rdtype" ", unsigned\ int\ " "flags" ", struct\ rrsetinfo\ **" "res" ");" .HP 21 -\fBvoid\ \fBlwres_freerrset\fR\fR\fB(\fR\fBstruct\ rrsetinfo\ *\fR\fB\fIrrset\fR\fR\fB);\fR +.BI "void lwres_freerrset(struct\ rrsetinfo\ *" "rrset" ");" .PP The following structures are used: .PP +.RS 3n .nf struct rdatainfo { unsigned int rdi_length; /* length of data */ unsigned char *rdi_data; /* record data */ }; .fi +.RE .sp .PP +.RS 3n .nf struct rrsetinfo { unsigned int rri_flags; /* RRSET_VALIDATED... */ @@ -60,6 +66,7 @@ struct rrsetinfo { struct rdatainfo *rri_sigs; /* individual signatures */ }; .fi +.RE .sp .SH "DESCRIPTION" .PP @@ -119,22 +126,24 @@ created by a call to .PP \fBlwres_getrrsetbyname()\fR returns zero on success, and one of the following error codes if an error occurred: -.TP +.TP 3n \fBERRSET_NONAME\fR the name does not exist -.TP +.TP 3n \fBERRSET_NODATA\fR the name exists, but does not have data of the desired type -.TP +.TP 3n \fBERRSET_NOMEMORY\fR memory could not be allocated -.TP +.TP 3n \fBERRSET_INVAL\fR a parameter is invalid -.TP +.TP 3n \fBERRSET_FAIL\fR other failure -.TP +.TP 3n .SH "SEE ALSO" .PP \fBlwres\fR(3). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html index c8ead6da8f..35a54dd6d1 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.html +++ b/lib/lwres/man/lwres_getrrsetbyname.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_getrrsetbyname - +

    -
    +

    Name

    lwres_getrrsetbyname, lwres_freerrset — retrieve DNS records

    @@ -36,43 +36,57 @@ int lwres_getrrsetbyname( -const char *  +  hostname,   -unsigned int   +  + +hostname, + + +  +  rdclass,   -unsigned int   +  rdtype,   -unsigned int   +  flags,   -struct rrsetinfo **  +  res); - +
    + - + -
    void lwres_freerrset(struct rrsetinfo *   rrset);
    + + +  +  + +rrset); + +

    The following structures are used: @@ -102,7 +116,7 @@ struct rrsetinfo {

    -

    DESCRIPTION

    +

    DESCRIPTION

    lwres_getrrsetbyname() gets a set of resource records associated with a hostname, class, @@ -150,7 +164,7 @@ struct rrsetinfo {

    -

    RETURN VALUES

    +

    RETURN VALUES

    lwres_getrrsetbyname() returns zero on success, and one of the following error codes if an error occurred: @@ -184,7 +198,7 @@ struct rrsetinfo {

    -

    SEE ALSO

    +

    SEE ALSO

    lwres(3).

    diff --git a/lib/lwres/man/lwres_gnba.3 b/lib/lwres/man/lwres_gnba.3 index b0e5907cdd..f790693242 100644 --- a/lib/lwres/man/lwres_gnba.3 +++ b/lib/lwres/man/lwres_gnba.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gnba.3,v 1.24 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_gnba.3,v 1.25 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_gnba +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,17 +36,17 @@ lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lw #include .fi .HP 40 -\fBlwres_result_t\ \fBlwres_gnbarequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gnbarequest_t\ *\fR\fB\fIreq\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "lwres_result_t lwres_gnbarequest_render(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");" .HP 41 -\fBlwres_result_t\ \fBlwres_gnbaresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gnbaresponse_t\ *\fR\fB\fIreq\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "lwres_result_t lwres_gnbaresponse_render(lwres_context_t\ *" "ctx" ", lwres_gnbaresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");" .HP 39 -\fBlwres_result_t\ \fBlwres_gnbarequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_gnbarequest_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_gnbarequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gnbarequest_t\ **" "structp" ");" .HP 40 -\fBlwres_result_t\ \fBlwres_gnbaresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_gnbaresponse_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_gnbaresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gnbaresponse_t\ **" "structp" ");" .HP 29 -\fBvoid\ \fBlwres_gnbaresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gnbaresponse_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "void lwres_gnbaresponse_free(lwres_context_t\ *" "ctx" ", lwres_gnbaresponse_t\ **" "structp" ");" .HP 28 -\fBvoid\ \fBlwres_gnbarequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gnbarequest_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "void lwres_gnbarequest_free(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ **" "structp" ");" .SH "DESCRIPTION" .PP These are low\-level routines for creating and parsing lightweight resolver address\-to\-name lookup request and response messages. @@ -57,19 +60,24 @@ to the canonical format. This is complemented by a parse function which converts These structures are defined in \fIlwres/lwres.h\fR. They are shown below. .PP +.RS 3n .nf #define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U .fi +.RE .sp .PP +.RS 3n .nf typedef struct { lwres_uint32_t flags; lwres_addr_t addr; } lwres_gnbarequest_t; .fi +.RE .sp .PP +.RS 3n .nf typedef struct { lwres_uint32_t flags; @@ -82,6 +90,7 @@ typedef struct { size_t baselen; } lwres_gnbaresponse_t; .fi +.RE .sp .PP \fBlwres_gnbarequest_render()\fR @@ -135,7 +144,8 @@ structures referenced via .PP The getnamebyaddr opcode functions \fBlwres_gnbarequest_render()\fR, -\fBlwres_gnbaresponse_render()\fR\fBlwres_gnbarequest_parse()\fR +\fBlwres_gnbaresponse_render()\fR +\fBlwres_gnbarequest_parse()\fR and \fBlwres_gnbaresponse_parse()\fR all return @@ -166,3 +176,5 @@ indicate that the packet is not a response to an earlier query. .SH "SEE ALSO" .PP \fBlwres_packet\fR(3). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html index b026a29c08..3ec3e6a06f 100644 --- a/lib/lwres/man/lwres_gnba.html +++ b/lib/lwres/man/lwres_gnba.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_gnba - +
    -
    +

    Name

    lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free — lightweight resolver getnamebyaddress message handling

    @@ -39,25 +39,31 @@ lwres_result_t lwres_gnbarequest_render (     -lwres_context_t *  +  ctx,   -lwres_gnbarequest_t *  +  + +ctx, + + +  +  req,   -lwres_lwpacket_t *  +  pkt,   -lwres_buffer_t *  +  b); @@ -68,25 +74,31 @@ lwres_result_t lwres_result_t lwres_gnbaresponse_render (     -lwres_context_t *  +  ctx,   -lwres_gnbaresponse_t *  +  + +ctx, + + +  +  req,   -lwres_lwpacket_t *  +  pkt,   -lwres_buffer_t *  +  b); @@ -96,25 +108,31 @@ lwres_result_t lwres_result_t lwres_gnbarequest_parse( -lwres_context_t *  +  ctx,   -lwres_buffer_t *  +  + +ctx, + + +  +  b,   -lwres_lwpacket_t *  +  pkt,   -lwres_gnbarequest_t **  +  structp); @@ -124,25 +142,31 @@ lwres_result_t lwres_result_t lwres_gnbaresponse_parse( -lwres_context_t *  +  ctx,   -lwres_buffer_t *  +  + +ctx, + + +  +  b,   -lwres_lwpacket_t *  +  pkt,   -lwres_gnbaresponse_t **  +  structp); @@ -153,13 +177,19 @@ lwres_result_t void lwres_gnbaresponse_free ( -lwres_context_t *  +  ctx,   -lwres_gnbaresponse_t **  +  + +ctx, + + +  +  structp); @@ -169,13 +199,19 @@ void void lwres_gnbarequest_free( -lwres_context_t *  +  ctx,   -lwres_gnbarequest_t **  +  + +ctx, + + +  +  structp); @@ -183,7 +219,7 @@ void
    -

    DESCRIPTION

    +

    DESCRIPTION

    These are low-level routines for creating and parsing lightweight resolver address-to-name lookup request and @@ -270,7 +306,7 @@ typedef struct {

    -

    RETURN VALUES

    +

    RETURN VALUES

    The getnamebyaddr opcode functions lwres_gnbarequest_render(), @@ -308,7 +344,7 @@ typedef struct {

    -

    SEE ALSO

    +

    SEE ALSO

    lwres_packet(3).

    diff --git a/lib/lwres/man/lwres_hstrerror.3 b/lib/lwres/man/lwres_hstrerror.3 index 07efc927f1..9d0c9612b2 100644 --- a/lib/lwres/man/lwres_hstrerror.3 +++ b/lib/lwres/man/lwres_hstrerror.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_hstrerror.3,v 1.24 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_hstrerror.3,v 1.25 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_hstrerror +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,9 +36,9 @@ lwres_herror, lwres_hstrerror \- lightweight resolver error message generation #include .fi .HP 18 -\fBvoid\ \fBlwres_herror\fR\fR\fB(\fR\fBconst\ char\ *\fR\fB\fIs\fR\fR\fB);\fR +.BI "void lwres_herror(const\ char\ *" "s" ");" .HP 29 -\fBconst\ char\ *\ \fBlwres_hstrerror\fR\fR\fB(\fR\fBint\ \fR\fB\fIerr\fR\fR\fB);\fR +.BI "const char * lwres_hstrerror(int\ " "err" ");" .SH "DESCRIPTION" .PP \fBlwres_herror()\fR @@ -51,19 +54,19 @@ for the error code stored in the global variable \fBlwres_hstrerror()\fR returns an appropriate string for the error code gievn by \fIerr\fR. The values of the error codes and messages are as follows: -.TP +.TP 3n \fBNETDB_SUCCESS\fR Resolver Error 0 (no error) -.TP +.TP 3n \fBHOST_NOT_FOUND\fR Unknown host -.TP +.TP 3n \fBTRY_AGAIN\fR Host name lookup failure -.TP +.TP 3n \fBNO_RECOVERY\fR Unknown server error -.TP +.TP 3n \fBNO_DATA\fR No address associated with name .SH "RETURN VALUES" @@ -79,3 +82,5 @@ is not a valid error code. .PP \fBherror\fR(3), \fBlwres_hstrerror\fR(3). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html index 58154c8631..5abe39671c 100644 --- a/lib/lwres/man/lwres_hstrerror.html +++ b/lib/lwres/man/lwres_hstrerror.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_hstrerror - +
    -
    +

    Name

    lwres_herror, lwres_hstrerror — lightweight resolver error message generation

    @@ -40,7 +40,7 @@ const char *
    -

    DESCRIPTION

    +

    DESCRIPTION

    lwres_herror() prints the string s on stderr followed by the string generated by @@ -74,7 +74,7 @@ const char *

    -

    RETURN VALUES

    +

    RETURN VALUES

    The string Unknown resolver error is returned by lwres_hstrerror() @@ -84,7 +84,7 @@ const char *

    -

    SEE ALSO

    +

    SEE ALSO

    herror(3), lwres_hstrerror(3). diff --git a/lib/lwres/man/lwres_inetntop.3 b/lib/lwres/man/lwres_inetntop.3 index cbad444c20..2fb101bf16 100644 --- a/lib/lwres/man/lwres_inetntop.3 +++ b/lib/lwres/man/lwres_inetntop.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_inetntop.3,v 1.23 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_inetntop.3,v 1.24 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_inetntop +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,7 +36,7 @@ lwres_net_ntop \- lightweight resolver IP address presentation #include .fi .HP 28 -\fBconst\ char\ *\ \fBlwres_net_ntop\fR\fR\fB(\fR\fBint\ \fR\fB\fIaf\fR\fR\fB, \fR\fBconst\ void\ *\fR\fB\fIsrc\fR\fR\fB, \fR\fBchar\ *\fR\fB\fIdst\fR\fR\fB, \fR\fBsize_t\ \fR\fB\fIsize\fR\fR\fB);\fR +.BI "const char * lwres_net_ntop(int\ " "af" ", const\ void\ *" "src" ", char\ *" "dst" ", size_t\ " "size" ");" .SH "DESCRIPTION" .PP \fBlwres_net_ntop()\fR @@ -67,3 +70,5 @@ is not supported. \fBRFC1884\fR(), \fBinet_ntop\fR(3), \fBerrno\fR(3). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html index 9994aa1ab0..fd0de3f371 100644 --- a/lib/lwres/man/lwres_inetntop.html +++ b/lib/lwres/man/lwres_inetntop.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_inetntop - +

    -
    +

    Name

    lwres_net_ntop — lightweight resolver IP address presentation

    @@ -36,25 +36,31 @@ const char * lwres_net_ntop( -int   +  af,   -const void *  +  + +af, + + +  +  src,   -char *  +  dst,   -size_t   +  size); @@ -62,7 +68,7 @@ const char *
    -

    DESCRIPTION

    +

    DESCRIPTION

    lwres_net_ntop() converts an IP address of protocol family af — IPv4 or IPv6 — at @@ -80,7 +86,7 @@ const char *

    -

    RETURN VALUES

    +

    RETURN VALUES

    If successful, the function returns dst: a pointer to a string containing the presentation format of the @@ -93,7 +99,7 @@ const char *

    -

    SEE ALSO

    +

    SEE ALSO

    RFC1884, inet_ntop(3), errno(3). diff --git a/lib/lwres/man/lwres_noop.3 b/lib/lwres/man/lwres_noop.3 index d98006d022..f822041889 100644 --- a/lib/lwres/man/lwres_noop.3 +++ b/lib/lwres/man/lwres_noop.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_noop.3,v 1.25 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_noop.3,v 1.26 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_noop +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,17 +36,17 @@ lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lw #include .fi .HP 40 -\fBlwres_result_t\ \fBlwres_nooprequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_nooprequest_t\ *\fR\fB\fIreq\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "lwres_result_t lwres_nooprequest_render(lwres_context_t\ *" "ctx" ", lwres_nooprequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");" .HP 41 -\fBlwres_result_t\ \fBlwres_noopresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_noopresponse_t\ *\fR\fB\fIreq\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR +.BI "lwres_result_t lwres_noopresponse_render(lwres_context_t\ *" "ctx" ", lwres_noopresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");" .HP 39 -\fBlwres_result_t\ \fBlwres_nooprequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_nooprequest_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_nooprequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_nooprequest_t\ **" "structp" ");" .HP 40 -\fBlwres_result_t\ \fBlwres_noopresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_noopresponse_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_noopresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_noopresponse_t\ **" "structp" ");" .HP 29 -\fBvoid\ \fBlwres_noopresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_noopresponse_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "void lwres_noopresponse_free(lwres_context_t\ *" "ctx" ", lwres_noopresponse_t\ **" "structp" ");" .HP 28 -\fBvoid\ \fBlwres_nooprequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_nooprequest_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "void lwres_nooprequest_free(lwres_context_t\ *" "ctx" ", lwres_nooprequest_t\ **" "structp" ");" .SH "DESCRIPTION" .PP These are low\-level routines for creating and parsing lightweight resolver no\-op request and response messages. @@ -61,25 +64,31 @@ to the canonical format. This is complemented by a parse function which converts These structures are defined in \fIlwres/lwres.h\fR. They are shown below. .PP +.RS 3n .nf #define LWRES_OPCODE_NOOP 0x00000000U .fi +.RE .sp .PP +.RS 3n .nf typedef struct { lwres_uint16_t datalength; unsigned char *data; } lwres_nooprequest_t; .fi +.RE .sp .PP +.RS 3n .nf typedef struct { lwres_uint16_t datalength; unsigned char *data; } lwres_noopresponse_t; .fi +.RE .sp .PP Although the structures have different types, they are identical. This is because the no\-op opcode simply echos whatever data was sent: the response is therefore identical to the request. @@ -135,7 +144,8 @@ structures referenced via .PP The no\-op opcode functions \fBlwres_nooprequest_render()\fR, -\fBlwres_noopresponse_render()\fR\fBlwres_nooprequest_parse()\fR +\fBlwres_noopresponse_render()\fR +\fBlwres_nooprequest_parse()\fR and \fBlwres_noopresponse_parse()\fR all return @@ -166,3 +176,5 @@ indicate that the packet is not a response to an earlier query. .SH "SEE ALSO" .PP \fBlwres_packet\fR(3) +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html index 168469b267..247792f925 100644 --- a/lib/lwres/man/lwres_noop.html +++ b/lib/lwres/man/lwres_noop.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_noop - +

    -
    +

    Name

    lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free — lightweight resolver no-op message handling

    @@ -37,25 +37,31 @@ lwres_result_t lwres_nooprequest_render( -lwres_context_t *  +  ctx,   -lwres_nooprequest_t *  +  + +ctx, + + +  +  req,   -lwres_lwpacket_t *  +  pkt,   -lwres_buffer_t *  +  b); @@ -65,25 +71,31 @@ lwres_result_t lwres_result_t lwres_noopresponse_render( -lwres_context_t *  +  ctx,   -lwres_noopresponse_t *  +  + +ctx, + + +  +  req,   -lwres_lwpacket_t *  +  pkt,   -lwres_buffer_t *  +  b); @@ -93,25 +105,31 @@ lwres_result_t lwres_result_t lwres_nooprequest_parse( -lwres_context_t *  +  ctx,   -lwres_buffer_t *  +  + +ctx, + + +  +  b,   -lwres_lwpacket_t *  +  pkt,   -lwres_nooprequest_t **  +  structp); @@ -121,25 +139,31 @@ lwres_result_t lwres_result_t lwres_noopresponse_parse( -lwres_context_t *  +  ctx,   -lwres_buffer_t *  +  + +ctx, + + +  +  b,   -lwres_lwpacket_t *  +  pkt,   -lwres_noopresponse_t **  +  structp); @@ -149,13 +173,19 @@ lwres_result_t void lwres_noopresponse_free( -lwres_context_t *  +  ctx,   -lwres_noopresponse_t **  +  + +ctx, + + +  +  structp); @@ -165,13 +195,19 @@ void void lwres_nooprequest_free( -lwres_context_t *  +  ctx,   -lwres_nooprequest_t **  +  + +ctx, + + +  +  structp); @@ -179,7 +215,7 @@ void
    -

    DESCRIPTION

    +

    DESCRIPTION

    These are low-level routines for creating and parsing lightweight resolver no-op request and response messages. @@ -270,7 +306,7 @@ typedef struct {

    -

    RETURN VALUES

    +

    RETURN VALUES

    The no-op opcode functions lwres_nooprequest_render(), @@ -309,7 +345,7 @@ typedef struct {

    -

    SEE ALSO

    +

    SEE ALSO

    lwres_packet(3)

    diff --git a/lib/lwres/man/lwres_packet.3 b/lib/lwres/man/lwres_packet.3 index df9190e422..f60714aea2 100644 --- a/lib/lwres/man/lwres_packet.3 +++ b/lib/lwres/man/lwres_packet.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_packet.3,v 1.26 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_packet.3,v 1.27 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_packet +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,9 +36,9 @@ lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver #include .fi .HP 43 -\fBlwres_result_t\ \fBlwres_lwpacket_renderheader\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB);\fR +.BI "lwres_result_t lwres_lwpacket_renderheader(lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ");" .HP 42 -\fBlwres_result_t\ \fBlwres_lwpacket_parseheader\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB);\fR +.BI "lwres_result_t lwres_lwpacket_parseheader(lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ");" .SH "DESCRIPTION" .PP These functions rely on a @@ -43,11 +46,14 @@ These functions rely on a which is defined in \fIlwres/lwpacket.h\fR. .PP +.RS 3n .nf typedef struct lwres_lwpacket lwres_lwpacket_t; .fi +.RE .sp .PP +.RS 3n .nf struct lwres_lwpacket { lwres_uint32_t length; @@ -61,52 +67,54 @@ struct lwres_lwpacket { lwres_uint16_t authlength; }; .fi +.RE .sp .PP The elements of this structure are: -.TP +.TP 3n \fBlength\fR the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls. -.TP +.TP 3n \fBversion\fR the header format. There is currently only one format, \fBLWRES_LWPACKETVERSION_0\fR. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls. -.TP +.TP 3n \fBpktflags\fR library\-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls. -.TP +.TP 3n \fBserial\fR is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. This field must be set by the application. -.TP +.TP 3n \fBopcode\fR indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls. -.TP +.TP 3n \fBresult\fR is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls. -.TP +.TP 3n \fBrecvlength\fR is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. This field is supplied by the application. -.TP +.TP 3n \fBauthtype\fR defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. Currently these are not used and must be zero. -.TP +.TP 3n \fBauthlen\fR gives the length of the authentication data. Since packet authentication is currently not used, this must be zero. .PP The following opcodes are currently defined: -.TP +.TP 3n \fBNOOP\fR Success is always returned and the packet contents are echoed. The lwres_noop_*() functions should be used for this type. -.TP +.TP 3n \fBGETADDRSBYNAME\fR returns all known addresses for a given name. The lwres_gabn_*() functions should be used for this type. -.TP +.TP 3n \fBGETNAMEBYADDR\fR return the hostname for the given address. The lwres_gnba_*() functions should be used for this type. .PP \fBlwres_lwpacket_renderheader()\fR transfers the contents of lightweight resolver packet structure -\fBlwres_lwpacket_t\fR\fI*pkt\fR +\fBlwres_lwpacket_t\fR +\fI*pkt\fR in network byte order to the lightweight resolver buffer, \fI*b\fR. .PP @@ -131,3 +139,5 @@ and lightweight resolver packet \fI*pkt\fR both functions return \fBLWRES_R_UNEXPECTEDEND\fR. +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html index bfd05317e8..1563543906 100644 --- a/lib/lwres/man/lwres_packet.html +++ b/lib/lwres/man/lwres_packet.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_packet - +
    -
    +

    Name

    lwres_lwpacket_renderheader, lwres_lwpacket_parseheader — lightweight resolver packet handling functions

    @@ -36,13 +36,19 @@ lwres_result_t lwres_lwpacket_renderheader( -lwres_buffer_t *  +  b,   -lwres_lwpacket_t *  +  + +b, + + +  +  pkt); @@ -52,13 +58,19 @@ lwres_result_t lwres_result_t lwres_lwpacket_parseheader( -lwres_buffer_t *  +  b,   -lwres_lwpacket_t *  +  + +b, + + +  +  pkt); @@ -66,7 +78,7 @@ lwres_result_t
    -

    DESCRIPTION

    +

    DESCRIPTION

    These functions rely on a struct lwres_lwpacket @@ -219,7 +231,7 @@ struct lwres_lwpacket {

    -

    RETURN VALUES

    +

    RETURN VALUES

    Successful calls to lwres_lwpacket_renderheader() and diff --git a/lib/lwres/man/lwres_resutil.3 b/lib/lwres/man/lwres_resutil.3 index 1fb3999e44..f24232828b 100644 --- a/lib/lwres/man/lwres_resutil.3 +++ b/lib/lwres/man/lwres_resutil.3 @@ -13,14 +13,17 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_resutil.3,v 1.25 2005/10/13 03:14:01 marka Exp $ +.\" $Id: lwres_resutil.3,v 1.26 2006/06/29 13:03:32 marka Exp $ .\" .hy 0 .ad l -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.\" Title: lwres_resutil +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: Jun 30, 2000 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" .TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" "BIND9" .\" disable hyphenation .nh @@ -33,13 +36,13 @@ lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr #include .fi .HP 34 -\fBlwres_result_t\ \fBlwres_string_parse\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBchar\ **\fR\fB\fIc\fR\fR\fB, \fR\fBlwres_uint16_t\ *\fR\fB\fIlen\fR\fR\fB);\fR +.BI "lwres_result_t lwres_string_parse(lwres_buffer_t\ *" "b" ", char\ **" "c" ", lwres_uint16_t\ *" "len" ");" .HP 32 -\fBlwres_result_t\ \fBlwres_addr_parse\fR\fR\fB(\fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB, \fR\fBlwres_addr_t\ *\fR\fB\fIaddr\fR\fR\fB);\fR +.BI "lwres_result_t lwres_addr_parse(lwres_buffer_t\ *" "b" ", lwres_addr_t\ *" "addr" ");" .HP 36 -\fBlwres_result_t\ \fBlwres_getaddrsbyname\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBconst\ char\ *\fR\fB\fIname\fR\fR\fB, \fR\fBlwres_uint32_t\ \fR\fB\fIaddrtypes\fR\fR\fB, \fR\fBlwres_gabnresponse_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_getaddrsbyname(lwres_context_t\ *" "ctx" ", const\ char\ *" "name" ", lwres_uint32_t\ " "addrtypes" ", lwres_gabnresponse_t\ **" "structp" ");" .HP 35 -\fBlwres_result_t\ \fBlwres_getnamebyaddr\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_uint32_t\ \fR\fB\fIaddrtype\fR\fR\fB, \fR\fBlwres_uint16_t\ \fR\fB\fIaddrlen\fR\fR\fB, \fR\fBconst\ unsigned\ char\ *\fR\fB\fIaddr\fR\fR\fB, \fR\fBlwres_gnbaresponse_t\ **\fR\fB\fIstructp\fR\fR\fB);\fR +.BI "lwres_result_t lwres_getnamebyaddr(lwres_context_t\ *" "ctx" ", lwres_uint32_t\ " "addrtype" ", lwres_uint16_t\ " "addrlen" ", const\ unsigned\ char\ *" "addr" ", lwres_gnbaresponse_t\ **" "structp" ");" .SH "DESCRIPTION" .PP \fBlwres_string_parse()\fR @@ -71,6 +74,7 @@ use the \fBlwres_gnbaresponse_t\fR structure defined below: .PP +.RS 3n .nf typedef struct { lwres_uint32_t flags; @@ -85,6 +89,7 @@ typedef struct { size_t baselen; } lwres_gabnresponse_t; .fi +.RE .PP The contents of this structure are not manipulated directly but they are controlled through the \fBlwres_gabn\fR(3) @@ -158,3 +163,5 @@ if the buffers used for sending queries and receiving replies are too small. .PP \fBlwres_buffer\fR(3), \fBlwres_gabn\fR(3). +.SH "COPYRIGHT" +Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html index 0e116bfaf9..48037f5302 100644 --- a/lib/lwres/man/lwres_resutil.html +++ b/lib/lwres/man/lwres_resutil.html @@ -14,15 +14,15 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + lwres_resutil - +

    -
    +

    Name

    lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr — lightweight resolver utility functions

    @@ -36,19 +36,25 @@ lwres_result_t lwres_string_parse( -lwres_buffer_t *  +  b,   -char **  +  + +b, + + +  +  c,   -lwres_uint16_t *  +  len); @@ -58,13 +64,19 @@ lwres_result_t lwres_result_t lwres_addr_parse( -lwres_buffer_t *  +  b,   -lwres_addr_t *  +  + +b, + + +  +  addr); @@ -74,25 +86,31 @@ lwres_result_t lwres_result_t lwres_getaddrsbyname( -lwres_context_t *  +  ctx,   -const char *  +  + +ctx, + + +  +  name,   -lwres_uint32_t   +  addrtypes,   -lwres_gabnresponse_t **  +  structp); @@ -102,31 +120,37 @@ lwres_result_t lwres_result_t lwres_getnamebyaddr( -lwres_context_t *  +  ctx,   -lwres_uint32_t   +  + +ctx, + + +  +  addrtype,   -lwres_uint16_t   +  addrlen,   -const unsigned char *  +  addr,   -lwres_gnbaresponse_t **  +  structp); @@ -134,7 +158,7 @@ lwres_result_t
    -

    DESCRIPTION

    +

    DESCRIPTION

    lwres_string_parse() retrieves a DNS-encoded string starting the current pointer of lightweight resolver buffer b: i.e. @@ -210,7 +234,7 @@ typedef struct {

    -

    RETURN VALUES

    +

    RETURN VALUES

    Successful calls to lwres_string_parse() @@ -248,7 +272,7 @@ typedef struct {

    -

    SEE ALSO

    +

    SEE ALSO

    lwres_buffer(3), lwres_gabn(3). From c5071a060e7fd29bc8d6a0c52fd70326dff173b3 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 30 Jun 2006 23:16:53 +0000 Subject: [PATCH 317/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 095e311dde..3ccc1d2405 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -48,6 +48,7 @@ rt16170 new rt16179 new rt16182 new rt16183 new +rt16218 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From 4b603631904e7dadd86a78b9215e97643232c909 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 3 Jul 2006 23:16:51 +0000 Subject: [PATCH 318/465] auto update --- doc/private/branches | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/private/branches b/doc/private/branches index 3ccc1d2405..7763810132 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -49,6 +49,8 @@ rt16179 new rt16182 new rt16183 new rt16218 new +rt16219 new +rt16220 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From 3d5430b75a454e3b4ebe4aecb2083fab1bb9569b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Thu, 6 Jul 2006 06:30:00 +0000 Subject: [PATCH 319/465] warning fix in a call to isc_atomic_store() [RT#16219] --- lib/dns/acache.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/dns/acache.c b/lib/dns/acache.c index 6b8ff8b957..35e36ce6f7 100644 --- a/lib/dns/acache.c +++ b/lib/dns/acache.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: acache.c,v 1.17 2006/06/28 08:28:49 jinmei Exp $ */ +/* $Id: acache.c,v 1.18 2006/07/06 06:30:00 jinmei Exp $ */ #include @@ -87,7 +87,8 @@ #define ACACHE_LOCK(l, t) RWLOCK((l), (t)) #define ACACHE_UNLOCK(l, t) RWUNLOCK((l), (t)) -#define acache_storetime(entry, t) (isc_atomic_store(&(entry)->lastused, (t))) +#define acache_storetime(entry, t) \ + (isc_atomic_store((isc_int32_t *)&(entry)->lastused, (t))) #else #define ACACHE_INITLOCK(l) isc_mutex_init(l) #define ACACHE_DESTROYLOCK(l) DESTROYLOCK(l) From c6ee5082db1e40ab64e08a540620da79996efa9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Thu, 6 Jul 2006 06:36:51 +0000 Subject: [PATCH 320/465] 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate cleanup. --- CHANGES | 3 +++ lib/dns/rbtdb.c | 10 ++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index d4215627a0..b689247dca 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate + cleanup. + 2045. [func] use lock buckets for acache entries to limit memory consumption. [RT #16183] diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index c6aa830349..5093d5d734 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.235 2006/06/13 04:49:18 marka Exp $ */ +/* $Id: rbtdb.c,v 1.236 2006/07/06 06:36:51 jinmei Exp $ */ /*! \file */ @@ -6629,10 +6629,12 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, acache_cancelentry(rbtdb->common.mctx, newentry, &newcbarg); dns_acache_detachentry(&newentry); + } else { + dns_db_detachnode((dns_db_t *)rbtdb, &newcbarg->node); + dns_db_detach(&newcbarg->db); + isc_mem_put(rbtdb->common.mctx, newcbarg, + sizeof(*newcbarg)); } - dns_db_detachnode((dns_db_t *)rbtdb, &newcbarg->node); - dns_db_detach(&newcbarg->db); - isc_mem_put(rbtdb->common.mctx, newcbarg, sizeof(*newcbarg)); } return (result); From 222dcab0a6456c5395545e885f21b5542b7d841d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Thu, 6 Jul 2006 06:39:26 +0000 Subject: [PATCH 321/465] added RT# to the previous change item --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index b689247dca..1e78d5154a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate - cleanup. + cleanup [RT #16247]. 2045. [func] use lock buckets for acache entries to limit memory consumption. [RT #16183] From 3a1674243a4a7462f512df26ae5143ba499bdfcb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 18 Jul 2006 04:10:06 +0000 Subject: [PATCH 322/465] spelling --- bin/named/named.conf.docbook | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 39360adeca..5068cf5156 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -460,7 +460,7 @@ zone string optional_class rndc8 , -BIND 9 Adminstrators Reference Manual +BIND 9 Administrator Reference Manual . From 63ead20bd465e87ad57cd28575c32229fafc6371 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 18 Jul 2006 20:50:03 +0000 Subject: [PATCH 323/465] regen --- bin/named/named.conf.5 | 4 ++-- bin/named/named.conf.html | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 658d5688a0..2d80a817d4 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -12,7 +12,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.conf.5,v 1.1.6.9 2006/06/29 13:02:06 marka Exp $ +.\" $Id: named.conf.5,v 1.1.6.10 2006/07/18 20:50:03 marka Exp $ .\" .hy 0 .ad l @@ -392,6 +392,6 @@ zone \fIstring\fR \fIoptional_class\fR { .PP \fBnamed\fR(8), \fBrndc\fR(8), -\fBBIND 9 Adminstrators Reference Manual\fR(). +\fBBIND 9 Administrator Reference Manual\fR(). .SH "COPYRIGHT" Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index 1151ac9dca..bad2b05142 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -13,7 +13,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -423,7 +423,7 @@ zone

    named(8), rndc(8), -BIND 9 Adminstrators Reference Manual. +BIND 9 Administrator Reference Manual.

    From 8626c376a038da969de1ee6c158957dfe638daac Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 Jul 2006 00:08:20 +0000 Subject: [PATCH 324/465] 2047. [bug] Failed to initialise the interface flags to zero. [RT #16245] --- CHANGES | 3 +++ bin/named/interfacemgr.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 1e78d5154a..71735c3d84 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2047. [bug] Failed to initialise the interface flags to zero. + [RT #16245] + 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate cleanup [RT #16247]. diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c index 5b1660a5eb..b96b533c4c 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.c,v 1.83 2005/11/30 03:33:48 marka Exp $ */ +/* $Id: interfacemgr.c,v 1.84 2006/07/19 00:08:20 marka Exp $ */ /*! \file */ @@ -191,6 +191,7 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, ifp->mgr = NULL; ifp->generation = mgr->generation; ifp->addr = *addr; + ifp->flags = 0; strncpy(ifp->name, name, sizeof(ifp->name)); ifp->name[sizeof(ifp->name)-1] = '\0'; ifp->clientmgr = NULL; From ce9cfc26a1d0ec8ec34b9c1b4d0977fd2feb1857 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 Jul 2006 00:24:17 +0000 Subject: [PATCH 325/465] log message typo and %d -> %u --- lib/dns/cache.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/dns/cache.c b/lib/dns/cache.c index 0f650f9662..78d98c54e6 100644 --- a/lib/dns/cache.c +++ b/lib/dns/cache.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: cache.c,v 1.71 2006/06/13 04:49:18 marka Exp $ */ +/* $Id: cache.c,v 1.72 2006/07/19 00:24:17 marka Exp $ */ /*! \file */ @@ -205,7 +205,7 @@ adjust_increment(cache_cleaner_t *cleaner, unsigned int remaining, cleaner->increment = DNS_CACHE_CLEANERINCREMENT; isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1), - "%p:new clear->increment = %d\n", + "%p:new cleaner->increment = %u\n", cleaner, cleaner->increment); } return; @@ -225,7 +225,7 @@ adjust_increment(cache_cleaner_t *cleaner, unsigned int remaining, cleaner->increment = (unsigned int)new; isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, - ISC_LOG_DEBUG(1), "%p:new clear->increment = %u\n", + ISC_LOG_DEBUG(1), "%p:new cleaner->increment = %u\n", cleaner, cleaner->increment); } From 7076f000ea3487299a9da9318915d042aaba62c5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 Jul 2006 00:42:13 +0000 Subject: [PATCH 326/465] 2048. [bug] It was possible to loop forever when using avoid-v4-udp-ports / avoid-v6-udp-ports when the OS always returned the same local port. [RT #16182] --- CHANGES | 5 +++++ lib/dns/dispatch.c | 41 ++++++++++++++++++++++++++++++++--------- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index 71735c3d84..c8237e56d9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +2048. [bug] It was possible to loop forever when using + avoid-v4-udp-ports / avoid-v6-udp-ports when + the OS always returned the same local port. + [RT #16182] + 2047. [bug] Failed to initialise the interface flags to zero. [RT #16245] diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index 91607027ea..2a12d3cb71 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dispatch.c,v 1.126 2006/01/06 00:01:44 marka Exp $ */ +/* $Id: dispatch.c,v 1.127 2006/07/19 00:42:13 marka Exp $ */ /*! \file */ @@ -1735,6 +1735,11 @@ dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, /* * mgr should be locked. */ + +#ifndef DNS_DISPATCH_HELD +#define DNS_DISPATCH_HELD 20U +#endif + static isc_result_t dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, isc_taskmgr_t *taskmgr, @@ -1745,7 +1750,9 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, { isc_result_t result; dns_dispatch_t *disp; - isc_socket_t *sock; + isc_socket_t *sock = NULL; + isc_socket_t *held[DNS_DISPATCH_HELD]; + unsigned int i = 0, j = 0; /* * dispatch_allocate() checks mgr for us. @@ -1756,17 +1763,30 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, return (result); /* - * This assumes that the IP stack will *not* quickly reallocate - * the same port. If it does continually reallocate the same port - * then we need a mechanism to hold all the blacklisted sockets - * until we find a usable socket. + * Try to allocate a socket that is not on the blacklist. + * Hold up to DNS_DISPATCH_HELD sockets to prevent the OS + * from returning the same port to us too quickly. */ + memset(held, 0, sizeof(held)); getsocket: result = create_socket(sockmgr, localaddr, &sock); if (result != ISC_R_SUCCESS) goto deallocate_dispatch; if (isc_sockaddr_getport(localaddr) == 0 && blacklisted(mgr, sock)) { - isc_socket_detach(&sock); + if (held[i] != NULL) + isc_socket_detach(&held[i]); + held[i++] = sock; + sock = NULL; + if (i == DNS_DISPATCH_HELD) + i = 0; + if (j++ == 0xffffU) { + mgr_log(mgr, ISC_LOG_ERROR, "avoid-v%s-udp-ports: " + "unable to allocate a non-blacklisted port", + isc_sockaddr_pf(localaddr) == AF_INET ? + "4" : "6"); + result = ISC_R_FAILURE; + goto deallocate_dispatch; + } goto getsocket; } @@ -1803,7 +1823,7 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, *dispp = disp; - return (ISC_R_SUCCESS); + goto cleanheld; /* * Error returns. @@ -1814,7 +1834,10 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, isc_socket_detach(&disp->socket); deallocate_dispatch: dispatch_free(&disp); - + cleanheld: + for (i = 0; i < DNS_DISPATCH_HELD; i++) + if (held[i] != NULL) + isc_socket_detach(&held[i]); return (result); } From 2db8db63992d081c75d664340866e2a21913705d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 Jul 2006 00:53:42 +0000 Subject: [PATCH 327/465] 2049. [bug] Restore SOA before AXFR when falling back from a attempted IXFR when transfering in a zone. Allow a initial SOA query before attempting a AXFR to be requested. [RT #16156] --- CHANGES | 5 ++++ lib/dns/include/dns/xfrin.h | 10 +++++--- lib/dns/xfrin.c | 50 ++++++++++++++++++++++++++++++++----- lib/dns/zone.c | 19 +++++++++++--- 4 files changed, 71 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index c8237e56d9..8ec9c9af80 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +2049. [bug] Restore SOA before AXFR when falling back from + a attempted IXFR when transfering in a zone. + Allow a initial SOA query before attempting + a AXFR to be requested. [RT #16156] + 2048. [bug] It was possible to loop forever when using avoid-v4-udp-ports / avoid-v6-udp-ports when the OS always returned the same local port. diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h index ab6469d8cc..2158d24af7 100644 --- a/lib/dns/include/dns/xfrin.h +++ b/lib/dns/include/dns/xfrin.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrin.h,v 1.22 2005/04/29 00:23:06 marka Exp $ */ +/* $Id: xfrin.h,v 1.23 2006/07/19 00:53:42 marka Exp $ */ #ifndef DNS_XFRIN_H #define DNS_XFRIN_H 1 @@ -77,10 +77,12 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype, * code as arguments when the transfer finishes. * * Requires: - *\li 'xfrtype' is dns_rdatatype_axfr or dns_rdatatype_ixfr. + *\li 'xfrtype' is dns_rdatatype_axfr, dns_rdatatype_ixfr + * of dns_rdatatype_soa (soa query followed by axfr if + * serial is greater than current serial). * - *\li If 'xfrtype' is dns_rdatatype_ixfr, the zone has a - * database. + *\li If 'xfrtype' is dns_rdatatype_ixfr or dns_rdatatype_soa, + * the zone has a database. */ void diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index 2b640eedc7..7d45035b0e 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrin.c,v 1.146 2006/03/01 02:05:11 marka Exp $ */ +/* $Id: xfrin.c,v 1.147 2006/07/19 00:53:42 marka Exp $ */ /*! \file */ @@ -75,6 +75,8 @@ * when the first two (2) response RRs have already been received. */ typedef enum { + XFRST_SOAQUERY, + XFRST_GOTSOA, XFRST_INITIALSOA, XFRST_FIRSTDATA, XFRST_IXFR_DELSOA, @@ -426,6 +428,30 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl, redo: switch (xfr->state) { + case XFRST_SOAQUERY: + if (rdata->type != dns_rdatatype_soa) { + xfrin_log(xfr, ISC_LOG_ERROR, + "non-SOA response to SOA query"); + FAIL(DNS_R_FORMERR); + } + xfr->end_serial = dns_soa_getserial(rdata); + if (!DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial) && + !dns_zone_isforced(xfr->zone)) { + xfrin_log(xfr, ISC_LOG_DEBUG(3), + "requested serial %u, " + "master has %u, not updating", + xfr->ixfr.request_serial, xfr->end_serial); + FAIL(DNS_R_UPTODATE); + } + xfr->state = XFRST_GOTSOA; + break; + + case XFRST_GOTSOA: + /* + * Skip other records in the answer section. + */ + break; + case XFRST_INITIALSOA: if (rdata->type != dns_rdatatype_soa) { xfrin_log(xfr, ISC_LOG_ERROR, @@ -591,6 +617,9 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype, (void)dns_zone_getdb(zone, &db); + if (xfrtype == dns_rdatatype_soa || xfrtype == dns_rdatatype_ixfr) + REQUIRE(db != NULL); + CHECK(xfrin_create(mctx, zone, db, task, timermgr, socketmgr, zonename, dns_zone_getclass(zone), xfrtype, masteraddr, sourceaddr, tsigkey, &xfr)); @@ -759,7 +788,10 @@ xfrin_create(isc_mem_t *mctx, dns_diff_init(xfr->mctx, &xfr->diff); xfr->difflen = 0; - xfr->state = XFRST_INITIALSOA; + if (reqtype == dns_rdatatype_soa) + xfr->state = XFRST_SOAQUERY; + else + xfr->state = XFRST_INITIALSOA; /* end_serial */ xfr->nmsg = 0; @@ -1005,7 +1037,9 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) { CHECK(tuple2msgname(soatuple, msg, &msgsoaname)); dns_message_addname(msg, msgsoaname, DNS_SECTION_AUTHORITY); - } + } else if (xfr->reqtype == dns_rdatatype_soa) + CHECK(dns_db_getsoaserial(xfr->db, NULL, + &xfr->ixfr.request_serial)); xfr->checkid = ISC_TRUE; xfr->id++; @@ -1166,8 +1200,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) { try_axfr: dns_message_destroy(&msg); xfrin_reset(xfr); - xfr->reqtype = dns_rdatatype_axfr; - xfr->state = XFRST_INITIALSOA; + xfr->reqtype = dns_rdatatype_soa; + xfr->state = XFRST_SOAQUERY; (void)xfrin_start(xfr); return; } @@ -1264,7 +1298,11 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) { dns_message_destroy(&msg); - if (xfr->state == XFRST_END) { + if (xfr->state == XFRST_GOTSOA) { + xfr->reqtype = dns_rdatatype_axfr; + xfr->state = XFRST_INITIALSOA; + CHECK(xfrin_send_request(xfr)); + } else if (xfr->state == XFRST_END) { /* * Inform the caller we succeeded. */ diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 6f65db39ed..fb94c8066c 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.456 2006/06/04 23:17:06 marka Exp $ */ +/* $Id: zone.c,v 1.457 2006/07/19 00:53:42 marka Exp $ */ /*! \file */ @@ -297,6 +297,7 @@ struct dns_zone { #define DNS_ZONEFLG_FLUSH 0x00200000U #define DNS_ZONEFLG_NOEDNS 0x00400000U #define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U +#define DNS_ZONEFLG_SOABEFOREAXFR 0x01000000U #define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0) @@ -4286,8 +4287,13 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { master, source); /* Try with slave with TCP. */ if (zone->type == dns_zone_slave && - DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) + DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) { + LOCK_ZONE(zone); + DNS_ZONE_SETFLAG(zone, + DNS_ZONEFLG_SOABEFOREAXFR); + UNLOCK_ZONE(zone); goto tcp_transfer; + } } else dns_zone_log(zone, ISC_LOG_INFO, "refresh: failure trying master " @@ -4354,6 +4360,9 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { "initiating TCP zone xfer " "for master %s (source %s)", master, source); + LOCK_ZONE(zone); + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR); + UNLOCK_ZONE(zone); goto tcp_transfer; } else { INSIST(zone->type == dns_zone_stub); @@ -6334,6 +6343,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) { LOCK_ZONE(zone); INSIST((zone->flags & DNS_ZONEFLG_REFRESH) != 0); DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH); + DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR); TIME_NOW(&now); switch (result) { @@ -6691,7 +6701,10 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) { "IXFR disabled, " "requesting AXFR from %s", mastertext); - xfrtype = dns_rdatatype_axfr; + if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) + xfrtype = dns_rdatatype_soa; + else + xfrtype = dns_rdatatype_axfr; } else { dns_zone_log(zone, ISC_LOG_DEBUG(1), "requesting IXFR from %s", From 799a39bc800efadc9012c55d4ba1a2682879d0ba Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 Jul 2006 01:04:08 +0000 Subject: [PATCH 328/465] of -> or --- lib/dns/include/dns/xfrin.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h index 2158d24af7..84122ed1f6 100644 --- a/lib/dns/include/dns/xfrin.h +++ b/lib/dns/include/dns/xfrin.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrin.h,v 1.23 2006/07/19 00:53:42 marka Exp $ */ +/* $Id: xfrin.h,v 1.24 2006/07/19 01:04:08 marka Exp $ */ #ifndef DNS_XFRIN_H #define DNS_XFRIN_H 1 @@ -78,7 +78,7 @@ dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype, * * Requires: *\li 'xfrtype' is dns_rdatatype_axfr, dns_rdatatype_ixfr - * of dns_rdatatype_soa (soa query followed by axfr if + * or dns_rdatatype_soa (soa query followed by axfr if * serial is greater than current serial). * *\li If 'xfrtype' is dns_rdatatype_ixfr or dns_rdatatype_soa, From 12bf059e87af5512bd73228e331047f121e6d111 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 Jul 2006 23:18:02 +0000 Subject: [PATCH 329/465] auto update --- doc/private/branches | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/private/branches b/doc/private/branches index 7763810132..3f2d41262f 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -48,9 +48,11 @@ rt16170 new rt16179 new rt16182 new rt16183 new +rt16187 new rt16218 new rt16219 new rt16220 new +rt16220a new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From d3a3e690ab1f87fa02b3fa77be5ddea5c1fe0cd4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 Jul 2006 23:30:27 +0000 Subject: [PATCH 330/465] newcopyrights --- util/copyrights | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/util/copyrights b/util/copyrights index 6a47b8207d..f3b6210eaf 100644 --- a/util/copyrights +++ b/util/copyrights @@ -105,7 +105,7 @@ ./bin/named/include/named/update.h C 1999,2000,2001,2004,2005 ./bin/named/include/named/xfrout.h C 1999,2000,2001,2004,2005 ./bin/named/include/named/zoneconf.h C 1999,2000,2001,2002,2004,2005,2006 -./bin/named/interfacemgr.c C 1999,2000,2001,2002,2004,2005 +./bin/named/interfacemgr.c C 1999,2000,2001,2002,2004,2005,2006 ./bin/named/listenlist.c C 2000,2001,2004,2005 ./bin/named/log.c C 1999,2000,2001,2002,2004,2005,2006 ./bin/named/logconf.c C 1999,2000,2001,2004,2005,2006 @@ -1811,7 +1811,7 @@ ./lib/dns/include/dns/validator.h C 2000,2001,2002,2003,2004,2005 ./lib/dns/include/dns/version.h C 2001,2004,2005 ./lib/dns/include/dns/view.h C 1999,2000,2001,2002,2003,2004,2005,2006 -./lib/dns/include/dns/xfrin.h C 1999,2000,2001,2003,2004,2005 +./lib/dns/include/dns/xfrin.h C 1999,2000,2001,2003,2004,2005,2006 ./lib/dns/include/dns/zone.h C 1999,2000,2001,2002,2003,2004,2005,2006 ./lib/dns/include/dns/zonekey.h C 2001,2004,2005 ./lib/dns/include/dns/zt.h C 1999,2000,2001,2002,2004,2005 From d827ada5a9d8d86de1aa8d6c92f05d1510e0051f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 00:15:03 +0000 Subject: [PATCH 331/465] grammer --- doc/arm/Bv9ARM-book.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index edf896a37d..671bb0be80 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -56,7 +56,7 @@ The Berkeley Internet Name Domain - (BIND) implements an + (BIND) implements a domain name server for a number of operating systems. This document provides basic information about the installation and care of the Internet Systems Consortium (ISC) From 23bc584f7455533b1a48736477fa39d84c07cf93 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 00:17:00 +0000 Subject: [PATCH 332/465] grammer --- doc/arm/Bv9ARM-book.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index d2d601b086..9a7065386c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -51,7 +51,7 @@ Scope of Document - The Berkeley Internet Name Domain (BIND) implements an + The Berkeley Internet Name Domain (BIND) implements a domain name server for a number of operating systems. This document provides basic information about the installation and care of the Internet Software Consortium (ISC) From cd7812e4b1b3115fd600bb3c20f0e948a79f67cd Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 01:10:31 +0000 Subject: [PATCH 333/465] update copyright notice --- bin/named/interfacemgr.c | 4 ++-- lib/dns/include/dns/xfrin.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c index b96b533c4c..ddece0bca2 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.c,v 1.84 2006/07/19 00:08:20 marka Exp $ */ +/* $Id: interfacemgr.c,v 1.85 2006/07/20 01:10:31 marka Exp $ */ /*! \file */ diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h index 84122ed1f6..712aa7c787 100644 --- a/lib/dns/include/dns/xfrin.h +++ b/lib/dns/include/dns/xfrin.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrin.h,v 1.24 2006/07/19 01:04:08 marka Exp $ */ +/* $Id: xfrin.h,v 1.25 2006/07/20 01:10:31 marka Exp $ */ #ifndef DNS_XFRIN_H #define DNS_XFRIN_H 1 From dd3e2d2e7f8b53745c8f1436ffa41de53376c6d1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 02:33:01 +0000 Subject: [PATCH 334/465] regen --- doc/arm/Bv9ARM.ch01.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 7c248b753a..e90dac64ae 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -68,7 +68,7 @@

    Scope of Document

    -

    The Berkeley Internet Name Domain (BIND) implements an +

    The Berkeley Internet Name Domain (BIND) implements a domain name server for a number of operating systems. This document provides basic information about the installation and care of the Internet Software Consortium (ISC) From c48c7872a0e020a63a96faed166c6ae960e4c1e9 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 02:33:53 +0000 Subject: [PATCH 335/465] regen --- doc/arm/Bv9ARM.ch01.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index daeb8b7ea8..d7f0607943 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -74,7 +74,7 @@ Scope of Document

    The Berkeley Internet Name Domain - (BIND) implements an + (BIND) implements a domain name server for a number of operating systems. This document provides basic information about the installation and care of the Internet Systems Consortium (ISC) From cbef026164ceabccb2e85403434b722d77f7b5ee Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 03:21:10 +0000 Subject: [PATCH 336/465] 2050. [bug] Parsing of NSAP records was not case insensitive. [RT #16287] --- CHANGES | 3 +++ lib/dns/rdata.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 8ec9c9af80..34fc577cbe 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2050. [bug] Parsing of NSAP records was not case insensitive. + [RT #16287] + 2049. [bug] Restore SOA before AXFR when falling back from a attempted IXFR when transfering in a zone. Allow a initial SOA query before attempting diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c index a6d1addf2e..8b46d04acf 100644 --- a/lib/dns/rdata.c +++ b/lib/dns/rdata.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdata.c,v 1.191 2005/07/22 05:31:01 marka Exp $ */ +/* $Id: rdata.c,v 1.192 2006/07/20 03:21:10 marka Exp $ */ /*! \file */ @@ -1272,7 +1272,7 @@ hexvalue(char value) { return (-1); if (isupper(c)) c = tolower(c); - if ((s = strchr(hexdigits, value)) == NULL) + if ((s = strchr(hexdigits, c)) == NULL) return (-1); return (s - hexdigits); } From bd4f391ddbbf9f50b0f21be9b684afa432c1005f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 03:24:59 +0000 Subject: [PATCH 337/465] 2050. [bug] Parsing of NSAP records was not case insensitive. [RT #16287] --- CHANGES | 3 +++ lib/dns/rdata.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index daad2bb431..da1782ea29 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2050. [bug] Parsing of NSAP records was not case insensitive. + [RT #16287] + 2043. [port] nsupdate/nslookup: Force the flushing of the prompt for interactive sessions. [RT#16148] diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c index 76d7008c67..0089f1e619 100644 --- a/lib/dns/rdata.c +++ b/lib/dns/rdata.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdata.c,v 1.147.2.16 2005/07/22 05:26:44 marka Exp $ */ +/* $Id: rdata.c,v 1.147.2.17 2006/07/20 03:24:59 marka Exp $ */ #include #include @@ -1659,7 +1659,7 @@ hexvalue(char value) { return (-1); if (isupper(c)) c = tolower(c); - if ((s = strchr(hexdigits, value)) == NULL) + if ((s = strchr(hexdigits, c)) == NULL) return (-1); return (s - hexdigits); } From a34d19803a206febe10866394393ec1c09b28984 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 03:31:11 +0000 Subject: [PATCH 338/465] 2051. [port] More strtol() fixes. [RT #16249] --- CHANGES | 2 ++ configure | 6 +++--- configure.in | 4 ++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 34fc577cbe..a2b9658dd1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2051. [port] More strtol() fixes. [RT #16249] + 2050. [bug] Parsing of NSAP records was not case insensitive. [RT #16287] diff --git a/configure b/configure index 857c96c3e6..12211fa6ed 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.396 2006/06/21 03:40:34 marka Exp $ +# $Id: configure,v 1.397 2006/07/20 03:31:11 marka Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.408 . +# From configure.in Revision: 1.409 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -25921,7 +25921,7 @@ if test $ac_cv_func_strtoul = yes; then else ISC_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1" LWRES_PLATFORM_NEEDSTRTOUL="#define LWRES_PLATFORM_NEEDSTRTOUL 1" - GENRANDOMLIB="${ISCLIBS}" + GENRANDOMLIB='${ISCLIBS}' fi diff --git a/configure.in b/configure.in index aa7ccb12cd..28b1ebbd12 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.408 $) +AC_REVISION($Revision: 1.409 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.59) @@ -1593,7 +1593,7 @@ AC_CHECK_FUNC(strtoul, GENRANDOMLIB=""], [ISC_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1" LWRES_PLATFORM_NEEDSTRTOUL="#define LWRES_PLATFORM_NEEDSTRTOUL 1" - GENRANDOMLIB="${ISCLIBS}"]) + GENRANDOMLIB='${ISCLIBS}']) AC_SUBST(ISC_PLATFORM_NEEDSTRTOUL) AC_SUBST(LWRES_PLATFORM_NEEDSTRTOUL) AC_SUBST(GENRANDOMLIB) From bcdf37e0ff7d73310b7bf247d755194a5718ba38 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 03:41:57 +0000 Subject: [PATCH 339/465] 2052. [bug] 'rndc' improve connect failed message to report the failing address. [RT #15978] --- CHANGES | 3 +++ bin/rndc/rndc.c | 15 +++++++++------ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index a2b9658dd1..6db6a3ec0a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2052. [bug] 'rndc' improve connect failed message to report + the failing address. [RT #15978] + 2051. [port] More strtol() fixes. [RT #16249] 2050. [bug] Parsing of NSAP records was not case insensitive. diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index d4d37e416c..5456de314b 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rndc.c,v 1.111 2006/03/09 23:39:00 marka Exp $ */ +/* $Id: rndc.c,v 1.112 2006/07/20 03:41:57 marka Exp $ */ /*! \file */ @@ -314,6 +314,7 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { static void rndc_connected(isc_task_t *task, isc_event_t *event) { + char socktext[ISC_SOCKADDR_FORMATSIZE]; isc_socketevent_t *sevent = (isc_socketevent_t *)event; isccc_sexpr_t *request = NULL; isccc_sexpr_t *data; @@ -327,17 +328,19 @@ rndc_connected(isc_task_t *task, isc_event_t *event) { connects--; if (sevent->result != ISC_R_SUCCESS) { + isc_sockaddr_format(&serveraddrs[currentaddr], socktext, + sizeof(socktext)); if (sevent->result != ISC_R_CANCELED && - currentaddr < nserveraddrs) + ++currentaddr < nserveraddrs) { - notify("connection failed: %s", + notify("connection failed: %s: %s", socktext, isc_result_totext(sevent->result)); isc_socket_detach(&sock); isc_event_free(&event); - rndc_startconnect(&serveraddrs[currentaddr++], task); + rndc_startconnect(&serveraddrs[currentaddr], task); return; } else - fatal("connect failed: %s", + fatal("connect failed: %s: %s", socktext, isc_result_totext(sevent->result)); } @@ -408,7 +411,7 @@ rndc_start(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); currentaddr = 0; - rndc_startconnect(&serveraddrs[currentaddr++], task); + rndc_startconnect(&serveraddrs[currentaddr], task); } static void From 0b5d8941bb41edbe1296619485c16df536ecc05f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 03:55:45 +0000 Subject: [PATCH 340/465] 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] --- CHANGES | 2 ++ lib/bind/config.h.in | 1 + lib/bind/port_after.h.in | 3 +++ 3 files changed, 6 insertions(+) diff --git a/CHANGES b/CHANGES index 6db6a3ec0a..7ba330c109 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] + 2052. [bug] 'rndc' improve connect failed message to report the failing address. [RT #15978] diff --git a/lib/bind/config.h.in b/lib/bind/config.h.in index 82a1560d1f..c4d88d347e 100644 --- a/lib/bind/config.h.in +++ b/lib/bind/config.h.in @@ -4,6 +4,7 @@ #undef HAVE_INTTYPES_H #undef HAVE_STROPTS_H #undef HAVE_SYS_TIMERS_H +#undef HAVE_SYS_SELECT_H #undef SYS_CDEFS_H #undef _POSIX_PTHREAD_SEMANTICS #undef POSIX_GETPWUID_R diff --git a/lib/bind/port_after.h.in b/lib/bind/port_after.h.in index 12d8d2bc34..f248d23f56 100644 --- a/lib/bind/port_after.h.in +++ b/lib/bind/port_after.h.in @@ -12,6 +12,9 @@ #ifdef HAVE_INTTYPES_H #include #endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif /* HAVE_SYS_SELECT_H */ @NEED_PSELECT@ @HAVE_SA_LEN@ From f752b603f6e95644ccc5e890bfaffdadd99c1fca Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 03:58:50 +0000 Subject: [PATCH 341/465] 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] --- CHANGES | 2 ++ lib/bind/config.h.in | 1 + lib/bind/port_after.h.in | 3 +++ 3 files changed, 6 insertions(+) diff --git a/CHANGES b/CHANGES index da1782ea29..0e82d1054d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] + 2050. [bug] Parsing of NSAP records was not case insensitive. [RT #16287] diff --git a/lib/bind/config.h.in b/lib/bind/config.h.in index 82a1560d1f..c4d88d347e 100644 --- a/lib/bind/config.h.in +++ b/lib/bind/config.h.in @@ -4,6 +4,7 @@ #undef HAVE_INTTYPES_H #undef HAVE_STROPTS_H #undef HAVE_SYS_TIMERS_H +#undef HAVE_SYS_SELECT_H #undef SYS_CDEFS_H #undef _POSIX_PTHREAD_SEMANTICS #undef POSIX_GETPWUID_R diff --git a/lib/bind/port_after.h.in b/lib/bind/port_after.h.in index 12d8d2bc34..f248d23f56 100644 --- a/lib/bind/port_after.h.in +++ b/lib/bind/port_after.h.in @@ -12,6 +12,9 @@ #ifdef HAVE_INTTYPES_H #include #endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif /* HAVE_SYS_SELECT_H */ @NEED_PSELECT@ @HAVE_SA_LEN@ From c870001ae1bff0e38f622c4ed56872c7f1d2d336 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 05:39:07 +0000 Subject: [PATCH 342/465] 2054. [port] freebsd: do not explicitly link against -lpthread. [RT #16170] --- CHANGES | 3 +++ config.h.in | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 7ba330c109..aa39353f9c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2054. [port] freebsd: do not explicitly link against -lpthread. + [RT #16170] + 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] 2052. [bug] 'rndc' improve connect failed message to report diff --git a/config.h.in b/config.h.in index fdfa9cd329..ba8c299e96 100644 --- a/config.h.in +++ b/config.h.in @@ -16,7 +16,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h.in,v 1.79 2006/03/01 02:32:46 marka Exp $ */ +/* $Id: config.h.in,v 1.82 2006/08/10 01:57:41 marka Exp $ */ /*! \file */ @@ -190,6 +190,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the `socket' library (-lsocket). */ #undef HAVE_LIBSOCKET +/* Define to 1 if you have the `thr' library (-lthr). */ +#undef HAVE_LIBTHR + /* Define to 1 if you have the header file. */ #undef HAVE_LINUX_CAPABILITY_H From be515937febf025ec2a4c381bee58131ab0f32f4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 05:42:09 +0000 Subject: [PATCH 343/465] 2054. [port] freebsd: do not explicitly link against -lpthread. [RT #16170] --- bin/tests/Makefile.in | 4 +- config.threads.in | 25 ++ configure | 615 +++++++++++++++++++++++++++++++++++----- configure.in | 105 +++---- lib/bind/configure | 635 ++++++++++++++++++++++++++++++++++++------ lib/bind/configure.in | 120 ++++---- ltmain.sh | 14 +- 7 files changed, 1243 insertions(+), 275 deletions(-) diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in index b600f1c0db..decd9ff8c8 100644 --- a/bin/tests/Makefile.in +++ b/bin/tests/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.125 2005/06/08 02:06:57 marka Exp $ +# $Id: Makefile.in,v 1.126 2006/07/20 05:39:08 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -135,7 +135,7 @@ XSRCS = adb_test.c \ all_tests: ${XTARGETS} genrandom@EXEEXT@: genrandom.@O@ - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS} adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ adb_test.@O@ \ diff --git a/config.threads.in b/config.threads.in index f2816c447f..c1c113b937 100644 --- a/config.threads.in +++ b/config.threads.in @@ -140,6 +140,31 @@ then fi fi ;; + *-freebsd*) + # We don't want to set -lpthread as that break + # the ability to choose threads library at final + # link time and is not valid for all architectures. + + PTHREAD= + if test "X$GCC" = "Xyes"; then + saved_cc="$CC" + CC="$CC -pthread" + AC_MSG_CHECKING(for gcc -pthread support); + AC_TRY_LINK([#include ], + [printf("%x\n", pthread_create);], + PTHREAD="yes" + AC_MSG_RESULT(yes), + AC_MSG_RESULT(no)) + CC="$saved_cc" + fi + if test "X$PTHREAD" != "Xyes"; then + AC_CHECK_LIB(pthread, pthread_create,, + AC_CHECK_LIB(thr, thread_create,, + AC_CHECK_LIB(c_r, pthread_create,, + AC_CHECK_LIB(c, pthread_create,, + AC_MSG_ERROR("could not find thread libraries"))))) + fi + ;; *) AC_CHECK_LIB(pthread, pthread_create,, AC_CHECK_LIB(pthread, __pthread_create,, diff --git a/configure b/configure index 12211fa6ed..20a88491cd 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.397 2006/07/20 03:31:11 marka Exp $ +# $Id: configure,v 1.398 2006/07/20 05:42:08 marka Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.409 . +# From configure.in Revision: 1.410 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -5994,6 +5994,374 @@ echo "${ECHO_T}mit-pthreads/unproven-pthreads" >&6 fi fi ;; + *-freebsd*) + # We don't want to set -lpthread as that break + # the ability to choose threads library at final + # link time and is not valid for all architectures. + + PTHREAD= + if test "X$GCC" = "Xyes"; then + saved_cc="$CC" + CC="$CC -pthread" + echo "$as_me:$LINENO: checking for gcc -pthread support" >&5 +echo $ECHO_N "checking for gcc -pthread support... $ECHO_C" >&6; + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +int +main () +{ +printf("%x\n", pthread_create); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + PTHREAD="yes" + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CC="$saved_cc" + fi + if test "X$PTHREAD" != "Xyes"; then + +echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5 +echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6 +if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpthread $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_pthread_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_pthread_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6 +if test $ac_cv_lib_pthread_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPTHREAD 1 +_ACEOF + + LIBS="-lpthread $LIBS" + +else + +echo "$as_me:$LINENO: checking for thread_create in -lthr" >&5 +echo $ECHO_N "checking for thread_create in -lthr... $ECHO_C" >&6 +if test "${ac_cv_lib_thr_thread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lthr $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char thread_create (); +int +main () +{ +thread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_thr_thread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_thr_thread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_thr_thread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_thr_thread_create" >&6 +if test $ac_cv_lib_thr_thread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBTHR 1 +_ACEOF + + LIBS="-lthr $LIBS" + +else + +echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5 +echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6 +if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc_r $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_c_r_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_c_r_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6 +if test $ac_cv_lib_c_r_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBC_R 1 +_ACEOF + + LIBS="-lc_r $LIBS" + +else + +echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5 +echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6 +if test "${ac_cv_lib_c_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_c_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_c_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6 +if test $ac_cv_lib_c_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBC 1 +_ACEOF + + LIBS="-lc $LIBS" + +else + { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5 +echo "$as_me: error: \"could not find thread libraries\"" >&2;} + { (exit 1); exit 1; }; } +fi + +fi + +fi + +fi + + fi + ;; *) echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5 @@ -6379,10 +6747,150 @@ fi if $use_threads then + if test "X$GCC" = "Xyes"; then + case "$host" in + *-freebsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-openbsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + LIBS="$LIBS -lthread" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + esac + else + case $host in + *-dec-osf*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + CC="$CC -mt" + CCOPT="$CCOPT -mt" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-sco-sysv*uw*|*-*-sysv*UnixWare*) + CC="$CC -Kthread" + CCOPT="$CCOPT -Kthread" + ;; + *-*-sysv*OpenUNIX*) + CC="$CC -Kpthread" + CCOPT="$CCOPT -Kpthread" + ;; + esac + fi + ALWAYS_DEFINES="-D_REENTRANT" + ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1" + thread_dir=pthreads # # We'd like to use sigwait() too # - echo "$as_me:$LINENO: checking for sigwait in -lc" >&5 + echo "$as_me:$LINENO: checking for sigwait" >&5 +echo $ECHO_N "checking for sigwait... $ECHO_C" >&6 +if test "${ac_cv_func_sigwait+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define sigwait to an innocuous variant, in case declares sigwait. + For example, HP-UX 11i declares gettimeofday. */ +#define sigwait innocuous_sigwait + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char sigwait (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef sigwait + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +{ +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char sigwait (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_sigwait) || defined (__stub___sigwait) +choke me +#else +char (*f) () = sigwait; +#endif +#ifdef __cplusplus +} +#endif + +int +main () +{ +return f != sigwait; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_sigwait=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_func_sigwait=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_func_sigwait" >&5 +echo "${ECHO_T}$ac_cv_func_sigwait" >&6 +if test $ac_cv_func_sigwait = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_SIGWAIT 1 +_ACEOF + +else + echo "$as_me:$LINENO: checking for sigwait in -lc" >&5 echo $ECHO_N "checking for sigwait in -lc... $ECHO_C" >&6 if test "${ac_cv_lib_c_sigwait+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -6595,6 +7103,7 @@ fi fi +fi fi @@ -7130,50 +7639,6 @@ _ACEOF fi - if test "X$GCC" = "Xyes"; then - case "$host" in - *-freebsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-openbsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - LIBS="$LIBS -lthread" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - esac - else - case $host in - *-dec-osf*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - CC="$CC -mt" - CCOPT="$CCOPT -mt" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-sco-sysv*uw*|*-*-sysv*UnixWare*) - CC="$CC -Kthread" - CCOPT="$CCOPT -Kthread" - ;; - *-*-sysv*OpenUNIX*) - CC="$CC -Kpthread" - CCOPT="$CCOPT -Kpthread" - ;; - esac - fi - ALWAYS_DEFINES="-D_REENTRANT" - ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1" - thread_dir=pthreads else ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS" thread_dir=nothreads @@ -8465,7 +8930,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8468 "configure"' > conftest.$ac_ext + echo '#line 8933 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9462,7 +9927,7 @@ fi # Provide some information about the compiler. -echo "$as_me:9465:" \ +echo "$as_me:9930:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -10523,11 +10988,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10526: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10991: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10530: \$? = $ac_status" >&5 + echo "$as_me:10995: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10766,11 +11231,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10769: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11234: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10773: \$? = $ac_status" >&5 + echo "$as_me:11238: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10826,11 +11291,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10829: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11294: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10833: \$? = $ac_status" >&5 + echo "$as_me:11298: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -13011,7 +13476,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:15774: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15313: \$? = $ac_status" >&5 + echo "$as_me:15778: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -15366,11 +15831,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15369: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15834: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:15373: \$? = $ac_status" >&5 + echo "$as_me:15838: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -16727,7 +17192,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:18130: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17669: \$? = $ac_status" >&5 + echo "$as_me:18134: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -17722,11 +18187,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17725: $lt_compile\"" >&5) + (eval echo "\"\$as_me:18190: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:17729: \$? = $ac_status" >&5 + echo "$as_me:18194: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -19761,11 +20226,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19764: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20229: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19768: \$? = $ac_status" >&5 + echo "$as_me:20233: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -20004,11 +20469,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20007: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20472: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:20011: \$? = $ac_status" >&5 + echo "$as_me:20476: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -20064,11 +20529,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20067: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20532: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:20071: \$? = $ac_status" >&5 + echo "$as_me:20536: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -22249,7 +22714,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&6 fi fi ;; + *-freebsd*) + # We don't want to set -lpthread as that break + # the ability to choose threads library at final + # link time and is not valid for all architectures. + + PTHREAD= + if test "X$GCC" = "Xyes"; then + saved_cc="$CC" + CC="$CC -pthread" + echo "$as_me:$LINENO: checking for gcc -pthread support" >&5 +echo $ECHO_N "checking for gcc -pthread support... $ECHO_C" >&6; + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +int +main () +{ +printf("%x\n", pthread_create); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + PTHREAD="yes" + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CC="$saved_cc" + fi + if test "X$PTHREAD" != "Xyes"; then + +echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5 +echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6 +if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpthread $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_pthread_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_pthread_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6 +if test $ac_cv_lib_pthread_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPTHREAD 1 +_ACEOF + + LIBS="-lpthread $LIBS" + +else + +echo "$as_me:$LINENO: checking for thread_create in -lthr" >&5 +echo $ECHO_N "checking for thread_create in -lthr... $ECHO_C" >&6 +if test "${ac_cv_lib_thr_thread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lthr $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char thread_create (); +int +main () +{ +thread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_thr_thread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_thr_thread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_thr_thread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_thr_thread_create" >&6 +if test $ac_cv_lib_thr_thread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBTHR 1 +_ACEOF + + LIBS="-lthr $LIBS" + +else + +echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5 +echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6 +if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc_r $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_c_r_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_c_r_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6 +if test $ac_cv_lib_c_r_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBC_R 1 +_ACEOF + + LIBS="-lc_r $LIBS" + +else + +echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5 +echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6 +if test "${ac_cv_lib_c_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_c_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_c_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6 +if test $ac_cv_lib_c_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBC 1 +_ACEOF + + LIBS="-lc $LIBS" + +else + { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5 +echo "$as_me: error: \"could not find thread libraries\"" >&2;} + { (exit 1); exit 1; }; } +fi + +fi + +fi + +fi + + fi + ;; *) echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5 @@ -5043,10 +5411,160 @@ fi if $use_threads then + if test "X$GCC" = "Xyes"; then + case "$host" in + *-freebsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-openbsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + LIBS="$LIBS -lthread" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + esac + else + case $host in + *-dec-osf*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + CC="$CC -mt" + CCOPT="$CCOPT -mt" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-UnixWare*) + CC="$CC -Kthread" + CCOPT="$CCOPT -Kthread" + ;; + esac + fi + cat >>confdefs.h <<\_ACEOF +#define _REENTRANT 1 +_ACEOF + + ALWAYS_DEFINES="-D_REENTRANT" + DO_PTHREADS="#define DO_PTHREADS 1" + WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}" + WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}" + case $host in + ia64-hp-hpux11.*) + WANT_IRS_THREADS_OBJS="";; + *) + WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";; + esac + WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}" + thread_dir=pthreads + # # We'd like to use sigwait() too # - echo "$as_me:$LINENO: checking for sigwait in -lc" >&5 + echo "$as_me:$LINENO: checking for sigwait" >&5 +echo $ECHO_N "checking for sigwait... $ECHO_C" >&6 +if test "${ac_cv_func_sigwait+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define sigwait to an innocuous variant, in case declares sigwait. + For example, HP-UX 11i declares gettimeofday. */ +#define sigwait innocuous_sigwait + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char sigwait (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef sigwait + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +{ +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char sigwait (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_sigwait) || defined (__stub___sigwait) +choke me +#else +char (*f) () = sigwait; +#endif +#ifdef __cplusplus +} +#endif + +int +main () +{ +return f != sigwait; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_sigwait=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_func_sigwait=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_func_sigwait" >&5 +echo "${ECHO_T}$ac_cv_func_sigwait" >&6 +if test $ac_cv_func_sigwait = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_SIGWAIT 1 +_ACEOF + +else + echo "$as_me:$LINENO: checking for sigwait in -lc" >&5 echo $ECHO_N "checking for sigwait in -lc... $ECHO_C" >&6 if test "${ac_cv_lib_c_sigwait+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -5259,6 +5777,7 @@ fi fi +fi fi @@ -5707,59 +6226,6 @@ _ACEOF fi - if test "X$GCC" = "Xyes"; then - case "$host" in - *-freebsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-openbsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - LIBS="$LIBS -lthread" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - esac - else - case $host in - *-dec-osf*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - CC="$CC -mt" - CCOPT="$CCOPT -mt" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-UnixWare*) - CC="$CC -Kthread" - CCOPT="$CCOPT -Kthread" - ;; - esac - fi - cat >>confdefs.h <<\_ACEOF -#define _REENTRANT 1 -_ACEOF - - ALWAYS_DEFINES="-D_REENTRANT" - DO_PTHREADS="#define DO_PTHREADS 1" - WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}" - WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}" - case $host in - ia64-hp-hpux11.*) - WANT_IRS_THREADS_OBJS="";; - *) - WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";; - esac - WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}" - thread_dir=pthreads else ALWAYS_DEFINES="" DO_PTHREADS="#undef DO_PTHREADS" @@ -7602,7 +8068,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7605 "configure"' > conftest.$ac_ext + echo '#line 8071 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -8599,7 +9065,7 @@ fi # Provide some information about the compiler. -echo "$as_me:8602:" \ +echo "$as_me:9068:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -9660,11 +10126,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9663: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10129: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9667: \$? = $ac_status" >&5 + echo "$as_me:10133: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -9903,11 +10369,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9906: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10372: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9910: \$? = $ac_status" >&5 + echo "$as_me:10376: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -9963,11 +10429,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9966: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10432: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9970: \$? = $ac_status" >&5 + echo "$as_me:10436: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12148,7 +12614,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:14912: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:14450: \$? = $ac_status" >&5 + echo "$as_me:14916: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -14503,11 +14969,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14506: $lt_compile\"" >&5) + (eval echo "\"\$as_me:14972: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:14510: \$? = $ac_status" >&5 + echo "$as_me:14976: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -15864,7 +16330,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:17268: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16806: \$? = $ac_status" >&5 + echo "$as_me:17272: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -16859,11 +17325,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16862: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17328: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:16866: \$? = $ac_status" >&5 + echo "$as_me:17332: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -18898,11 +19364,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:18901: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19367: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:18905: \$? = $ac_status" >&5 + echo "$as_me:19371: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19141,11 +19607,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19144: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19610: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19148: \$? = $ac_status" >&5 + echo "$as_me:19614: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19201,11 +19667,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19204: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19670: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:19208: \$? = $ac_status" >&5 + echo "$as_me:19674: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -21386,7 +21852,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <>confdefs.h <<\_ACEOF + +cat >>confdefs.h <<\_ACEOF #define BROKEN_IN6ADDR_INIT_MACROS 1 _ACEOF diff --git a/lib/bind/configure.in b/lib/bind/configure.in index cc4c84f788..2e974be4a2 100644 --- a/lib/bind/configure.in +++ b/lib/bind/configure.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.118 $) +AC_REVISION($Revision: 1.119 $) AC_INIT(resolv/herror.c) AC_PREREQ(2.13) @@ -319,16 +319,68 @@ sinclude(../../config.threads.in)dnl if $use_threads then + if test "X$GCC" = "Xyes"; then + case "$host" in + *-freebsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-openbsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + LIBS="$LIBS -lthread" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + esac + else + case $host in + *-dec-osf*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + CC="$CC -mt" + CCOPT="$CCOPT -mt" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-UnixWare*) + CC="$CC -Kthread" + CCOPT="$CCOPT -Kthread" + ;; + esac + fi + AC_DEFINE(_REENTRANT) + ALWAYS_DEFINES="-D_REENTRANT" + DO_PTHREADS="#define DO_PTHREADS 1" + WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}" + WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}" + case $host in + ia64-hp-hpux11.*) + WANT_IRS_THREADS_OBJS="";; + *) + WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";; + esac + WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}" + thread_dir=pthreads + # # We'd like to use sigwait() too # - AC_CHECK_LIB(c, sigwait, - AC_DEFINE(HAVE_SIGWAIT), - AC_CHECK_LIB(pthread, sigwait, - AC_DEFINE(HAVE_SIGWAIT), - AC_CHECK_LIB(pthread, _Psigwait, - AC_DEFINE(HAVE_SIGWAIT),)) - ) + AC_CHECK_FUNC(sigwait, + AC_DEFINE(HAVE_SIGWAIT), + AC_CHECK_LIB(c, sigwait, + AC_DEFINE(HAVE_SIGWAIT), + AC_CHECK_LIB(pthread, sigwait, + AC_DEFINE(HAVE_SIGWAIT), + AC_CHECK_LIB(pthread, _Psigwait, + AC_DEFINE(HAVE_SIGWAIT),)))) AC_CHECK_FUNC(pthread_attr_getstacksize, AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),) @@ -388,56 +440,6 @@ then # AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),) - if test "X$GCC" = "Xyes"; then - case "$host" in - *-freebsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-openbsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - LIBS="$LIBS -lthread" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - esac - else - case $host in - *-dec-osf*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - CC="$CC -mt" - CCOPT="$CCOPT -mt" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-UnixWare*) - CC="$CC -Kthread" - CCOPT="$CCOPT -Kthread" - ;; - esac - fi - AC_DEFINE(_REENTRANT) - ALWAYS_DEFINES="-D_REENTRANT" - DO_PTHREADS="#define DO_PTHREADS 1" - WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}" - WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}" - case $host in - ia64-hp-hpux11.*) - WANT_IRS_THREADS_OBJS="";; - *) - WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";; - esac - WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}" - thread_dir=pthreads else ALWAYS_DEFINES="" DO_PTHREADS="#undef DO_PTHREADS" @@ -2412,7 +2414,7 @@ esac case "$hack_shutup_in6addr_init_macros" in yes) - AC_DEFINE(BROKEN_IN6ADDR_INIT_MACROS) + AC_DEFINE(BROKEN_IN6ADDR_INIT_MACROS, 1, [Defined if IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT need to be redefined.] ) ;; esac diff --git a/ltmain.sh b/ltmain.sh index a6453bbad4..e032aff967 100644 --- a/ltmain.sh +++ b/ltmain.sh @@ -1488,9 +1488,17 @@ EOF ;; -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe) - case "$archive_cmds" in - *"\$LD"*) ;; - *) deplibs="$deplibs $arg";; + case $host in + *-*-freebsd*) + compile_command="$compile_command $arg" + finalize_command="$finalize_command $arg" + ;; + *) + case "$archive_cmds" in + *"\$LD"*) ;; + *) deplibs="$deplibs $arg";; + esac + ;; esac continue ;; From bf8365fa16603136e91f9b68aeef272f4004f52e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 06:06:38 +0000 Subject: [PATCH 344/465] 2054. [port] freebsd: do not explicitly link against -lpthread. [RT #16170] --- CHANGES | 3 +++ config.h.in | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 0e82d1054d..0910dc942f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2054. [port] freebsd: do not explicitly link against -lpthread. + [RT #16170] + 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] 2050. [bug] Parsing of NSAP records was not case insensitive. diff --git a/config.h.in b/config.h.in index b3d224e43d..01accfc1cc 100644 --- a/config.h.in +++ b/config.h.in @@ -16,7 +16,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h.in,v 1.47.2.21 2006/03/01 02:49:40 marka Exp $ */ +/* $Id: config.h.in,v 1.47.2.22 2006/07/20 06:06:38 marka Exp $ */ /*** *** This file is not to be included by any public header files, because @@ -177,6 +177,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the `socket' library (-lsocket). */ #undef HAVE_LIBSOCKET +/* Define to 1 if you have the `thr' library (-lthr). */ +#undef HAVE_LIBTHR + /* Define to 1 if you have the header file. */ #undef HAVE_LINUX_CAPABILITY_H From f5fb8bb249f5306190208e5bb9c5459e47e9844c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 06:08:30 +0000 Subject: [PATCH 345/465] 2054. [port] freebsd: do not explicitly link against -lpthread. [RT #16170] --- bin/tests/Makefile.in | 4 +- config.threads.in | 25 ++ configure | 605 +++++++++++++++++++++++++++++++++++----- configure.in | 97 +++---- lib/bind/configure | 635 ++++++++++++++++++++++++++++++++++++------ lib/bind/configure.in | 120 ++++---- ltmain.sh | 14 +- 7 files changed, 1234 insertions(+), 266 deletions(-) diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in index 73ab2cd723..8ff7cad31f 100644 --- a/bin/tests/Makefile.in +++ b/bin/tests/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.113.2.4 2004/07/20 07:00:12 marka Exp $ +# $Id: Makefile.in,v 1.113.2.5 2006/07/20 06:06:39 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -133,7 +133,7 @@ SRCS = adb_test.c \ all_tests: ${XTARGETS} genrandom: genrandom.@O@ - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ ${LIBS} adb_test: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ adb_test.@O@ \ diff --git a/config.threads.in b/config.threads.in index f2816c447f..c1c113b937 100644 --- a/config.threads.in +++ b/config.threads.in @@ -140,6 +140,31 @@ then fi fi ;; + *-freebsd*) + # We don't want to set -lpthread as that break + # the ability to choose threads library at final + # link time and is not valid for all architectures. + + PTHREAD= + if test "X$GCC" = "Xyes"; then + saved_cc="$CC" + CC="$CC -pthread" + AC_MSG_CHECKING(for gcc -pthread support); + AC_TRY_LINK([#include ], + [printf("%x\n", pthread_create);], + PTHREAD="yes" + AC_MSG_RESULT(yes), + AC_MSG_RESULT(no)) + CC="$saved_cc" + fi + if test "X$PTHREAD" != "Xyes"; then + AC_CHECK_LIB(pthread, pthread_create,, + AC_CHECK_LIB(thr, thread_create,, + AC_CHECK_LIB(c_r, pthread_create,, + AC_CHECK_LIB(c, pthread_create,, + AC_MSG_ERROR("could not find thread libraries"))))) + fi + ;; *) AC_CHECK_LIB(pthread, pthread_create,, AC_CHECK_LIB(pthread, __pthread_create,, diff --git a/configure b/configure index 468f253fbf..d75da9cf86 100755 --- a/configure +++ b/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.in Revision: 1.294.2.63 . +# From configure.in Revision: 1.294.2.64 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -5807,6 +5807,374 @@ echo "${ECHO_T}mit-pthreads/unproven-pthreads" >&6 fi fi ;; + *-freebsd*) + # We don't want to set -lpthread as that break + # the ability to choose threads library at final + # link time and is not valid for all architectures. + + PTHREAD= + if test "X$GCC" = "Xyes"; then + saved_cc="$CC" + CC="$CC -pthread" + echo "$as_me:$LINENO: checking for gcc -pthread support" >&5 +echo $ECHO_N "checking for gcc -pthread support... $ECHO_C" >&6; + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +int +main () +{ +printf("%x\n", pthread_create); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + PTHREAD="yes" + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CC="$saved_cc" + fi + if test "X$PTHREAD" != "Xyes"; then + +echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5 +echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6 +if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpthread $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_pthread_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_pthread_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6 +if test $ac_cv_lib_pthread_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPTHREAD 1 +_ACEOF + + LIBS="-lpthread $LIBS" + +else + +echo "$as_me:$LINENO: checking for thread_create in -lthr" >&5 +echo $ECHO_N "checking for thread_create in -lthr... $ECHO_C" >&6 +if test "${ac_cv_lib_thr_thread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lthr $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char thread_create (); +int +main () +{ +thread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_thr_thread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_thr_thread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_thr_thread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_thr_thread_create" >&6 +if test $ac_cv_lib_thr_thread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBTHR 1 +_ACEOF + + LIBS="-lthr $LIBS" + +else + +echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5 +echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6 +if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc_r $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_c_r_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_c_r_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6 +if test $ac_cv_lib_c_r_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBC_R 1 +_ACEOF + + LIBS="-lc_r $LIBS" + +else + +echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5 +echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6 +if test "${ac_cv_lib_c_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_c_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_c_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6 +if test $ac_cv_lib_c_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBC 1 +_ACEOF + + LIBS="-lc $LIBS" + +else + { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5 +echo "$as_me: error: \"could not find thread libraries\"" >&2;} + { (exit 1); exit 1; }; } +fi + +fi + +fi + +fi + + fi + ;; *) echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5 @@ -6192,10 +6560,146 @@ fi if $use_threads then + if test "X$GCC" = "Xyes"; then + case "$host" in + *-freebsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-openbsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + LIBS="$LIBS -lthread" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + esac + else + case $host in + *-dec-osf*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + CC="$CC -mt" + CCOPT="$CCOPT -mt" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-sco-sysv*uw*) + CC="$CC -Kthread" + CCOPT="$CCOPT -Kthread" + ;; + esac + fi + ALWAYS_DEFINES="-D_REENTRANT" + ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1" + thread_dir=pthreads # # We'd like to use sigwait() too # - echo "$as_me:$LINENO: checking for sigwait in -lc" >&5 + echo "$as_me:$LINENO: checking for sigwait" >&5 +echo $ECHO_N "checking for sigwait... $ECHO_C" >&6 +if test "${ac_cv_func_sigwait+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define sigwait to an innocuous variant, in case declares sigwait. + For example, HP-UX 11i declares gettimeofday. */ +#define sigwait innocuous_sigwait + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char sigwait (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef sigwait + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +{ +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char sigwait (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_sigwait) || defined (__stub___sigwait) +choke me +#else +char (*f) () = sigwait; +#endif +#ifdef __cplusplus +} +#endif + +int +main () +{ +return f != sigwait; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_sigwait=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_func_sigwait=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_func_sigwait" >&5 +echo "${ECHO_T}$ac_cv_func_sigwait" >&6 +if test $ac_cv_func_sigwait = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_SIGWAIT 1 +_ACEOF + +else + echo "$as_me:$LINENO: checking for sigwait in -lc" >&5 echo $ECHO_N "checking for sigwait in -lc... $ECHO_C" >&6 if test "${ac_cv_lib_c_sigwait+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -6408,6 +6912,7 @@ fi fi +fi fi @@ -6943,46 +7448,6 @@ _ACEOF fi - if test "X$GCC" = "Xyes"; then - case "$host" in - *-freebsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-openbsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - LIBS="$LIBS -lthread" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - esac - else - case $host in - *-dec-osf*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - CC="$CC -mt" - CCOPT="$CCOPT -mt" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-sco-sysv*uw*) - CC="$CC -Kthread" - CCOPT="$CCOPT -Kthread" - ;; - esac - fi - ALWAYS_DEFINES="-D_REENTRANT" - ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1" - thread_dir=pthreads else ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS" thread_dir=nothreads @@ -8267,7 +8732,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8270 "configure"' > conftest.$ac_ext + echo '#line 8735 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9264,7 +9729,7 @@ fi # Provide some information about the compiler. -echo "$as_me:9267:" \ +echo "$as_me:9732:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -10325,11 +10790,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10328: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10793: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10332: \$? = $ac_status" >&5 + echo "$as_me:10797: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10568,11 +11033,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10571: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11036: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10575: \$? = $ac_status" >&5 + echo "$as_me:11040: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10628,11 +11093,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10631: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11096: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10635: \$? = $ac_status" >&5 + echo "$as_me:11100: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12813,7 +13278,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:15576: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15115: \$? = $ac_status" >&5 + echo "$as_me:15580: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -15168,11 +15633,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15171: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15636: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:15175: \$? = $ac_status" >&5 + echo "$as_me:15640: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -16529,7 +16994,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:17932: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17471: \$? = $ac_status" >&5 + echo "$as_me:17936: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -17524,11 +17989,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17527: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17992: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:17531: \$? = $ac_status" >&5 + echo "$as_me:17996: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -19563,11 +20028,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19566: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20031: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19570: \$? = $ac_status" >&5 + echo "$as_me:20035: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19806,11 +20271,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19809: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20274: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19813: \$? = $ac_status" >&5 + echo "$as_me:20278: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19866,11 +20331,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19869: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20334: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:19873: \$? = $ac_status" >&5 + echo "$as_me:20338: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -22051,7 +22516,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&6 fi fi ;; + *-freebsd*) + # We don't want to set -lpthread as that break + # the ability to choose threads library at final + # link time and is not valid for all architectures. + + PTHREAD= + if test "X$GCC" = "Xyes"; then + saved_cc="$CC" + CC="$CC -pthread" + echo "$as_me:$LINENO: checking for gcc -pthread support" >&5 +echo $ECHO_N "checking for gcc -pthread support... $ECHO_C" >&6; + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +int +main () +{ +printf("%x\n", pthread_create); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + PTHREAD="yes" + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CC="$saved_cc" + fi + if test "X$PTHREAD" != "Xyes"; then + +echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5 +echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6 +if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpthread $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_pthread_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_pthread_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6 +if test $ac_cv_lib_pthread_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPTHREAD 1 +_ACEOF + + LIBS="-lpthread $LIBS" + +else + +echo "$as_me:$LINENO: checking for thread_create in -lthr" >&5 +echo $ECHO_N "checking for thread_create in -lthr... $ECHO_C" >&6 +if test "${ac_cv_lib_thr_thread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lthr $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char thread_create (); +int +main () +{ +thread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_thr_thread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_thr_thread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_thr_thread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_thr_thread_create" >&6 +if test $ac_cv_lib_thr_thread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBTHR 1 +_ACEOF + + LIBS="-lthr $LIBS" + +else + +echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5 +echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6 +if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc_r $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_c_r_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_c_r_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6 +if test $ac_cv_lib_c_r_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBC_R 1 +_ACEOF + + LIBS="-lc_r $LIBS" + +else + +echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5 +echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6 +if test "${ac_cv_lib_c_pthread_create+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pthread_create (); +int +main () +{ +pthread_create (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_c_pthread_create=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_c_pthread_create=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5 +echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6 +if test $ac_cv_lib_c_pthread_create = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBC 1 +_ACEOF + + LIBS="-lc $LIBS" + +else + { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5 +echo "$as_me: error: \"could not find thread libraries\"" >&2;} + { (exit 1); exit 1; }; } +fi + +fi + +fi + +fi + + fi + ;; *) echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5 @@ -5043,10 +5411,160 @@ fi if $use_threads then + if test "X$GCC" = "Xyes"; then + case "$host" in + *-freebsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-openbsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + LIBS="$LIBS -lthread" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + esac + else + case $host in + *-dec-osf*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + CC="$CC -mt" + CCOPT="$CCOPT -mt" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-UnixWare*) + CC="$CC -Kthread" + CCOPT="$CCOPT -Kthread" + ;; + esac + fi + cat >>confdefs.h <<\_ACEOF +#define _REENTRANT 1 +_ACEOF + + ALWAYS_DEFINES="-D_REENTRANT" + DO_PTHREADS="#define DO_PTHREADS 1" + WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}" + WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}" + case $host in + ia64-hp-hpux11.*) + WANT_IRS_THREADS_OBJS="";; + *) + WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";; + esac + WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}" + thread_dir=pthreads + # # We'd like to use sigwait() too # - echo "$as_me:$LINENO: checking for sigwait in -lc" >&5 + echo "$as_me:$LINENO: checking for sigwait" >&5 +echo $ECHO_N "checking for sigwait... $ECHO_C" >&6 +if test "${ac_cv_func_sigwait+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define sigwait to an innocuous variant, in case declares sigwait. + For example, HP-UX 11i declares gettimeofday. */ +#define sigwait innocuous_sigwait + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char sigwait (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef sigwait + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +{ +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char sigwait (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_sigwait) || defined (__stub___sigwait) +choke me +#else +char (*f) () = sigwait; +#endif +#ifdef __cplusplus +} +#endif + +int +main () +{ +return f != sigwait; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_sigwait=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_func_sigwait=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_func_sigwait" >&5 +echo "${ECHO_T}$ac_cv_func_sigwait" >&6 +if test $ac_cv_func_sigwait = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_SIGWAIT 1 +_ACEOF + +else + echo "$as_me:$LINENO: checking for sigwait in -lc" >&5 echo $ECHO_N "checking for sigwait in -lc... $ECHO_C" >&6 if test "${ac_cv_lib_c_sigwait+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -5259,6 +5777,7 @@ fi fi +fi fi @@ -5707,59 +6226,6 @@ _ACEOF fi - if test "X$GCC" = "Xyes"; then - case "$host" in - *-freebsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-openbsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - LIBS="$LIBS -lthread" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - esac - else - case $host in - *-dec-osf*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - CC="$CC -mt" - CCOPT="$CCOPT -mt" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-UnixWare*) - CC="$CC -Kthread" - CCOPT="$CCOPT -Kthread" - ;; - esac - fi - cat >>confdefs.h <<\_ACEOF -#define _REENTRANT 1 -_ACEOF - - ALWAYS_DEFINES="-D_REENTRANT" - DO_PTHREADS="#define DO_PTHREADS 1" - WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}" - WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}" - case $host in - ia64-hp-hpux11.*) - WANT_IRS_THREADS_OBJS="";; - *) - WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";; - esac - WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}" - thread_dir=pthreads else ALWAYS_DEFINES="" DO_PTHREADS="#undef DO_PTHREADS" @@ -7602,7 +8068,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7605 "configure"' > conftest.$ac_ext + echo '#line 8071 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -8599,7 +9065,7 @@ fi # Provide some information about the compiler. -echo "$as_me:8602:" \ +echo "$as_me:9068:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -9660,11 +10126,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9663: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10129: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9667: \$? = $ac_status" >&5 + echo "$as_me:10133: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -9903,11 +10369,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9906: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10372: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9910: \$? = $ac_status" >&5 + echo "$as_me:10376: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -9963,11 +10429,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9966: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10432: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9970: \$? = $ac_status" >&5 + echo "$as_me:10436: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12148,7 +12614,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:14912: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:14450: \$? = $ac_status" >&5 + echo "$as_me:14916: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -14503,11 +14969,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14506: $lt_compile\"" >&5) + (eval echo "\"\$as_me:14972: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:14510: \$? = $ac_status" >&5 + echo "$as_me:14976: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -15864,7 +16330,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:17268: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16806: \$? = $ac_status" >&5 + echo "$as_me:17272: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -16859,11 +17325,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16862: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17328: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:16866: \$? = $ac_status" >&5 + echo "$as_me:17332: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -18898,11 +19364,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:18901: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19367: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:18905: \$? = $ac_status" >&5 + echo "$as_me:19371: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19141,11 +19607,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19144: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19610: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19148: \$? = $ac_status" >&5 + echo "$as_me:19614: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19201,11 +19667,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19204: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19670: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:19208: \$? = $ac_status" >&5 + echo "$as_me:19674: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -21386,7 +21852,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <>confdefs.h <<\_ACEOF + +cat >>confdefs.h <<\_ACEOF #define BROKEN_IN6ADDR_INIT_MACROS 1 _ACEOF diff --git a/lib/bind/configure.in b/lib/bind/configure.in index 4797d191e0..ad52d16ae9 100644 --- a/lib/bind/configure.in +++ b/lib/bind/configure.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.83.2.31 $) +AC_REVISION($Revision: 1.83.2.32 $) AC_INIT(resolv/herror.c) AC_PREREQ(2.13) @@ -319,16 +319,68 @@ sinclude(../../config.threads.in)dnl if $use_threads then + if test "X$GCC" = "Xyes"; then + case "$host" in + *-freebsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-openbsd*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + LIBS="$LIBS -lthread" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + esac + else + case $host in + *-dec-osf*) + CC="$CC -pthread" + CCOPT="$CCOPT -pthread" + ;; + *-solaris*) + CC="$CC -mt" + CCOPT="$CCOPT -mt" + ;; + *-ibm-aix*) + STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" + ;; + *-UnixWare*) + CC="$CC -Kthread" + CCOPT="$CCOPT -Kthread" + ;; + esac + fi + AC_DEFINE(_REENTRANT) + ALWAYS_DEFINES="-D_REENTRANT" + DO_PTHREADS="#define DO_PTHREADS 1" + WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}" + WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}" + case $host in + ia64-hp-hpux11.*) + WANT_IRS_THREADS_OBJS="";; + *) + WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";; + esac + WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}" + thread_dir=pthreads + # # We'd like to use sigwait() too # - AC_CHECK_LIB(c, sigwait, - AC_DEFINE(HAVE_SIGWAIT), - AC_CHECK_LIB(pthread, sigwait, - AC_DEFINE(HAVE_SIGWAIT), - AC_CHECK_LIB(pthread, _Psigwait, - AC_DEFINE(HAVE_SIGWAIT),)) - ) + AC_CHECK_FUNC(sigwait, + AC_DEFINE(HAVE_SIGWAIT), + AC_CHECK_LIB(c, sigwait, + AC_DEFINE(HAVE_SIGWAIT), + AC_CHECK_LIB(pthread, sigwait, + AC_DEFINE(HAVE_SIGWAIT), + AC_CHECK_LIB(pthread, _Psigwait, + AC_DEFINE(HAVE_SIGWAIT),)))) AC_CHECK_FUNC(pthread_attr_getstacksize, AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),) @@ -388,56 +440,6 @@ then # AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),) - if test "X$GCC" = "Xyes"; then - case "$host" in - *-freebsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-openbsd*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - LIBS="$LIBS -lthread" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - esac - else - case $host in - *-dec-osf*) - CC="$CC -pthread" - CCOPT="$CCOPT -pthread" - ;; - *-solaris*) - CC="$CC -mt" - CCOPT="$CCOPT -mt" - ;; - *-ibm-aix*) - STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE" - ;; - *-UnixWare*) - CC="$CC -Kthread" - CCOPT="$CCOPT -Kthread" - ;; - esac - fi - AC_DEFINE(_REENTRANT) - ALWAYS_DEFINES="-D_REENTRANT" - DO_PTHREADS="#define DO_PTHREADS 1" - WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}" - WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}" - case $host in - ia64-hp-hpux11.*) - WANT_IRS_THREADS_OBJS="";; - *) - WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";; - esac - WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}" - thread_dir=pthreads else ALWAYS_DEFINES="" DO_PTHREADS="#undef DO_PTHREADS" @@ -2412,7 +2414,7 @@ esac case "$hack_shutup_in6addr_init_macros" in yes) - AC_DEFINE(BROKEN_IN6ADDR_INIT_MACROS) + AC_DEFINE(BROKEN_IN6ADDR_INIT_MACROS, 1, [Defined if IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT need to be redefined.] ) ;; esac diff --git a/ltmain.sh b/ltmain.sh index 718b2103b4..48f55455cf 100644 --- a/ltmain.sh +++ b/ltmain.sh @@ -1488,9 +1488,17 @@ EOF ;; -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe) - case "$archive_cmds" in - *"\$LD"*) ;; - *) deplibs="$deplibs $arg";; + case $host in + *-*-freebsd*) + compile_command="$compile_command $arg" + finalize_command="$finalize_command $arg" + ;; + *) + case "$archive_cmds" in + *"\$LD"*) ;; + *) deplibs="$deplibs $arg";; + esac + ;; esac continue ;; From e26753c761c6aa2f3ad940a4e75caefed9beb628 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 23:17:49 +0000 Subject: [PATCH 346/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 3f2d41262f..b3f7bfa0eb 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -53,6 +53,7 @@ rt16218 new rt16219 new rt16220 new rt16220a new +rt16290 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From 4362a33f2882b1a03ed14e31557f919ae8a01653 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 23:30:04 +0000 Subject: [PATCH 347/465] newcopyrights --- util/copyrights | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/util/copyrights b/util/copyrights index 172d8731e8..19fd7d59f7 100644 --- a/util/copyrights +++ b/util/copyrights @@ -201,7 +201,7 @@ ./bin/tests/.cvsignore X 1999,2000,2001 ./bin/tests/Kchild.example.+003+04017.key X 2000,2001 ./bin/tests/Kchild.example.+003+04017.private X 2000,2001 -./bin/tests/Makefile.in MAKE 1998,1999,2000,2001,2002,2004 +./bin/tests/Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2006 ./bin/tests/adb_test.c C 1999,2000,2001,2004,2005 ./bin/tests/b8t.mk MAKE 1999,2000,2001,2004 ./bin/tests/b9t.mk MAKE 1999,2000,2001,2004 @@ -776,7 +776,7 @@ ./config.h.in X 1999,2000,2001,2005,2006 ./config.h.win32 C 1999,2000,2001,2004,2006 ./config.sub X 1999,2000,2001 -./config.threads.in X 2005 +./config.threads.in X 2005,2006 ./configure X 1998,1999,2000,2001,2005,2006 ./configure.in SH 1998,1999,2000,2001,2002,2003,2004,2005,2006 ./conftools/perllib/dnsconf/DNSConf-macros.h C 2000,2001,2004 @@ -1170,7 +1170,7 @@ ./lib/bind/bsd/strtoul.c X 2001 ./lib/bind/bsd/utimes.c X 2001 ./lib/bind/bsd/writev.c X 2001 -./lib/bind/config.h.in X 2001,2005 +./lib/bind/config.h.in X 2001,2005,2006 ./lib/bind/configure X 2001,2005,2006 ./lib/bind/configure.in SH 2001,2004,2005,2006 ./lib/bind/dst/.cvsignore X 2001 @@ -1691,7 +1691,7 @@ ./lib/dns/rbtdb.h C 1999,2000,2001,2004 ./lib/dns/rbtdb64.c C 1999,2000,2001,2004 ./lib/dns/rbtdb64.h C 1999,2000,2001,2004 -./lib/dns/rdata.c C 1998,1999,2000,2001,2002,2003,2004,2005 +./lib/dns/rdata.c C 1998,1999,2000,2001,2002,2003,2004,2005,2006 ./lib/dns/rdata/any_255/tsig_250.c C 1999,2000,2001,2003,2004,2005 ./lib/dns/rdata/any_255/tsig_250.h C 1999,2000,2001,2004 ./lib/dns/rdata/generic/afsdb_18.c C 1999,2000,2001,2003,2004 @@ -2240,7 +2240,7 @@ ./lib/win32/bindevt/bindevt.mak X 2001 ./lib/win32/bindevt/bindevt.mc MC 2001,2004 ./libtool.m4 X 2000,2001,2006 -./ltmain.sh X 1999,2000,2001 +./ltmain.sh X 1999,2000,2001,2006 ./make/.cvsignore X 1999,2000,2001 ./make/Makefile.in MAKE 1998,1999,2000,2001,2004 ./make/includes.in MAKE 1999,2000,2001,2004 From 282e38d96feb488fddbbc0b0409491094786977f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Jul 2006 23:30:28 +0000 Subject: [PATCH 348/465] newcopyrights --- util/copyrights | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/util/copyrights b/util/copyrights index f3b6210eaf..b24ccb955c 100644 --- a/util/copyrights +++ b/util/copyrights @@ -187,7 +187,7 @@ ./bin/tests/.cvsignore X 1999,2000,2001 ./bin/tests/Kchild.example.+003+04017.key X 2000,2001 ./bin/tests/Kchild.example.+003+04017.private X 2000,2001 -./bin/tests/Makefile.in MAKE 1998,1999,2000,2001,2002,2003,2004,2005 +./bin/tests/Makefile.in MAKE 1998,1999,2000,2001,2002,2003,2004,2005,2006 ./bin/tests/adb_test.c C 1999,2000,2001,2004,2005 ./bin/tests/b8t.mk MAKE 1999,2000,2001,2004 ./bin/tests/b9t.mk MAKE 1999,2000,2001,2004 @@ -858,7 +858,7 @@ ./config.h.in X 1999,2000,2001,2005,2006 ./config.h.win32 C 1999,2000,2001,2004,2006 ./config.sub X 1999,2000,2001 -./config.threads.in X 2005 +./config.threads.in X 2005,2006 ./configure X 1998,1999,2000,2001,2005,2006 ./configure.in SH 1998,1999,2000,2001,2002,2003,2004,2005,2006 ./conftools/perllib/dnsconf/DNSConf-macros.h C 2000,2001,2004 @@ -1292,7 +1292,7 @@ ./lib/bind/bsd/strtoul.c X 2001,2005 ./lib/bind/bsd/utimes.c X 2001,2005 ./lib/bind/bsd/writev.c X 2001,2005 -./lib/bind/config.h.in X 2001,2005 +./lib/bind/config.h.in X 2001,2005,2006 ./lib/bind/configure X 2001,2005,2006 ./lib/bind/configure.in SH 2001,2004,2005,2006 ./lib/bind/dst/.cvsignore X 2001 @@ -1846,7 +1846,7 @@ ./lib/dns/rbtdb64.c C 1999,2000,2001,2004,2005 ./lib/dns/rbtdb64.h C 1999,2000,2001,2004,2005 ./lib/dns/rcode.c C 1998,1999,2000,2001,2002,2003,2004,2005,2006 -./lib/dns/rdata.c C 1998,1999,2000,2001,2002,2003,2004,2005 +./lib/dns/rdata.c C 1998,1999,2000,2001,2002,2003,2004,2005,2006 ./lib/dns/rdata/any_255/tsig_250.c C 1999,2000,2001,2002,2003,2004,2005 ./lib/dns/rdata/any_255/tsig_250.h C 1999,2000,2001,2004,2005 ./lib/dns/rdata/ch_3/a_1.c C 2005 @@ -2447,7 +2447,7 @@ ./lib/win32/bindevt/bindevt.mak X 2001 ./lib/win32/bindevt/bindevt.mc MC 2001,2004 ./libtool.m4 X 2000,2001,2006 -./ltmain.sh X 1999,2000,2001 +./ltmain.sh X 1999,2000,2001,2006 ./make/.cvsignore X 1999,2000,2001 ./make/Makefile.in MAKE 1998,1999,2000,2001,2004 ./make/includes.in MAKE 1999,2000,2001,2004,2005 From 60c4b0e960932596a87f0e456637c63778efd4d7 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 Jul 2006 02:05:55 +0000 Subject: [PATCH 349/465] update copyright notice --- bin/tests/Makefile.in | 4 ++-- lib/dns/rdata.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in index 8ff7cad31f..3a8bfab3cd 100644 --- a/bin/tests/Makefile.in +++ b/bin/tests/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.113.2.5 2006/07/20 06:06:39 marka Exp $ +# $Id: Makefile.in,v 1.113.2.6 2006/07/21 02:05:55 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c index 0089f1e619..4114e2486d 100644 --- a/lib/dns/rdata.c +++ b/lib/dns/rdata.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdata.c,v 1.147.2.17 2006/07/20 03:24:59 marka Exp $ */ +/* $Id: rdata.c,v 1.147.2.18 2006/07/21 02:05:55 marka Exp $ */ #include #include From 7ad89b5ecd8945a9d19e7980fe88348b4ecfa84a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 Jul 2006 02:05:58 +0000 Subject: [PATCH 350/465] update copyright notice --- bin/tests/Makefile.in | 4 ++-- lib/dns/rdata.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in index decd9ff8c8..f071b71a6e 100644 --- a/bin/tests/Makefile.in +++ b/bin/tests/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2003 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.126 2006/07/20 05:39:08 marka Exp $ +# $Id: Makefile.in,v 1.127 2006/07/21 02:05:58 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c index 8b46d04acf..69fca4dad6 100644 --- a/lib/dns/rdata.c +++ b/lib/dns/rdata.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdata.c,v 1.192 2006/07/20 03:21:10 marka Exp $ */ +/* $Id: rdata.c,v 1.193 2006/07/21 02:05:58 marka Exp $ */ /*! \file */ From f3902e428c5c7b0c16874e0acf7ab6ade98d31f2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 Jul 2006 07:11:56 +0000 Subject: [PATCH 351/465] add lib/isccfg/include --- bin/check/check-tool.c | 228 +++++++++++++++++++++-------- bin/check/win32/namedcheckconf.dsp | 4 +- bin/check/win32/namedcheckconf.mak | 4 +- bin/check/win32/namedcheckzone.dsp | 4 +- bin/check/win32/namedcheckzone.mak | 4 +- 5 files changed, 172 insertions(+), 72 deletions(-) diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c index 998a1516a0..cb98066eed 100644 --- a/bin/check/check-tool.c +++ b/bin/check/check-tool.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.c,v 1.25 2006/06/07 02:28:28 marka Exp $ */ +/* $Id: check-tool.c,v 1.26 2006/07/21 07:11:56 marka Exp $ */ /*! \file */ @@ -33,7 +33,9 @@ #include #include #include +#include #include +#include #include #include @@ -61,6 +63,15 @@ goto cleanup; \ } while (0) +#define ERR_IS_CNAME 1 +#define ERR_NO_ADDRESSES 2 +#define ERR_LOOKUP_FAILURE 3 +#define ERR_EXTRA_A 4 +#define ERR_EXTRA_AAAA 5 +#define ERR_MISSING_GLUE 5 +#define ERR_IS_MXCNAME 6 +#define ERR_IS_SRVCNAME 7 + static const char *dbtype[] = { "rbt" }; int debug = 0; @@ -91,6 +102,58 @@ static isc_logcategory_t categories[] = { { NULL, 0 } }; +static isc_symtab_t *symtab = NULL; +static isc_mem_t *sym_mctx; + +static void +freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) { + UNUSED(type); + UNUSED(value); + isc_mem_free(userarg, key); +} + +static void +add(char *key, int value) { + isc_result_t result; + isc_symvalue_t symvalue; + + if (sym_mctx == NULL) { + result = isc_mem_create(0, 0, &sym_mctx); + if (result != ISC_R_SUCCESS) + return; + } + + if (symtab == NULL) { + result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx, + ISC_FALSE, &symtab); + if (result != ISC_R_SUCCESS) + return; + } + + key = isc_mem_strdup(sym_mctx, key); + if (key == NULL) + return; + + symvalue.as_pointer = NULL; + result = isc_symtab_define(symtab, key, value, symvalue, + isc_symexists_reject); + if (result != ISC_R_SUCCESS) + isc_mem_free(sym_mctx, key); +} + +static isc_boolean_t +logged(char *key, int value) { + isc_result_t result; + + if (symtab == NULL) + return (ISC_FALSE); + + result = isc_symtab_lookup(symtab, key, value, NULL); + if (result == ISC_R_SUCCESS) + return (ISC_TRUE); + return (ISC_FALSE); +} + static isc_boolean_t checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner, dns_rdataset_t *a, dns_rdataset_t *aaaa) @@ -125,34 +188,43 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner, if (dns_name_countlabels(name) > 1U) strcat(namebuf, "."); dns_name_format(owner, ownerbuf, sizeof(ownerbuf)); - + result = getaddrinfo(namebuf, NULL, &hints, &ai); dns_name_format(name, namebuf, sizeof(namebuf) - 1); switch (result) { case 0: - if (strcasecmp(ai->ai_canonname, namebuf) != 0) { + if (strcasecmp(ai->ai_canonname, namebuf) != 0 && + !logged(namebuf, ERR_IS_CNAME)) { dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' (out of zone) " "is a CNAME (illegal)", ownerbuf, namebuf); /* XXX950 make fatal for 9.5.0 */ /* answer = ISC_FALSE; */ + add(namebuf, ERR_IS_CNAME); } break; case EAI_NONAME: #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) case EAI_NODATA: #endif - dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' (out of zone) " - "has no addresses records (A or AAAA)", - ownerbuf, namebuf); + if (!logged(namebuf, ERR_NO_ADDRESSES)) { + dns_zone_log(zone, ISC_LOG_ERROR, + "%s/NS '%s' (out of zone) " + "has no addresses records (A or AAAA)", + ownerbuf, namebuf); + add(namebuf, ERR_NO_ADDRESSES); + } /* XXX950 make fatal for 9.5.0 */ return (ISC_TRUE); default: - dns_zone_log(zone, ISC_LOG_WARNING, - "getaddrinfo(%s) failed: %s", - namebuf, gai_strerror(result)); + if (!logged(namebuf, ERR_LOOKUP_FAILURE)) { + dns_zone_log(zone, ISC_LOG_WARNING, + "getaddrinfo(%s) failed: %s", + namebuf, gai_strerror(result)); + add(namebuf, ERR_LOOKUP_FAILURE); + } return (ISC_TRUE); } if (a == NULL || aaaa == NULL) @@ -175,12 +247,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner, break; } } - if (!match) { + if (!match && !logged(namebuf, ERR_EXTRA_A)) { dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " "extra GLUE A record (%s)", ownerbuf, namebuf, inet_ntop(AF_INET, rdata.data, addrbuf, sizeof(addrbuf))); + add(namebuf, ERR_EXTRA_A); /* XXX950 make fatal for 9.5.0 */ /* answer = ISC_FALSE; */ } @@ -204,12 +277,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner, break; } } - if (!match) { + if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) { dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " "extra GLUE AAAA record (%s)", ownerbuf, namebuf, inet_ntop(AF_INET6, rdata.data, addrbuf, sizeof(addrbuf))); + add(namebuf, ERR_EXTRA_AAAA); /* XXX950 make fatal for 9.5.0. */ /* answer = ISC_FALSE; */ } @@ -221,42 +295,48 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner, /* * Check that all addresses appear in the glue. */ - for (cur = ai; cur != NULL; cur = cur->ai_next) { - switch (cur->ai_family) { - case AF_INET: - rdataset = a; - ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr; - type = "A"; - break; - case AF_INET6: - rdataset = aaaa; - ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr; - type = "AAAA"; - break; - default: - continue; - } - match = ISC_FALSE; - if (dns_rdataset_isassociated(rdataset)) - result = dns_rdataset_first(rdataset); - else - result = ISC_R_FAILURE; - while (result == ISC_R_SUCCESS && !match) { - dns_rdataset_current(rdataset, &rdata); - if (memcmp(ptr, rdata.data, rdata.length) == 0) - match = ISC_TRUE; - dns_rdata_reset(&rdata); - result = dns_rdataset_next(rdataset); - } - if (!match) { - dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " - "missing GLUE %s record (%s)", - ownerbuf, namebuf, type, - inet_ntop(cur->ai_family, ptr, - addrbuf, sizeof(addrbuf))); - /* XXX950 make fatal for 9.5.0. */ - /* answer = ISC_FALSE; */ + if (!logged(namebuf, ERR_MISSING_GLUE)) { + isc_boolean_t missing_glue = ISC_FALSE; + for (cur = ai; cur != NULL; cur = cur->ai_next) { + switch (cur->ai_family) { + case AF_INET: + rdataset = a; + ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr; + type = "A"; + break; + case AF_INET6: + rdataset = aaaa; + ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr; + type = "AAAA"; + break; + default: + continue; + } + match = ISC_FALSE; + if (dns_rdataset_isassociated(rdataset)) + result = dns_rdataset_first(rdataset); + else + result = ISC_R_FAILURE; + while (result == ISC_R_SUCCESS && !match) { + dns_rdataset_current(rdataset, &rdata); + if (memcmp(ptr, rdata.data, rdata.length) == 0) + match = ISC_TRUE; + dns_rdata_reset(&rdata); + result = dns_rdataset_next(rdataset); + } + if (!match) { + dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " + "missing GLUE %s record (%s)", + ownerbuf, namebuf, type, + inet_ntop(cur->ai_family, ptr, + addrbuf, sizeof(addrbuf))); + /* XXX950 make fatal for 9.5.0. */ + /* answer = ISC_FALSE; */ + missing_glue = ISC_TRUE; + } } + if (missing_glue) + add(namebuf, ERR_MISSING_GLUE); } freeaddrinfo(ai); return (answer); @@ -297,10 +377,13 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) { if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0) level = ISC_LOG_WARNING; if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) { - dns_zone_log(zone, ISC_LOG_WARNING, - "%s/MX '%s' (out of zone) " - "is a CNAME (illegal)", - ownerbuf, namebuf); + if (!logged(namebuf, ERR_IS_MXCNAME)) { + dns_zone_log(zone, level, + "%s/MX '%s' (out of zone)" + " is a CNAME (illegal)", + ownerbuf, namebuf); + add(namebuf, ERR_IS_MXCNAME); + } if (level == ISC_LOG_ERROR) answer = ISC_FALSE; } @@ -312,16 +395,23 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) { #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) case EAI_NODATA: #endif - dns_zone_log(zone, ISC_LOG_ERROR, "%s/MX '%s' (out of zone) " - "has no addresses records (A or AAAA)", - ownerbuf, namebuf); + if (!logged(namebuf, ERR_NO_ADDRESSES)) { + dns_zone_log(zone, ISC_LOG_ERROR, + "%s/MX '%s' (out of zone) " + "has no addresses records (A or AAAA)", + ownerbuf, namebuf); + add(namebuf, ERR_NO_ADDRESSES); + } /* XXX950 make fatal for 9.5.0. */ return (ISC_TRUE); default: - dns_zone_log(zone, ISC_LOG_WARNING, + if (!logged(namebuf, ERR_LOOKUP_FAILURE)) { + dns_zone_log(zone, ISC_LOG_WARNING, "getaddrinfo(%s) failed: %s", namebuf, gai_strerror(result)); + add(namebuf, ERR_LOOKUP_FAILURE); + } return (ISC_TRUE); } #else @@ -361,10 +451,13 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) { if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0) level = ISC_LOG_WARNING; if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) { - dns_zone_log(zone, level, - "%s/SRV '%s' (out of zone) " - "is a CNAME (illegal)", - ownerbuf, namebuf); + if (!logged(namebuf, ERR_IS_SRVCNAME)) { + dns_zone_log(zone, level, "%s/SRV '%s'" + " (out of zone) is a " + "CNAME (illegal)", + ownerbuf, namebuf); + add(namebuf, ERR_IS_SRVCNAME); + } if (level == ISC_LOG_ERROR) answer = ISC_FALSE; } @@ -376,16 +469,23 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) { #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) case EAI_NODATA: #endif - dns_zone_log(zone, ISC_LOG_ERROR, "%s/SRV '%s' (out of zone) " - "has no addresses records (A or AAAA)", - ownerbuf, namebuf); + if (!logged(namebuf, ERR_NO_ADDRESSES)) { + dns_zone_log(zone, ISC_LOG_ERROR, + "%s/SRV '%s' (out of zone) " + "has no addresses records (A or AAAA)", + ownerbuf, namebuf); + add(namebuf, ERR_NO_ADDRESSES); + } /* XXX950 make fatal for 9.5.0. */ return (ISC_TRUE); default: - dns_zone_log(zone, ISC_LOG_WARNING, - "getaddrinfo(%s) failed: %s", - namebuf, gai_strerror(result)); + if (!logged(namebuf, ERR_LOOKUP_FAILURE)) { + dns_zone_log(zone, ISC_LOG_WARNING, + "getaddrinfo(%s) failed: %s", + namebuf, gai_strerror(result)); + add(namebuf, ERR_LOOKUP_FAILURE); + } return (ISC_TRUE); } #else diff --git a/bin/check/win32/namedcheckconf.dsp b/bin/check/win32/namedcheckconf.dsp index d282fdb2f9..b8616f6962 100644 --- a/bin/check/win32/namedcheckconf.dsp +++ b/bin/check/win32/namedcheckconf.dsp @@ -42,7 +42,7 @@ RSC=rc.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c -# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c # ADD BASE RSC /l 0x409 /d "NDEBUG" # ADD RSC /l 0x409 /d "NDEBUG" BSC32=bscmake.exe @@ -66,7 +66,7 @@ LINK32=link.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c -# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c # SUBTRACT CPP /X /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" diff --git a/bin/check/win32/namedcheckconf.mak b/bin/check/win32/namedcheckconf.mak index f4ccefc975..65fe67fa02 100644 --- a/bin/check/win32/namedcheckconf.mak +++ b/bin/check/win32/namedcheckconf.mak @@ -62,7 +62,7 @@ CLEAN : "$(OUTDIR)" : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" -CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c +CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c BSC32=bscmake.exe BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" BSC32_SBRS= \ @@ -125,7 +125,7 @@ CLEAN : "$(OUTDIR)" : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" -CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c +CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c BSC32=bscmake.exe BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" BSC32_SBRS= \ diff --git a/bin/check/win32/namedcheckzone.dsp b/bin/check/win32/namedcheckzone.dsp index c5aa91456f..c1c1166c6d 100644 --- a/bin/check/win32/namedcheckzone.dsp +++ b/bin/check/win32/namedcheckzone.dsp @@ -42,7 +42,7 @@ RSC=rc.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c -# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /YX /FD /c # SUBTRACT CPP /Fr # ADD BASE RSC /l 0x409 /d "NDEBUG" # ADD RSC /l 0x409 /d "NDEBUG" @@ -67,7 +67,7 @@ LINK32=link.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c -# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c # SUBTRACT CPP /X /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" diff --git a/bin/check/win32/namedcheckzone.mak b/bin/check/win32/namedcheckzone.mak index 0e25c6ebf0..51bfda4cf1 100644 --- a/bin/check/win32/namedcheckzone.mak +++ b/bin/check/win32/namedcheckzone.mak @@ -54,7 +54,7 @@ CLEAN : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" CPP=cl.exe -CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\namedcheckzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c +CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\namedcheckzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c .c{$(INTDIR)}.obj:: $(CPP) @<< @@ -142,7 +142,7 @@ CLEAN : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" CPP=cl.exe -CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c +CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c .c{$(INTDIR)}.obj:: $(CPP) @<< From 719d9230e4559387abb21c8fad7c0c2f84bdda8b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 Jul 2006 07:43:11 +0000 Subject: [PATCH 352/465] add libisccfg.lib --- bin/check/win32/namedcheckconf.dsp | 4 ++-- bin/check/win32/namedcheckconf.mak | 4 ++-- bin/check/win32/namedcheckzone.dsp | 4 ++-- bin/check/win32/namedcheckzone.mak | 6 ++++-- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/bin/check/win32/namedcheckconf.dsp b/bin/check/win32/namedcheckconf.dsp index b8616f6962..f0efd2df89 100644 --- a/bin/check/win32/namedcheckconf.dsp +++ b/bin/check/win32/namedcheckconf.dsp @@ -42,7 +42,7 @@ RSC=rc.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c -# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c # ADD BASE RSC /l 0x409 /d "NDEBUG" # ADD RSC /l 0x409 /d "NDEBUG" BSC32=bscmake.exe @@ -66,7 +66,7 @@ LINK32=link.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c -# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c # SUBTRACT CPP /X /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" diff --git a/bin/check/win32/namedcheckconf.mak b/bin/check/win32/namedcheckconf.mak index 65fe67fa02..138dbe9bcf 100644 --- a/bin/check/win32/namedcheckconf.mak +++ b/bin/check/win32/namedcheckconf.mak @@ -62,7 +62,7 @@ CLEAN : "$(OUTDIR)" : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" -CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c +CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c BSC32=bscmake.exe BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" BSC32_SBRS= \ @@ -125,7 +125,7 @@ CLEAN : "$(OUTDIR)" : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" -CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c +CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c BSC32=bscmake.exe BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" BSC32_SBRS= \ diff --git a/bin/check/win32/namedcheckzone.dsp b/bin/check/win32/namedcheckzone.dsp index c1c1166c6d..0651f61bd6 100644 --- a/bin/check/win32/namedcheckzone.dsp +++ b/bin/check/win32/namedcheckzone.dsp @@ -51,7 +51,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 -# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkzone.exe" +# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkzone.exe" !ELSEIF "$(CFG)" == "namedcheckzone - Win32 Debug" @@ -76,7 +76,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept -# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept +# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept !ENDIF diff --git a/bin/check/win32/namedcheckzone.mak b/bin/check/win32/namedcheckzone.mak index 51bfda4cf1..2adab88233 100644 --- a/bin/check/win32/namedcheckzone.mak +++ b/bin/check/win32/namedcheckzone.mak @@ -92,11 +92,12 @@ BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckzone.bsc" BSC32_SBRS= \ LINK32=link.exe -LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named-checkzone.pdb" /machine:I386 /out:"../../../Build/Release/named-checkzone.exe" +LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named-checkzone.pdb" /machine:I386 /out:"../../../Build/Release/named-checkzone.exe" LINK32_OBJS= \ "$(INTDIR)\check-tool.obj" \ "$(INTDIR)\named-checkzone.obj" \ "..\..\..\lib\dns\win32\Release\libdns.lib" \ + "..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \ "..\..\..\lib\isc\win32\Release\libisc.lib" "..\..\..\Build\Release\named-checkzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS) @@ -187,11 +188,12 @@ BSC32_SBRS= \ << LINK32=link.exe -LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named-checkzone.pdb" /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept +LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named-checkzone.pdb" /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept LINK32_OBJS= \ "$(INTDIR)\check-tool.obj" \ "$(INTDIR)\named-checkzone.obj" \ "..\..\..\lib\dns\win32\Debug\libdns.lib" \ + "..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \ "..\..\..\lib\isc\win32\Debug\libisc.lib" "..\..\..\Build\Debug\named-checkzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS) From b6617c5adad7f12e5fcde1e873f7b982d247fe05 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 Jul 2006 23:30:25 +0000 Subject: [PATCH 353/465] newcopyrights --- util/copyrights | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/util/copyrights b/util/copyrights index b24ccb955c..eac79b6fbd 100644 --- a/util/copyrights +++ b/util/copyrights @@ -22,12 +22,12 @@ ./bin/check/named-checkzone.c C 1999,2000,2001,2002,2003,2004,2005,2006 ./bin/check/named-checkzone.docbook SGML 2000,2001,2002,2004,2005,2006 ./bin/check/named-checkzone.html HTML DOCBOOK -./bin/check/win32/namedcheckconf.dsp X 2001,2005 +./bin/check/win32/namedcheckconf.dsp X 2001,2005,2006 ./bin/check/win32/namedcheckconf.dsw X 2001 -./bin/check/win32/namedcheckconf.mak X 2001,2005 -./bin/check/win32/namedcheckzone.dsp X 2001,2005 +./bin/check/win32/namedcheckconf.mak X 2001,2005,2006 +./bin/check/win32/namedcheckzone.dsp X 2001,2005,2006 ./bin/check/win32/namedcheckzone.dsw X 2001 -./bin/check/win32/namedcheckzone.mak X 2001,2005 +./bin/check/win32/namedcheckzone.mak X 2001,2005,2006 ./bin/dig/.cvsignore X 2000,2001 ./bin/dig/Makefile.in MAKE 2000,2001,2002,2004,2005 ./bin/dig/dig.1 MAN DOCBOOK From f02b985650a6f1277a3a45f18561d519916c1890 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 Jul 2006 23:38:16 +0000 Subject: [PATCH 354/465] 2055. [bug] Missing goto after dropping multicast query. [RT #15944] --- CHANGES | 3 +++ bin/named/client.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index aa39353f9c..430006a27e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2055. [bug] Missing goto after dropping multicast query. + [RT #15944] + 2054. [port] freebsd: do not explicitly link against -lpthread. [RT #16170] diff --git a/bin/named/client.c b/bin/named/client.c index af518ff51a..25551c4b56 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.237 2006/06/04 23:59:33 marka Exp $ */ +/* $Id: client.c,v 1.238 2006/07/21 23:38:16 marka Exp $ */ #include @@ -1409,6 +1409,7 @@ client_request(isc_task_t *task, isc_event_t *event) { NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), "dropping multicast request"); ns_client_next(client, DNS_R_REFUSED); + goto cleanup; } result = dns_message_peekheader(buffer, &id, &flags); From a76a23d97e0f450e1cea44fba01a2d72d455223d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 Jul 2006 23:44:36 +0000 Subject: [PATCH 355/465] 2055. [bug] Missing goto after dropping multicast query. [RT #15944] --- CHANGES | 3 +++ bin/named/client.c | 7 +++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 0910dc942f..6cb8818259 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2055. [bug] Missing goto after dropping multicast query. + [RT #15944] + 2054. [port] freebsd: do not explicitly link against -lpthread. [RT #16170] diff --git a/bin/named/client.c b/bin/named/client.c index 49b4e2e91d..1528d8ff2f 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.176.2.22 2006/01/04 23:50:16 marka Exp $ */ +/* $Id: client.c,v 1.176.2.23 2006/07/21 23:44:36 marka Exp $ */ #include @@ -1252,9 +1252,8 @@ client_request(isc_task_t *task, isc_event_t *event) { ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), "multicast request"); -#if 0 - ns_client_error(client, DNS_R_REFUSED); -#endif + ns_client_next(client, DNS_R_REFUSED); + goto cleanup; } result = dns_message_peekheader(buffer, &id, &flags); From 2b67af24fa02867fbc703e89277400b10d0c8b92 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 Jul 2006 23:50:15 +0000 Subject: [PATCH 356/465] 2056. [bug] dig: ixfr= was not being treated case insensitively at all times. [RT #15955] --- CHANGES | 3 +++ bin/dig/dig.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 430006a27e..102d517c08 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2056. [bug] dig: ixfr= was not being treated case insensitively + at all times. [RT #15955] + 2055. [bug] Missing goto after dropping multicast query. [RT #15944] diff --git a/bin/dig/dig.c b/bin/dig/dig.c index ac35558212..bf371df41f 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.212 2006/05/15 06:10:58 marka Exp $ */ +/* $Id: dig.c,v 1.213 2006/07/21 23:50:15 marka Exp $ */ /*! \file */ @@ -1571,7 +1571,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, * Anything which isn't an option */ if (open_type_class) { - if (strncmp(rv[0], "ixfr=", 5) == 0) { + if (strncasecmp(rv[0], "ixfr=", 5) == 0) { rdtype = dns_rdatatype_ixfr; result = ISC_R_SUCCESS; } else { From f3b21f257d306bac4a1c234e8c20ec0f6a31c2c6 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 Jul 2006 23:53:16 +0000 Subject: [PATCH 357/465] 2056. [bug] dig: ixfr= was not being treated case insensitively at all times. [RT #15955] --- CHANGES | 3 +++ bin/dig/dig.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 6cb8818259..9b94492f34 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2056. [bug] dig: ixfr= was not being treated case insensitively + at all times. [RT #15955] + 2055. [bug] Missing goto after dropping multicast query. [RT #15944] diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 270a2c5ef7..20d61491e3 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.157.2.20 2005/07/04 03:22:02 marka Exp $ */ +/* $Id: dig.c,v 1.157.2.21 2006/07/21 23:53:16 marka Exp $ */ #include #include @@ -1175,7 +1175,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, * Anything which isn't an option */ if (open_type_class) { - if (strncmp(rv[0], "ixfr=", 5) == 0) { + if (strncasecmp(rv[0], "ixfr=", 5) == 0) { rdtype = dns_rdatatype_ixfr; result = ISC_R_SUCCESS; } else { From 6953fd6e20fddcb6389e642aa872cb7425a95f6d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 22 Jul 2006 01:00:04 +0000 Subject: [PATCH 358/465] 2057. [bug] Make setting "ra" dependent on both allow-query-cache and allow-recursion. [RT #16290] --- CHANGES | 3 +++ bin/named/client.c | 7 +++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 102d517c08..0e3f3d8a66 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2057. [bug] Make setting "ra" dependent on both allow-query-cache + and allow-recursion. [RT #16290] + 2056. [bug] dig: ixfr= was not being treated case insensitively at all times. [RT #15955] diff --git a/bin/named/client.c b/bin/named/client.c index 25551c4b56..20f8b79d67 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.238 2006/07/21 23:38:16 marka Exp $ */ +/* $Id: client.c,v 1.239 2006/07/22 01:00:04 marka Exp $ */ #include @@ -1700,12 +1700,15 @@ client_request(isc_task_t *task, isc_event_t *event) { * Decide whether recursive service is available to this client. * We do this here rather than in the query code so that we can * set the RA bit correctly on all kinds of responses, not just - * responses to ordinary queries. + * responses to ordinary queries. Note if you can't query the + * cache there is no point in setting RA. */ ra = ISC_FALSE; if (client->view->resolver != NULL && client->view->recursion == ISC_TRUE && ns_client_checkaclsilent(client, client->view->recursionacl, + ISC_TRUE) == ISC_R_SUCCESS && + ns_client_checkaclsilent(client, client->view->queryacl, ISC_TRUE) == ISC_R_SUCCESS) ra = ISC_TRUE; From 1f6482d821c12a2cbf97d268d7ea8848c50419a3 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 22 Jul 2006 01:09:04 +0000 Subject: [PATCH 359/465] 2057. [bug] Make setting "ra" dependent on both allow-query and allow-recursion. [RT #16290] --- CHANGES | 3 +++ bin/named/client.c | 6 ++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 9b94492f34..801224127c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2057. [bug] Make setting "ra" dependent on both allow-query and + allow-recursion. [RT #16290] + 2056. [bug] dig: ixfr= was not being treated case insensitively at all times. [RT #15955] diff --git a/bin/named/client.c b/bin/named/client.c index 1528d8ff2f..e2fef58462 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.176.2.23 2006/07/21 23:44:36 marka Exp $ */ +/* $Id: client.c,v 1.176.2.24 2006/07/22 01:09:04 marka Exp $ */ #include @@ -1501,7 +1501,9 @@ client_request(isc_task_t *task, isc_event_t *event) { /* XXX this will log too much too early */ ns_client_checkacl(client, "recursion available:", client->view->recursionacl, - ISC_TRUE, ISC_LOG_DEBUG(1)) == ISC_R_SUCCESS) + ISC_TRUE, ISC_LOG_DEBUG(1)) == ISC_R_SUCCESS && + ns_client_checkaclsilent(client, client->view->queryacl, + ISC_TRUE) == ISC_R_SUCCESS) ra = ISC_TRUE; if (ra == ISC_TRUE) From 84f5576c149ed0cf18555bcd7cf1ffbe491bb08f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 22 Jul 2006 01:18:35 +0000 Subject: [PATCH 360/465] 2058. [bug] Adjust how we calculate rtt estimates in the presence of authoritative servers that drop EDNS and CD requests. Also fallback to EDNS/512 and plain DNS faster for zones with less than 3 servers. [RT #16187] --- CHANGES | 5 ++ lib/dns/resolver.c | 124 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 112 insertions(+), 17 deletions(-) diff --git a/CHANGES b/CHANGES index 0e3f3d8a66..58bdc9f50c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +2058. [bug] Adjust how we calculate rtt estimates in the presence + of authoritative servers that drop EDNS and CD + requests. Also fallback to EDNS/512 and plain DNS + faster for zones with less than 3 servers. [RT #16187] + 2057. [bug] Make setting "ra" dependent on both allow-query-cache and allow-recursion. [RT #16290] diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index d8075a57db..483c159b23 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.331 2006/05/18 00:51:02 marka Exp $ */ +/* $Id: resolver.c,v 1.332 2006/07/22 01:18:35 marka Exp $ */ /*! \file */ @@ -190,6 +190,8 @@ struct fetchctx { isc_sockaddrlist_t forwarders; dns_fwdpolicy_t fwdpolicy; isc_sockaddrlist_t bad; + isc_sockaddrlist_t edns; + isc_sockaddrlist_t edns512; ISC_LIST(dns_validator_t) validators; dns_db_t * cache; dns_adb_t * adb; @@ -570,8 +572,7 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp, * slow. We don't know. Increase the RTT. */ INSIST(no_response); - rtt = query->addrinfo->srtt + - (200000 * fctx->restarts); + rtt = query->addrinfo->srtt + 200000; if (rtt > 10000000) rtt = 10000000; /* @@ -964,34 +965,37 @@ fctx_addopt(dns_message_t *message, unsigned int version, isc_uint16_t udpsize) static inline void fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) { unsigned int seconds; + unsigned int us; /* - * We retry every 2 seconds the first two times through the address + * We retry every .5 seconds the first two times through the address * list, and then we do exponential back-off. */ if (fctx->restarts < 3) - seconds = 2; + us = 500000; else - seconds = (2 << (fctx->restarts - 1)); + us = (500000 << (fctx->restarts - 2)); /* - * Double the round-trip time and convert to seconds. + * Double the round-trip time. */ - rtt /= 500000; + rtt *= 2; /* * Always wait for at least the doubled round-trip time. */ - if (seconds < rtt) - seconds = rtt; + if (us < rtt) + us = rtt; /* - * But don't ever wait for more than 30 seconds. + * But don't ever wait for more than 10 seconds. */ - if (seconds > 30) - seconds = 30; + if (us > 10000000) + us = 10000000; - isc_interval_set(&fctx->interval, seconds, 0); + seconds = us / 1000000; + us -= seconds * 1000000; + isc_interval_set(&fctx->interval, seconds, us * 1000); } static isc_result_t @@ -1196,6 +1200,66 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, return (result); } +static isc_boolean_t +triededns(fetchctx_t *fctx, isc_sockaddr_t *address) { + isc_sockaddr_t *sa; + + for (sa = ISC_LIST_HEAD(fctx->edns); + sa != NULL; + sa = ISC_LIST_NEXT(sa, link)) { + if (isc_sockaddr_equal(sa, address)) + return (ISC_TRUE); + } + + return (ISC_FALSE); +} + +static void +add_triededns(fetchctx_t *fctx, isc_sockaddr_t *address) { + isc_sockaddr_t *sa; + + if (triededns(fctx, address)) + return; + + sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx, + sizeof(*sa)); + if (sa == NULL) + return; + + *sa = *address; + ISC_LIST_INITANDAPPEND(fctx->edns, sa, link); +} + +static isc_boolean_t +triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) { + isc_sockaddr_t *sa; + + for (sa = ISC_LIST_HEAD(fctx->edns512); + sa != NULL; + sa = ISC_LIST_NEXT(sa, link)) { + if (isc_sockaddr_equal(sa, address)) + return (ISC_TRUE); + } + + return (ISC_FALSE); +} + +static void +add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) { + isc_sockaddr_t *sa; + + if (triededns512(fctx, address)) + return; + + sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx, + sizeof(*sa)); + if (sa == NULL) + return; + + *sa = *address; + ISC_LIST_INITANDAPPEND(fctx->edns512, sa, link); +} + static isc_result_t resquery_send(resquery_t *query) { fetchctx_t *fctx; @@ -1346,12 +1410,14 @@ resquery_send(resquery_t *query) { * the remote server doesn't like it. */ - if (fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2) && + if ((triededns512(fctx, &query->addrinfo->sockaddr) || + fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) { query->options |= DNS_FETCHOPT_NOEDNS0; FCTXTRACE("too many timeouts, disabling EDNS0"); - } else if (fctx->timeouts >= MAX_EDNS0_TIMEOUTS && - (query->options & DNS_FETCHOPT_EDNS512) == 0) { + } else if ((triededns(fctx, &query->addrinfo->sockaddr) || + fctx->timeouts >= MAX_EDNS0_TIMEOUTS) && + (query->options & DNS_FETCHOPT_NOEDNS0) == 0) { query->options |= DNS_FETCHOPT_EDNS512; FCTXTRACE("too many timeouts, setting EDNS size to 512"); } @@ -1398,6 +1464,12 @@ resquery_send(resquery_t *query) { goto cleanup_message; } + if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) + add_triededns(fctx, &query->addrinfo->sockaddr); + + if ((query->options & DNS_FETCHOPT_EDNS512) != 0) + add_triededns512(fctx, &query->addrinfo->sockaddr); + /* * Clear CD if EDNS is not in use. */ @@ -2498,6 +2570,22 @@ fctx_destroy(fetchctx_t *fctx) { isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa)); } + for (sa = ISC_LIST_HEAD(fctx->edns); + sa != NULL; + sa = next_sa) { + next_sa = ISC_LIST_NEXT(sa, link); + ISC_LIST_UNLINK(fctx->edns, sa, link); + isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa)); + } + + for (sa = ISC_LIST_HEAD(fctx->edns512); + sa != NULL; + sa = next_sa) { + next_sa = ISC_LIST_NEXT(sa, link); + ISC_LIST_UNLINK(fctx->edns512, sa, link); + isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa)); + } + isc_timer_detach(&fctx->timer); dns_message_destroy(&fctx->rmessage); dns_message_destroy(&fctx->qmessage); @@ -2850,6 +2938,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, ISC_LIST_INIT(fctx->forwarders); fctx->fwdpolicy = dns_fwdpolicy_none; ISC_LIST_INIT(fctx->bad); + ISC_LIST_INIT(fctx->edns); + ISC_LIST_INIT(fctx->edns512); ISC_LIST_INIT(fctx->validators); fctx->find = NULL; fctx->altfind = NULL; From 50d3f097d4c2779c8fb2397882d91e0cbca2c260 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 22 Jul 2006 01:24:44 +0000 Subject: [PATCH 361/465] and -> and/or --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 58bdc9f50c..c3eb09db65 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ 2058. [bug] Adjust how we calculate rtt estimates in the presence - of authoritative servers that drop EDNS and CD + of authoritative servers that drop EDNS and/or CD requests. Also fallback to EDNS/512 and plain DNS faster for zones with less than 3 servers. [RT #16187] From 3b572928731d3595990fe360c80977a2d043eb02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Sat, 22 Jul 2006 11:32:12 +0000 Subject: [PATCH 362/465] 2059. [placeholder] rt16292 --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index c3eb09db65..e3bda1fae4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2059. [placeholder] rt16292 + 2058. [bug] Adjust how we calculate rtt estimates in the presence of authoritative servers that drop EDNS and/or CD requests. Also fallback to EDNS/512 and plain DNS From 26cde4b081220ddf3e209f8b14a8fd052fe701ca Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 22 Jul 2006 23:17:04 +0000 Subject: [PATCH 363/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index b3f7bfa0eb..98161469e6 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -54,6 +54,7 @@ rt16219 new rt16220 new rt16220a new rt16290 new +rt16292 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From ff9fda691af990397314d1f2dcdb3bb3e1e89008 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 22 Jul 2006 23:30:04 +0000 Subject: [PATCH 364/465] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 19fd7d59f7..c9b1fee71f 100644 --- a/util/copyrights +++ b/util/copyrights @@ -31,7 +31,7 @@ ./bin/dig/.cvsignore X 2000,2001 ./bin/dig/Makefile.in MAKE 2000,2001,2004 ./bin/dig/dig.1 MAN DOCBOOK -./bin/dig/dig.c C 2000,2001,2002,2003,2004,2005 +./bin/dig/dig.c C 2000,2001,2002,2003,2004,2005,2006 ./bin/dig/dig.docbook SGML 2000,2001,2003,2004,2005 ./bin/dig/dig.html HTML DOCBOOK ./bin/dig/dighost.c C 2000,2001,2002,2003,2004,2005,2006 From baa1a9b9b96d363e6c123e2ea1f05b2f326d5cd0 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 22 Jul 2006 23:52:56 +0000 Subject: [PATCH 365/465] update copyright notice --- bin/dig/dig.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 20d61491e3..322291186e 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.157.2.21 2006/07/21 23:53:16 marka Exp $ */ +/* $Id: dig.c,v 1.157.2.22 2006/07/22 23:52:56 marka Exp $ */ #include #include From f22ef4dfb973c4714eedd3818050fde74fb20e48 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 24 Jul 2006 01:12:45 +0000 Subject: [PATCH 366/465] 2059. [bug] Search into cache rbtdb could trigger an INSIST failure while cleaning up a stale rdataset. [RT #16292] --- CHANGES | 8 ++++-- lib/dns/rbtdb.c | 73 +++++++++++++++++++++++++++++++------------------ 2 files changed, 52 insertions(+), 29 deletions(-) diff --git a/CHANGES b/CHANGES index e3bda1fae4..aeff473412 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,6 @@ -2059. [placeholder] rt16292 +2059. [bug] Search into cache rbtdb could trigger an INSIST + failure while cleaning up a stale rdataset. + [RT #16292] 2058. [bug] Adjust how we calculate rtt estimates in the presence of authoritative servers that drop EDNS and/or CD @@ -43,10 +45,10 @@ 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate cleanup [RT #16247]. -2045. [func] use lock buckets for acache entries to limit memory +2045. [func] Use lock buckets for acache entries to limit memory consumption. [RT #16183] -2044. [port] add support for atomic operations for Itanium. +2044. [port] Add support for atomic operations for Itanium. [RT #16179] 2043. [port] nsupdate/nslookup: Force the flushing of the prompt diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 5093d5d734..133b834364 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.236 2006/07/06 06:36:51 jinmei Exp $ */ +/* $Id: rbtdb.c,v 1.237 2006/07/24 01:12:45 marka Exp $ */ /*! \file */ @@ -944,9 +944,20 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) { node->dirty = 1; } +static inline void +clean_stale_headers(isc_mem_t *mctx, rdatasetheader_t *top) { + rdatasetheader_t *d, *down_next; + + for (d = top->down; d != NULL; d = down_next) { + down_next = d->down; + free_rdataset(mctx, d); + } + top->down = NULL; +} + static inline void clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { - rdatasetheader_t *current, *dcurrent, *top_prev, *top_next, *down_next; + rdatasetheader_t *current, *top_prev, *top_next; isc_mem_t *mctx = rbtdb->common.mctx; /* @@ -956,15 +967,7 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { top_prev = NULL; for (current = node->data; current != NULL; current = top_next) { top_next = current->next; - dcurrent = current->down; - if (dcurrent != NULL) { - do { - down_next = dcurrent->down; - free_rdataset(mctx, dcurrent); - dcurrent = down_next; - } while (dcurrent != NULL); - current->down = NULL; - } + clean_stale_headers(mctx, current); /* * If current is nonexistent or stale, we can clean it up. */ @@ -3000,14 +3003,24 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { locktype = isc_rwlocktype_write; if (dns_rbtnode_refcurrent(node) == 0) { - INSIST(header->down == NULL); + isc_mem_t *mctx; + + /* + * header->down can be NULL if the + * refcount has just decremented to 0 + * but no_references() has not + * performed clean_cache_node(), in + * which case we need to purge the + * stale headers first. + */ + mctx = search->rbtdb->common.mctx; + clean_stale_headers(mctx, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; - free_rdataset(search->rbtdb->common.mctx, - header); + free_rdataset(mctx, header); } else { header->attributes |= RDATASET_ATTR_STALE; @@ -3107,15 +3120,17 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node, if (dns_rbtnode_refcurrent(node) == 0) { - INSIST(header->down == NULL); + isc_mem_t *m; + + m = search->rbtdb->common.mctx; + clean_stale_headers(m, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; - free_rdataset(search->rbtdb->common.mctx, - header); + free_rdataset(m, header); } else { header->attributes |= RDATASET_ATTR_STALE; @@ -3260,14 +3275,16 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, if (dns_rbtnode_refcurrent(node) == 0) { - INSIST(header->down == NULL); + isc_mem_t *m; + + m = search->rbtdb->common.mctx; + clean_stale_headers(m, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; - free_rdataset(search->rbtdb->common.mctx, - header); + free_rdataset(m, header); } else { header->attributes |= RDATASET_ATTR_STALE; @@ -3431,14 +3448,16 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, locktype = isc_rwlocktype_write; if (dns_rbtnode_refcurrent(node) == 0) { - INSIST(header->down == NULL); + isc_mem_t *mctx; + + mctx = search.rbtdb->common.mctx; + clean_stale_headers(mctx, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; - free_rdataset(search.rbtdb->common.mctx, - header); + free_rdataset(mctx, header); } else { header->attributes |= RDATASET_ATTR_STALE; @@ -3720,14 +3739,16 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options, locktype = isc_rwlocktype_write; if (dns_rbtnode_refcurrent(node) == 0) { - INSIST(header->down == NULL); + isc_mem_t *mctx; + + mctx = search.rbtdb->common.mctx; + clean_stale_headers(mctx, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; - free_rdataset(search.rbtdb->common.mctx, - header); + free_rdataset(mctx, header); } else { header->attributes |= RDATASET_ATTR_STALE; From 39ef7dddef12152afa3a2fc1c1962cdf6d30b5cb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 24 Jul 2006 05:51:22 +0000 Subject: [PATCH 367/465] 2060. [bug] Enabling DLZ support could leave views partially configured. [RT #16295] --- CHANGES | 3 +++ bin/named/server.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index aeff473412..a3d3f55f70 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2060. [bug] Enabling DLZ support could leave views partially + configured. [RT #16295] + 2059. [bug] Search into cache rbtdb could trigger an INSIST failure while cleaning up a stale rdataset. [RT #16292] diff --git a/bin/named/server.c b/bin/named/server.c index 2f9ae8c5c0..3584c9663a 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.465 2006/05/24 04:23:15 marka Exp $ */ +/* $Id: server.c,v 1.466 2006/07/24 05:51:22 marka Exp $ */ /*! \file */ @@ -1062,7 +1062,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, &view->dlzdatabase); isc_mem_free(mctx, s); isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv)); - if (result == ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) goto cleanup; } } From cc7d91bd5c6b9be5a3c67a99112b885602c24873 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 24 Jul 2006 22:41:59 +0000 Subject: [PATCH 368/465] 2061. [bug] Accept expired wildcard message reversed. [RT #16296] --- CHANGES | 2 ++ lib/dns/validator.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index a3d3f55f70..e6f39f3fba 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2061. [bug] Accept expired wildcard message reversed. [RT #16296] + 2060. [bug] Enabling DLZ support could leave views partially configured. [RT #16295] diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 605f4282a9..3f940f17be 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.144 2006/03/09 23:39:00 marka Exp $ */ +/* $Id: validator.c,v 1.145 2006/07/24 22:41:59 marka Exp $ */ /*! \file */ @@ -1267,7 +1267,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata, validator_log(val, ISC_LOG_INFO, "accepted expired %sRRSIG (keyid=%u)", (result == DNS_R_FROMWILDCARD) ? - "" : "wildcard ", keyid); + "wildcard " : "", keyid); else validator_log(val, ISC_LOG_DEBUG(3), "verify rdataset (keyid=%u): %s", From 3a08964eeaeb10c5928fd9ebb70f520c288053fd Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 24 Jul 2006 23:17:46 +0000 Subject: [PATCH 369/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 98161469e6..06b702cd48 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -50,6 +50,7 @@ rt16182 new rt16183 new rt16187 new rt16218 new +rt16218a new rt16219 new rt16220 new rt16220a new From 121ed57a19bae7aa76f57d35ef8d631e19db9dad Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 26 Jul 2006 23:17:57 +0000 Subject: [PATCH 370/465] auto update --- doc/private/branches | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/private/branches b/doc/private/branches index 06b702cd48..c93192d68f 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -56,11 +56,13 @@ rt16220 new rt16220a new rt16290 new rt16292 new +rt16300 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private skan_implicit_update1 new skan_stats1 new +skan_stats2 new stats_lidl new v6source new v9_1 active // security fixes only From d8092effcfa57ca11f7286af488161f766037b30 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 27 Jul 2006 05:07:24 +0000 Subject: [PATCH 371/465] 9.2.7rc1 --- CHANGES | 3 + doc/arm/Bv9ARM.pdf | 3111 ++++++++++++++++++++++---------------------- version | 4 +- 3 files changed, 1557 insertions(+), 1561 deletions(-) diff --git a/CHANGES b/CHANGES index 801224127c..3c628a6839 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ + + --- 9.2.7rc1 released --- + 2057. [bug] Make setting "ra" dependent on both allow-query and allow-recursion. [RT #16290] diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 175bc71fbf..f349c580d2 100755 --- a/doc/arm/Bv9ARM.pdf +++ b/doc/arm/Bv9ARM.pdf @@ -891,11 +891,13 @@ endobj << /S /GoTo /D [598 0 R /FitH ] >> endobj 600 0 obj << -/Length 220 +/Length 221 /Filter /FlateDecode >> stream -xÚ=O1 †÷û[‰3þ¼$#© (êpj¯¨=¤£ ü{r½R!Á€2$¶ûu^*‡!:’&ƒ Øa½¯^Jí®âc®è¦Z‚?ªµ&Åh¡–ѽ‘ŸØ/œÍ0hLP;9¦2|Ĺº¼5(ìy l ƒÂ™Ë›çÙâþñz^‹Ó,M×Õf¿ëw=¼ Sê©ÛvCׯ»)\¶ýGû:_å‡"¡ÀŒÉ]Ž0P(«GÃ&Š%–íçÔ(~qz5cu“ÏùvNGoþíÛiÔP·endstream +xÚMk1†ïû+æ¨ÐL3_›ä¨ôƒ +í¡äV<,ºAWØê¡ÿ¾Y×J¡=”’É<ï¼ÌKàË!ˆ†^’BHŠæÉ`µ¯<¼—ÞcEFMÐT¤t$Á¨ÁqŒhVóOìNª$&pæ S>àó\Ý>(d2…¼Ò„½À•Ëë·ÉüéånêØü$×l½ßvÛcßýøõÚnÚ¾íVíX>7Ý©ÙM—yQ,ˆ0™ñÙ‚z +à¢bÙ΋Óîsr¸¹<¼¯}uŸ¯‹|''†C6ÿÎí ‚#Púendstream endobj 598 0 obj << /Type /Page @@ -936,17 +938,14 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 619 0 obj << -/Length 2204 +/Length 2200 /Filter /FlateDecode >> stream -xÚÝYKã6¾ûWø¨ÆZ>ÄWn;3›Å‹Yìv9$9¨%¶-Œ,)ztÇùõ[d‘¶lË3ƒ6X4ЦJ,²XõÕWE›® üѵ)á&[+“¥‚P±.ö+²Þ»¿¯h˜“ žŠŒsxXx»\§B3µÞÌyû°úË÷[3’JÉÄúá鸗T:5<3ë‡òçäÝ.ïFÛßm˜ ½ûõáTËR¥uj¶©2D{…ÍØ·åTŒUÛ„é|mR#™Œ³肹nöÃÎÂÒZ:5Û7vħ÷í>¯Ì÷aÎýaíÇ¿AÞ¼‡ê*)Úf¨†qÀ×í~ŽqýáÐŒùïAØYg‹êép1³ý.V±ÍXJURÝѤÁ¡S‚3ºSQš!XôA8 g$qáŒ&9>î*ÛçýÕI±«Š¼Fé>op³Ê’7 àíqoú;LµÛÜ-2 ¶DùSÛã ´µÝæcÕlÃ>Ó¸kûj3(iŸm˜ëvÈ›°RØŠ‚“¼ƒÏNDý‰ª}WÛ=ø!÷qÝ00tÜå.\J$y1Ny]P¾Ï»GÑ•0ÅûD³8;Ųôž°Ã`‡ŒÐ<¨âÔ2sœV qå -,¨ç÷ì!â–ÁÇ­_«:”BôbSHúêqý"b)Nê6̽Uó4Ky&Y@qFR&9bž¦BJI³¸‚|¾o‹Éyn9˜N¥2ódÈhòÖöŸ ¨| -.ƒpŽ(£cžÀØeÄÛ߇”É1hÎ}€£¼œi5ǵÛ{˜¸™[N˜‡YÓþÑ‘?—ûì¬÷ÚfÉËŽLð*]jàŒ>˜ /£_üS‡±{®JÞƒ÷«‡Uí#ô@?¶SPļõ“†@8ŸÕ”8(0¾~b3Ó+ˆš¾æq ‚ÖOóø·áÕÓÔøúrI)uåž™vð>¯JÔEK"K 0$€qÀ7Ø°H|!Z36î¹sîqA"Úל…zî5ï’a<¡ÈÔuû§<–¢! ô{‚.8[W)W*f­wI^vPþªb‡jW® ðÛ·G6…§¼|Î!ëÊãLŸhmèX@|dæ-φR× Ÿ—²9ùºt“@¢4ÖwcêOñݱèb?’Âö£¯·î¡íÜé—ABSÍ%½f™ˆŒ`8_b©JÎØÈ  ®¶»ñźÿ&ˆH93ÙM mýŒm©«ßJ†E1Û¸¦d@¶[—Á‡%3ž]q°SKÁ‡!U‘ NeR]'ˆò°uVô} ¦?a{bøöXú`Œí( é6[bŒçk›m‹)åU¡ØM€‰ )ŒžgL“ãF,8AÆÈEÞ]{ p—eäšAU-9I¦R›X -Îzè°Ÿ-&¸Ð 3*¡ÉõÈs Ť窅p)ÀÕ|ɽd‰NµÒÑ’YZº[EèÆáî²k[Ÿˆ· ®¡ös¼ílÝ9ŒI0&uÚT©’Ƕ<àÈ;Wªà\ÌúHxòÄ$ψɩåÁšKÉgà–¬#PÿÚu¶)+WùO¡Oý²C^’*:à¦ö4Õ8¾F$z‚jà:)Ï=1ëvß8’ÞžÜ< ž+×—/•=à£D°ëmõXWí¶Ï»Ýa©îAÒ -#ˆ|ó@_4ç›Øæ¬ñv¯ñÐdÛ0ß%’›hF±ÓRHAêtKqBwÁ4‚º@…¼H#¼ã]‹ÉC‹ ù³#ܶ ýäC¼ÜUÍ·õšØ;GÝS¯é_BO ‘¾è²}á -D’­m<ìpҡèàíƵáGó¿sV­þöpüöÆHh5]S¡S"¡•+ö«ßV?ÿJÖ劬X‘”-Ö/ðÞ4@ -ûUÆaH„Ž’zu¿úש혵7-@=k…aõùR›x¦ Í$l©éñû¨ 8ó”r“J“…{ŽošÂ%Ö¼+·q&R˜§×ó-¾Íêã’_0›CØieÎÍþéñ&\†ñP_B¸ÎX -ñŠ‡È\:4W› û¿ƒãPé¡Kÿú3E›pbøÏðÓ×›|N®ÁÌmrǯÜÀÇû"ÄÑmÆáFOXm–üøï¼Á™»vg3×êX×.¾8¨H1ºa¾¿ú†Ë}c_l¿?:ÖÛˆžòÛ7Cô¥ç„ZDôÌsßW¿;Ž•@¿/U9înƒ÷Õìý7ú¹èI¾^ÊSÂY„Øx*+À*}¬yÝôüÌ6z5F¼4\·„Ÿ¹ñ3ýää‡oÛº¼ ¥W3ýÿJF¥ÄPó%$­lqú>õ%‘¦ñs šmñZº´úÍ­¾‚Ð-༚¹Ü0÷—¢Ò]!àÁ²ù/W¿2OÁ@¨0_k½ø3aüõoÃEê~L\D‡ äŒdë0ÉE_¹=þàxZ)îöUWendstream +xÚÝYKã6¾ûWø¨ÆZ>ÄWn;3›Å‹Yìv9$9¨%¶-Œ,)ztÇùõ[d‘¶lË3ƒ6X4ЦJUd±ê«E›® üѵ)á&[+“¥‚P±.ö+²Þ»¿¯hÐÉOEÆ9<,¼Ý®S¡™Zo擼}XýåûŒ­I¥dbýðt\K*ž™õCùsòn—w£íï6L„Þýúðše©ÒŠ:3KˆT¢½Á‡fìÛr*ƪm‚:_›ÔH&£¶[p×i?ì,L­¥3³}cG|zßîóªÁñÇ|tîÃh÷8þ…òþã=|P'PIÑ6C5Œ¾nŸðsŒó‡fÌÂ6È:[TO‡ ÍÖ»˜Å6c5V(UIuG“‡ÎöèvEij„`1a3œ‘Äm„3šäø¸«lŸ÷wT'Å®*ò¥û¼i Ì*KÞ€€kôǽéït2Õnq7É4ØåOmƒÒÖv›U³ ëLã®í«Ü< ¤}¶A×o.¬7a¦°… ùŸíˆúUû®¶{ˆCîóºaàè¸Ë]º”Hòbœòº> |ŸwŽb(AÅÇD³<;òô‘°Ã`‡œÐ<¬¢j™9ªUCœ¹ªÆ…À={ˆ¸iðqëçj§¥½…Ü”’¾zœF?‰Xʇ“ºÅsïUÄ<ÍRžIPœ‘”IŽ˜§)€B’û¢í,ÎàÁŸïÛbr‘[.¦S©ÌY1ä­í?AR}<ÍYiX ? ñåðöÃÇ÷¡àí1cjäøQF#PiBe‘d°½‡ˆ“z\E §5ímaAÀgg}Ä6KPd‚@ùÌRûó‰ycâŸ:ÌÛsUÚð"_8¬pha‚ü±‚!Ö¬WFà\«)qP`n½b’2³<wa#÷íÓø23'É; ™¶«iÏ.ìîß…¨ƒÀåGÏ!xCƒÃÕ„]^|Ê·á#ïô"ÑÁ8/÷Uã0›mhô~*àh uÄ ÆõbÑÀ°WÏ1SÄwÑö¡òº¶)ƒ¹/ÒÏì"e_W ,TÃ?ûmÞTÓròéäò×—ÇÇ£ÄñŽ³åDaô…œkšJ–Á>“Ï#oO–ÿ…T<¨Ë $áóÄëWµ¸hÀ¦“yªr2¤R`äœΣÂvcä3ß1©™ZòŽÝôŽu¨’,:ÒØNÈax m¸b© œ#u›*éáXõ›¦Á†ç€!טä9ï«v +v¶yÆÉÚÆÏ¥ž1¹šW-_Ç3™f\_ÅÁðå80atÌÒ°0%%)!1c>|ÚÀQŽÛ_Ï'²TnŽY®ŽÆ0ã4Fdç1ìBÀg‡¡foàøò¸AëÕ<þmxõ45~ƒþ¨¤”º£ž™Pvð>¯J´EO"K 0$€qÀ7HÄ,_ÈÖÌ"¦{îÁœ{\’ˆöçÍÂY5’ažÜ¡ÈÔuûUKÙz=A—œ-$„«”+«Ö‡Ç$/;èdªb‡fPW®ðÛ·G6…§¼|ΡêÊ£¦¯@ô6t+ 12óvgCN©k„ϲ9ùºr“@¢4ÖwbPêOñÝñÌÅ^ $…íGÞº‡¶s»_f 5—ôšd"n0‚á|‰d¤*9c#ƒ‚ºÚîÆëþš "åÌdK41´õ3¶¤îüV2ô'Šùز⃠lµ.“Sf<»â`g —’Cª"œŽIu]L ÊÃÒU˜Ñw+4¸þ„í‰àÛãÑclEY(·ÙcÜ_Ûl[,)o +ÇݘšrÁèyÅ49.ÄÂG#ȹ¨»ë(\S ˜ª¥ ÉTj‚³þ9¬g‹ šÿºáoE%4¸y® ˜ô\µ.˜¢š/y¢—<Ñ©V:z2+Kw£ø#Ü[vmëëñ–ÁÀ~Ž·­;‡1IƤNB›*UòØ–ùàJ‚ ƒY Ož˜ä19ó`Ÿj÷´¡™„%5=~ugžRî!`Ri²pÏñMS¸£Ä3ï*lœ‰ôôz¾Ä·y}œò nsh3­Ì¹Û?Ý#Þ„Ë0êëM×K!^qƒKæjlÿwpbNzèÒ¿~OÑâ&œþ3üôÕ&_„“k03d›Üñk7ðqç¾qt›q¸ÑVÛ£€%?þûoPs×ãLx­ŽçÚÅ5)f7èû«o¸Ü7ö%@ÀöûóW¡c½èÙ.¿-p3D_FN¨EDÏ"÷}õ»ãX ôûR•ãî6x_Íß?xc¢_‘ ‰˜ä à¥<%œEˆ§cX¥g^7}?³…^/‡Ð-ágîü @?yùáÛ¶.oCéÕ\ÿ¿†’Q)1Ô| I„@«Kœ¾ÏpmId£iüˆfK¼†.½¾AAs¯¯ t 8¯æîŸ7Ì}Å¥¨tW¸A°lþ«ßÕ¯ÌS0êÜ×Z/þDùÛp‘ºÑá9#Ù:(¹,ð«°ÇO3ÅÕþ«DÆendstream endobj 618 0 obj << /Type /Page @@ -1135,17 +1134,20 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 666 0 obj << -/Length 2395 +/Length 2399 /Filter /FlateDecode >> stream -xڥ˒ã¶ñ>_¡[4UM|VNcï:;.ïl¼#RŽXK‚²HÎDùút£ )q*©Jé@ Ñh4úÝX…ð«$ Ò"*VYI(’UÙÜ…«XûÛ`œCÚL±~ØÞ}ÿS*VEP¤QºÚ&´ò Ìs±Úî_‹ îB¸Þ~úx¿‰’pýáËç‡Ç'?=|fèó?ž·?ÓøŸa~xz†¸ß‘fáúÇOß~üJë‚I>>m¿~ùðÛÛÇ/O÷l¾û¸õ\Oo&B‰,ÿy÷ûájüù. d‘'«7˜„(ŠhÕÜʼn ’XJ©ïžï~õ'«v뢤DD2DG+!‚"I¢™¬’"He$½¬¸pÂ}Uy¬Ì KI5š¥¤Ï¯úÜáe¤œH?\m¢8(b[ZÛ#îÈãõù^äkݵ5ì#H]íÎê\鎦'‹Ñ¾V{½'ÈîBߦízµ'}V=ñÓîÒõº±û“µ¢ˆ¥$°ey ò(Þ¥®v·<-Ý%I‚8Šïû6rÝhe<ýQõn¤™]Lj˜¶G«”2HC ¿ñ⚥:©]¸)Üî@_¸ä¡=7tHjIÓà0Ô5À*ià¯0ôUkx?I²Ô]G+H"Ôtn{ Wõ7Ú¾"še_»åöŠ5ôÇö\mìÍBw#r´ôóŠxY²îÐJîÅúÜ£HÆ£…©=J2Nd™»…=¶Ù{ÀWÑbÝ–ª&ˆ! %}&¨å/órcàQOiO$äO°7ª˜ÈNU}`>Ÿ‡ò8¿©K‘õûÃa\uôkk¸0V F˜GAžæ’m‰E<œ;Ö­åÉ"%ø%aïwtò_ùèž¾|ïnáT d±x¬Ý\·í·á´dý^Üí„>i¯\WÚô [2ð0â<†è#² QNþ_DkÐLóuÕ8×(ãÊ”L¢Ù5ƒ¸«ãPcw”ŽÞ™ -+x¨ûŽVÐp¡w¨îŽnßev<èÓ]Lk.M;t !Ä:ð*°æ”é ¥Öæ¥?ÒØ껵U ¯ZkÅÁÛ±*KÍ,¬µß=Áu! -;=EêUe4£Tfþ%Û*F‹ô|ø“¼ÀpB.Œ#¾’©¤{Ó‰ÂÄÆt’³õ¾µî‰ëmÏ^ Õ†u5Œ¹&,T Þ6§Z÷<»‰–)GW=äR›1¢bÌl úÄ8-%„YªN°JÍâ1΢l–RHE„¾ˆi­=UkêðUXXš¡tášÊ,œPÅ‚£ [VN8î {w‡ Md„ ‘t±îhìŒéµ|<Ð8ê³#éL_²éÛ‘F²tUYs¿ã´Ò6MkêËÔÖúL¶Õ¾u6ü~ÆqYȹd£¤Û¨ð‘ŽšÈó –"ºJhxIŠeŒ€B v h$¤Äh§øÄ…õHj˜õòˆR…$Cdrjº‰È86!îpæÑi¤¦CIçh¨ÖÌ¿£¯þ×Q ]ïÈ8öÈ&o -Ó½YeÆTá Òí`öØñd»°»á,£ñ]N–DZ£8 oGth„]Ú@û–d…1F¢îHKdÔq茹˜”xdÏh4}©^ñ®ês¸5×4ÂÔ ­DÙÓl^ó"„‚¡L¥«"" y Ѹüˆæefk‹8[?0. …1Jm 1?oí€q™X{ÅŽ„&Š˜0C³#˽Öy{L2–¸L¨?@ð(.˜Á²2˜ð 3ÌtÉ7»ím¥ïôì¾ÁP·‚ØäøPu«ŽWOªü¦{>«?Rô^Ž  m~ÌÒX‘”SA@Dž/Y-ð‘ßm;#ŒµvyÏøUáE¦\—!%<%áÏŽ¬Û]®N%†`jÃ<A©”ï•‘M‰ÄŸ ñï/(:‘Ž­H‚éÂS{ÛÓºÑ(ÄžV¬xè(ä -Ä,ÜøŃVýà}Up„°»¬?‰ÔíO ãC)B¬b¬Ã¨®—4¶×¯ºnO>ÛO3¸2bŒà}– ].¡ÂcÛî×lÕ£¸×±aVq∹꯫ý«2½zñgŒõÊä! ¨PD˜ú‚%åråöÕƒ™¤ïgh<ªSÍ(_ÛZÿÏÏ"Y¸þáñé\o;i/3w!V ¤Œ¦ -úp{¿pѦÁŒŸFAœgÔ¸!ÖÑÿ7ä(L=¾Ç†ÅZ½ê« œÏovP¯p“1æº/§ïFX‡ÎŠ©±"¶Ò¾Çômv?·‹÷zÏ«&áSû¦Ç’"ŽÀɸ·+„+Üá´Á”haM©xîmÃ=cà’«Ý‰Ûªä ESØÂwýþºy}o«˜¾U]˱n_|âÌqÛI¡FÇ‹ˆˆj¶œsrV¸V -AÞÎÁ@b#t† r‘›aGÝШ5ó×w'yèüÝ&1hVþˆaýr))÷–3yÕ³6š^ xú¬“ŽRB0šÍrÉŠ@DÒ=ÌÍ(nìÙ ¯IåEæÊg{ 6C8ŠÝ,õ²B 7DYzÓÞÃâ¾ê0rÅXPžGùU¨÷/}Áù©«R»ª®ú É”ÐPñS¼I _¢Ü£ñÅ Ñ8RÃÈ|©vBRWö ê†í1|žõç«£Ig8šélA»×}QOôVHJÑÅøp 1H1éu©`O KI>pxO¡€œ¥¡\R(œÁ= M= €Œ¶ÝÄÁsO‚ãø-PÆÞ(ÙاRz}C–Š«HÈQ«&/w‰‡êŽiŽÚñÊ©V¥kl*ÓØgaðº,{çH_ø¯ÀÂß¡Otÿ÷Ÿã0qÈ<Æÿ䬧 ƒ"“ž)Kzøû“â–óÿº¼ö_endstream +xڥ˒ã¶ñ>_¡[4UM|VNkï8;.ïl¼#RŽXK‚²HÎDùút£ )q*©Jé@ t7úÝX…ð«$ Ò"*VYI(’UÙÜ…«XûÛà=·i3ÝõÃöîûŸR±*‚"ÒÕö0Á•až‹ÕvÿûZqpÂõöÓÃý&JÂõÇ/Ÿ?<>ÑøéÃg†>ÿãyûð™Æÿ “ðãÓ3|ÄýFˆ4 ×?~úð÷íÃWZŒòñiûõËÇß~Ü>~yºÿcûóÝÃÖs=½™%²üçÝï„«=\ðç»0Ež¬Þ`¢(¢Us'2Hb)¤¾{¾ûÕ#œ¬Ú£‹’aÉ4ZU­„Š$‰f²JŠ •‘ô²JàÂa÷Uå±2/,%Õh–’>¿ês‡—”r"ýpµ‰â ˆElqmx"×ç{‘¯u×ÖpŽ uµ;«s¥;šžìŽöµÚë=Avú6m×Ó¨=é³ê‰˜v—®×=Ÿ¬Q –’tÂR”åÈ£xC–º~ØÝò´t—$ â(|î;8TÈu£•ñôGÕ»‘fv#vbÚ¯6RÊ ýÆ‹p–ê¤v5îMávúÂ%í¹!"©EMƒÃP×4«¤¿ÂÐW­áó$ÉRw¬ QÓi¸í5\Õß<µ}E8˾vËíjèí¹ÚØ›…îFäh=èç÷eɺC+¹ësŽ"A¦ö(É\8‘eî–³÷€¯¢Åº-UMC@‹úLPË_æåÆÀ£žâžHÈS°7ªÉNU}`>Ÿ‡ò8¿©K‘õ{â0®:úµ5\«#Ì£ OsɶÄ"Î +ëÖòd„ü’vïwDù¯Lº§/ß»[ * ¤‘,ÉÚÃuÛ~NKÖŸáÅÝI àö“6ðÊu¥Mº%ã Îcˆ>" +åäÿ÷E´ýÈ4_Wóq€Â1®L©Á$ š]3ˆ§:5öD áˆáý‘±°‚‡ºïhýz·ÕÝÑ»ÌȃÎÓ4Y?WÀÆxpÁ´'~e=Hä²q8åÛÚ,)³§µÒ‡P„úà“ÊôU£z2|ÜÙ~§­ƒÄ‚mz½¬^ ì…™|G»@-õV¹i@:sÚE^Œ§¢D¸=³k¼‹´˜E‘äWŽã¯ vÓzmh8tÎgº‹iÍ¥i‡¤!„X^Öœ²I:ÙºÖæ¥?ÒØ*Ѓ0y•¬oǪä]Š>,¤Ö~÷kÔ…0ìôtS¯*£yKeèÛ;ØñÑ÷FAÁ„]F>h ¶ŽN‚Â{2*<"Ž Ñ ¢ ƒí}’¬«ÆÏȽpü‹÷i¬[¶Û_¨n!@éÚE§®kË +ÌŽço•$Œ´*yä‚æ`¥žBìV4Ïþ焘T]I ¸–ø©=¿©óeó_놇W2‘”bn:‘*L\@L'¡8[ï[ë–¸Þö<Ðè­PeXÀ˜#`ÂBämsªuϳ›(™r¡qÕCµ™"*ÆŒ¶ ;ŒÏR‚ø”YªJ°:Íâ1¾¢l–RHE„¾xiñæˆM¿ +k À°']ØÀŸƒ¦ò +'T©àh–•Ž;ÈÚÝáB“™dCè`»Xw4váñµLpõÙ¡d%áÄ*ɦ†4‚¥óhÊšƒ,ü§“¶iZS_¦¶vÐg°­ö­³á÷3­ˆ‹@ÈBÎ%»­ ÍF…pœÈDž±ÑU"ÃKR “`6dà`Ç€ÖØABzÁít?qaý’f»<¢!Éš"òŒ@vïpæÑé£&¢¤s4Ô +ke»¿£¯þ×Q ]ïÐ8öÈ&o +Ó½YeÆTÙ Òí`öØéd»°»íYF㻜*,….´FñÞŽèл´ö-È +cŒDÝ‘–ȨãÐs1)dÏÛhúR½:ä]Õ/ænk®i„)Zˆ²§Ù¼ÖEC™JW=D.ò*.¢qù1ÍËÌ&Öq¶þÀ{I(¼£ÔóóÖ—‰µWìDh¢ˆ 34;²ÜkM‘·Çt!c‘Ë„úâ‚ Ù,+C€ Ï0Ãì@—|¹ÛžVúÏž u)¸›ªmÕñêI•ßtÏ´ú#Eáå蚶ÍÉ,݉…I9õDäù’Õ‚ù-жa0ÂXk—÷¼¿ê1¼È”ë1Ää7OQxÚ‘u»ËµQb¦öË3Ñ”*?ù^ù8Ñ”Hµ·ý0­BìiÅZ€‡ŽB®pa@ÌÂ_&Ä*Æ:ŒêzIc{ýªëö䣱ý4ƒ+#ÆÈÞgÙÐP¶ ä†ÆØv€û4[õ(îql@˜BÜ}8dî„úÆëjÿªL¯^<±^™<€`ÁŠS_°¤\®Ü¾v0“ôý GuªyË׶ÖÿósH®x|úH#×ÓNÚÊÌ]U„”ÑTCÿ aã.Ú4˜‘àáÓ(ˆóŒ€J`DÐ:üÿ†…©Ç÷Ö°X«W}u€óùÍ ³X ª¹îËé{Ö¡³bj¬H§-´ï-}{ÝÏí⽞óª9øԾ鱤ˆ#p2îé +î¥dÔS¢…u4µ^ëü¦áž/p‰4ƒ#ä¶*yBÑŽð]¿¿nZß;*¦oT×r¬ÛŸ8s> endobj 727 0 obj << -/Length 3424 +/Length 3427 /Filter /FlateDecode >> stream -xÚ¥Zmo7þî_aœ D¾syý”¤iê.í%nŠ¾á°–ÖÖ"«]W+Åõúßo†CR»eçp0Œå’Ãáp8/gÅÏüñóRL:un*4ãú|±>cç·0ö挚y$š©^^=ÿÚðsW8#ÌùÕ͈WY°²äçWË_f¯¾yñýÕëws¡ÙLsmØì틼~ZÏ>ıWß½ýúòÍï^\X5»ºüîíÅÜj§`ŽzdÖwß¿ÞÏxñÛÕ·g¯¯’äãÝq&QìßÏ~ù/a“ßž±BºRŸßà +¸sâ|}¦´,´’2ö´gïÏþ™ŽFýÔœ¶`¸0¼<ŸkQ”Æò,g -ô¦,èTñÂH¥’Nu9Ò)gÐVæ̨èQÿq×6‹&tú}ÄtÑw¿2&nwÄréÍ=ÌÏ -0?n çl饺ì@ÃÂÌ^^¾ý -[zæ -ñ,³cí -¥• ›ÙtËEnDz°ÜFµ »»»~³h…ªmi:UèYôë5(=Œ{kïE*3òpÇ ®$kååᔈ4»mÓ6Ûâ^ÿ±¨ïrGkx¡-s#¾ž,³Í,qÇj—x†öªg÷«f±"µK§ Uj3µºû*qÕýÁaµÕÁ›.·{n -Y -ùøîM¡5&…°UÕuuK/ë~Y'û›¶ÎEûp~Ö ØP9¶©jÛôh3%ŸaÏŸµ5½¢Õ"-™Ýï»&ØèDq9À·k¢ S€)h»®Y$¦lvßlWÔ"Cª‡±3.Rí`¸ÛâTT’ù™¸6Õõ²¹m¶nX -ⶃF¢¡F¤„…ª-Rwû@ý(öVô:¬ª°£Àª^Ðûöv˜@<ý;¡wgxv= ßWÔ± wäÊŸše˜%’£Eh¤÷¼£ØÝt¿„LHƒB*\žÚ^ g?— @†xÐ#žŸ×ö‹4AÍnú 5ð\Ž-„+„SOÄ@ÌDßÊÈ¥‚\Ônâ¡íÙBê2òx^oÏqµ¸Ýd–,´”F$ÿô¶®„àqà“×;Ü·rpŽÑ7}ÖÁ†Ý#ux$ÐQ÷uD wõ¢Aé½}À@8åö›lD@~P‚Eÿœg]XJ±èæý®gÆÙìòfÏü îG1a4©ÚÓ´7ý®[æ‚=j0sS ŽúʦXtßxïf<Ä6lµ}ÿ‘Z1šM4a}nŽŽôcý;Q@) ÒQÿÊ4CËDæ÷à65†Šã% äb™Ò×ð0 ¹,›M†¿(tŒè>R#óeºì|´ñkÕµ(NAÃ', -ú ”ævê˜×»¦EÛÀXåãyœ¬a;X1áòx#´m”’#G;¡'@s T›ô !Dj\ü¶îê Pì¾~ çæ¢œíº®éns™G@>ÓÌŽÖŸ£.oQ8{^ed\E/¤Í£J‡Å¦¹†õIkVNè£#‹™ ^©±¾S`¨ €³4¸¹=§Æ»1þôóñ„ þ=â‹ë¿¯{¯7…(Ô‘‘ç…Gª§¤8âæ!&©È€ò¹âÓí£·4>D¯1qH# N¬Ód²RE«@ŸZá94릭6azO„”‘°§¿ÉÅ2 .¬xBcÕp版 Hü«!&'(ø"ûV§”>Z½ï0'Ów›`-%7nêcxA©×€ LÊÆžÈV¦,ã“°:äÀ.ÁǹãCIx7 ³ös™°“‘…A~u‘ ±FÊ¥t.S9^MÅ#Øë S X9Ô€¡4¿Ãw€ ØÀà=ÁhUÃÐ/L•þllºNN=™2Ui¦ ¦´¨¸F<"Â'‘Ú Ž02*¶<Àö@ú@{Ùàe]W]`™^ÇåÃHË]€?@Ùûþ¥GX%]Iü„±€ŒpÉ!ÎÜxÀ˜ F؉ttëºÊ%œžvF?m•¶2rwr¶òÁÕ¡ÇÒ&kz]´Õn¨‡¿eCº-¸ÑœŸ´Dƒˆ=nÑüø¿YJÀuKèQ4<š·nÈ<ûmG®xUʱU…-U¡È…8 DnñÎ& -c±Ô5>ßÇ<ÓÈ_¶ÕG±pÖãogf«~ØRÆEjy0 cÕrî"qŽ½ÝŵáZ´Dxèƒ9:œÅÙtQBâp…€^dØòàðâÝm«å}ènn"j¡}Xu„ÈBºÓæC¹r®§!–ã–аË7|õó›n^»‡Ë7¯o—ÂáØßûyV¦?¿Ì•„b çôŽx®äâÉñsS‹¡&Ëy|Ë 5RßÓRY: âQÒñ>›þR¡éÀ/Û6ºC•ûBÇÁÂK•šÿù9ÎÞÖ+4¥üu-g_s¼éÒèiæýKbh@L)uy$K¬Û¾Zæ~C&L|‡òÝ»ä>)ÙÖÖüqº'Q€ÀÐ75ü¥ÓϧÀìg¯BÃßÓâçofÛð¡¤ÄŠ™àþ|<·Ü<ë#Ä„±·®œa/­Òí÷~ò³”Ñw!¥”ž¼= `}‰Š;íQ¬ >âgáíÆÏÜ{MDx_†¢_´Œ¯Á`hú¡3ù÷?éA…çÝÞ‰ˆ,8SvyÌý,OêK—ù -ÿÃÿý“½ý¯A:€."ÿ9 ¬Kñ6 -…’sytÙ”%¸Œ°Ñÿ hª}Åendstream +xÚ¥ZmÛ6þ¾¿Â(8/+|)^?%išn—ö’mŠ¾á µµ¶YÚZr¶{‡þ÷›á´dÓ»9 Qäp8ÎËÑùŒÁŸyƤU3cU–3žÏ–Û 6[ÃØ› îih1¦zy}ñükÍg6³ZèÙõíˆW‘±¢à³ëÕ/óWß¼øþúõ»Ë…ÈÙ\f—‹\³ùÛÿxý:ó|þ!Œ½úîí×Wo~x÷âÒ¨ùõÕwo/&· +æ¨Gf}÷ýëÃŒ÷—¿]{ñú:J>ÞgÅþýâ—ßØl›üö‚eÒùì^XÆ­³í…Êe–+)COsñþ⟑áhÔMMi †3Í‹Ù"Y¡ Oq¦@oÊ€NÏ´T*ê4/F:å ÚJÏ"êô¶Ù÷›ã½ri³BJ;3<]7P®«äx]¥²‚çbºð׸pÕ“ê‡ME¾Ú}ªvp\jþW?¶,—›*;1lÚp`Zpõ”jFd¨&P¡„ýPûþda•ÃnÀn_8P.<ÕMÎ2cE1]ù«º¿kÊØ?A ×înñ)½¾pôêÃ`âo»Á ›r-ßÕî·7¨]dA¬Äüß][yîu»lö«ðgÕíPíÚ²AM€øb$¾T&3† Ø4Ê}S·«ç¯¾ñ„ã}.¤Ö™F'XÀFmÖ€pq:å²]™Âªº-÷ÍXÕ +àÀr¿höüêmbENÇÀÖˆh› ¶‡%ëÛ¸âî’óÐíí®í† =«?îšzYû^7¥ëN¸.»öWÆÄzO¿ßÔË ©]ÚÀ¨µÁ>¬›õ6TŒmªêm¦àsì¹äó¦¢W4[¤%³û}_{û(.ç=8wEd +0-`ßÖËÈ”ÍïëaC-2  +!;Ã"å†Û§¢¢ÌÍÄ­°©®WõºJÜ°„pU¯[ˆf$jDʧ`”º›êG‘°·¤×~SúyVÕ’Þ‡gØ¡}q þ „ΟáÙv4|ï+t ¾ãŽ\ùS½ò3‚Dr´tŽw»î—@ +iPHE‚«ÓÃ2w‡×ÀÙ/$¼áBô†çæ5Ý2NPóÛnG <—S‹á2ÿOÄLßJÈ¥¼\Ô®{â‘›103™Ì‹Àãy5,Ÿãjp»M,Y~)´ˆþél] ÁãÈ'oö¸oec¸-—v\:ƒî‘:(h©û&‡»jY£ôÎ>`ÀŸ´¢Æ& ”`Á?IV™R,¸yw‡ëã™q6¿º=0?ŠûALê„ö4¯@Çm·oW©`Ú¸ÇìTC磾21Ý×λ÷± [M×}¤VˆfMâšë“#ýX=¤N ƒôEÔ¿²œ¡e"ó{p› +CÅé’±Œé«èÑ\Võ.Á_ @yˆè.R#óU…ºl]´qkU-µ(NAÃ%, +ú °TÎÍÔ1oöuƒ¶±ÊÅÿâ4YÃv8°Ôs´ÚÖJÉ‘£Ñ;Pª‰zò†à#5.¾®ÚjG»oè¹»,æû¶­Ûu*óÈg93£õ¨Ë5ªg/Ê„,p‚«à…´yTi¿ÜÕ7°>iÍÈÌŠüÈèÈb&X@êGØŸƒ)0Ô [Ü­gÔx7†Â~1ž€Â'|qý÷Õòàõ:™:‘Çä™ÔŒOä9äê))N¸9ŒI*Ò |®ø4G»è-µ Ñ[LRºÆ¾! ž¦p  +V.µÂ³¯·uSîüôŽ)#aOw›Še9¸°â•[Àg"2 Ið¯b„˜¬ à‹ìXRúhõ®ÅœL[Üï¼µ@l”\Û©á]¥Ú2è1)ks&[é"³ŒOÂjŸw¸çŽcT i$âÝ´ +Ó̘ÏeâÁNBùÕ2Ä)Pœ)Ó…¿M¥xip4Žà 3L-`å`P=† +Ðüa ßRD`ƒ÷S Uö}·¬1Uº³°éBX9õdÊT…ž‚šÂ âzqˆŸDj¼:ü¨Ï¨ØrÛQéudƒ—mU¶ž}`z–@#-·þeçúWat%qÆJ2Â%Ç8óàc:$aÈ"éèÖu4J8½Üêüi«4™ñ”£pxý–ó ®=–6YÑë²)÷}Õÿ-ÒMƵæà1àâ¬%jÌ@ìq‹†äÇøÉR®["EÀ£ië†ÌsØvàŠW¥[•™B²T€Aàîl"Ó«^ãó}Ì3µŒðe(?º‹…5[=ßtý@©åÀ4Œ•«•¿‹„9îu½'jüµh‰ðÎÓ{s´Æ;‹5ñ¢„Äþ +½È°åÀâÅ»Ê%å}è®oj¡}Yu +„ÈLÚÓ}¹ržOC,,Ç ¡xŽn=(×ó@A‚†¯ÐKS·Uê 9BmŠÏ37° Í-œÕxMFÜ»?wብ§­ß–¿Z@4Ì—|š–ÜL“A$¾:ÄÏ2eŸ&eÔñ™Üb3©ÌI$HiIAjà²øLï1Y.dXûp³ñ» ]AÃM§®Žž±òqR°Q SOÖD£°î¦Û7^S`²-1zqu3x’m‚áÊrìqÅ 7*¨­ëO•rÐnOÁÔàMÍÓíb†î„ITdxýœëߧ§…90²Ja»d¦`˜^µ €8¹-YBjg佯ZЃŒ\Æ$ -2s‰ùo‡—hLþ’ÏIx:ƤÚ×=ôIAˆzoüzCœ¢—ô8@º”í¯™-ì±SÈçŸÊ¦FžBÏWݶt'ݸEW˜ÁCîöë u»ê)¶• ]Þ†„Ä}ٸ꼹` „›îHNò%ØvÙ|ª/ûÞ³/‰0n&7õÇŠZ¿ +¡|-&¬ÈŠ‚ƒ;Œo9ƒ W’™»Q̪Ïùà#@ME‘þܳˆc–§ß"r¦!ÑÂå?’=bep02B·YRsï+-hÕ…1S×D™"žœ±î´Ð–l~Æä  yþd4,¸MX<¬E¸Vî;êyñŒ&°*›u··Ø&U†BÏ°S Ðo•ŠºBgdeÄ,N?njwm7¡Òƒ’]åü}@½‘ÇA°ÜõΩò"Ü‚¥»â·ë-ÛêŒö‹==}x´Ç°‡:?”ã.\H÷;òóvp®¤t}Cbϯ-fϺ\„ Hoáʶ\.¶«<}…ˆ€4°Ã2 Õµ­eøjû@>w£jÿíÈ<@Î@w¸sR>ù½Äjy‚‡©Øïñp +ÌŽ€îØÍÈÃzÓ´ ñ—ۻÆóØÖm½-›sß 3–”DZÑ?o»¦éîCr\!" +xƒc‹¶°ÐŒ9ü+¾ýÇI „æá)zˆéØQ~2Ã_¦>‡ùtK¤KùîáFäíÕ›ûù¡-_½ÜÞÈ«õOï_?ý¨Ö?µØÕ¾ùùÍ럷öáêÍëõJXû»g¿HÊôç—©’P¨áœßO•\9~nj0Ô$9o¹ ¡Fê{ZÊ##‹çáT8J:ÞgÓŸ*Ô-øeÓw(S_è8X˜e±Ró?¢#Ç9Øz‰¦”¾®¥ìk÷±¼Ðù4óþ%1r@L1u9$K¬š®\¥~Dâ'L|‡ò9¸ä!)™9ÖÖüqº'Q€ÀÐ75Ü¥ÓͧÀìfo|ÃÝÓÂço¦#[ÿ¡¤ÄŠ™àî|·Ô<ã"Ä„±³®”a/mâí÷~ò»”Ñw!¥”½=`}‰Š;MQ¨ >Âgáaçf¼& ¼£/CÁ¯GZÆWo04ýØ™ÜûŸô ÂóˆîàDDæ)¹< ¦~¡'ó V—ø +ÿžÃÿýë½ÃA:€."ý9 ¬Kñ&…’syrÙ”¸Œ0 Ñÿ {$€Áendstream endobj 726 0 obj << /Type /Page @@ -1558,22 +1563,21 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 741 0 obj << -/Length 2198 +/Length 2206 /Filter /FlateDecode >> stream -xÚXI³ã6¾÷¯ðmäªX#’%Ímò²TÏ!‡î—JªÒ9Ð’ü¬´L9Zúµóë [¯2åƒÀ$Ö Å.‚ŸØeI©<Þ¥y&‘HvÅå]´{µß Þ'*Lb¥`°±zHT&™Lw‡å!ß>¿û÷±ÜÉ(ÔZ&»çÓt—NãP*™ížËß‚§³¹U·?È$ -âýïÏÿ#¶8L³T [´;è(Œs™;†ÿ–_Œ-ª’8žZ ¯C?1Š8T±–ž1 c­_ŠýADQ|w³æRtÀÏ×Ò ³«]æZjæV (¦µcŸ˜”’ÁHLŽ®{úg7¡ÐæÂÛz©SÛ­vÉÀë¦n¼Ñ–o(ªn0µ¥A­ŠúSI:GEkËz¨÷"hmÏ×µ|`Y~T"ƒK[Ö§­Â½ *#D˜'‰tÊ”US¡üh€n/² *Z÷-{šlÙ!>ôÕÀs(~ -H\L?yî¯Öò,ŠÛT}÷‹;[{³¹ÓøÔÓØ47"˪/ºúè]ëïûðÃR(zu¤ µŠ³ÿÏ7•5ÇÆû¢eãú ä‡ãí@àÌÑôuïl©‚#{¨¶E3–µ}a^;Ü1 -bO$:ñP*Ó4íëa|+¾´ -5hÄ›ÉOw -Ð1’¶ÐI‡kÛÔÅmãÀƒÊ!Mt¤Ö¾.qøèÂÇë’4”yìÅwöx¼3Js/S?€H—Êä—C&B•Ækï¸ #ËE:hOôí«b¤Ð£1^×ù)J¢Åpì'æï~úøñû'X8N ­ÐƼÏÅ *ŠÒÿì±”ÁÇ÷?Òœ±%?ýúLÄCÜ»m'ªb¨xÿñ¶•@ä áTÆëáãÐ^@ßÂP\Ã-¿T¶êŒ;'¼HÙD_u_\6Í*»ó,}[ÛÔ–·r²õ¹ºí…f[š{0ó‚œÛ®þ diùŒº_ë"œ.î>åZ±½)˜&úúŚƙëLJ}«¯WÍz`¯Ð³$é„ÔÞžk“(ÌTî‘zÂêg6´cgM³Ä˜7@[„Yœ¥T+`PYgc_\@ÁàbÊŠ(‡ð5ôaÊÇå.™šÁ™¦ð…A?P ¹°±Cp¼á\Ígÿ‹˜tÁéL…uë~9͇õ[1xiq$GL¸(‹sŽ2˜˜¼ôë¹²DMËxk×Ä4iŽ+vãvóÙ×Æcý³?ؘÂl_\OªoÄ¡×xª°êæŧ×Å\¯•%(^•£êëPÙCÖÅE’.‘z•MÐþa›-lÓ¡ÊSÉóp1«…yrZš&F87®íB6NTØ9yy6Ô"¨vJ0Fš©tíå«,`Ü°ajk:®¡h03Ü%hndžiÛòêÑ›  -o⋱£‹¦)SïK-‰®Ó9€~­1Ï2MßÕ…Agppâ®®˜þ“”q9^®ø%DÇ•ÁŸ_´—+7)ndÁ¹®Á³Ow›)8K°ÑuF„™Ú3úšvŸJ“w­}ª$ð_g3$Jî`éqYÃ¥Í&Ìi NCþgÞ?7& éúŠ­/‚‚*3ò gÃw¼’¯<òeCÛÑCµ£ý.w·@–§w€7 .Jz¶.Ÿ(vÿÁÄ“óÁyðÞB‹gJš›×4@¿­ÏƒŽÒÜüyÔ4é@$ô½Ôv„jéNɨ/âN*Ŷµ\œlaÂ\g1}Büp]!ôYÅ)Õ_Ûdâ’Dê9^%ù¿œ²ƒé(x¤vnÏt<¢}ýyÊö•ly±èL¤‚Œh3Aúö¼Ñ -Å*s!ƒÁ”ÝÀáÔCé, ÉµínÝ-iß·Ý;}n¾½-[mo¸³‡ˆ¤Ï Ó1Óijã'@kL?ÜwöèõMPxòÕu}›wlxLaÖ^<ˆAŠOH #ڎͤ/óóÕ®!9Uo=¦Ž „93œ6÷/㛘K‰á¯æQ.™:-xTñ³†¦Áä\!yoO󅱌³ -À™ß8’QW-PWRaƒ¹36î*|Óî:Df^¨­<Ëàe4`¡¢ã܃p#FAÝ»RJ_·€¸´ÎÍ2óí0XŸVfÕ`0µO88t—=Ÿ2ËhToDÑmÙ|Û"ô—1RlðwæD¶ô…â>./r¶¡éÃ÷oÒE힃¢\>Pg_jÇë{°~¥ÛC“´õ,”*sp[ÑÙ’oƒžñºÑ…Ä2T*Ê}«ÂÍAš†J¦b§ïñ1¥EpkG"Îæ B´–Á€ÿyqx‰Ës ×üÂ×Ðg®UZú‚Ó«–<ãðÁEz–ÃðJ ^Tåü´ƒiEGµÝgx™%JS7ÿšp8«täo™_*ɹ1ßx*GI˜@§¹2²c~ÃÈiE¹÷ ö#½o*‘Ë03>{ºÙýƒsoJ H Ó Φ¶$€Ž4NüCºæ°`b©T˜F©ß‚ ÿxŒÐ!ôµÓ{|tXŒ÷¢†\ÆÆ -RL«<øeŸ‚`¡B¡N^_R*ÖažÆɺÏïNDøV_ëᛩ¶‚gqÅ‘Š½ý²õbƒçZ” oµ©×æçÒc'R¦Z$ÿÜÈgy:y³Ÿ%Fà]½‰ò‡.w±hî^3l4¸³ÿ€jRQã5IÊ\Êu‚Ç‘‰Nîºÿ7ԋмùJ=¸QÐ^ðŽ, yßÓ«@,ë ¬‘ôBrjfa^îa`’J L™ãʦ * â…œÏdˆG -o9üs“l‚K -å^k=¶õ q¬Õʯõp¾kMoœ¿‰úξ゙þ°öC«$Ä?µ·þÒö[óú?{¹¤ž„(ãM(.t¼w·MÿŽ?^÷7|=äendstream +xÚXI³ã6¾÷¯ðmäªX#‘"%Ímò²TÏ!‡î—JªÒ9Ð’ü¬´L9Zúµóë [¯2åƒÀ$Ö€ã]¿x—©0’y²Kó$TQ¬vÅå]´{µßż'Q2T‰”0ØX=(™…*éî°<äÛçwÿþ!;…Z µ{>Mwé4 …Ùî¹ü-x:›ëPuûƒPQìþ±%aš¥1²E»ƒŽÂ$¹cøoùÅØ¢*‰ã©ú:ôcœ„2ÑÂ3fa¢¥ãKÂxˆ£( +¾»Ys© :àçki†ŠÙå.s-4sKŠiíØ'&)E0“£ëž¾ÃÙMÈ´¹ð¶ÅDêÔv«]"0Ǻ©‡o´eÅŠªLmiÐ_«¢þE‚ΑAÑÚ²ê}´¶çëZ>°,¿J‰àÒ–õéF«p/¨†ÊÄq˜+%œ2eÕT(? ÛÇYP­û–=M¶ìújà9 +¿N$.¦Ÿ<÷WkyÅmª>„ûã;[{³¹ÓøÔÓØ47"˪/ºúè]ëïûðÃ"–:ôêj™dÿŸo*kŽ÷EËÆ5ôAÉÇÛ4À™£éëÞÙRGöPm‹f,kû¼v +¸9b$Ä^¬tâ¡T¦iÚ×ÃøV|ijЈ7“ŸîŒAÇ HÚB'®mS·2‡4Ñ‘\ûºh Äᣠ¯Si(òÄ‹ïìñx $f”æ^¦~‘.•È/‡,eš¬½ã2Œ,é =Ñ·¯Š‘BÆx]Oä§HE‹áØOÌßýôñã÷O°ãXAZ¡yŸ‹$d¥ÿÙ!‚ï¤9cK"~úõ™ˆ‡¸wÛN8:UÅPñþãm+È© Œ×à ơ½€¾…¡¸†)Z~©lÕw.Ny‘² ˆ¾ê¾¸lšUvçYú¶¶©-oådêsuÛÇq`¶¥¹3/ȹíê¿@––Ϩûµ.±ÓÂݧ\ëã£3¶7sÂD_¿X3°Ã8sI‰ oõõ +¡YÌâõšc–$ÚÛÓa­ŠÂLæ©'¬~ö`óG;vÖ4KŒy´ã0K²”ÞŠd–ÅÙØP0¸˜²"Êa'| }€ò1d9K&gpA¦)|aÐH.l`ìo8WóÙÿb&]p@º€ÓX€ºu¿œæÃú­¼´$ +’£ &\”%9GLL^úõ\Y¢¦e¼µëbš4Ç• »q»ùì‚ÈkcŠŠ±þÙŸlLa¶/.È'Õ7âÐk<½°ÞÍ‹N¯‹¹^+KP¼zŽª¯Ce{ Y*]")Ô2› 9üÃ6[ئC™§’18æ àbV óä´4+LŒpn\Û…lœ¨°sòòl¨EP;ì`Œ4“éÚËVYÀ¸aÃÔÖtü†¢ÁÌp— ý¹¦mË«Go6((¼‰/ÆŽ.š¦L½jItÎôky†”iú–¨¶( :ƒƒwuõÀ̈ðŸ„HÊñrÅ/!:® þü¢½\¹Hq# Îu•ž}ºÛLÁYÒ€®3ò ÌԞѿi÷©4yGiísPªÀÍ(¹F€¥ Äe —67š0§J8 ùWœyÿ\˜(ÒÕ)Z? +z™‘g8¾ã•|…ä‘/Ú–ˆ^;Úïrw h¹!pzqx“੤g‹áò‰b÷ÏL<9l‘ï-”x¦d¡¹xMôÛú<¨(ÍÍŸGE“bEßKmGx-Ý)ÕE\I¥X¶Öƒ‹“-L˜ßYLDŸ?ü®ú¬â”Þ_Û„rI"ô¯‚üŠ_NÙÁt ÝìþĹ7%1Hº—àlšaK(Jå{éšÿÄ‚‰¥Ra¥~ æüã1±¡´ZòÑõ°ïE 錵¤˜–yðË>Á· +…:yuü«r‰ó4Që7xnrŠtøV_ëᛩ¶‚gI%‘Š±½ý²Õ´AÇe±·ÚTnsÇôX̃”LêŸkù,O'ïbö³Äˆ½«¶((Ôy'2‹Jᮡaë¤IÀÅýT“Þ5¾áQ¡òPäB¬<ˆTZÝ5o¨¡yó•zpcLÿyA+Xó¾§Æ ^>)°FÒÇ‚S›h4 ór“ôÊÀÔ‘9®l +z(`ÁA|,æ3âÑ„±·þ¿I6AŽ%… +¶+{†8Öje€×z8ßÁú¢XÀù›¨ïìûîûçé?kÿO´T!þ¯½õ¯¶ßr˜÷Ð_Ú«È õ—ýA(.½w·M?^÷7b/?endstream endobj 740 0 obj << /Type /Page @@ -1667,15 +1671,14 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 757 0 obj << -/Length 1925 +/Length 1929 /Filter /FlateDecode >> stream xÚåYKsÛ6¾ëWhr©Ô a€ H0>¥‰Ó8“ºI¬ét&É–`K E*"eEéä¿wñ"A -’œtzª=c.ÁÅ>¿]ÞÄÃøñj€M9ná#’¦áp9ˆE,¢ÔŽäƒëÁÛF óUMõ„QŽODXâ‹K‡‘Ÿ¥ âTÚKPQ¦>\^ƒãÑoê'Áú)¾Ôb]d9AâK¶\åMË%’RÎ^DÔQX¡IPš&©{UnÇ¥lTϳÚRb§©l:+3ºÌ¹¦ÊB>£Ñ˜gù­3ϬØÕóEq§ßE#Ñhcõ[!êm¹þôÞXÜ2ÝdU½(ÍÔyYÕ•&·‹¼™(f*Nœ!(e,TÎÔ%|ÇéèS¡¼jn ý‰f"_Ü‹µ4>5ŸS×@5”Ð". =V®ÇDŠ1"nKC€ÛUW–ôMS+5§\‰u>&£B·ô:ŒŒ×À£XDUæ`TV´èz«‹§‰“¿‰“$uœ$¥â¤(i“|Þýœ–ŌûVÛãZ•‡î²Sm„”†l)*±Ö6Ë[ŠhÛHkQ㉷±^)S#‡®&–*mú£q>(—`$+ª­hÝ‘_vú©mß“hì†D„)†éfÖçÖ˜ÐC›2k |´vÒ`ƒ¶™‰øM6ý¤©rs(âM$;¶‰oØöáЋµn0Ç!´PÇòU;J ‚•Õ$6€VT©ŸÐ’ZŒ[L7€CêƧùBµ‘c"B˜¦#[ÅHNØfÃÅTnvº·±Øém”SD94Z¬|,‹|çé€$E<–½[7‹¹QÙX,£D˜¢0Š¸'¯Çqnpí‚<šèè©RÛä&ÛY^õêP·:S‹ˆûEf³‹i ÍJ¿Ê¨ä`¨j®^˜vê­°Ë[£<°Zá$«¬A¢°z WûÞ<Å‹F EõB¯Aµ„Ëbê[‰C! C3å§Ê×XZàt;šìçn³›\غyrhùC‚8€óøþÅåR«5‰£S 9udIÛ?`’ô•Á¤(9®µáÚWÛÅ,:Š»j_—¥é›• C±k ßiB $:yî„P†`e+¢ZÔ‚xòECDn‹K6J¨Q–DŽ¤ÐÝøªË=Y›)_ËBèŽåÍ T%‡²<‘A‡ëH-×é Óêd°¯ÖŸAWí™Aä6´ž1«!ONÄÊá:+Ëu:VÇ´:±ê«õÇÊU{ñe:ÏŠ;ã¾Þ|ëö^Ï}kÀÓ+süs6_r]¥ì*z¹Á ¹è¬v/ÛÍðÁ¨Ú¤=hAaº1=±ž8LGòb˜N§åˆJ'+=þ¤8:ÿK #Ї)œ¡Ž'Ïá:’=Ëu:}Ç´:ùë«õ'ÐU{ºª £‘e‘…vtɃ²÷*òƒY¡?„2OÓ^™›ãx”D#µß†gVè§Q¦_šc…<¸dæœãzŸ˜s¸$`û«*È­úkSÕšš‰jº^ܨ½ºTuSÞ ¹áçdtUÖŠÊjKY£ìSLº¾³}c£JX¹Tç½Ã‡ó©ÛîævŸlO“½s•Ü•#èkuÎÕc{}HG„#Q>ŒàÐÅy¨°ª?®ï†šx瀻áÜ ûàÞ—+q-Ï@Ö+ŠÈž51ô´kÌ^}Y¦SôeI,9FŒñÞBsÙY¯zõnàŸxjËè°¹>dfÓ\ßéÙe°Ò¯›¿Š3FðŸ…ѹLå GÄüvn1eïü:âírÚoî‚Ū -îÊ`.Öâ€8½…-W’½‘á^[v ŒòÝ”Öw$3-UV˹¯< —: @œéŽY®ßúÍç[ã®)Þ€èM‡ý›×Ò,ÏËmP¯³¢º•p^@͵†Y‘ã@eš—¤}2>`†‹Ò†IÀ+ñ…SOÕ×&®îaç=H8Ñرg-ªz½˜ÖúÍ(ê°îµ˜nÖ•*á#ú¥¾„Ô× -ñ„øÀ‚*ûÙrKD·A©ñ‘>J9+Ö£j4<©%@ÆfHÉ’:¬ÚîUõnÕ™ã‡ù -~´<Û7èüH¹¥Ñ Œ»•†°‚ØÆ–dêÎIUE"·%¼wædÈÜ鶈leÖ:là™©¯J~¦ç­9î”YÖ˜ïÇHèÅÈò^åÙ½8•öêl_‡×g¢C í¸ëÛÃö=òŸ.pãÈ¿þïY»½ŽDa‰õ¯ÃÇphLk”ôokÝü›mßôf-dendstream +’œtzª=c.ÁÅ>¿]ÞÄÃøñj€M9ná#’¦áp9ˆE,¢ÔŽäƒëÁÛF óUMõ„QŽODXâ‹K‡‘Ÿ¥ âTÚKPQ¦>\^ƒãÑoê'Áú)¾Ôb]d9AâK¶\åMË%’RÎ^DÔQX¡IPš&©{UnÇ¥lTϳÚRb§©l:+3ºÌ¹¦ÊB>£Ñ˜gù­3ϬØÕóEq§ßE#Ñhcõ[!êm¹þôÞXÜ2ÝdU½(ÍÔyYÕ•&·‹¼™(f*Nœ!(e,TÎÔ%|ÇéèS¡¼jn ý‰f"_Ü‹µ4>5ŸS×@5”Ð". =V®ÇDŠ1"nKC€ÛUW–ôMS+5§\‰u>&£B·ô:ŒŒ×À£XDUæ`TV´èz«‹§‰“¿‰“$uœ$¥â¤(i“|Þýœ–ŌûVÛãZ•‡î²Sm„”†l)*±Ö6Ë[ŠhÛHkQ㉷±^)S#‡®&–*mú£q>(—`$+ª­hÝ‘_vú©mß“hì†D„)†éfÖçÖ˜ÐC›2k |´vÒ`ƒ¶™‰øM6ý¤©rs(âM$;¶‰oØöáЋµn0Ç!´PÇòU;J ‚•Õ$6€VT©ŸÐ’ZŒ[L7€CêƧùBµ‘c"B˜¦#[ÅHNØfÃÅTnvº·±Øém”SD94Z¬|,‹|çé€$E<–½[7‹¹QÙX,£D˜¢0Š¸'¯Çqnpí‚<šèè©RÛä&ÛY^õêP·:S‹ˆûEf³‹i ÍJ¿Ê¨ä`¨j®^˜vê­°Ë[£<°Zá$«¬A¢°z WûÞ<Å‹F EõB¯Aµ„Ëbê[‰C! C3å§Ê×XZàt;šìçn³›\غyrhùC‚8€óøþÅåR«5‰£S 9udIÛ?`’ô•Á¤(9®µáÚWÛÅ,:Š»j_—¥é›• C±k ßiB $:yî„P†`e+¢ZÔ‚xòECDn‹K6J¨Q–DŽ¤ÐÝøªË=Y›)_ËBèŽåÍ T%‡²<‘A‡ëH-×é Óêd°¯ÖŸAWí™Aä6´ž1«!ONÄÊá:+Ëu:VÇ´:±ê«õÇÊU{ñe:ÏŠ;ã¾Þ|ëö^ÏMW/-Õ] ž^™ƒ ³ “+”(eÑ w–aÈJgÝ{Ùn‹ÆÿÐvíAK £Ð—鉕Åa:’!Ãt:AGT:ùééô§ÇÑùÿ[TŽLá4ukZ0hÇ]ß®¶ï‘ÿtGþõÿÑÚíu” +K¬¦8†ãcšX£¤û[ëænû¦ÿ¸´0&endstream endobj 756 0 obj << /Type /Page @@ -1722,18 +1725,24 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 766 0 obj << -/Length 2332 +/Length 2327 /Filter /FlateDecode >> stream -xÚ¥ÉvÛ8òî¯Ð‘z‰‚àš~}Pì,î´O¬×—$˜„%&\.v«¿~ªPEÊô$3c¿g -…B¡vÀ|áÂ/_ÄsEâ/¢Äg˃EZž¹‹-̽=ã†fe‰VcªW›³oB¾HXzábs7â37Žùb“}vÎß­¯7¯?-W^à:>[®‚ÐuÖ-9çÎúÃùë š:ÿðõæFBø1ZâÍÍåÛå×Íg¯7ƒHc±¹+PžgŸ¿º‹ ¤ÿãÌe"‰ƒÅ \Æ“Ä[”g~ Xà a1ÅÙÍÙ¿†£Y½tN ˆY{ÑŒ‚hNAÂBá ­‡J–ªUͽj–«ÐuyŒ‡ þ -<ì°âœ%Aàý„ÜGòo|oÁ}&üÐÃ-au³ˆ'´(o¹â®{T,#^p_“ovy zCÇ~%}Ú]ÝtζÏ3EØ®6³ªëòjKƒ~OßÍ2qFV­L»¼® BT²ë›%e¶øâ®–Ž#È y+[•™]N™´*훼;I öÕå‡ Fàe7§ÉLµi“ßⶂNº“ÕÖð$ú»Sf¶®¾¸®·íI#1…!fåƒ*ŠÌNv3[H:4 þÑçd„½«²üñwŠ¦+ÃïNu÷|zDŠ±¼J‹>#S@(éÓ °×‹êTµ-!ê;ú¦ÄMvÇ5mâ»:˜E²ÊèÛ§ÉÛ|;µ0àònGÉJž°8 -Irœ’(YóR6yq aÛï÷à{È) -É‹5^ëJ˜à@X;dj¸¡C0fYöUžjS‚ˆ8°®…FiZV`ñO])à †&ˆ|ç9 bÏ©ê.¿;èŒõ|ÎÅHC±kì nÚæ÷ŠP?zÕ„ˆn%8ˆâ»Üù¤Úº€3´4k]@­TøVêAŸ@¤ƒSZmÇصê(¦ÏNÚ}‹¼Ì;bȵ6A1Ì0F-ÎøªyÖLFÿB8e¾ÝuÞ*ƒª[ƒé[uד¡ÈËòÔPì3Ù)´…ë;k‘å4Ì:f!g8ƒá’]ÝÙ Y’j¯Ÿ1„xGq •F'?z#-¸ZZ:5ã„öªaû<¨ÝJ·Á—Æ—dz¾~«T’ÛÝMΉK¥R©Tw)|áÃ/_Ȉù" I²ÈçÑ"+/üÅæ^_pK³rD«1Õ‹õųßc¾HYñb}7â%™/%_¬·Ÿ¼«7—7ëW—« ò½-WQì{—/ÿµäœ{—ï¯^½¤©«߬oa$D(Ô¯o¯_/¿¬ÿ¸xµD‹Í}ò|¿øôÅ_lAú?.|&R-`à3ž¦Á¢¼#Á¢P‡).n/þ90Íš¥sjˆ„d‘ ’=DÉœ¢”Å"F•*u«›{Ý,W±ï{< üx8ØaÅ9K£(ø yˆäÏ~ƒ™ã·„Õ‘d Oi3PÞrÅ}ÿ¤/œ< XÈx…KC?ÁF“ÍnAÀÇQÍèWã¦æM +Êc¾(Ó§:Á¡&ßCﶃh¡¤¸m¿œ‹ˆ„I?™Š÷¨T?ê17ÊxŸ„L ‡J:Z²Îû˜*Ü’ÌTÐjl’&–ÐfÚ]£J:æ(…ÂÅàïsE@綟´\¤,¡w ¶«o3;cÙÇ.ÄrÏ `“Â*ËæøS6˜+-«d'XÎS9 œ"¯l]©˜Q[vêD™é,BÎbaÜö"¯u¥Ô¦ar»W¶•åíPl(æx¥2['ÃZÇnÐ:g$§>E­Ý>ªòÍ +€»ÐUn¥è»/U¶*·‘ÅnìE/aÉß|¸]ۣțwæIÏfLº€Àh:åtuJ]`/8ËH* „Üf–·cžð(yâãƒî~¾Hr¸ + púSj +G‡ÙSp¥hÛ4w…z¸Ö èD& ±=ÛP¶JàfÎáR?鈰±ZÅ!™LWY½uöo»f¸ÊŒƒ†˜Òæ +jªHDìT¡Ïç2±`)>GøC¶´÷-ç¢Îõ_“³ÁïÈéʳäè.žg·0·Jµ(3êÜó™­x’0.E:õs0ãmªg¯¢«¯¯ÓOê–ýî«àëöò·ß~ÕóÎÔü½F ¤pû/öä¡`øøñSU?ÖשøüPcsUα$ŒÄ\õ lõy§ª^ÿcéÉT$Ošœ7ø¼<˜€œ¢Ü[·Æ…Ì2¸wV™ejú&Àbf5Wƒq8û–t6`Lƒyïì½.ñ.o¯®¯-ccÒÖnÖô"Û­ÙfõAŽ^obïåû[F“—„0/œÎ#qñ’›§Ôƒ}¸‰½RããbÞ–v{ú0»Ý -OÑð]ÓÒÅÝh³wþ}}³äAjzFÌŒíÞB.ôa_WÚŽu—±½Î‹ˆá“úÌÞÌø¿ÜŸþ;&p£•Áü[€ðc&¸°[¡ð<=—|xâ,ú¿ŠNxýendstream endobj 765 0 obj << /Type /Page @@ -1852,16 +1861,16 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 787 0 obj << -/Length 3102 +/Length 3106 /Filter /FlateDecode >> stream -xÚ¥ZKsÛ8¾ûWøº*bH‚à£rJlg’ÙÚLv¢Ý­­É( ²°¡HF¤ìx~ýö |™OÕ–  ÑèLJ–ÃËþÂËLûÊãË4}„úr{¼.ï`짋PxVŽi5æz»¾xõ. /s?O¢är½­•ùA–…—ëÝoÞõû7ŸÖ·¿^­"x±µÒIཹù×U†Þ›×·7 ›mVŸ¸»­w†ÙZÓÉ5ß¾¹Á{Gy}¦á[ð ·E8Ñ t{ B{¦A˜VðÀ Aè (–·'/ºs¿GÀA ”7H½]M+­ª…t_”vWtõ¢”à‰žaŠèÆ6BéõLTŒ6”EäØ@iècÍ hP³“C±_’žcz†}îŠã„”]Ù ZcC·W1´g*f*†Žœ—b¦Îe¨>w­Ý¹Îž¿|^d/Ëú “NEuGj… —5Ur¤´(9R ))NÅ<Š‚á(m‰$>6’#}¤b첊‘ŒI¨Tü‚R×þ~û’‡‹JÜᑶrF½=táhÅî¿ç¶#i²Èkq¯L‰)"…—‡ÆL@Ùb@@îÚóv ÷³?—å#SàBí— ˆÌŒ!ÃùPñ@Q=ò\¼ÙgX·5-3‡íåâ_´#iDY°Šm—Ì‘Uy€Tß¿¬¯ÒØ{óÏõ{&| t@.†â »UÝ‚›í`$ôqQˆÃÑeû`*bØ#N|•ª˜ö€˜}µ -ƒ`H)4aÜÀ¯B_%ó¸Æá=Ê}¥ã¸‘Éâ)£Í:Šœ}{(*Û™º'c:\ ˜cw¦2' UwÂÂäö ®¶crk¶Üïx|cºc*ìj¦ê¶kÑ‹¾㜕$:¸ÜsQÒ¬ÜI&7ñæá¶Zl ÛÅxñO•¥c?Ë’PÔð]©À×:ˆ…I¢&¬Ø6fk÷˜¬b²?0Uœ^Q¦"Šmù+ºâ8 8ʹhÙ•)€¾ýðñ†ì±)Í,Dæ×U)›Õ•ŠÀM¬=u5gâyî‘.0æ„‘‹Âwc÷¨Tò—Õ{S–Gr0`gÑL|h w½IgÞÛšâ pÐU1Ïp5@çö·³í¯YÈpVq/{LXä*–#㶦/E¤Œœª(»C}¾£(ˆaÕ^AåÎÒ2xø²/ª%¹q˜Ca&17ó Jp'<ÍV{vˆÝzœr-ù,´d³Ð’»T-Îx T%Ç¥‹Ø)a$ÕÂódjnNc°%ÍjÆmþÂùRq?{¼$ÌÜý³”˜ÊVÒÉ _‘w”Pv¦4ŒNý^"®hZV¾‡BxÅïm}n)”­O>k$Œ”Ÿ$`:«0÷áÀY¶é(ð#­“gãhèxɤ•Î9Lâ·²•0©ÙU˜ºÛÒ’÷a›"(|{$ç؉Ví(+æ2?w ‚¿$¿¦ogs’½Ð'lµ-ϲ#o°'jxo%I>CA¿9áQ10§òZô,oÁ’)¼Õņ©;;  ÌaÈ9¡v¦ ,žÂL  1íy̓¾ 2#­,ÀðJ˜æ}[W]‘Å[„ ãÃþØ Bh‹:ŸDé Ì (ŽÑRæzÃQÈVˆàÅí½ÙwÅ|Rà€–KböBÀ¥œÄ`bSœÌئ ‹¬œ pÌT’N€j+€@|êªÇ$ú“Çæ´xèéh+ɈŒ(óYàÂ~ﯯñ¥Nó½ØvÜœ~Z½Ë–NMù:sψ¹Ug9 ý¬Q‡vLˆ(ק޿FÐÀ¹ex7&›&n±tyÌ@ˆKêOÅ‹#?DÇxN¼Lgj$ÞKöÉøš¶ô€Lì¬`' qáã!`_õG™­,»ƒGƽ‘Ùo€HVEzH•D:šªaljó•ÀüD`þ8ç.(h÷=F©òrüD¼±àu ¶ç¦©Odî0xóñóçÛk™ìC”^ª-X¢%3öI ¡e¦B–"0ÌO/ hß_ß]3G¤VÃTš-ì©®]Â{ÍySÚí+p÷ûÂ%>¾à!-†“—¸Äbn+C¾Ø«JÉŽ2Иú¹Ë§tíž„˜`‹£[½¨*Š3˜¶[f#´´ð(Di_»¬kïmiz<ѧ~—ðï@ãÛ¿>¹œ_YGÛ=$¨+—åµp£9ý^ÊÝlTâÒJ3^ç÷0©*ÄCí1ÇãJÉénúôw/¤1rŽGsYn?©&Ä"ýh#©ù‘´•H÷–y®|€«?«,¾Ç1¾žéÉåEFt¥Áð*ï:slfù²L ¤yåîÆUÉ®‚‹~ ·0S:JJç‹÷º$mḮçõ'™Ã6lŠc;µâþ âêÏS'ør1³ÚŠ&è†Õ4È¥¡á¢t¶vp6™P´A+´Û“ݘvfô’,‹“ý–2SãîÏÌ&ðÝ.Ú뇊ßÔ Ø\¬D2—Þpn˜Pp×mÄ<ÛQý[ÓfCy{®b¾7% }^*é—:Öc&À»…í€sâ3…NšÉ­¥X_ -ЮòªTÿKN@µ;q“t\ª ü8ÉÝëquXð§Ä ¯òŠuÃ6‰mÈÁ\P‹øY…Ö™PZº¹ˆ •Ø‹dSôˆ$40¬;ãl¦èÆ?ŽDƒYQîš³âïÚOB€ ?o¬’È£xV„`¤¸‚ç"¾%›¤GPbrJö)ï¡>}åç)tv"ʶ«OÃïia2ìåìj´BouŠL´1ÂêŒ4ê Чøß¹9²(E¹eÁä] ŸàÙ±Âav’z†Hsæ1¸ GXèQc\EÖ‰«šiÝ[ä÷?6çjHºÿYE»ŸUpÞ^v`%äêS˃ÔFLM1/!Øæ`˳ýAe\š)²â>ÚEɳ&8¤àµ;Åã` i O`fÂÅ_´ÂRg""t0MV“h•K´Š+츻‘Ilùôxn+f¡_ -HDî¹ì©ç7EÅr€ºìq™Ã]ð¹2–ä€\Å"¶zÇEõÈ«¹œ©b÷SjËtþÅ0-Œ,¸ÓÉmâÐEK ¸,‘Ì|äaQ »Â)¶7 dÃMÔ°ûûðè@w½;/̸ÿÍå™ì÷bñç%g/#¨ïphïK<{—E)S¾bSß÷øÕ%ü~ÔÎ_Œmøjð$üÒXú·…¿I¨¥BúHýÿËÃðoqê«,‹–ÿ›ò”ŸEyê„BuFá\òþ#žŠþ?}­Sendstream +xÚ¥ZKsÛ8¾ûWøº*b@‚à£rrœd’ÙÚLv¬Ý­­É( ²¸¡HF¤ìx~ýö |™OÕ–  ÑèLJ–ƒKÁej|¥³è2É"ߨÀ\nêòÆ~º„gå˜Vc®7ë‹Wïãà2ó³8Œ/×ûÑZ©¯Ò4¸\ï~ón>\^¿ûõjåEþÕÊÄÊ»~û¯« ¼ëO7ïÞòÐÍ/Ðþ¼¾…^˜Å°a^ÿíÝ®~_ÿ|ñnÝ‹4;PåùvñÛïêrÒÿ|¡|¥æò:ʲ,¼<^DFû&ÒÚQÊ‹Û‹ô ŽFiê’ŒN}“†É‚"½¤“ù±5éáãþj¥ÃÔËù³¾ýø¶/ÈOWAêYhíéÞž¸Íô­-îm;šxGÛ¶ù›QÜUvÇíÍ£ðUü=W_«ú¡âY_í#iý%t£Ôë–é¼MÛÔU+K>e) Z·lÚXŸÒÑŠî\:%¡!ÇÓʳß;[íH> ÛmVŸ¸»­w–ÙZÛÉ5ß\¿Å{Gy}¦á›ó ·E0Ñ t{ B{¦A˜–óÀ Aè ȗ·'Ï»s¿‡Šá 9Ê«oWÓÊ@«j!Ýçe±Ë;‹z•(E=Ñ3L=ÃØF(½ž‰*‚ц²ˆH#Í}¬YÍÂjvr(öKÒsdPÏ°¢ÏRq“’ +{Ak¬bèö*†öLÅÃìAÅБ“àRÌÔGªÏ][ì\gÏ_>/²—eý@‡„I§¼º#µB€@Ž…Ëš*9ÔF”ꘔŒ§bEÁp”¶DIƒŠ‘>R1vYÅÈFÆ‹$T*~A©ë÷’‡óJÜᑶrF½=táhùî¿ç¶#iÒÐkq¯T‹)"…—‡ÆL@Ùb@@îÚóv ÷³?—å#SàB‹/J…vÆá|¬x ¯y.Þì3¬ÛÚ™Ãörñ/Ú‘4¢,X¥h—Ì‘Uy€TßO¿¬¯’È»þçú¾(£ÈÅ°“Ÿa·ª+¶àf; |\âpxD>˜Jˆöˆb_':¢= f_­¥†”B†À ü:ðu2ÿˆkÞÃÌ×&Ê€™ +´„;‹ÞdRïMMq8誘g¸ sûÛ¹è¯YÈpV~/{çLXä*–#㶦/E¤”œ*/»C}¾£(ˆaµ¸‚Ê¥)dððe_ÔKrã0‡ÂTbnê5”àNxZQñ@Ο?àbØ‘)­9ºÏlN‰e:ùs£³p– +o\c´ãŽDY„s+° æ?¥M½BbÅ:­‡ fž… bOÜÞo;x‡”ZF€€ÊVý5‘ÆD5粓9KþFÆOT<{vˆÝfœ2-Ù,´¤³Ð’¹T-Îx T%Ç¥‹Ø)a$1³xjnNc°%ÍÆmþÂùR«(Žž=^¤îþYJLe+iƒä…¯È;J(;[ÚNF'ŠÀ~¯W4­B¾‡\xÅï‹úÜR(Zž|ÖHj?ŽÁtVAæÃ3€5²lÓ¡òCcâgãh¢L´dÒÚd&ñ[]!aÒ°5ê˜1/t·eAÞ‡mŠ ðí‘œc'Zµ£¬4š;xÈ\üÜE©¿$¿¦og{’½Ð'Šj[žeG !Þ`O4ðÞŠãl†‚9~s£b`N0äµèYÜ#l ßœ?$Sz«1Š wv@˜?‚€r4BíLAX<…™@CbÚó(š}AeFZY€á•0 Ìú¶®º#‹·AƇý±Ðu>‰Ò*Ì (ŽÑRæzÃQÈVˆàÅí]ï;Šb +_†8 å’†½p)'1˜Øä'3E“SŠEVNP8f+I'@-*€@|êªÇ$ú“Çæ´xèéXT’Qf³À…ýÞ__ãKœö{¾í¸9 ü´z–-šòuêžs«N3@7æY£”qLˆ(×'Þ¿VÐÀ¹ex7&&n±tY¦f Ä%õ§âE¡ c<'^jR=ï%ûøGÈüÍ[f@&HvV°“ȸp€ñ°/ˆú£Ì‚Œ…,»ƒGƽ•Ùo€HVEzH´¯BNÕ06µ?‡ùZ`~,0œs4ƒûŒÃD{~BÞXð:PÛsÓÔ'2w|ûéööÝ Lö!J/Õ,± 3öI ¡e¦\–"0ÌO/ hß_ßß0Gh4VÃt’.ì©®]Â{ÍySÛWàî÷¹K||ÁCZ &/)q‰7ÄÝV<†0|±W•’e ±'ôs—OéÆ= 1ÁæG·z^Ug0m·ÌFhiáQˆÒ¾vY·¸/JÛã‰>õ»„ïÜþõÉåüªp´MÞC‚ºrY~P 7*ÓïE¡ÜÍF%.­ ãÕh~“ªB4Ô>p€s4®”ì^ +˜î¦O÷RA#çhô0—åö“jB$Ò6’šI[‰Dpo©çʸúã°Êâ{3à뙞\^dDWŠ ¯ò®³Çfö/ëÁ´Xh¼šÞ“«˜-\ ndv(\‡[\z/ö¨º€Çàj¸¡7ŸeÛ³ÍíÔ¢ûC‰Û;l§¦˜N‚ðebrµ}²Â¡hæ(˜Ó2©©.Ÿ€N‡'¹·|Rg̃»þ•Ð˜Hh”ðõlP¼9=6] ÎÕŠ­Ôƒ†ˆÁámT‚e¥ÊƒyÓqÄTHA¨©áÙ¾)­«_qDaÈ0.cõ‹ÝÚíùTtR¨B]°à€šGé)<$ßýð€:óá)ïžQ¢SXÖ~—déÈÒPÏ*¶já$ô¤È‚.YMž’ˆ ±°µƒ³)ÈŠ¢ Z¡ÝžŠmgF/‰38{¯á÷êȸû$4³ |L·‹öú±â÷µ€E¹Š —Hæ2<Î rg;ª…Úl(uGòqÉ\V‚R¸Š9{‘ÖÙFH`f¦ò;‰Yo_s1aV’¸r0d‹e{p;·j_Gwõ/*‹ï úñTh~F"oQ9ÆB¦Œð¥¿>™®b¿7% ~^*î—:Öc&À¾yÑÿçÄ' 4•[K°¾¬]VëþWEu<@Ð]ïÎÃk3ê¿Ey&û½Xü©ÉÙËö;Ú»ÆÏÞecQÊ”/ßÔ÷=~u ¿-æ/Æ6|5x~u,ý‹ƒÆß'ôÒ?$¨>Rÿßÿþ0ü‹G”ø:MÃåÿl€<å§a–8¡Pa0—¼ÿ?‰§¢ÿøœ}endstream endobj 786 0 obj << /Type /Page @@ -1896,20 +1905,24 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 794 0 obj << -/Length 2706 +/Length 2707 /Filter /FlateDecode >> stream xÚµ]sÛ¸ñÝ¿B‰<‰X 2}ò9¹»ÜÝ$×Xmgîãa‹‰Ô‰”]õ×w»I™v’~Œ°\,‹Å~BbÃOÌt¥¹Ìg&O" =[ï.âÙÌ}w!˜fá‰Cªo–þ6³<ÊS™Î–·^Yg™˜-Ë_çId¢KàÏß¼¿¹y{}¹"b~ýýÕÏË·áSÇ@D$Woþ~)`òêýõÛ74uýàŸ—7—¿/¸x» B ±B‰þ¸øõ÷xV‚ü?\Ä‘Ê3={€8y.g»‹D«H'JyÌöâæâ¯á`Ö-T„ˆ#©R9¡‰D΄ˆr­åH:R%UP…¸\ˆ8ŽçßÙÚŠ®ªïè˜?ÚS‹GFj Òx¶i¤b‘:Ëe"9 y$R“1Ò”uÛÚõâ“=ÝÙz‚ešGI’ ¦Þ.E6oîÅŽ©Z­- êïHdK_À¿ýl‘eQ*Ìl!²(Ó™q|¯€JÆsäèv°ôý¯¦fhwl;‚ÖMÝUMa¾90]3½žö_(Ð%jeb– ‡j»eYª;Þ¤ð¨¦ÛXÞ‡vYÓn¥[,æ^ªn¸Ã+wj¸™pßpÞV¨DÍ,òV‰ ·’!’‰š[Âõ‰€¡Âð»´[{J/‰yà±u–Ïa~2ðS¬U„6Ž çm±cT ¡”Ç¢ó.d–Î LÎKêN{†à­2×og¿|xÿvÂe)™gLôŠØuIÛ@+ÞéØ«-÷ÎDþÒ×]µjj4ŠÜÌßñJgÏ0úûÝíl]ZÞ ÛLƦÐ'öDP„L¢D¨Ü«„8ì TˆRj¾>œö:Ð~S­yf{תn³#ŠÒ¢éñ%âtKãoR&;8lÑ¡ÕÍO„EwñÚí·„íŒ­<‰»Q@¼{»üö/„³¡#Öݶ'k'oµ.Žüñæêæû+A¿Å:~€slÆÁ n:N–ö¸ß7‡ÎÇç(0~óî=Çí<’ÀŒÙÒðææ* - ¹0Ü6ÛmóÂ"ÞWXÌ®ü(4˜4#`Uua·¬<û5Iµšc&£,K½Ñ®7Õ¶Œì? ¼Š ëÍ8‘ÄÁW^3Ól@µP©WÐj|äqœ^¤ÈNn‡XÑèŽæLéÜÉA#£é2Òôešt6Ž{ìöG0ðêc¹µ-MªZY9Q”ǵ-_O¨N¤q”ËÄg¡Çr½ŒcõRH•èïⱔ¤‘Q±×%ÞùÄõ@öMÒ§¶ §UÚD9ð|¿ûþPÝ£áLH'°0ówOž`C,VñÜq °ji,jÅÜÛˆCº ®b -l|tź†o-ÈäGótc˜å=B~t<†«(Jy¹GQŠÃtbÜA&t©ÀvUl¦,}ÊŠ2¥½cà10X'Ù0ÖùÝ͸à(°æW‰ñÄGžwë(ð4.Oy0äÀˆ)îúøBðÓ ·Âs_­eu«8÷¥jIE™H³±…x»X@yÇ»)ÚÄqätÄ€€¡¡jd½ˆÓr"M'¹k¹/*C ˆP÷öP!_ŸÏ§òÅeÅ&ìl¨!W<ø¢¦èìãY·!éP-2™m{{è*Ëå*ku„¬Ü3à:¨¬nqÕ­õY÷lGvvWöÖ—,p[5÷,äºÅT¶ÆøLÒÌ“þºs_["¶Ý4ÇmI°«Ÿ`¶ª[ËY°Uí¬,çŠ ¸”F?T¨‰ÍD•'¡ÁsøÀð§wï¯úÛ›©ROë(É/õÚn «4bke½=–”øsõ„ -‘ÀñxÞBÁø°ëRãˆÈù- -‡´k X•E2†&Ê7j’µëƒ´iEß­A%ô¿ì×vÅ'ûé)¶y%&$ǯèÙÖdxç¥R¨‡Z_ÏÝOfHF ¹ Ó£.lÜû‰Uí²ÏÀ2?Ôk×0iß9%¡7Ó¡7K¸GAÜÊÚšpÞ›KÜHb@“Ä@IÆ7šŒ0«cµe…ÜÿPÔí®j[´à¦fds&\Qj¸ó ©§9÷Eö[ˆ°ÅÐïÓ¾Q¿kå› ãW¥g«Lè:0[ÕDÂ]j¿Êx…Á¤Bï:F5õ9/ŽA©o¤€{ÃÍÁÚ5ŽA]bÃdŸ=¥ëF«Ž— Ï[‚±Æ¡pZµýþ®÷ólÜm´ ¡PZùèDÄ:V[Øt[µÝp“^Ý`VÖŸ£†åc†ó^ËåO´ðü:Åà Êû -' V~jo×.±I&>ßb1§c2lòHǃ™xÕâ -®Q†«÷¾ÞÒ¾ÖÔX§îªmqØž"à N8>Ú»¿ÛŒ29°fQAÓ{ö¨P<]Iö_Ááì3+‹ßD¹CŸðÇy±n°ðŒ&ºüàQéDý;t -‡±4¾ÌÒ$öÈ'»çÉé)º%¸"ýü“Àço© Ï2U}ùxâ÷Ù7 ýCj<:øâ³½¥:ÒPôùªß# toü¶CQBQ øã8Çw‹`ÂE"œpŒ‚÷y×y“Ä·~eÄYÚkhg÷ä‘P*Æ€ :î=‘¯Z"å·U -UXÉÁOª&<§3îÞ®u ª!/¦·¡("ÊÕélwÿ´lú×ËÇ™n×Úí½k“XÎù•Ï 9àƒ‚•2’Ô¾õ{&€‚ÃÚMµ'*÷ØaËl!-º’¿ùq÷©™³­×MiGëÄ8"UpÞ ó&WþÒZ^q-úž¢ì5Úç‹K µåÿ­ºÇ›ŸnVŒY3óõ¥=ŠÃjÝyÚ‹¶/ÒmÇé#‘2i:öûwpu"ò-4ÁÆÎ|áS¨6ÿëŸB‰÷m÷ütö<Ö舼%âGÿW&0YWÔã ‹ñjRj…°W?(šçÏ OBÚ„ÿ*^ñF*¢Dù¸6žˆ|:2Ú¤_¡¬$ oãæCä:D9½7·4éó ÂáÑ)oýr[Bõèï$$i+®Ó%ä±¥ûƒ 0%W“Ñ@ÇëlH|QCÁ‘ “w)o®¸É‹|Þ7þ'Ïÿ¸c{æ»çÖÕöåĨ¦ê¥yý\&7Sì0g¶ ëÍ -ùÅ|*´–„ >õ×·‚ûQjêê8ÄÿúoñþÏÿi–ÉþïÑ« É¢$&,žDÊG’ûÿÏ‹þoBx·endstream + ¹0Ü6ÛmóÂ"ÞWXÌ®ü(4˜4[¬ª.lâ”ç|àx惨6CKÌTd„ôQt½©¶edÿYà-Lnærˆbj´ž×Ì4P-Tª¢\H9>í8D/Rˆa‹‚F'·C¬h„S1‚)'9h$c4=FJ¾ÌA‰Î¼ÀgÝþèbÞz,·¶¥ Ò2B+K#çˆò¸¶åë Õ‰4Žr™xÕý8–ëe«—BªDGx¥&ŒŠ%/Ç랸H¼IúÔä¯J›(åØÖûÝ÷‡êmfB‚8…™Uä6„aÏ«–Æ¢ÆQ̽8¤‹ç*¦ØÀƇ@WÜ¡7`äÖ‚¬}4O7@0FXÞ#¤FÇc¸Š”—{ 8B'ÆdB— +lWÅfÊÒ§¬#ÍÒrÆé$†9¿›¢7ÖüŠ 1žøÈ ànž†#à)å†1Å]¿_~ºØãVxî뢵¬nç¾jB-©(i6¶o ¨ìx7E›8΀œŽ™Œ4Œ¬—gÌKƒ¾6AxÕ¹6ä‚ ·khD9˜§ÂÅA‹êR>U²ˆŽl\m1 “cž +)Ôì:ñ‡™öT(EeªÕÓqZN¤‰âbãHË}=ñèD„º·‡ +ùúT>•*.s¨›0WgC ¹ºÁ×s0Eg7Ϻ ¡HG€j¹†É|hÛÛCWY®PY«#$ä@eu‹«n­O¸g;²³»ºIsá±·¾Ò`)€Ûª¹g Í-¦5æ¾gòežô×û²±í¦9nK‚]é³UÝZNØ€­jge9HÀ% |4Bø¡BMl& +< ½ œÃ†?½{ýÓßÞLUyZGIn|•×vpcXØ «Xƒ,ëí±¤œŸ«' TˆŽoÄó +Ƈ —GDÎoQ8Ä SŪ,’1ôO¾G“Ü£]ì C+úF Š ÿe«¶+>ÙOO±Íã(1!9~E»¶&Ã;¯’B=ÔúRî–x2C2Í ˜5`ã¶OĨj—}–ù¡^»^Iû¦) m™mYÂí âVÖÖ„óÞ\ºàFš$J’0¾wÔdÜ€Y«-£(¼àþ‡¢nwUÛ¢75#›3áŠrWÕU Ä_Hí̹/²ßB„-†~Ÿö=ø]C(ßW¿*=[eBÃÙª&nPûUÆ+ &}‚|×1ªy¨Ïyq J}Üî Ö®/p ê{%ûì)]#Zu¼}öØŒ5…Óªí÷wm—˜ÿcãn¦]…Ò‚ÈGÏ "îбÚ¦۪톛ô +Èèæ³²þ5,3œ7ðZ.¢…ç×)UÞdè6µòS{»véˆM2ñù‹18“aG:æÉóĨûb[•¤NØ +òMÕ0±;©/ïè-åEKäüvʼnd댎¤ž¸ÐÁžÉ$IÐ}ºO‚îrºORRŒ+¹B.q_4om†µ Œ œŒnx×M½`Cí½çŠ‡<tg›uÍ~,ø3ÑT"K#݇دÊt4îB³ÂrÁÑÖ—(:úÃþ¹ó}p€õTœLvÌfÜ1§ÃŽÙ„ˆÚÒ\AXN©OÆ÷ÌÄ«Wp2\¸÷õ–öµ¦Æ:uWm‹Ãö4op²ÀñÑÞu÷Ýf”©È5{Œ +šÞ³÷„âéJ²w8ø +7`'˜YYœø Êú„?΋uó€…g4ÑåJŸ0 êßy¤S8Œ¥ñe–&±G>Ù=ONOéÔ-ÁéçŸ>8Kex©êË?À»¸Ï¾HèâPãÑÁŸí-…Ô‘–á“øïrã·ŠŠZÀ¯Ç9¾£X.ᄳ`¼Ï»Î›$>ó+#ÎÒ^C;»'„R1LйpO‰ˆäxÕ)?«R¨ÂJÖ~M5á8 ˜q÷F8p­Q y1½íEQ®Ng»ûWeÓ?\>Ît»Önï]Ó˜ÄrÎ|NàðȬ”‘¤Àð­ß3öÐnª=Q¹Ç#X@` iÑ•œøÍïÒ¸OÍœm½nJ;Z'Æ ©‚óN˜7¹ò—ÖòŠkùÐðìe¯Ñ>_\j¨-ÿoÕ=Þüt³b$Èš™¯/í¹PVëÎÓ^´}‘n;N¹ˆ”Iӱ߿ƒ«ù“o¡ 6væ ŸB ´øOXÿJ¼7hû¸?7à?3 ³ç¶DGä-?úA09€Éº¢gXŒW“R+„½úA‘Ð<Nx|Ò&üMñŠŸ0R%ÂÈǵñDäÓ‘Ñ&ý +e%Yxë7"×!Ê è½¹p·Õ½¥IŸO¶Hyë—Û‚ªGÿ$!I{\q.!-Ý)‘¸ +˜Œ:öXgã@â‹ +Ž\蜼KysÅM^ àó¾ñ?yùÇÛ3ß=·ø³®¶/'F5U/Íëç2¹™ò`—€9³MXhVÈ/ÎàS¡m´$dð©½ÜRSÿQÇ! þ×ÿˆ÷ÿû'H³Löv^M%0a¡ð$R>’ÜÿuþXôÞ~Ëendstream endobj 793 0 obj << /Type /Page @@ -2111,19 +2124,29 @@ endobj /ProcSet [ /PDF ] >> endobj 830 0 obj << -/Length 3323 +/Length 3322 /Filter /FlateDecode >> stream -xÚÍÙrã¸ñÝ_¡·È©÷1yÚkR³›dÇo»[Z¢-ÖP¤V¤Æã|}ºqP¤D‰N¬©šr¹‚@£Ñè-6£ðÇfV*œœ'‰¢LÍ–›:{„o¿aqŒT‚()¼Œ|](a‰²ÜÌ} ßßݼ}/ùŒS¢5W³»‡n-m,qBºÙÝê·ùëlÛæ»ÛWt®oÿ¸û9L“ÄXÃp…%1ŽZ?áû¿üF»ðø¡®~§”?îwY[ÔUèü5ÈwyµÌ#D1sÄi®#@ XÅû­ñ­/ûoÙÜÄþ¢ Ãîw·ÌÎëlU>‡Ž¦Øe¶ £Ú:tÀZòåo· Aõ|]?åŸa³FÎßÀ7gæí:÷Ðò04¼„ÇCþ W¡ÑÊ">õÃ Þ Ü6n”1âTÜ(R—ÕlÞì—k$”›{ ðü\äO 4E‡:ôꡱ<%²›cO™Gͺޗ«Ð~ªwŸb«hãBa¸b çí¡Ä™EwXÖy49¨ë±ÝlêŽVF~›m™#²†#Û„!‚0â>N pïyüâ®óå§ÐU<„.8«ç¸@V…®§ Ÿçø‚(,‹¼j=›À QÜ@¬5ØóÚ7Eõ¸V -päÐxȳvÖhbO½¯V¡YD¦ï‰éV0 k|(:|.ñ!¡€Çû+ú›6«"Ñ”'/0që)ƒ=Å ;"ÍÒPÜm²6Œêv×جó²ŒÍå®Ø¶AX•é «ÐŽXePÛà`ívWÜ¿­²M¾ -\¾è† Èy_×-Œ~ˆCÓ+iÖ#*†‘Ìð¸ -éô“DHÍqÌ¢´”p-Q5a· FéEô¾(ãYþ¿×HÜ‚Frƒ|_—eýÔqCO< ²hÚÐò‚Ï&è§åúEgˆ–öš8&ˆHJ -Ž‰ é%þô´80©£.‘» '´ÊQt+Ôøzÿ å>)µÞ‰ASؤö"ã-*ÀÃ,ÚßÔW;ä˜| -ãàôÍúÂó:yDÉÈû5D\£¯iõ„ˆ k*.ñ6“ਠ^7øÕbž .ú GДpFZ°!š£ÜÍàй„¯‡d‚8…¤å„ £‡Hžán­‰f 5¿»… ÀFÛ‡-TDþYå±± ÏÎ;ÕO ø—[š|‰b{"ø Á´eW<¿âi„Q`ÿ);e³1Á÷-ã6ÞŒìÔ{ðfN÷)!*sŠêëí³ƒ8±O‰¸c8Øçv—?_Fv*¹ÎÝ©ˆ>ƒ~¼U j_Atz½­&ˆS[u0_²#ÍQ¬ÆìnÔ«i› -2ôévÑ—FY“Ce<ârp°w ˜k Å_½ñâ¢òtãÜhbž†]p9ÀVÈN"“#û&øMžŸH¨2„£Ñë£>îg¡ñk/9Ñ?ÅùˆÑŽá">óåÁ#G\ýcö‚SPÌ°>')’nԧкhdÜÀöL×u ¬¼¦…pÉ˧ ¬V;^Õ›¬¨N —÷ßi“F¾Úl%x‹À1ËÊÆj€ß9÷™jBÑÅìl—zþçsH!\†×âWÙI5Z>ÝO……¡Ó‡ÙÐã8èñ9èÉÂãÇ_>†~DãMè{@ó‡üK¶ÍþlS4÷;çrD³@<ÁMªvóLÚ¼iÉá$ŽöjØ5a^`Ó|Ã~ ƒÄàSl*8QԙȨmÌæŒ3j{EVí¼Ä¬,óe±ÉÊiŽý:S˜xóÜÏ^^ ÞŠªÍó]Þ>gåÞs(´)>D?áú¹R¡ÑäÛl—µi|]ù¤´îŸÇ˜èÚ¤<„¢ÿ&KV!æ.)ÊÅHHƒ³JŒ íض%qR¸¡[1€Ðk $úfc¶ FQ­ã¨d¯pFé*¹jÖ ±ÏÁS˜»Cë‚<õ8õÛ•'î¡ÊLÆUÔåbæ«Øʳ©“nàõR'}R'ÏøäG©“ïÀi€.6ÿðÏÏ26ýLŸÁmbOÈŽC“¢Þ^úL±ÿðPïw±yHîù×b,ñr*=#Z‰[EczÆሴ”ìõa‚¸èƒq-x3|ŠnØe­$%²F -ýª:$ÏËCŸÓ®%‰ž/™fœ• –r9!ÜJ°¬.Šƒ>+iÜõ¤¡ñ‚0ôñ{¹, ºQÐQq$áeJ1GÝ%ª8¥ìÝêÞ¾{Kɱä$ÒX>©Iûgòºcþªœ£ÁnH3å@sÆ_Äk‰Ó Ÿ1¦­–‡q¯fqÑ9‚!ƒ(£™†g™ÚF°óŒ$r4Þ$›.¿!OuXYfÕõöÚAœØ+·Ðñ¢½‚ßÑxè?Œè!áTòëí´ƒ8±S!!"v/ÜhT·“òØãôkÉ£4ÄòK9üiÆYy•)¸VSò¨)¸¢OÉcwEyì¼$} ·õ®}‘<.„‘ ÌÃó0k°¸²†ªäÊVûÍ}¾›Ìï‘@3¶jŽ#Ýbx]Š˜•Å¦ð¾à%µ0ÿÚT°êM¸OfÂpRÜЩŠ• L‡ÀÃf X/ë§Ðv$t¶Ïño‹eVú(z¢µƒÐb ïïÍÓ·ºnõS•¾mCçb¬N` V3÷¥ZÍ? mÕvÞÔ¤¹ù2kJõÏlä<¥ 7@g/á(¤¤zƬ#Tš×ÛÅâ¢rÄ£sºËÃÊ—NÔMuri6ÙsØq FTÊIÝ£O÷/ÇVÐ>tÛ:oûÖæuìk¦ѻҒN¥A˜„YÎÎÝëvi‹nàõ!}2!Çïu!cÖˆw3Œ_|q¼h±ñZ{í Nì•; "†[=“«O|¹mt|óª —^¡Œ64BUﻎ¶YªÔÍ® ¼ãñ3Æ|Í´q]‰î}T}4c¯ü“ÇjÚäH†«1ôGÁël²Þn“/÷»¢ À/ÈUc¿Ý[VÆ„áSRpÃì´T¥W”ªÈKRÕGñLmЉ\×$cq¶|•"–Pà}–ïØ…ç…â n ú|% „[‹rq=Út'hƒÕð•is¡’$y w4Uÿö ©ÜLìÞ˺ôòØ 0êh†•C‰Ê«UW’|0sY¥ê‚u z-!JÙƒ—ƒL3Î ‘QË©Ä£Š ÎÅœ–î)&{ÕRòyUW‹*ÌÚâszÇ'¨3Š6´÷US<úlŽˆ÷®á}þ‚äŽV:OœÐ9÷ëôGóíSŽ1§Î_×ú"ÞUx’J§ XT± Eµ,÷  ˆ¡ÁŸªèù% £³å2߶ٽ/(0>>m –oÇ⃇ýÎÿÔÅ3Ë}ž*Ùc†Æw>¨c©þ¥þÄ!UL`W;,Gžûz'û:^‘|A®1±È‰ã?™Z¤ß:!âO§Æ‹Ž(øìÜaA‹äÝAs²…ôûª¨´Ü[.3endstream +xÚÍÙrãÆñ]_Á·P©ÅìÜÇæÉצì'±õf»* ‰¨%šW«|}ºç$”ˆ®r©T fzzzúž&›Qøc3«NÎŒ“DQ¦fËí=Á·¿ß±8F*A”^F¾fJX¢,7³¬ä뇻÷%ŸqJ´æjöðØ­¥%NH7{Xý2ÿfïÚbŸqEçúþ·‡Â4IŒ5 §QXBã¨õ¾þþÇoÃhßÔÕ¯”ò§Ã>o˺ +?ž¨–E„(fŽ8Íu¨+£x 5 µóeà=›{˜Ð_6aØbÏì¼ÎW›—ÐÑ”Ûr“ïè¶G°–|ùÛ}&¨ž¯ëçâ3lÖÈù;øæ̼]Z†æƒ—ðx,žä*4ºQyħ~<Ã;ÃmãF#NÅ"upYÍæÍa¹FB¹¹ÏÏeñÜ@St¨C/ Ës"»9ölŠ YׇÍ*´Ÿëý§Ø*Û¸PØ®¸óöPâÌ2‚;.ë<š‡Ô§õØn¶uG+#¿ínS ²†Ÿ"Û„!‚0b§¸÷"~ñLJ×ÅòSè*CœÕK\ ¯BW‚ÓG†Ï‹G|A–eQµžM`P‰(n¡Ölˆù š²z +Ü +…F8rh<y{k4±§>T«Ð,#Ó÷Dƒt+5>>—ø‰PÀãýƒýƒM›U‘hÊ“˜¸õƒÁžbБæ i(î·yFu»ë lÖÅf›Ë}¹kƒ°*ÓV¡±Ê ¶Á-ÀÚí¾\¼¯òm± +\žuCä\Ôu £ãÐôJšõˆJ` a$3<®B:=Ä$Rs“uƒ2I ×"UvŸ1J/(¢å&žåwáð›qÄ-h$'<ÈõfS?wÜPÆÏÃcS6mhyÁ‡g‘ û·CS¬MTÚÖ:2Ër ïÀ¡½ª—\Àþ€øß}÷ЧèFÎ$ãDSÇQûÿ~÷Ëot¶cñÃ%ÂY5{†J˜ƒÛ;É1ÔˆÔ³¹ûùî_ÿ笄QǨ¸ŒA˜GVl¦CPYÚS&,œ‹³®3iæ„™D¡f’JÂ%5þøòåæ”FŒ3bµpǯ 'ÎZ;¾Ù¬ƒ˜õAŽ –Ô*PQ&ÆÄÉÅàyEP†û²œ`À‹Õˆ¬N¬•6ÎÎW«}Ñ4§¤Z†ìr+J$€„Ú¦O úi¹>CÑ¢¥½%Ž â’’‚c"€ÃHz‰??-Lê¨Kän ­ +Ý +u¾.^¡Ü'¥Ö;1h +›Ô^dÜ“e@Xb˜eCûÛ€:ðj‡œ’Obœ¾Y_xÞ&(ù‚yÿ×èkZ=!â‚Šk¼Í$8ª¨× ~³˜'ˆYäšÎH 6Ds”»:—°âíL§´œpaôÉ Ü­5Ñ  °æW÷Øhû°…ŠÈ?«"6öáÙ¹bçú‰ÿrK“/QîÎ4˜¶ì†ç×Aœ 0 +ì?eçl6&øž£eÜÆ»‘ZbÞÌù>%DeNQ}»}v'ö)w ûÜí‹ÇòËÈN…#×Ù£‹;qÀ'pÐO·jAí+ˆNo·Õqj«æKv¢9ÊÕ˜Ýz5m3ÓB!CŸo}i”59TÆ#.{' Š¹¶ÐPüÍï f}çç@kó4ìŠË¶Bv™ÙwÁïlŠâLB•!^…ðqÿ4 Ÿzɉnü9Î'Œv +ñù¹X=bpôÁÕ?e/8Å às–"éFM`q­‹FÆ lÏtÝÖÀÊ[X—¬±|ÊÀ*`…°ãU½ÍËêÌp pÿ6iä›ÍV‚—ŽYV4Vü.¹ÏTŠ.fg³¸ÔóߘC +á2¼6¿úÈNªùóºôyè~.}( >̆žÇAÏÑ@OßþøsèG4Þ…¾G4Ø(¾äÛÑìÏ.Es¿r.G4 ÄLФj·/¤-š–Oâd¯V€]ÓIpæ6í1ÀŸØdЂ|ŠM'Š:µÙœqFMcoȪ=טu€e±,·ùfšcÿÎ&Þ<7Á³—ׂ·²j‹§bß„·Ïùæà9Ú¢Ÿpý\©ÐhŠ]¾ÏÛ4¾®|R Z‹—1fº6)¡è¿É_àÁ’Uˆ¹KŠr1ҠìcBD;¶mIœnèV  ÀôÚ‰¾Ù˜í‚QTë8*Ùë†QºJ®šuCìKðæîк"O=NýóÊw‚Pe&ã*j‰r1óUîäÅÔI7ðv©“>È+©“Š|ò“ÔÉWà4@›ÿÏÏ26ýLŸÁmbOÈŽC“¢Þ^úL±ÿðXö±yLîù×r,ñr.=#Z‰[EczÆሴ”ìía‚˜õAŽ8„¼ +>E7ìºV’Y#…~U—å¡Ïi·’‡DÏ׃L3.ʃ K¹œn%XVÅA_‡4îvÒЃxEúø½^P]ƒ(訸’ð:¥Î‡£îUœRöaµ°>ÀRr,y ‰4–OjÒþ™¼í˜ÿPÎÑ`7¤™r ¹ã/âµÄyÐÏÓVËã¸7³N‚˜õAŽ`È JÇhf€áEæ¶ìÈ<#‰7ɦËoÈs]V–Yu»½v'öÊ-´F¼j¯ƒàw4Þú#ú@HA8•üv;í NìTHˆˆÝ+7Õí¤<ö8ýVò( ±üZÿ dšqQAe +®Õ”àÀ¼¤F` â_û +vB½ ÷ÉLNŠ:U±’éø`x ë›ú9t£ í Dü»r™o|”=ÑÚAè¿ 1Œ÷÷æé[]·Yý\¥o»Ð™Õ ,Áj¾TƒMEÛ*í¼©·>màæ˾¾ msϦ-öeó)¼ùê¯>¤ŠSÖ›-CÀZ¦i‹2e"\4Χþf¼˜Þmòe±®7«TÎ*0·)–íà{ŸW«zÚëòiÅ£E2ÅÛkä¬+š¢'ƒo룦PCGû?€L3.i +¦QêâÝl§)À½qjÚpÇa7ÔGˆ×ÔD½‹©ú1=!hÐÜÍ«¢ UAØÙìÀ÷ÇkJ/žé¡äyQ~EY"!±&H +ß[…._ñ(bþ3^ŸaߢÄÈ[XD'ÆáE»Í›O h,(…‡{‡R[n0y9¢þ„·öÊׇ©þ™œ§4á +èâ-”TϘu„JóvÃØAÌú G\8G »<®|íD ÑT'Ÿf›¿„×`u@ÇÙ4Ø›˜IÃnÌËî6ÅX® %‡!·¥”•yoÇEeŽ——‘Ðñ^†É_b©àCc‘Äî|U0™š¹Þ¢„â߸qu]VêXÐùc´ãoX:`®Ôuж+a¨Vcäq`UJQ2GDè{>F"‰(ÆöHÍ v¥üDˆ.ˆ+b˜ÃuÇÎÅᢧô¡×飜Ô=útÿrlmàC·­Ë6±omÞfÀþȼ ºWZÒ©<S‚0ËÙ¥‹Ý.oÑ ¼]&¤òJ*d€âøÅîI&d̺QOb†ñ›/î€-–#Þj¯ĉ½rgAÄp«—¯rµàI`‚/·‹žoQµáÖ+ÔцF(+ãà~×±Ä6O¥ºùÑ„w<~Ƙ/š6®«Ñ]DÕg@3öê?y,§MŽd¸C¼Î&ï]é6Åò°/ÛüŠ\õ8öÏ{Íʘ€8|Jªn˜–ª4ð†RÕyMªú(^(:“+ðšd¬–/SÄ +¼Ðòûð¼RäÀ-¡B_.%´åâv´é NÐËà+ÒæJ)IòïhªþõR!¸™Ø½-—õÆ—Èc4À¨£–z %ª¨V]MòÑÌåI”"¨+bÔ1è­„(¥^2͸$DbD-§2;Œ*"4x8W“X»§˜ì•H8Šª®²ªxÊÛò3:ÚJÏÏÀ _US>ù4~‰®áúú%))Øx¤»—œz¾(Fís±§ÎßÓúêÝUxRJ§ XT­ eµÜ@ C +‚¿QÑóïý],ŒÎ—Ëb×æ _I`|"$|ÚB ߎŇ½ÿ‹g’E‘JØcjÆw¾œT¦cñ¥þ¶!•J`W;¬‹GM™ëz'ú6‘|@®1£È‰ã¿•ÊÒœ7ñ7SãÕF|uî°’Åòn 9ÛBúaÕTZÍ1Üendstream endobj 829 0 obj << /Type /Page @@ -2413,37 +2436,19 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 877 0 obj << -/Length 2823 +/Length 2808 /Filter /FlateDecode >> stream -xÚµ]oãFî=¿Â -°žÎ§¤¹}Ú¶Ù½ô®Û»l -Üa[²%ÇÂÚ’kÉ›æ>þû‘CŽ,Û -6ÀâQŠCrHIGÍ$ü©™KE굟eÞ -'•›-·Wrökï®ÓÌ#Ñ|LõíýÕ7oS5ó§:ݯF¼r!ó\ÍîËI*´¸2ùî§÷ooßý|÷æ:³ÉýíOï¯çÚÉäíí_ozw÷æÇßÜ]ÏUîTòÝŸßüíþ掖Ræñííûï ãéñ Ó»›·7w7ï¿»¹þõþ‡«›ûA—±¾JTä÷«¿ÊY jÿp%…ñ¹›=‹Ê{=Û^Yg„³ÆDÌæêÃÕ߆£Õðé¤ý”Ú¤z€ÖLÐy‘m‚?ÔͲºž©“~]¡>ß¼uÙè+«…wVÃVH¾oÊ¥øT=á){)rY&\UEØ_«`6U÷ -Þ¬APzÄŸ¨…ˆ²­ÂRž4mO¨uñ™ ZY×k¦®èãŠVP`ă|Q†E½©û§k¥T"Pø4ùçµÕLY4¼p)ºðë¢yàmù á$N´Äc›àÛ[4˜’I»' Y]ý¯ŠPÁ–JÆ%•tÕ’dïÁ*F§I×ÅÊ(ÖíaSr[|âïŠ §Ò.ƒ–ùØ«À«)·JEîµcÊǺ_[ØuÏJ<6„beR¯B<ÖÝšÎß(#|Ŧ¡4‚Χsy´bŽŠ·]Ñ®[b:B˜s²‹Ç"†™ ¥ù.¼ÜRüüþöáv$Ê&dˆ¦ÚÐjÿ´ã/BH¥ñæAÂœáâ€'%mºÃn×îûp\@†þ6þP';xí¤nÄÌ u†C:MP…µ“ÄO6õ„«„BDëŒKç$2W -šR1+Cœ ~·¯?‡ª_°Ä…Â?ÊRð·—]9ù¬ pC±ê$™#ÒàçŸÁS ý/ ;t_“bƒ”8ýV—ÿ;èÕ™ÇþþD³bóÐÂa­·D þGózêBÆV -Ë÷s²ù$ßÿ>—Öl© -ɨyþÍÿ)M¥YŒúé®h¤ÏÍD(âÅK‚UÝÉñwëâxñãûЀÒû æ -ûä>¦6¡û·ï^Åï«óyqPEep*Ð7-M˜œÐâþaFÀÝhÔ2ÐÏÇ\ŽZ.ù†YKµ<šÞ -{.•©À˜ùŸg ú‚ —܆K>µPšÔžCÓÇ›‹LÉ//#VM¯´Ô¶!Ð.—Ø´#XðeEÈ1}»#̦úêk¤_Ù‰ì È¡…Æ/˜=\uɸbB'Èjzx½~®«Ç©rÇ -èܹVOµwÉ_ª§Žv(+ž.™4Ð)O4ÒMðbc©²†'è;'U'úg¸Fí0"xÖâÞÊ ‹wÄLÀ¢¢'„Ɖ;\B ò]hlÔ)ÅéSˆŸS=¦¬ ®u@f^Pïæ"G3ûM°¦U -RçέéäD(gSðvír<4ÿ…HŽäó1ýe]p½ˆcL¼‘¬ Hî=‘æ"’ª/qÉí H„í¡ã”¸¨N*gÎØ<= vFèœ2#r©Ý3)!MϜϤg:6οS© ‚¤6Ï^2 ×Âçy>=ŸG†ó1Gú‘`,˜‡ŠÏæþ¸o(§¦OÑ¥H…Ð|ª8ƒ¶óSÆŠ܉r/œñÅ£ÓP Ä¶•‰ -Z)ÛmQó÷4nEèÐÔ¿ªPí`g[‚§×«'ªuzºÁ0ÖÉ-·ØÔ,"¿ŽkP:‚*¥ÏÚ_œeÑÚX™ü¢µ¥r -!Z×|89né¹,BœãWtå‚Ø]è7ð› r.ü,Þ±¡\;Y]0§ZùЙŽç¸áÛšùF­±.Å‘ -³ ZÀçEYò”¢›ª©¶Eæ Ú$›:ÈŠ`˜†Á„K3Ž†IÛ(hîÙüæLS0QœÁÚ¢ -#7€¢s™PAö CÒ œù÷€¢Çh,_M•ÉCev¬z¦çÓñéE®‡¡ù±0HS^) ñ µBª¾:J†óÇË(U8ú…5ìû|”:%­ψUZ9. Å.б `|ÅGÝ?}Sp€Ú×K®!Çh"ü%Pf4 -Äþ¹ -ÙŒ­ I #¡€895Ø«éÃgÖŒç}øÊŽou¨L w! ÍòÄÏ&p®YfbÞ]o‹å|[º »Akk™ “š¹Ëý3¾¢sam69Ôšœ×É9”ø>Éð‡M—µ§ çc–—®bÀÎà%þ¸3 -{ù]ÎÏt>Ô¡Á_lœyàaŒZˆ°ÐÒY,ø‡›d™;kÁ¹v5¨ÃE: -âÓ†*Žûa ïâÓ&gQtÕ<µ<>„|TíNÐñ¥]¯çÞG”w¾¢ó˜;^•Á¯ÏÜý#Q 3ñÑËotë°A/j¹ã ]‚P`ql·íé©ðæÙùW1|;2lÛÞDÿ‡‡fSoëpL«úõ¹ßñÁÊøãûDñ&‡óøêßøÿQkò\OWЭ› -m`ô…äñŸ.EÿúgxÁendstream +xÚµksãÆí»…>Ò3§½}ñÕ|º$¾«ÓäÒúœ™v’L†)™s©ˆÔ9îã¿X`W¤H÷<ÉtüÐ.Ä{Ðj!áO-âD$¹ÎinE,U¼Xï¯äb {ï®ã,=ÒrˆõåýÕë·‰Zä"Ot²¸ß heBf™ZÜ—?F‰Ðâ(Èè«ïß¿½}÷ÃÝ›ëÔF÷·ß¿¿^êXFoo¿½!èÝÝ›ï¾{sw½TY¬¢¯þüæ¯÷7w´•0/oßM+9=ž!zwóöæîæýW7×?ßsusdÊ«¤AA~½úñg¹(Aìo®¤0y/á‡*Ïõbec#bkŒ_Ù]}¸ú[ 8ØuGgõ§¤Ð&Ñ3 +´fNq.£Sà‡ºYW×K#uÔ?T(Ïë·q:8eµÈc«áUˆ~lʵøX=☼™N-#nª¢?¯U1õº£gÛìžRQÝôUSV%¿½¥g±Ûµg†æªX|,µr¹n÷‡¢¯W;&|êŠ-ƒí†ždG<™Ñºm–Èòb™‘f*Y,•¹bí˜ýIJ½=jÛ€…MîVvU÷ +~Y Œ ÷¸> ʶr[YÔ´=-=Ÿx³ ‡zûÀØÕ–W´ƒ ã:ðçyXÕ»ººVJE™O¢\ç Ú‰1‹†_TŠ®Feºõ‡¢ÙòkÙ`‰‘”h6pß8jŠ}EP{¤§Ó4]ýO¿µmÙ¨«ÖÄ{Z‰Ó¨k ãÉñ†íiWÒâ¾øÈ„Š§Ò6©±éЫ@›9·J„1#>ÖýCx)óÞ>6ùê͈±ŽuÄ"x™sЫ©N½†(›%:¹Û.€u³íÐ:Žîg£D) lõ¢0Xõˆäg¬¨×èCѱ$=‡ê¸¯»ü“ºªgà´v²%ÀfÁkc#–ªã¬ecÏ„SŒJ4d 𘋉%£8¢dé$¢ˆ˜H‘këEDo+ga ³©Ì»€ 0 ~¼Î¢SÓ€ÂéEïV´¾Ï‹ëuÕñºw†QÑí†Øê‚­«C¨Â)½¢'ö ÊmªßjŽ8‡S7´å²3a¢dg‘QøŽS‰Öêl¬)Lc:Ï<‹SåX%’$ÏŽ2£m€´ô„Œ·/š³‘Q˜ª†^B¢æiÔT˜FqÉ¿„e~æœ6ÉEœŽxùQ˜&±½ôZ$Üð›9⛺§Rx{:ÐOæ¨,VþìêiÀÜ@%,Æâ((‡Tb¼\bÒì‹šBzo–l!>>´œ3“ôé ²‘¹2Jóµxï¨%:úáýíß Â×+;\0.[4ÕŽvû§Ÿpá•øK3Zp.OÊßt§Ã¡=öÎt€æ|opPG¹˜k“x@,êb ñ4d Àr{£;€”™ ãnCá¢ÙX:#îày 3uUÓ3BC¤`Šà3]~¶'6´»§Í‚Ì-lgÌŽ ‹äY( Ñ¬'Û¦%îJ&Ý”£w@à2ÇÌåW³KìÚí¶*/lN(÷îž%´²îØM‡®ÅÈ?Èü¯‚×±S5ô¬ö‡þi&þ5p¥â$„6èõ8“ÁúÊøÂ+¨øOs9%ƒœ’ä³4•}–æ†8ÝÎP„ë JOï_Ì¥(aséÅDÐù.ÙX‹4‡â ‘Z‡’=†*\J ¾µÞJÖ܇a½~,@ÛÇ™¼vÓ±Ð*OÉ´žH7õ®Âç‹9Žä”“äœ|]¡[65»©32;Á®øœjç‚ÅP4Œ•œãUëÍæ9˜ñ„TÒô Ø0Ž!VǾ£\1›¨;T빦òÚ„”pÑ_`Úº kÃÝ÷µ±ˆóؼéü¦™ßªY·§/dÕ‚‹3pÓÜÈ|ÁÏê06:y ;ué”AÂ*ÖXÀf‰,ሇ¢Ü×MÝõ!GÁ¦Kð°7M`°Éa¸û ž®zë{ª'†äý•vÚ#©{µ,7ãäýx¬‰vÔë@ý×î+Z¡2•VW§žÝeƒ+®†Á"Ö¦iô \­~+ö—p–Þ!â±¹ÔÝž¸â×Çú“«0ð–»*êÃÄ”ëA ûSÇ)qU*gNß<‡ž†‚ ;#ô@Î ©™Ôñ3)!I.œÏ$:TŽÂ© ‚¤6K_2×"ϲl~$¾ô—CŠô½`ÈXŸÍòó{]87‰ò.E"¸æSùi´1Xp'ʽpÊN\âÛVF*h§l÷EÍçyò +Щ©=U®ÚÁζO¯7OTêdü‚0 ÖÑ-·ØÔ¬<½Ž†lP:‚*u1ÀC M¤•ÑOZ[*§¢­a͇Cä–žëÂÅ9ž¢+Øî\¿g&è\øY¼c]¹6Ú]1¥Zy×™À]Ðt¶fº^j¬Kq¤Âdœp¼(KžRts5Õ¾èÝLT›hW;^t“1xS i^£a’Æ6 +š{V¿¹Tä§F°·ªÜø /Â\fTЃ=Ã72JÈ{ŒÎÏå⫹29Tfçªg~~1Ÿ¹È´ö×¹0IS¹Râj…Dýá( —ŠÓ(Uê\HPá½ÏGi, ¤ób£çÐ*æÒ™–Ø:wÁ¡¼^AñQ÷O¯‹SûzÍ5„£èU„eJ£@Üà/WHf¨EHHZ™^ ‚á d¬¦wǬÎûð';¾Õ®2¥µ CÖ5Ë3_PÀ®ij|Þ}Øë後gô­A¦e&5Ë8ËŸñ kÓPäPkrY'gPâçxLŠß8ãì{J ¸’œºŠ=ƒ—äç7S¡pä‘ßt~¦³P‡:±~æÆ´n£%[¬øCˆ—¤i|Ñ‚sí4hPÃE:âqCåG}Éû»xÜ䬊®Z&–LJÊÐî8_ÚõæÜûᨓ?aüþÎ79w¼*…ÿò»Ç„f⃿Э7 À +ÔrçA‡#!GâÜnÛ±UøåÙù þ:lNûÞDÿ›§fWïkg ÆUýüÜ'}Ð2~‡Ÿ)Þd°ÇþÜþ_ˆZ“ez¾ +„nEØ ˆ0S¨£'œûÿ ˜²þ_è|’endstream endobj 876 0 obj << /Type /Page @@ -2505,17 +2510,17 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 888 0 obj << -/Length 2688 +/Length 2682 /Filter /FlateDecode >> stream -xÚ¥]“Û¶ñý~…ÆO¼‹Æ7ÉúÉqîÜË4vz¹L§c{<I¬%R)+×6ÿ½»X€/¹™Œ,‹Å~/Äg ~|–ê˜ÉLÍ’LÅšq=+vWl¶†µwWÜãÌÒ|ˆõÝÃÕ«[ÃgYœaf«­4fiÊgËÑÛ¿¾ùéáæþz.4‹L|=׆Eßݽÿž }Þ~x{÷î—û7׉Šî>¼'ðýÍíÍýÍû·7×sžjû…§ðĆۻ¿ÝÐèÝý›|sýùᇫ›‡î.Ãûr&ñ"ÿ¾úø™Í–pí®X,³TÏN0a1Ï21Û])-c­¤ íÕÏWïVÝÖ)ùi™Æ:É„u2 ¼T&f–è,6RH'Á×sÃXÔ”ÿ±£½-hô/:›sgZó0ŽÀÿ<òc³­×Ãñ—U^”Û²}t›Ùô®vi‡1"TÇí–FŸ˜æ¯‡|ˆ1ÅpûÍðа‰0-‹Ü“ñtáÔú0‚œòCUV묪a§ <;áq"Ï$PV«z´miGOÈsµ®¶A–#ÔÇ*ß•ÅðŠC‰ãËîeÕ΋¼µëúà¯ûh„»Uõˆ›Q îÏPjË}•sMÒ{ÆIã{‡Ù¦?ú¿n󤥛¼ªìv€üz¤¬'×ã8þ“Ü#ښęDŸ®þæìûÕ­ãà·@Bó˜+C‹QŠ3Y íª^¯ÑbPú¹1ìlÕÒô{û‰1Qñ×AòjIƒ_š|mýYr"à(aÀâ¤rG=llÇP$X,T¢q—Ä Ü(ðšž9©Ó¨¨+än}<\ó4B3‘:‹rZ<•KK£où¡´h“¸Z¯Ø]'õïç÷¯ÐÎÚn<Ôac`ÚÊQ}ÒDwm3q/@!¯Ï°·‚‰‹ÍhO'©ko¿9ä +$Hºiꢄ78çQ}l÷Ç–Öv¶ÝÔËæ%β¼ËýJwÜBʒȆ3I<Ê©¼æpUOëd´8j7D—ƒ{TdýhaiéØØ唡žJGW»=SÂÊb¦eUpÆKY)›4ñx„lMßÆnmá-vSŸh€j¯ MŠ-HÓú Ú~A«hÚ“ÑÍÃ.½Ÿ%Yœ@iÁ³˜kä¸øPmQ–JEu5u5%âLu<ÿŽ}'±ä*½´o$]"gJ“|Ä] KrKKÐÜãíòÊ3åíÎÃÉ -L2.mXh<îê<åU‹WŸK–Fw+‚{Ç™“L -nl¤«½ª'ÂeœˆT=K &ÓçyÙÛQ§Ÿ.fõq ïãԩĤ£…ý 4ªd0²,ÉÆzíèöá_dàÑoþG©ãűÿ+6vù"ì$8V/|,§À|î#g„–v•·íýB5Q Ø]©pvÌüŒm>Ng[Bn`Iêpî@€ _ã(éCåè"úà “ é#M¿µóYÐåb[6´eœ\ÁQG]3{’4B¶a“ûsˆMˆwŸgÌš%t3®Ã͸‰R¼™QÙÒÊÉу…1· 5µãc™Žm «ígd8&äD‚ƒ#NáŒÑ5þA‚ƒõB·“Œ}‚"Ý':V‚Ÿù¥Ó d 8äÐ’ú`vÜ£ 4ô)å@»°ÜÇHœ‘rÖ/–RóXµù¯4ÆRëƒßRVô%%ùK¥Âj§T¯k¿£íT‘·÷©J?<'0…D 1ÐsMŽMš–«³óI55¸±ÉÒ ¯ù”FƒÌ Å"¦öƒè”û¬ƒýQ‰·÷ÙæÌŒ ÆS±ÑbÁ x)¥¯ßbî+¸‡Àu¨7Üä'Ê”X¡½ Òõ^ŽÓPiÀx]‡„YWv,å]í–äe†²ÐØÄ2>®‡š)?€¶W‡Døš?ÖG¯ÜËm—õ‡ú¤7Hë Ãݧ£ƒ¹-Ï)†ý”‡øO‚½Br&ÈÒ˜pC Ë»cÓÒZYÛ#›Î~.–÷èP€]Ù‹¾¨h“?6ƒhèr,Ñî DrÕ__ÀU¨8ð¡ç gœT;oÂoë¿È`j¼Ã¡»dj¼æ¢ ´¬Çm~ yhËqÜõãœóèl;9n»7t7‡@“ï<‰°ÐW"0Y–M᩸ৠÞµD-b"Þ“A(s•.¨cÛ s -þrW¶$>æåLÐa‰œ†f›Ð©NCM°…ß”…Ý·®<ƒõÅãÙ½&ŠïÝJˆen¥l&KÈ4θμK¸‚‰`ýï$lþ_’}+•€‹Ÿ?´¸RPò¤·7œ¸H ßÎ’q’OUq\Ç© -I Û„å”+³8ˤéb¤­,ÄzëO¦ÎG`&;—}º À¾ Âu"ŽjùªöüöªÂ™WƒˆÉÕ‰S™š±sô‚Ç°ïDU·ã×û´kyQ°qgpƒ€1ÝÞr|cAuîýéRL‚lj ™d02ÓŒ er¤æà.M#p$2Lÿ®kÈH™!Sˆ ¡5Ã|äcv¥`.e…¼ 4+°#¨Ù‰q(qd6å^®«.Of¨Q˵³9¾máZg’6¿ÿ ¸I;ûweĤ›p¡Í”°e¢;aË%B\mC‹dšˆxG4ç3‰‹™ø9~¥â_ Rã•ۚW´Ú»@]LÊÃÛ5v̈8ÃvÖ h•PcaoI‚.„î¥ ƒPNáØÙ8|Ápê“‹TˆYÓwa‹zçÒ€Q¾O(õÐ0ðÉFàp×+Ì\ª}ê@%uú6ù·p°Í‹ßëâ€0âI¶'ã;“å¤}¸V5Q>Ù'2"÷IÔº‘±L»Ö»»ßäóCÆE_ÈÑŽW8‰l¥˜ú÷‘Ëã ÜPZÿaè„6¹ç^’I(¼Ûܹ&œè]V¼Š¶È‹¯Ç=AêBþV½  g^aÒ¢¦A$±J¸ œÆ÷eWì3áË+ùF¨@À µÌ­‹ÓLFöWð®ÊÀ&klDv -ÂA±©kçuHµ¦ïWk÷4’žôvIƒþJ¼ê¸¡ÁÐõG%»‚ë$Œ…@»É|„™ûµ³×WÔñd¸Ö¢«d[ß½²è_®ÄÑ®ê¾}eÔUæ›aæwª«€ŒiT—1=‹ÀTø—Œ@s'y÷”ˆwŠ¢þÚ¥²Ë“ŒŽµ4òò 1uýq@¸/§¨ÅR qIŒ=ɵî¹öUŠN•‰'ŒÎÝEˆé»@kÁLÆŸ)´ñ]æRÑSö%Y¡ÉÎÉN…f0KU6Ô0û<îŠãò™ÂrÏÂDÿ¼ÎÀ Žtå!±£˜ŠupX_· cúhF›³4~¬\ršà’ Ýg"½) -*¢pàKmúÜ ‹ÇÝ•›‰÷ݤÏ)˜+!åÝ­hy²ðLÓ8Ѽ{Äÿ']T±4ðúm¤étƒ´Ã›ú’æôD=âÔExd¯k‘“]TŸú§ZWü{uâUÖ=üéqû¿¸¡°—i*º?hÏjo(z¡d L¡ ¤<ç¼û»÷’õÿ†>(±endstream +xÚ­]“Û¶ñý~…&O¼‹&$ê'ǹs/ÓØéå2ŽíñP$±–HE¤¬\Ûü÷îb”x±gÜÑ°ØïˆÍø±Y.ãDèt–é4– “³rw•ÌÖ°öúŠ¹=s¿i>ÜõýÃÕó[Åf:ÖŠ«ÙÃj€+“$³%°ýãU ËÙ &IÌ´æ³ÝU*E,S!ÖÅ®*‡,%>¾Ž ݪº›—EgÖÍÁ±ûhZxÞêf„/™a î[0uÕÎ|–sMƒ|ÅMc¾ýì#Ó]ý{xÒRÊMQ×f;Øüb¤¬'×ã8þFêÍb-Ðg‡«Xû~~›ò@8ø- ,f©"‡Å(ÅY ÚU³^[£Å ôKbØ™º£éæ}’ðŒ¿© RÔKüÚkãîƒWq'R{ÕÃÆ‚úM<‰yšIØŒ{<—È Ü¤)D4Ú×öÄ ™GeS#uëãášåš‰:*hñT- >‡Ê Mâj³"``'ÍùsçWhgí6ê°50m å¨>¡¢»®à ¶ÇW”#ØYÁcó´'³\Œµ·ßŠ®å$ݶMYÇ-ÎYÔ»ý±£µé6Ͳ}†³IÞn%ð‚GHYbÑpf#‰Ûrª®°êöÓ:-Žº áeàµ7ZZ:¶f9e¨§Êâ•öÌ”°tœHáEåñRVi«üs m÷ Ãÿ(u|w¬ÁÿÊY~çO+ï\,§À|î#gˆ–fU·ÝýH5‘GÀ¶T8»f~F6'‡³€- 7$Yn÷ÜA®Æ‘éCåè"úà “ é#M¿õÐåb[µ´eœlÁQÀ Š®¼™=‰![·aS¸{Mˆw_ZkÌ2Ɉ3&=gLE9r&xTu´r²ø`aL-hAFmcé@¦cGCÆjû+2\ÂÅD‚ƒ+NþŽÿ ÁÁz¡ÛÊÆ.A‘î3§œù¥Õ d ¸äБú`vÜ£ $ô!Ä@»°ÜÇHœ‘rÖ/–aSûXwÅï4ÆR›ƒ;RÕô%%úK¥ÂjP*Œ×;ÑŒN¦‘³÷©Jß<'0…D1ÐQM@&M«ÕY€yÏy:5˜â±Ò¹××|J£^æ´Å""¢öƒèT¸¬ƒýQ…Ü»lsfFP㥱’bÁ ˜†”Ò×o1s܃§Ú×vò3eÊ/Vh/} ´½—¥ÔW0^7>Aza6µKy×8§%y©¡,$6± ×Cí”@Û+}"|Aˆ›£ã«prÛŸÜå^€.é Ò:èp7Þð`nóÅsŽa?g>þ“`oÀ‡Ê²TÊ'\_ÃòîØv´VÕåöˆÅ&‚ ¿¿+úíP€mÙ‹®¨h[<¶ƒhhs,áî Üd«¾¾$€­PqàBÏÎ{ri½ ¿û"¹r‡î¢Óñš6в·Åæ¾-ÇqèÇcÑÙqr<0v7¸nènvYL±s(üB_‰ÀdYµ¥Ãbƒ_ +‘ð®#„hñž| B™­tAÛ‰PðW»ª# Ñ 0'g‚KäÜ7Û´jàÜ×[¸CEYš}gË3X_<ž]Ðk øŽV|,³+U;YBæ±fR;—°Áú $lþŸ‘}§i.~þÐbKAÁ²ÞÞpb#-|ƒ%㤘ªâ˜ŒóÔ'5l–S®œÄZ b¤© Äzãn¦ÎG`&;›}B`_áŒ:KN½|Þ8z{UáÌ© +‡^Ääá©Šs‘«±sô‚Ç°ïDÝtã×û´myQ°q0¸AÀ˜no>Ž%^uöýéRLœÅ™ò™d0´ê†F™©y¸MÓ éßv š”‰25= dmh æ#ƒ°+xbS6a(:O@‹±;‚Æš ™ƒGè)tr]…D<™¡F-×Îøv¶¶Î$­þü!!e*öoˈI7a\ª)a‹La‹ %BT•]K‹dš¸ËÓŽÛ¬Ïd6fâäø‰ˆ|%È• WöhQÓjïbµ1©ðoX4Ø1ã>O¶³VØø@›òt,ì-IІ0Åœ”aàË)[‡/Ns²‘ +w6ô]˜²ÙÙ4 R×'”zh¸ä +#p¸Öéf6Õ>u¡‹’;}Û⳿ØåƵq€+þ$Ù“ñ‚ÉrÒ>°U©¦d/À H£©~¢BW*Ná-'ð7ñüÀb¥Ô —'¬¡d ¥zH–ÒÉå}*G%ø—bg§™ð‘ƒD‰·‘Mv…-§¥˜ÁÒŽEù鸧õ^_¸Ò¬zIØåÞQ „Ò‹'™Ks™È¸»˜mµŸqW_áȵp0B½À´ú,‹nm °ù"¼-3@Ô¶ÈF(iå¦iÈí¸ó'}2fï݆f»¤Á€5¯U8£0ªÝϪ¤-hàÐƨÏK5HgY(GQ±iæ^¾Ï£ÙâG ³jBË +óÊÁm³Åsg°ShZeIx Ô@UItZgÞ=ò ›[Ð57©4–ÙÄ=|êú¯À³}‰L‚™#óÙ΂ìÏ"\”LÙ9‡a¨,C‰>c(yš!h)øWJn̈IØ@w‰–Kè´$»@;ºÀ\²ÿ3õÉ—¨ÇrÊ?¯5˜ý‘î¤Äh%¦úGaGƒñŽµ2ˆæ9ŽµMD˜ÿ/)Ð ÿðsP¥Ï]½”‹PUç>Š¬>ÉÉ;æ/Dð%Æ'kÌ êÞðˆ$N”NI,aŸÛk¸Ðf;ÄìÏ—woÑ°âèä®ÝÍEè…žø#Â#þ{:ñ·izýoþ“¶ÿêv‘ç<üÿzVZCM ™' +Ùâœòðoî%éÿi%!Éendstream endobj 887 0 obj << /Type /Page @@ -2544,30 +2549,36 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 894 0 obj << -/Length 3899 +/Length 3904 /Filter /FlateDecode >> stream -xÚ­Ù’ÛÆñ}¿bË/¡ª–æÄÀzRÉ–+‰¢<Å)–I”H€À¥6©ü{º§{pPÃÕ*qmmq.Ìô5}Ž¸MáOÜ›Ø\æ·Y®“ -s»:ܤ·[˜ûþFðšeX´œ®ú݇›ß¾±â6Or+íí‡Íd/—¤Î‰Ûë¿/l"“°CºøîOïÞ¼ýþoï_½ÈôâÃÛ?½{±”&]¼yûÇ×Ôúþý«Ÿ~zõþÅR8#ßýðêÏ^¿§)Ë{üîí»ßÓHN?W6}ÿúÍë÷¯ß}÷úÅ?>üxóúÀË_‘*DäŸ7ÿGz»´¼I•;s{†Nšˆ<—·‡mTb´Radó×›¿ Nfý§Qú‰4‘ÊʵŠÐä‰URy¶/„[”uq¨ê- —§‹ªƒ_—/šzÿH#ë¦.©uÞ•5µú]IË~NS¹çéûrØ¥9–u¹¦%å§UY®»é‡xN½®VEuÕ¿J`ƒVéâ]CC÷ÅêãéH«ʶ«šš7)l$?Ð`)D’#=BËcO\º¤ßu¹)Nûþ%õŠš‡ËOU×¼ÐÛ7Üð1L -øíªÃqÏŸGÀl]®“áð®ôîÕM‚ü­ ÐÕ1Œ¼o"Ýs)N`ü¯ól”®2Wº„({î>ûc”¾*y¡¥aM tf -þ@Lc‚ZÈòô)L"„r{:­Ž±]dbv_Ú%8«6Ê,œ\šç‚‚¼•÷ãzŽÎ‡~îN›þxΩxî&ûfUìÓm@m*¿jñ¿ïc¦ûÈ_ õ+í£%¼Ì¯í“Cœ“é/9$Ú*7Ý*{HKiÕbל}ÌFÁSš'Y¦ÕÜâ“'—ƒS¿ßScªéýÄp@§;MK tɸûð¾-8ÃåÞ`vÞPªÅÍ9‚ seòÑw{ʾ»CòÑñ °Øë=ƒw7ÌCÞ±lÉÑ9®Øʪ43kõ…OE¸û^±·«§Æ××ô7¾Bï³!b't’USo"8P‰RÌL0îÌ&XÉ”B€á±9Ѹã% 408%Ð>ïªÕŽfÁdv4Èë@iªÙ¯‡¡Ž$è4›˜†Ö%.¿žâ‘Ìm¡Çœ3ò}É1DæØaê6uó°â -‰-&¶»)%ççÔ¤ðÓgm ,Ù@LÅ1"ŸQ‡Vˆogq–ìÙ€j[sLÉ ™øÏ™«.­C$Òá%E©‹Ô%Fˆ`™Å¹i?²|î«Q7Ð+¡å×y -¿éhûŸ¥Ô`òšÖk‚;ìÒa˜ú¡Lšì“,4¶"!6 º†&ïdÊIa«šKõ4«aÆ4Ž'«°:ɾ‹œO[TÛž.søEIW“T 6¤-ÛyØ uêxÿÏ|W——}¥wås7jñÓ¨|àˆpe>MÙ„ÐGùw_7}Œ«Bœ ƒdðÊš@s[=”ŒË˜ó¦Í/tګ߇¸¼ÜCäC¬H)8 Î9â¼èD¥N¢ð¿lÃ~˜ @ y5+éÉÙÅ -¥ç2KÊwu9I6Âaç±Ò¶¤+9fRŸë/µ|ýñ€¸²‰pV™ç©s“¨l0Qãõ¡ý‰/54à¶.û²=T5ãxö -[@ź?]}¤þ±èPs’¦ö*­Íe‚‡2y§-&s­‹7>“”áõùÄ85p&^ÚiˆÓ| ¡/vFCˆ=J]ÁÒ‘Õ~¸‹åíR‘ˆÔÉ/…K:Åèóiß‚!“§cHºÇšÔyê :²95plÉV?×àM¥”ÛÆ¥ -"Ìåù ‘ä\´õ¸| -†„¤2GU<‹œ©ôó„IO´“T `½ P©œÜMœÀ»‰£æd®ßÄ`:lZÕ›&›;5ˆüU·kmiP1Õ*–qS)úl&”¬TœU•‹5 ìñ8ØPå²$WÎÍ}TŸ>NMHPp5¸Ýó˜UN-çSѵ)×wT¡ð‰öÚb¨37!çËé´¬R0+ÄÛCܶ|U‘ |ª›~]¶í•HJË,šü3ùÄqÊ/’v.Ÿ$ÿ û&g»²õõ/`ÀoøË®‡ËAFjM‹:Ä»åoz:«8   Iîd¾~ëÞ× 9HŸ-•ú‰L´“ Â4;×[]ÈM:9€‡m*Õbi ¤éqܸ¥#ágÃ,WOõš>;R¬¾£°n€ ²ó3(¼jÞŽçÐ(6´4ÛS[,cÙfäÏ5IàŽqȯä4T ËO@¼®zàõS0 ‹ê­= 9à±L-Hpñ· EçÈ íÍšŠÏT¥ò8’‡H’|»oî ”&gÙvA3¼8%>Y.ÖEO Ì‚§ -Sÿ"ÝÖxF˜¬À’É­‡”&ΘTö×:Þï‚é"ž -(¢/ÌF!´#„¾œa\Wö¤XËŠ¼k¬þbYÇàR´¬!¹8S…"8õ¬:p>DI-ןY¡…êÏk.Y -ÌdÛÃt™Ýrª -yÓì÷Í™êž#Zý0>ÕWÇñòµ·£^VfêòáËÉ-ŒØÜ¥ÝEµ¤­×+Ö?m5­Z'$b‚(jxùÈYTxÌYã΢²+X7’kSÍ7=ËU_\8•¿8njÐœ#=à‚Öwn¢VózqŽœï Çfþ’:¦ÌQRd-¸%ååò±FMžã0»w-Õ>˜ØæÔO=Wo¿#Ûò'Cæ¥;–«jÞ¨LÆP3¯BÁ—dË !w"+ÿX‘3}¢¸I T«_ü9¿x쿪¼¹išo^ÆõPGp£á žÿo%’#W‹w»'žÊL}šòQ±Ãõ²¾äêWµÔå×&þ=²Û᫬Ò“‚þD6˖ɲe²sËdÉ2ùË¥ÙùÚ²N¡ -/C®™'17&‚MT‚ÂœOKØ«žt&@ y“õ#>[Å][m†šÒ$s@O–¨Aô€Ó.].‘Í äÆOš€ÈOc×ÇÓ3ƒq—‘ßÜ› YGï÷^ËPDÞ€rJ™“ -z{—¸lÿ轑ÆW&Þ¨ëtÔ sëÈ_­‚Í×ÁS…¹5¸ -Ô"]£q‚!–]MÏWð"€-ÇX—1®qIª‡è+ ?ÓC&Z% €zƒt™Õøˆí"ЈÅÇYñ‘yF%@iüV6wlÍü+Eþ5JgQpðØ~|C >X«Wñ3X¢Ë8ý‹€„„gFdìèHŽ²À3ì !¡½åVqÉTR>„5¯.>‡ÇÚ$kE¡Ô¡µlRyáax­ñÏ„J>NF‡ž%-³ u†éÜðÆ{^¥dfœæ D±àÁð=O“àQÛK{†Ñúu‹Gó iÈ›`l0t‰ÑAi™81äˆOdÍAÞ2á&t àë»!fªCM $3‡ó¸dÇÅ&é.豺ñÝ6ônX9Ð;œ«ñàøS¾€KÛ+®Ty¢ä#¯Dºéà÷ñ»#¢xœJz0"ØúàÀª9Üsˆ|Ç…^ùúÅô–ÖÃcEÏ\p2‹ý¹xä׈žÑ0æÁ ï+~ïÈ//-{ÔÃËLrt ’ÿ–òAx ü+F7Š[ åæ>IBIžÊé3È*¼¬é¼1JEÀw“µÖg2¢ÏãhQ”5 ¾”5_ä ÐßQ_pf,q…—luô™˜Q˜ÄÖsƒ#ÝòMy¿”iš’g#Ì·©ùbgùU׶¬Ë¶Ø-!žI9zíèmÇÞ£+“à#òÈëqøgêüßoÕLJü:KÀÉ—ñgèëU6a }¥?ƒ<½ÿó‡WKeÅâÝûÿ|K­?¾ùùç7_-¥·rñÃOoþòéíGšr¼Çßøw)èçʦß¾{ûñí‡Þ¾úÛ§?ݼý4â2ÇW +ˆüý毷k@ûO7"Ó…··'èˆL…ºÝß«3k´Ž#»›ÿ¾ù¯qÃÙlø4I?)2¥JÐèm‘9­t àðP5ˆ”[t¯¤_TM¹¯›-ŽØEÝÓLÛ잨µn›ŠæNãw°5~Bíxú¾â]àëCÕTk®~[UÕº¿ø°nÖõª⢾þG Ñ*_|hiÅ}¹ú|òeÇ觩NÔD%m«àÎo `e +ËR¥ÆédŲ +ß·)Q‘>“¹w/ ¸ÌT¡äÁïHc4-°oçç®Ë¡$ZiP~&ù¹@vH@‚~Q°TqØ  +x–®4ŽÍPó—}»çÙö8,ÛÍòž¨ûjõP6u¿§.A¶êöüAÇûw¯ ˜áLåàОQo®ŒM>ý¦/Cn3g +óU‚© <¨œ—íKÞóW.C–ºÅ4í‰G Ü¡ªúÑ„$ØelVèñ +}®º&ue&t¼=w‰mÀ——2œë›àeu¹zé.û²Þ¥Õ‚Á½ºI”¿u º:…QðM”)0åŒÿ5`^ŒÒUæ*Ÿå/ÝgwHÒWgÏ"´4 ¬ÂBçLXÁHiLP y!žÉfRš(·ÇãêÚEeÎÿµ]¢ó¸ê’ÌÉ)”})(È+Py)®è|˜—î´×è,äK7Ùµ«r'R´tB}Ó>òÿ¿ï£~'xôï´ùð²¿<.µOqNn¾æ§ý|«ü -•Ó‹‡öb6 +žD‘å¹ÑçŸ<¹œúÝŽsM&Æ€:ýñph;Š` KÆuüX`xß•ƒáò`0û`(õâ§ö”@P¹²Åä»=gßýˆ!ùèxXìõŽÁÛƒ æ‹!ïÙK¶äè×leµÈÁÌ:sáSî!¤×ìíš¹ñ à ý¦¯”Àû|ŒØ lÕ6›NT¢’g&wf¬• €`xj4îxEC% ŒN ´OõêfÁdö4Èë@žhªÝ­Ç¡ž$è´›”†—Îg¾¸žã‘ÊGm¡Ç1g$F°À‘?qì0w›úó°â +‰¦¸F»)%çaü§ô™A[ç"K6SqŒÈg4±ã›ÑY³|îêÏI7Ѓ+aÔ·y +èiû_”2`òÚ.h‚;ìÒa˜ú¡Lš’,O4¶"!¶ ú–&ïdÊI…\â¹TϳvJã²Jg²á»Èùte½}ÀÓUAâ¿(éz–ªƒ!ÐF˜t e6h{Þÿ ßÕgÒçßè]…Ü^ü<)8"^EUÌS61tÆQþÝUeÏÍãê'ÃÀ(¼ò1„&ÐÜÖã2¥ÇB éŠ 6Æê÷1.¯vù+¥Ï‚sŽ8/:S©³(üˆ_uq¿HÌ ¼š•ôììr…Òs™%廂ºÎÈ‚¤#á°s„Xé +Û@Òµš2©/õ‰—ÆI¾þx@ZÙ€Dx§íËÔ¹Ít>š¨éúÐþD€W¸p[WCÕíë†q<… …- b3Á®>QÿPö¨9IÓ{µ1ö2ÁC™¼ã“¹ÎËÅ»IÊñΆüb,,œ‰¤ Fâ´ÅƒEcè‹ÉbRW°tbuîSy;!3)¼úZ¸dFŸÏû> ÙBL!ýýñJk…:òþ8tdsjàØ’­~aÀ›”Û¦¥ +"ÜÅ"Ù©ìšiù )3fŽêt9³J›— “™h1'©AÁ …šÝMœÀ»‰£æä\¿IˆÁLÜ´n6m:6÷zù«n)VÝDT1õ*•qÓ}¶HJVjΪªÅšöpm¨öyVhïÏ}Ô>6¦?±&Wƒ+!Ð=MYe+WèÚTë;ªP„D{ m9Öž©F=zàcOž3À2,I^Ê34YnMÔë’„ m5&f(l£ÊÉX×j,à°—ž.K¡…ú's¹¹0§ö¸cÓ²|¬·£"?71çËé´ +¬R4+ÄÛ}Ú¶|S‘ |ª›a]uÝ•Hʨ<™ü³ÅÌq*.’n®˜%ÿ,û¶˜fûª õ/`ÀøË~€ËAFjM‹:Ä»ão:«Ü£ = Iîd±›!Ô 9HŸM¨ ýD&Ú«ášë­>æ&½ÁÃvØÛci ¤éq<¸<¥#ágÃ,W¨åñ³õWÀê; +ëFª1;EPÍÛéúņ–f{ìÊe*ÛŒü¹& À1Nù•‚/¼ÀZ-¯¯yý è¢zëöcXD€qŠCJÐ +Šé.wio×U^©2J!äp$‰$ùv×Þ—(MÞ±í‚f>zq0J|r\†­Ê˜GO¦þAº­ Œ°1X%g$wRš8aR9\Wè¿ ¦Kˆx* 8ˆ¾0›„ÐM†rr‚q}5b­jò®±ú‹euƒKѱ†äâpJ*ˆàô‹êÀÅ%u\f…>ª¿¬¹ä,˜>È2µ7†éJDÝrªKyÓîví‰êžZ%ýZ0>õ#WÇñòµ·“^ÖvëòñËÙ-LØ +ÜmüEµ¤kÖ+Ö?]™4­Æd$b‚hkxÅÄYTxÌYëG΢²+Y7’ksÍ7=ÇU_\8—Ã?zodð•I0êFLÔ`nùkt´ù&zª0·WZ¤kÌ(N0IJkèù +þB°åë2Ƶ>f ¾ú}ù4?d¦U"¨7H—9ƒØ.T|œgÙT´qÑ/`esÇÖ,ÜI°Rä_£Tq-àÇ7Ä⃵f•N0ƒ%ºŒÓ¿ +HLxæDÆžŽäø!<³Ñ>À:Xn–,i@%cXsñêâKxœËò©VKÆ8ÀF¨ #h¿!T +q2:ô,iy|™c:7¾ñÀ^P)¹¦ùÑG,x¹%™€_ñkÄÀh àÆw5¿wä——Ž=êñe&9:ÉOù ¼á£ŸÄ-Š„öç>IFIžŸªù3È:¾lè¼)JÕámò´Ö…LFòy-J²Ô—vö«œúá‹ê ÎL%®ø’­I>³“ØæÜà(¿|WÝ/•‚<i¿ö{ˆ¼ãW]Ûª©ºr´„xFp..öºÉÛN½L×6Ãçä‰wäðÏÔù—_­OOúMž“¯ÒÒÖ«> endobj 932 0 obj << -/Length 3484 +/Length 3482 /Filter /FlateDecode >> stream -xÚ¥]sÛ¸ñÝ¿Bs/•g"„øNž|‰su{q®ŽÓéÍõh’’ØH¤N¤ì¸þ÷îbIQÎÝ4™1ÀX,ö›’³þËY‹8Ué,IC2šåÛ‹`¶‚¹.$ã,Ò¢õýýÅë÷±œ¥"U<»_öö2"0FÎî‹_æ±Pâvæo?Þ¾¿ùáóÝÕeÎïo>Þ^.TÌßßüxMÐwW>\Ý].¤‰äüퟯ~º¿¾£©˜÷øþæö¤ÔœÙôîúýõÝõíÛëË_ïÿrq}ïïÒ¿¯ 4^ä·‹_~ f\û/Щ‰fOÐ „LS5Û^„‘Q¨µÙ\|ºø›ß°7k—Nñ/ŒŒˆT'•H#£§¹,E"% %¡Ä-•çr¨¦¸ì°Ëm—uUÛUy»øg¨M9¾·”ZÄ‘IfýÍOHðX4è R‡q¿./:绬[×Ù–{ÍÛhÞ¹i¦ÐÂ~°-÷åž0³Ý®¬‹–'üÕxECíÓº¬ ½ªÛni懼+‹!RÁmÛê¡­êòfÄÔ…ND²^(¢ íë"‡u1Ñòº>#BЇ(M{ˆBƒäÞ,iQÝt¼zWæÞº,^ÁHªøÚ0U”Ëì°±xz^ñQÒçuƒ¤Jwòµçè‰S¡“D1nUÓ!|šöL]ùSKsùa¿¿”f^ÖLlQQ?ïšýó¥”Ò] ŸNœ-Tˆ@§ŽW¤çËf¿Í:Ò>|qlí¹¸G.iÛ¢ló}õ€/f‡ë±È*šÿf‰LD¬AäAir¿šp×^¿è/8ÞÓ}‘þOp᪩¹QB‚ˆNhJ#¡d¬4¨‘Çú%'»‘m†Ø$"2 /Z>Öyëá±ðÄ]³ïƇ&‘ˆ¤’/ê&íßÓ"Lu8<”­…™~÷Óëû·?QÇ’P2¯Û2ÆY Ó³ îmÙ*È ±ä–Õ#ª¹ÊêÂ-­ ?úîö-ÝÙ%M×ä͆ÏÚgKC™ÍAôCzÑ— ‰± ¯Á*JX¸Íœì¦¬¤¡dÞìœ|™¹ÛfU½y決 -IøJ¸#JW‚¬Wo ËyvŠ@æÍó,ñç`"ïÙ­³ÚÑiï uù©ÚlH¬ Càµ7{pzŒ&Û¼Ùnu•gO]¿%S°ƒ&J|³+÷ -s‹ÞLªy{Èר< -µ÷½þ™ P§ºÍ¬mE¡OS§‘àžÁ™U9u»ÂJÂ1À½ªU]2ò¿›ºlQ£”•Êbîxc‹Žnv1%ÐÖ÷"–tÎP¢ëµÂ°„(°FDºðF$õ—ÄÊ-õžÖ•½,,²A ‘ÕÉ -êõ’½'„ÌØã+&ĵ™#EŽê Çâþ¿ª=™°Ñ9ƒ+«¾'ð°YÅ…L*‘¬™IÏ3¼Æ×ÃÙ‡K9/jùuZˆ¬Ð¢%tÄ&Ó£èF%‘Û]öl#à=f›Ÿ4èè07!4/¯á}^“ÞN:F„Pü¼öõHbe$Ò0ErÈ:8xFïªÂÔq r%xˆîXE ±#ÈÚϧª-‘Aê|ÂÈú(e„ÑÊQvbwF×HEBFöNë²/(°–Ö-!>¡~q !°h>&K!ò3q<”ûª®ºÊÞ¼©ñ•V’,Ü4`.x;ú“ÃÞ}wر5¯¶Î ÔÅ0–=mˆ‡<á¶o-ðÞ—Ø'$<´=ë ŸF~Ë ô±Î;e£i:xŠM¹² X4è{Ǿ -„u|™ -5AÆÀDà©xHÇý%šó=²b Ë*>/‰‡ù–Øe(u¹1Ñv²â…÷?¾ki„Þ†È04¼‹54Á¾ÙâÒ Ȉ£\–Ô£§üšo¿ýr1á &úµÞ6Îÿ·“¦ %†ž:·ï] -à®å¤†‚¡Àjt)V¨jzJ…ï®ñï+žðÇKÈ£þ>üü ÿŽ¤‡>|þtýùBhÄ„ùëhÈkÂPõ”ÈÁ³ü‡¢¿D¤Z™QŽ8%Tv‘gí`›ïŠò»7 n=xh=¸?غîßлLM“ãL”4@CBpžÆ¾ƒù 8øvý¾i6eÆLÿÈ=£NŠ ÕßÐÆ>ÖymôXHSvèÖ‹ú+˜Çì4÷¡’òåã=ÖÄù5ÔR„ -‡€##)0=TˆÝtèríçr*ÇvoA8è°•u¨õ1W9}x &’]]MíkDK‡òPqTq’“mž²g†Û²£Ãššnÿñî㇫›[ê±;ÛÁ³–-X>–Œ[-©HªöÌÀÚP -•`%¨/qäó øǼ;d²D©}ÊfCRÒUè!C•PÌ‹óÇ0À˜£ï7ƒ»+‘˜È¹Íº™âB(o·­‚C\›Q“CŽ³*éÈc‡3\CÈXBc -i ÿÜxo® ã’*ØØôÌüI!3ô·Í¦ðIŽ3†Ëc;E§°ÍØÚa>Lªì[ÏÚù‰ ®a9ÖýÄõ¬×ÕJ ©Ï0zÞÃzAÏåÇ ( ¦‡`å×ê¤Ô 5~I¾LƒÇš bpßP‰0†—Páòð —‡C@l#ÞHrrÅu(Û+͆PPºËú˜çë2ÿÂYwàÒvxÛr‹å3‹¶öK;Œ‹ Ö¹I:ÈÊTK5©taµ£Üºïòœ±@R ,Î×YÂÏGaÊHà^ª^–‡>ÖyyðXV …rt¬‰E”ÉËÇ:¤‰cûJª•;ií!VBù;Ô'9Z{å­½rÙ¤’ÇÒª䌰k©ŸÙT \$†cÜ¢5æž éh|0ImH¶$…q„asêe¹w[ådßZ×'¬‚"É!¦Íx·(!VØ4¼Iõ¨–Eo³ÐQ^ý}‡Q>ç…Ñð,¡£xþ@gVëŽ&Üz¬R`;¨§Ñð«ªÎ:Êe§—bã -J‘6àA\æS6YÅÍŠŠó#_ƞȆ9”Kºóœô©ð µKç‰ÏväyÇÕ,d„ITŽ™7˜³q=á¸#šŒDó@Û8\̲lòÏ­ Öö£‡+ ÔtZ6UÌh×\ÓS¶f¸‡¼öu{ B¥óT#”†Ê§§ëò»Ô…ÛiB ¤.‘ϵÙĨùºÙ•ËÅÐõYi¤œA‚ÈážÖÞ³eÚ³MËæ´=ì\Þ–.þH ÄÉH>©ÅÉ'†¿?p¦Ëšb]lï%,þ¨º‹éŽۣWÊ ¦ãk‘$æ÷‡)‚Óó$‚ÀR«AÊ4]A©ˆ±äŒ¬åè­„ Óh\:H ‡Xh#íÞBÛ+ÕЀõviz&h•‘WªÝ!Uù4A‰Š„ |Ù† Ì饌öŠ}Ÿ‰ š‰gjñW‰©0UO+[#$?ÏZ¾™“ mÉ,˜ïøé!Æ a³Uʼnåõ)é ì„Éïx›á{ðãËßêøø>ýX¨˜ÃpXjcþ<S ?Ưmg]Ë ãrC±9nâÝÀ\´£Vkc4ÔÝ`oÈÅoÞÿL°+2–-ãØhenŸã1›ìÑ–cuÌß8Î~FÀrfeS Í,×Z:ƒ©mÍÉ:+„ýwÍ1 -Ö$jéVDX-à9tM±³Åû&³¥ noöÒ\á…! PŸøÃðØsxáóúQ:pºZ>éh|@PýÇu5uÝÿÒè¢R¬câtZX!9qF'ŠåDÑ[JO!ŒØ0Ú¶;<W¡›ˆ#½ô÷<Šòb34Ì£4¼:l2^…¥•#e¶fˆø µXÛçÊ âÂ{Ñ‹)–/ùÌ5×jAÞ@(÷UéÔ‚„9qõ"€8ÆõRÊ—xYr'ªµrèü!wŠ pz^~ÝUÇ°Ωø¼¬(*~e¯H‰ÿÉ%ÛL£†—÷ -é«¥V!Û)Ñx_ÕVSTŠrÅŸ6<`5XI²|]AXPðè3µ½D SË$*•÷tJú„ÙK… Cç] ÓÛ Ôòo9t—Cx B•­°>1uz ´ ãÁélÒ5dIªã!ÛvYÛ‚MýD#JGrDaxºBy¤+ <]4C_Œƒ;I¶(<8HH^† åwê®Byϱ‡¥¸ìô"'7—ý)™œÐ¨ Üòq‘LNIÃA6œ9¬áT#f “Þqœ[{TKXÄÊ&Ï)~ßQ©ÒDÙ~Ѩ"ÝW;N|OYi¡ñ[Á·D$Zëd("¸í¿-GƒEÕbÎßž›§ŒÁœ{ÀTqîWh:øÓ±‰\7ðqäÿý µãÏ÷€—Ú˜3Y³J Ø3° …¬ƒÓò~ù‹yJúÿç®0endstream +xÚ¥]sÛ¸ñÝ¿Bs/•g"„øNž|‰su{q®ŽÓéÍõh’’ØH¤N¤ì¸þ÷îbIQÎÝ4™1—À»Xì7%gü—³(qªÒY’†" +d4Ë·Áls?\HÆY8¤Eëûû‹×ïc9KE«xv¿ìíeD`ŒœÝ¿Ìc¡Ä%ìÌß~¼}óÃ绫Ë$œßß|¼½\¨(˜¿¿ùñš î®>|¸º»\HÉùÛ?_ýt}GS1ïñýÍí;IéqfÓ»ë÷×w×·o¯/½ÿËÅõ½?Kÿ¼2Ðxß.~ù5˜pì¿\B§&š=ÁK dšªÙö"Œ´ˆB­ÝÈæâÓÅßü†½Y»tJ~adD¤Â$©D=-e))) %n©¼”C5%e‡…Rn»¬«Ú®ÊÛÅ?ƒ@mÊñ¹¥Ô"ŽL2ëo~‚ǚàA÷xÒˆ8 ä‰ûuy¹ÐA8ßeݺζüÖ,ñÍ;7ÍZضåþ±Üf¶Û•uÑò„?¯hèù´.kB¯ê¶Û_šù!ïÊbˆTð³mõÐVõ +e3êB'"ƒE7Ñöu‘ú˜˜hy]_!ØC”¦ =Ä%Aso–´¨n:^½+ó +O]¯`$U|l˜*ÊevØX<=¯˜D”ôeÆ ©ÒÑ@¹â?q*t’(Æ­j"ÂÔ´2ØÊŸZšËûý¥4ó²ff‹ŠÞó®Ù?_J)ݱðzâl¡â@:u²";_6ûmÖ‘õáãÓÒEÀÝ8ÂpHû,Ê6ßWxcv¸«¬R`Yðo–ÈDÄTt‘&÷«w=åõø‹þ‚Så=Ýùÿ®šÚ¹%$8ˆè„§4JÆjÀÓ‰y¬oqr²iÑØg±cˆM""Öù¢÷èc÷ )îš}7&šD"’J¾LÔ!MíŸÓ"Lu8$ÊÞÂÌ?¿ûéõýÛŸèŲP2¯ÛrÆy Óó`îmÙ*è ±æ–Õ#š¹ÊêÂ-­ ?úîö-ÝÙ%M×ä͆ií³%Ž¡Îæ ú¡ ½êK°ÄX„·`%¬ÜfAvÓ +VÒP2ovN¿ÌÜm³ªÞ<óX݇d|$܉¥+ÁÖ«7ðËyvŠ@îÍó,Éç"ïÙ­³ÚñiÏ mù©ÚlȬ Cà­7{pvŒ.Ÿy³Ýê*Ï:žxªºõÈþW›æ!ã-Aôç5\CüÑ¡ü††÷°^Ðp‡e=9¨A³]åc•ŸÆFŠ$NäËä=ÖýAlT©H@i† Xm—i‘è`U.çwô•øÿKª¸{¦”/>Ô½à‡á÷$¯Z§`àz¼*>wûj›í« ×eY¸]­Æ!ôéú-¹úЀ4éPã›]¹ÏP™[ŒfRÍÛC¾Fãõhéyÿ×ëŸ sªÛÌúVTú4u à‚Y•ÓËaWX B˜28WµªKFþwS—-šc”²QYÌolÑ1Ì.¦ÚÆ^Ä’.J ½VÖ€Ö‰H—žÀˆ¤÷%‰rKoOëÊÙ$†Èëd½õ/’£'¤Ì”Xò3âž™cÉ¢DuÐqŸÄo‡jO.lDgpdÕ·á.6«¢”I%’-3éEf€×x{8ûp)ç¥C-¿®³C ™z´„‚Øä’`”ݨ$r»Ëžo¼Çls`J“‰ŽBSòòîç5ÙíT¢cD uÀ×ko4VF" ÃQ&‡¢ú 3ºW¦NQ(!Bt¯hÄê(5¨AÖ>Um‰rRFÞG)#ŒVŽ³¿3:F@*2²@­Ë¾ Â"XÚp´„ü„Þ‹)Eó9Y +™Ÿ‰ã¡ÞWuÕUÎñæM·´:fÑà¦É8sÉÛ1ž˜öî»ÃŽ½yµuA .†¹ØiC2ä ·}{xhAö6¹ÄwBB¢íÙ õ„0ò[A u>x,{MÓÁUlÊ•À¢ÁØ;ŽQ ˜ãË\x¬ 6± ÂOÅC>î/ÑïQD[XQ™ìyI2Ì·$.C¥Ι¶“/¼ÿñ]K#t/0DŽ¡á]¬ë¤ ŽÍ—FHé@G¬%²¤e8å×|s(øî7P‹ ïp°Ð§¬õ¶qñ¿mœž0g¨1tñ£¤âx,§5” Ö¢K±BS“ð¦Tøîÿ¾âi¼„:êï£ÁÏŸðïHKqèÃçOן? „@L¸8Ž†º& UÏý"Ë(ûKDª•ÕˆSJey±Ñöñ]Q~÷†ÁÍ£­·ç[÷úß7t/“¤ir\ÉBš’èBHÎÓØ7a°žÀ®ß7ͦÌXèù g¬ÊI¤úÖØÇ:o yÊÝzQ÷˜Ö~`3"TR¾LÞcMИ¡–" T8dié¡Bî¦CWk?—S5¶» ÂÁ€­l@­µÊéµÀe¨0‘¼èêjj_#¢X:”‡Šë Š‹œló”=3Ü–kj¸ýÇ»®nnéÃÙ®µl™Áò±dÜjIω¢*áÈ ¢ ¥P v‚úG–k >æÝ!Û'JíU6{`Š’®zĪ„r^œ?¦Æc¿œ]‰ÄD.lÖÍ”|˜Byã¤mcqÏŒ9Ô8«’H38œá"@Æ2SJïÏÍ÷ðî +^\Q˜žY>)Ta`†ñ¶Ù¾ÈqÎpÙ=ñv질 +ÛŒ½¦áâÊ^°¬Ÿ˜¶cÑ@]ÏF]­´úLóhç=¬ìÜaQ} ŠÒ`y¾qQ~­NZ RCâ—¤áËÉÑÛ+°·—iÊâ Ži³䊰ki.ÃR '\&Æ•2¡7ÆwØè™FŽÎkäÆê–[̸XS/Ë=o‘åäßZ·5 £ ÑäŠr‹zaULƒÁˆF,º‘…Ž"Hïê/1Œò•.Œæ˜, €ÍÅó¢xX­;špë±7ÏAÖ@„XUuÖQ 8½ÂWPa Р×àê}˜²%*nVT\ùæõD |¬œ\©çdE…/£]OÒµ#Ï;†¨S!#,r¬·Á‰»Çu˜ÇtàêœÚÆábmeK~~Z…@`m?u¸†@MÔ²©F»æNž²Â=T³¯èµ±*]|Ù¡„Ü/T^‰×%Tu ž ·Ó„Þ(X"_a³cQóu³+—ŠüðêkÑH9Ï‚ 1Ã9­—ƒ˼g›–h{عº»-]Ö‘È:=¼ÆcAqòa¡Æ¯\ß²}ØÀÚ» ‹?êébQqïöè5pƒéìDÅZ$‰ùýɉà¢<‰ ÔjP(M÷ d*bl´#9"£•0a©ád½I†lÏž½ Ø—¦gRU Úy¬Ê§ NT$dà›5ì`Ne´OOìýLl9L8ÝÄ[%ÀÔ[ <¯ìýáöR!ÃÐD—(ÂÆt7µü ÝáÞ‚Re+ìJLQ„6a< Î.]C:Šm—µ-ÐÔ3"¡t$G†ç+”G¾ÂÀóE3”ø…Á8I±“ä‹Âcòƒ„äu˜X§Îªñ‡3‘{XŠËNrrrÙ?‘’É +Ò-ŸÉä”5dÇ™ÃJà`Y˜ôãÜÚ£YÂ"66yÎØð«ŽJ•þ#ƶð‹F}è¾Ùq¹{*ÚH ¿Ó +¾¥"¡ÐZ'CÁmÿuh]ƒºj±ÒoO“ÍSÁ`¥=ª8÷Û3 üÁØD…ø<òÿþ]ÚñG{ KmÌ™ZY%ìØ„™BQ„ÁiS¿w€Ç> endobj 953 0 obj << -/Length 3442 +/Length 3444 /Filter /FlateDecode >> stream -xÚ­]sã6î=¿ÂoufÖ,¿ôõ¸íe{éô¶Ûmîá¦íƒb+‰&¶”ZrÒܯ?€eR’훹›LF0 ˆOJj!áO-òDHSØEVX‘H•,Ö»+¹x„±®Ó¬<Ñ*¤úîîêÛO©Z¢Huº¸{ÖÊ…Ìsµ¸Ûü¶üþï¿ÜÝ|½^éD.Sq½JR¹üîöóßSÐãûŸ?ºýáŸ_?^gvywûógB½ùtóõæó÷7×+•' -æk^áÄ„O·?ÝôÃ×ÿøÇǯ×Üýxus7ì%ܯ’7òçÕoÈŶý㕦ȓÅüB…^ì®lbDbñ˜íÕ¯W¿ £nêœþl’‹DÛt±2Vä)¬1«e)dZ[eI!R£Í e«ç´ì©PË»²_?­våËKµY•›Í¾êºªo^K)ÒÜ‹ÃDŽjF¢e"Ò45±$·ÈõÛOI*)´Iay¤x'ÁF«©LFgLóázer»ìŸª $_–î™-o¿¼ZÞ' "¥!ÜöµÊ—°uB¼ÕÛ-9õ0UóÎ+ŽÉ‰$[¬”6"ÏAJ‰"I´“i[w=PJµ¬š~_W8Mj±d´ç N£ëvÏ\^ÚfS74ŽÛ ‚@ 0m›ÚåMSÞoÊþ©fFíK­–uÛÐOB«e×Þyq]õpغmÈX~œ¨3Ç;]UÈuˆ˜ŸêæðÝ{×W»îþJ—}KØ·vÿLPé„m O-éñ\í›jKðŸ‡ÚS“nZ—4H/€%èîû/<Ü6Mµîas],:‘ÕÊŽžÿn›Š ~_6ÝCµwšDô=—ëuõÒ»Â/§Äò“¬çuíú¹ê {èœúô¦æ&ªrJh_LåÜxûH3gK›ª«gÎðë¡ÝÀîÈ •õ–1`Œtk‚á¤)hÓ AÕ´<Œ1/=YPÈ‹|GÁn÷rØ¿´~zv?›º[·‡}ùXm{t¨VÚŠB¦õ´Kµn†pe…†ˆ.%ìvÿVîcLc‚¤5,O¥ýÉ#Cô•€vÖõ¶î߉bíâ ïy -¨dC§N$¡£*{¦(ixK ?2¶«ûjõVo*]—k/DËJ–©zãÕþ¬#˜*–ÄdsX³ )Úë"—R¯gýôÕA‚VÒ£àÕöË.e…kx$Z%"Óƒ¶ÍÌI*2¨Ü˜È96JùR­kTMµÁb¡0—6@‰hRüþý(»;\mµ°°Ž¢k|"§=æ(™æ<< :ãáž*ðp´†±“c»‡w–µ'ša¹¸»7èâ!ï_£Ò½Ïjð°Û/„ˆŠ6¦i‰Ä•ˆ…℈™ Av@ 1–êœÈîD¤õ˜3¹¿ÃQ@èw™È†ù"XyŇêüÙĦ0‡™Jøóç‚Šš%RÁ8‘iPöG€²?Bn³8Ô6¨¯ÇW&„m===^*’pÓîÊš‡îË®vU/T®`¸‘Ö´w2·í=Ö(<:‘âqdzڹšÁÉ›W íëÍÆù6tGNÀ—ôx-!õ:uÖ»ˆ„Tõ¬÷¯kŒ¶“Z€°s•>`^Ê}_¯Xô¹ß´áŽ¨œÒ•Ón´v•Ûiº@¢‹UQÐé§5pɉ}²ä´¶™ÈéËO¨n:†Œo9üΦ\‹ÔšgÞW VG™]~àùûQUì…k -_l·|Sݤ9^‚è…M2(õé„÷ ¾>?Я S§Ÿ®ëœž:E¥¤…Vc '¢Î²H é½Œ§º Æt5c¶çd&2¥ÌlÓc¸éùÈõ¯»ùj›~ßn/w?Ã$NÐÚú˜ˆ!¡LVn¹Ç¿~_¯©x3ÜûŒ€ VÅ7$8àüëH©xeÊÙηQwƒ€î'38ª‰­ØÜ -k -³°’N -éö¼­ ô«pÂÌ!MÖmDK¤Ž±<‰ËuÉ31•ê‚>Cš<JÉÄ»,{{ÕCßyßåB{/WÇ·ì`˜ÔÞé‡; ô¿è0á®Nf{“äBkél¶©NgûÊÅ- ý+ˆ(á8ß[%lž]à>PÍ°2¾M…Móÿ8ãCqíû,HÐÐ’õŒ¥VÞÉìÌÝPÿHÞ‚Ãu[ˆÒá‘J…ð“/š±~*›G^Ñe!$Úlj¶¯`iò@¸É.uhP´¶ã !p.ÙÆ1_bÝ©8r•>ÒTRJ¿º+]ݨ}òÏ EÀ%)!Ü>rãKÌ‘J»ê×/ìw3®~Áï¤Ê™¨ƒþµÚA"s5¯8øcÊ1@u,OÝÓ 'yw¹>! Z=øNt]2Ôþ¤O+ªHÄò‰¨‚nrðîÄ®·ªÇáÃGÈ¡‘_`?G{ñë= –FÀ¨#0¹·;””ÎX¼˜QAäï |”x¡›Øc& à`ËǪ;V œÞiÒŽc -=Päo˜”L+„“¡JXðËK/1BªÓ¡e :Z95“È"…É•=Ï| šáG–D˜‚yÄ>Š,xëÉ&‹ GwYê#‹ûá# 6¾þ¢¶ìžù:Õ—½åž/X}{;ëóÐgŠ,Í‹ÈéuŒ}>E‘ÙÐçI Ž¥¸÷‘'³Bå£þ"ƒ›'\/“¨/u9d&›1(Ž×b…â@Aq0Q8%ŒÊ4Œ~çG÷/ä•9·ÒÙŒ÷[]pÿú‚Z "_¬°¡@ùpxývl ƒë=ï®|Ç:½/Œ=Òݸ¢à\v‡Ð!ÒL\0 :ã‚žêhsû -ïAù&rÃR²¾ÀßÍðœ0…2@j §w›ö OïÓ»M‚ônù•„×OYØH–“À“^³åƒÝXh= - ?³É26@³Ù¬ ^~n{žé_Ãa,ê‚Þ1Ÿ™>­Ô Ñùyöžh†}´ãÄ --¡¥øGVkõ`µ²ÕZ¤«ƒaéÂÑ=#FõzŽäøQ®u SÖ_s"¦‡ib’D¤ø±TXÎqQ"Om>z¿¨t|–ÁÑ•!ux¦ð@®Ãƒg\Ø®»ÌÉZJ0]£/TvF™Rs•U‡¡/|eg%Uv€ +»ÓÒdÐè'y2)íÜVõ¥ u¦²8SW_!‡b9êû”¤¤^‚þj¼è«”ˆâ¿©ï²L@Û­.|&v$:ó•¹ûßm¹~~j·Õ4v¢9žgëi¦lã·4VäVÇ|ãÆJkW=è᪦‹E7¿¬Ag}íßêãe'Âü—ö¯_q÷ÅÁÇê~Åòäècmø³‚ẴݾV^\ÿö%/R;-†w½hL¿œ.î1ÑW“ÛÃ.©x)©hIšäH¢Kî༇D~€1÷e›·åËç®Ì±ª‹¡¸svx(„ïÝð?[îèBWŒðƒŽ(‰™È+È$”:L:)ôåêj¨Wi%¢De—wRš{àAÇ"Š„õT?RÕËô©êejÞñh³-ò +b·M×R®‰O! Œ ÞPÑ@0 ¥0Ší®íb-1Ñü#ñßòÍG¬=JJ‚Y˜g›1Z—{Ð0.Š:hÒIA–XL‰J¼…•€½X–~¥.Öùaƒ)¥`t{qÌsD¢ MdÖôÄÀ>䆾@–24–~hEÑ :”ÉYã¹ú¦õr¶¡ÐÝà¢}˜N>”J£“Õ î!—`#RT"°•ò’‰èÔB+dI±Y#SöaÃÅÑ*‰îüî¢gbqb‘†c!—âhå®X–è¤b…K™k ØD +Ü›ýþx²Ý-³¶ZØT÷êlmÎç:ôQ2N¯äz u!×½TëÃtǃ,ÞEÕ^hBu/Ù d€ÁduÿÚùî³WC®Ý%F¾±LM",fŠ·F¤(\25À!ÆÁŽœX$Z5S!p<*Hý.#Y±^Ô#/xQ]f›~¨Ê¡§~ýZѱ‰\0ÜÒ´Ž A8)7Ylª+ô×ó1 +qk/O]A®êm^rÓSÞ”ÿÞpСÓF^Ó>É€xÞÔOˆV¸udUæ†{ÕSèÁÙ‡‹öåjårʘ3ø9=ÞrØ„»¡­^6}DFö¿ßbÝ=ŸÜ‚ÃüÀÙåû¶\þ¹ß4ᆤ¨ Ö®µtnMÞó ÉõЕ[Š{j£#Z᜷øÑcHm‘DÒ—¿µºîX2¾õ…x\˜R-b›iîùT€1ˆ“;ÿÀý÷|Ì…Ñ…Ç)›ÍgŠa¢›8Åë=³Q Ÿ.D¨qÿ<#â!ÈùN~v'ýx\—ôtfô—KZh54vGôYÒ3h|C㥮˜1 ͘<ý(щRfòøcøøó‘‘°»««v_o®ŸƒºN–»Ö×`t +Ðå–ÃÀàú×îË%‰ÙL$ŸŽqP?˜+VõïJ°Áå×IRñÈ´i»ÜFSÜ]¦ŸL`©F±bS+¬ÉÌÌJØtbØn/ÇJ'¿;L,ÒhÜ~¬€i±€­chOd ÆRôì…J'uÅ +¿Cš4JÉȧ,g{ÑÂq¾ñ¹ËOaÑל`¸©­ôÃ-æ_o1€á.Îîö&J…Ö`ÓÅÝ>”:¿ÛwR®naé_@½@ ‡û½U¦ÉíÔ„úÞŽocaãt ¿¿ãÌö'.Ø ápÖ2—jXA|g³ wC7Èä)8^³*Ýß¹¡­~ò•0–/yõÌ#º]…V«’ã+šò®³Ûº U´¶Ã«!H†lÚ/w*®ÜC§<eBÇÒß´ns‡µßüSC•8$%†›Gj<Ä¡´C¿~`?›!ú…¼“*e¡N²Å62‡ye§Á/SŠªa{Ê–y“wKê3Ö`ÔCNaàô.N:,áWú¼£²H@-™*èNoQÜâúH <ëž±…õñsŠ?Þº‹4"'“úH±¤tÁâÍì"sà«ÄŽîdO;IÐ@o›?Í %ðöN¶\Sè&â’ˆΖ€°—×^g„RçKK'uŠr:~Ž*‹&Uö²òNjB{¿²DÂÄPÌ{ê{•ï?9d‘äÊâ®M}eq?|e1qÜ]ÙæÍ+_¬zØ›ïùªÕŸo'sΙ"‰Ó¬—ô;†9ŸŠ,Kl˜ódPÃV<ùÊ“X¡ÒÁù¢_º4ÍΤ^"Ñ_êzHL2Y2R.È2ÙÕŒêpzuàœ1*Up`ô3?¥&¯¸Ì¥•N&²ßêŒÏÿè/ÀjPùúëò ‡Ã‹¸Ó±0¸èóéÊ·­ã›Ã~Fº» +.íîP:DœÈìJ +RRÐKbn_àhIW ½4Œ`KÖWô{¡ ý½$ŒHmúô·wwñ¤ßÞÙTˆ¥c\xràžÀ ™´å2lÇ÷ßÝwåׯ*ÌCTÃO(ÿË}ùT¬(Ãb°<µƒr\VS¯”1Ô‰Ó6WŽ•ü"ì0õ’a8îäœî•Ùð"ÉlÒ³i¼†^êš%£Ñº[ˆÉØ5 +ß Ø+±H]ˆ]/uŠ]ÿ~ŒÔà0¢ÓËê½Ð„úÞŒ#+´„#}O/j­î¢IŽZ«ƒ-Âê`‹°táèž½FõœÈéóëT¦¬¿æD"ÜÆ8ÅD‘ˆñ³©Î1ÆÈ2‘Æ6¼ß\:¼K`é;dH'<“ùPî„Ï>°3Œ»ÌY,¥ „®ÑWY¢Ô²³ªÓÐÄ3ì¬$dœÙ·&ƒ~”F#h禸/«•ôwªËîËd–{ç>%iS/Aÿ¯÷}JOâ¿ÁwI"àØ­®|0vºð½ ¹ûßM¾|}©7Ÿvb8^VëeÆjûoi¬H­îëí¬´vèAw/S5],º†þËdñ®¯µÿVàtÙ‰4í¥ý‹XÄ}ûCô ½Àl N>›Ñ†?0è®KëÍ[áÍõo_Ò,¶cxÔ½õÅ`úå<¸Ç¾ÝæyY~ÆáKß’+P¬ïñ\dŽ¿Ç36‘þTOvüFRžÙ^ºKAß?N„ +üsQûŸ?³<}ƒj8Ù§gÎóFÆ"ÕYâBí9{Ñ;6ý?ž×Sendstream endobj 952 0 obj << /Type /Page @@ -3300,24 +3310,18 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 997 0 obj << -/Length 3049 +/Length 3045 /Filter /FlateDecode >> stream -xÚ½]oÜ6òÝ¿bßN² -?% -}JsNë¢MZׇ{hû ïjm!Zi+iãEÿûÍpH-õ±±qÉ Cü‡3Ãùâòƒ?¾2:f2S«4S±f\¯6û ¶º‡¹ï.¸ƒY{ uõííÅË7 _eq–ˆdu» p™˜ÃW·Ûߢ×ß¿úùöêær-4‹’ør­}{ýöŸ4’Ñçõ»·o®¿û×Í«ËTE·×ïÞÒðÍÕ›«›«·¯¯.×Ühë…ÃpfÁ›ë¯¨õÝÍ«Ÿ~zusùÇíW·ÃYÂór&ñ ^üö[máØ?\°XfF¯¡Ãbžebµ¿PZÆZIéGª‹_/~³véÿ´4±6"]` ’K ÔYœH!-on:;Ýû:ßD$©##¡Zªj‘@ Ç#21Oµ±ˆn ?\\7$Q -€=/«²ë`x§$\8°°‡³w²dÑïL³®(¨sWTÍ#Œp )ƒ •¿/:šá,P—ÚdYâ0#W£S{#9˜‡Ô¤«”éXgü9GÄ™1fÙܬ„ë#™’:É“X'©öE÷y¿y˜Q¨Tl$_Bð -UÁøˆÂ3Bäi,É=«ë-É¥¬û¢u©w²*{X”šFöÍÉ -ÀÅ9›uî*è:*ÜZ8‰’f|AÁ¢âEJ¸Wñé@þ*KQ}shªæþÓõJÆL?f*ˆ¸·½[‰°Ê8ŽYÌ”JWI&Á%À•^Òd{¿¢ÆMàiøu¸`îiæx‘´_Á4–;4úZŽNr®Ò,6ÜŒHš¹<ô3\HÞA´LJEW9(,É 9P£ÉVı +ËÏŠ‹ƒ¾ÉŒëg™ .Û²?vßÕŽTF1ÀÆ”=´Þ2‘õL)Š‡ªÜ”ý9‰Š€~Þzp£âLBp‘'†¥_|9Œëåüvr“Æ™â´óY"ÀÔ€…;‘Æ'ˆàxŠZyΆ@PŠv“þXö$«¦.HX6h€þ±¡FQYåB/ –Ô:" ˆÖ£E¥€üŒfåÆ¡Þ矨qçV’^ˆèúgÒ"®E,¸ÛÀ?c8dZ,³_gòŽW¯¤ú_jÙsÁ£ˆÔê¢ë!R˜k¤,ÖRë'šâ¤rày’Å©Ðú+ø ‡q¢\r -ì(Ó§Ïû´øj@ü_Hñ)"S‹\ÕˆÈs*©b€ÏÃ)ô°ÛÑ·°Ö[ÖúaÃY?Û,/ydÕ:6*…ïæ¡Ø¼'ñ®0JŽ!ÊX¿îó²îúi@ÙP¼)fQ¢‹*w“‹Ö‹Çº/]L—Ó‡ÄB±«C°kŽõvâÑ}gÓÐBŽ©Ä˜°< -W8rø!w@w…  eé)¶x[•ãÅÂñW ÞÅ’ĊЅзGƹím ŒKÑ~,e4dpC‘¸ ÔÎ7ýÑ& œÃ5.÷e_~(¨{²$œ¹t‡åÔðŒøcþÀ€UŠ:¤@Š:BY4~k-£_Åø‰bt ˜ÐËéã4LrËM‹Ý*`qsAÃq¥N½NŽËº¶ïʸr^1ÆÂîj+Æ6HÑé­ 4|AcyX¤Ö³ê©@(?ñüY ÿÄ-M¹¥G×ø”ð8na\]Óˆ#,vWnwŸ,-€è)4íYh|DxJÏ33Ç̵šãGµÛ²¥æ¶ ËÖ® -;Ü`,¬†{ù åÉ?MŠ©CÕÜ*‹þ²D gø2bô_a 2𼌠F^¾¤™ë7ø&Ãœé`©iY¾€›ÏpíÝ7ˆ) pß~õ–Z»²õÄîJ×@%ìTx¦=&^4¼ˆ_{ü–æÀgà8±¤mŽÐP}¿ÉÓÐßó/UŠl™3]dÁ”ÊL,qØxSåèɱùz²þIANwJÌ"¿fÌ_8n·n@Lúò<óÿo|_È7ñl¾‰çòMLùÆÿk¾ñÿßäòM>›oò¹|“OñM| ßÄ—ñm²šo Ç¤áq±Ú` &GÒî̇–œYµ¼¬Ò’Qòô.rŸ&'9Ê$‚¾¥À> ­ v]äLòkغ· -l¹|·kêüÎÃÝù‡Ò†W£kô~ÿ– MòÃØr© - uÔ¤g‡dêí`ääíÎÇ3ö%S˜èÚ–µWsJ£®Ü—UÞÒ ½Q{âôˆxèQ.LOJ`‰õžásx2ü!‰TœÅ7AË( (²Ä5- ‚‹ë²ámš>ú‚ OþÁF.0HÉ‹tUD™pŒY‹#A Ý04M“ð8KÇ°úž’*è„‘*Q± .ÿó#ÙA²‡¡œ>€0à€Ş©Æ]Ý$¼‚!ÚIøF¨V`Å<ˆe“ËiíðkŠ”yšÂGﻡÎÚöÅö³¡Zz6TKtœj©ž Õ¦áU`çØùÅsàõdC>62bL½Ò±1 áõ¯‡5Ø°ñæ¦+'ÞµÛÂ泋–JèXdFY$ô; ‘@.z¬úr0NN=è]wÛÈ) úcëj&ÚÕ>è¡Ä‚×Ý£•Î9»dßkpàΡ÷´;V4fïn2ûÍÈÈÞÙ_ž M…³ƒÖ¦$úd§¤/ÜùC•o,ÕJâ 7n«”ÃC³"©9÷ Éc06¾ÜÕ¶ uƒÌ_à¼f±NE¶ðF [Šv_ÚË -„œÎŸ»Çb€°ç„ï@åÀr/°n²Ä -¸Üp–ŽµÔÿüÅ?.œ´a(yA/<›1Žßîíïìèöñ))J$±ÄwööÙÓýóY¦˜†øÜ¯í¤Žñ'r »Á¿“óÿïô3E|é7FœáKHÃQH¸Ê¦”?Ù›“þð;üendstream +xÚ½]sÛ6òÝ¿BoGÏD >Ipò”æìÄ6ißÜCÛZ¢lN(R©8™Nÿûíb +üPì¹øn<€Àb±Ø]ìÄ þøÂè˜ÉL-ÒLÅšq½XmÏØâæÞžq³ô@Ëꇛ³—— _dq–ˆdq³ p™˜Ã7ëߢ7ï^ÿrsq}¾šEI|¾Ô ‹~¸zÿOɨyóáýåÕÛ]¿>OUtsõá= __\^\_¼sq¾äFsX/† .¯~º ÞÛë×?ÿüúúü›Ï.nú³„çåLâAþ<ûí¶XñžýÚ# fíÒ9þiibmD:Ã@%稳8‘BZ^_·x¢4Ê}»ÛíϹ‰šÝ¾Ì»âŽfQwŸwØ3QÙº¡C[ÖwnMýÕuÖk»¸hÛÂákjj»û‚TÍ*¯h¬.:ꔈ¶.6µõÊ­é‡ °ìg¶±I)¢wÍÃE|YrgZ {Èâ3¬Iå’™¨npÛ,‰òª¢ŽÃÔTØÒÐ*¯©³n¨íîK7Õ @Ë|³§ÏUW}õCõ»M¬J¥Lôïû¡Î\Uµ#‰öH{î¡<ß Ûûቹ3çn›}ç„ÄÜ s‹«,ÚûM³ßk.Ý´î‚ nóÖ7c`:Ã?Zú +„ƒ¢á,º!î–¦¶ü(ùóP:X‡©çZOúäxtùë|[‘¤“ÌI °’äxD&æ©6Ñ á‡û"‚ûÂáš$J°çeU¶ /–„[Ävpm¶V ’±èw¦Y[ôq[TÍŒp”#ܪüžg@83ÀÍ6Y–8ÌÈUàèØèH6"5é"e:ÖŠÕqfŒ™·9Ëá2ÀHö$¤Nò$ÖIªû}‘ÆmÞ­î'*ÉÅóQè>B¡Jc#PxBˆ>È_e©#ªkvMÕÜ}¡^ɘ àÇD÷º±w+VÇÂ2‹™Ré"É$ø¸ÀKšÜß-¨s¸›~.˜º›)^$í#ØDzq‡F‡ËÑSNUšÅ†›I¿ç¡c‚ ÉÀ;ˆ–I©è"…%4;êT ÙŠ86beùMqqÐ7™qý$“Áeo[¶‡ÖãïÚ¢ÚÊ(ؘÒC£‡Ö[¦ ´<*¾ìªrUv3ä$*VúmëÁŠ3 Fbxœ–~÷åì1.C”ÓÛÉMgBˆãÎ' ˆS6{>"{Œ)À ðµ8$ò” Èí&1ü¡ìîIVM]°0rÀî¡¡NQYåB/ –Ô:" ˆÖcJùÍîË•C½Í¿RçÖ­$½ÑÕ/¤E\‹Xp5´;ÆÂ$´ ¢:Xf[gòŽ/#×o~¢ú_êÙsA›cVÑv)L5Rk©õ#MqˆT9ð<ÉâThý þÂa\†(ç†;ÊôqçÓ>-¾ÿóé1>Fdªc‘‚«yJ%U ð™c8…Vbj ký°g­vœõ³ÝòœGV á8lW÷Åꉈf*N„(CýºË˺íÆeC‘ðª˜D‰.ªÜŒVüy(ö.X<Ô]ébºœ Å®Á¦9ÔëQˆG7öƒÍ%@9vBr¤CrÀò(\áÈAàûÜÝ6€ž¥§XãmITT Ç_Õ{KB+Â'„¾2Îmoe\Šöc.­!»€ŠÄm¡v¾ê˜)HÎá—Û²+?ôy´$œ¹œ‡åôÑãð&†ü«xhûµ µàÄÀÏûmN®¯çNE™OÊvMݺ›B»m>FúE·Å]Y×”9RóÁ|ˆ&£«1Lèóé=¶95ö¢ ‘?8*¼5ÇlD*DXQÏ$0m·¬3¡hŒã,äuDnÞƒSÏLµd{¡—{ØùĘ8UL>bqY ÐÚEÂ$˜”çˆÐ=Æeˆr.‰£'@ô=Ø7²+“=#ác$Bp­ÒÔ I¬öϳÐuJ>[Åñö¾y¨©{ ø(ê)jeÐ ø­µŒ~íàGŠ ÐbÂWNÓ0É-7-v«|€aÀÍyôÇ•:õ:9¬íÚoWË•Ó²1¦vW[6¶AŠN‡hm á«ÊØÊÃ"µžUBù‰çÏ ùGnélÌ-=¸ÆÇ„Çq ãêšFaY¿»r»ûdiD ¤iÏBã#Âcz昙9fΨդ"?¨Ý–{ê®ËA횪°ý ÆÂjȱ——`(þiTLí«àVYô—%JÈ8Ã÷£ÿ"k8¯ð22yù’f®.ña†9ÓÝÃRײ|7ŸàÚÛWˆ) pß¼»xO½M¹÷ÄnJ×A%ìXx¦=F^4¼ˆ_{ü–æÀgà81§mŽÐP}_ ‡äqèïiK•"[æLgY0¦2sö^U9zrì¾­Tã3ËïCë„óŽÛ{7 Fßò4óÿo|ßÉ7ñd¾‰§òMŒùÆÿk¾ñÿßäwòM>™oò©|“ñM|ßÄ÷ñm´šn ‡¤áq±Ú` FGÒîÌ»=9 ²jy×[¥9£äéå>MŽr”Q}C}ZAüt‘3}_ÃÞ-P`Ïå»mSç·Ï?—6¼²]§ó{ø‡Qè’ÆžKUh¨¥.=;$co—$·;ÏØ—La¢+[Ör/µ^´å¶¬ò= ÒCµ'Nˆ‡/ÊE‚éQ ,±Þ3|Oú_3$‘Š³ø‹£â:ãq¥s}6‚¸ú e&Bpq]æùˆ]ýõÁ‡„À'ÿl#¤äEº*¢ÌŽ8†¬Å‘ ÀÏ04M“ð8KÇ°jI|„‘*Q1#.ÿ#{ÙA²‡¡œš‘ +@ðÀ1f‡§©Æ]Ý(¼‚!ÚIøF¨V`Å<ˆ e“óimÿ“Š”yšÂGï۾κïŠõ7Cµôd¨–è8ÕR=ªÃ«ÀαӋ§ÀËц|hdÄz¥ccÂë_!j°aãõu[8N|د ›ÏÎZ*¡c‘e‘¸c$‹ª®ì“Sz×]·rÌF{ˆî°w5íjôPbÁëöÁÊçœ]²ï58pëЀ{Ú*³w7Ñ㎠ìŽM…³ƒÖ¦$úhǤÏÜù]•¯,ÕJâ 7n«”ÃC“"©9õ Éc06¾Üµßƒ– 2†óšÅ:ÙÌ5l¹+öÛÒ^V äxþÜ=„='´=•=ȽÀº È+àppÃY:ÔRÿóÿ¸pÔ†¾däñÌ•‘l©ûcá_6ª¶üteæéS+õ´‡b&&ïú/&µQ­bü)\&)ø#/øxy„žy6b¾ÝÛÛÑíãcR”Hb‰ïìG쓧ûæ›$Œ1! ñ©ŸÜIãïäfvƒ'çïþ9Þñ·ŠøÒoŒ8Á;–†9¢p•)ï·7%ý?r=xendstream endobj 996 0 obj << /Type /Page @@ -3355,28 +3359,23 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1004 0 obj << -/Length 3010 +/Length 3019 /Filter /FlateDecode >> stream -xÚÅZmoãÆþî_!ä]D›}çnî“{ñ¥çêSQIPÐ}&J‹Š(ÙQŠþ÷ÎììR$M¿$—¢w€9Ü—ÙÙÙÙ™g†3ÿÅÌXf½ô³Ükf¸0³åÝ Ÿ}„¾¯OD3OƒæýQ^œ|ñΊ™gÞJ;[Üôx9ƳÅê‡Ì2ÉNÏÞ~ùîâë¿]æ:[\|y:—†gï.¾='ê뫳ï¾;»: gDöö/gïçWÔe#?_\~E-žO0½:w~u~ùöüô§Å7'ç‹n/ýý -®p#?ŸüðŸ­`Ûßœp¦¼3³xáLx/gw'Ú(f´R©¥>ùpò׎a¯7LÔŸàL*+'¨Õ”gVIx¶Æ=ÀHÙ),ãÊçÀ‡4ÛU¹ïÔçÌ:—™½b«’yçÜôFç‰á¼Ï‘61sfóÜ wÑnÊeÜGÇR2Íû¨Z:½Uù#çr]®èµˆÍ7M]7í—ÄÇä=>sË™h¢"g^Iø-뢅¹–s"ÿ¹.îJ0/ »Ã¦¤.¤ú=DbÏg«æ®¨Ö¡ó3\u&=à2‚ycDOýaF «õlj­Î•aÎ3›&$áÅÍ)´ûlÝàÓ%‰±©:Y$Qyª¤\}-Îf»Û’&¬Ê›b_ïâ”vÒT36wQÇg—ÿ˜>ëu²'FìH8…ó (iSvk…Î'eó}ÙܲåŠi©Í+d³ÏËF‡v\Ôír¦œ°Ã³Š‹VÄ%«‹ââK2Å¥ÔS‚sgþƒ„úÓ„Øv¦t€lÉ%„bŠ«|hª‹$E]~,j"ï‹z_v¶¿Ã9à`Tß LŸ,GÏB‹í©pYùåØe?3k4sÜè×ø ¥Ëy>r¿oV„Ã%QÌ?ë i^‘L3Fn«ÛÔÜ*ÎœC˜ö[Â0 îÍjË´²žÎ ,åðC5j •Œ½*—MPê -ÏKó¤b|Ñ»ý–\tWkz’ñÁ8ýHl?ë¡1"éz¾:ÇGðìöM ÔS‚ýçÍ„Uó om-1|¨jŒàÖfËbß–DëdÖí¦Y·!¸Û<÷ÐG{Dê¬?¸K 1˜9r'%!‰JBN»ÛbG-·Å}du„0ƒÃ‘^‚­ˆÆ*œØ¦7Ìjч4qkQˆ‚íþ¥ ¡1V.²]“0d†BæCõCqˆàúÅËÿŒ£…Së¨#|j ,nûÜ~Ÿ³‰¾ì Ç2²q„¥8ð€dšœÀlüªÕ Ž÷/ÅcH¥”Oð¸Ý»ò®\ïÒ6›²¢¡ìaboë&‚Z8Vð‘iƒp€ùƒAÅ¡$Ò"uU¶ì©DZs͸—¯ry¡1ïV>ú<¤¿)xÅ #wÜÕ+ÀÐdévgy °3åþ$ÇvÙ;“ î3£d²üïÁYˆleö¨ÀH0{@QbÌÛ ÕÙ¦©‚>@²» J‚æ˜Uëìêª-c?,Fm[ô\x_³u;R¡Û[ÅÖÄ,îû'$(v‰PÙD0xv—=Ю7›0[Š-B2¢Ia@”©¥¹õÄí Yžu¹,Û¶ €?Ÿq€t¤ónÖ¿âŸä4Ð9yßoÀpÏ;´¡’ú‰‚Y%s؉5ª+› -Í„kä €‡5¨l—ÑÅû{W%&q‰Ì™4žj ß ¢8b¶ªç͘ÀþšÚ#6iêûrÛRݪ¤e±ù«ËDÔMó¯ý¦¥þ"Nêå©ØÌš¯Þ½ÎY¬ •íÛ(ÄløGCÇ‘zâÎZ≠-th\¢' ö†Ë^ïuu}]—ô^×eÝÆK/b ‡ö]r’C˜Ä%ËM‡z.Þ[vq¹˜*±@B,óTb¡Êa''­D›CÝ&QH`¼K"Ï®÷;·j¨›7é‚ó“ &÷#ﺕ.×óvw¨S4ïÔÑž5Ž¯gö9d´ŽÐB±=$l€jb£'T怖ÞöTvvõþlß(Ñé–t‚ŠX*S¯ ¬wk7¨F$n›HTímì-Ëf †¾/‡­û4³Ý/ãºH.Ah*KÒºÅ:Nÿ¼¼ *í3® ŠbHyzÔÕÇÛÝC‰§üjáˆê ™KÁPç!j—m(ݽ¯V[°£ €ÑôŽ¢„öýt -^£¨ë…ûõÇ ™Œû÷úÁÏ7Ô<4¯‰[90¶Î€Ž°z„4ã^&·Ã"?ÞË69»xIMòÞïW“6<…Ë·ˆM´ÙMY`¬$tŒ ©cUµøˆ¾åbk* -ãKX‰%šבI¹îæ -@Ä£ ×M–›ÔH)Ì+Ú´nZ©X­‚)z*o€âU× -ü2¿·sº*]ïE¶©ö.úHËœ]Eø†X×/.3'x·Üj‘¦}T16€Är%gBkfyî>ù+SÇqÞgIûÒ “3ü¤ÖB)ÁÖá>et€„5@â?NÆÄñ%1¯PÖ …¬!öNœDêü˜ë}œ²©ËקêXÎJ'º¬©ö œ&wàÌÑ]ØZÁç&Hßlvà‰ îÊ"á¢ûØ0õYD1ÉUá¾*¦¾ç í8ƒäŸ(øûm¹&¡« ’ -xWìóyiÌä‘…d¡­Bõ#Ï“ãêç}¹­Œ™*3yž hŽ¨þ>€yħ µ!ŽÙ†¤G†X^¢(¼“óK}+"ªêqþMQÕ!ØÃvˆÅQ¾Îó²©Ðp‰âx‹¾£|ÃBÔ«0x!IÙºÇÚËrY–+\Dñ´5oG®·+~øXÒIi“Í¢ãB7±¡Gá5nÂÛǾx®!z|¨îªºØB àÝ>ŸŠ££SFƒWà໓ÃVü.ºž@€#7R½ Ô SªûžHÅ:dMBQ[Ò±*‚<krH‡mn^t ™ -ß ú b©b…°oSrǃáÈ.ã×ÌXk‡6ÒYW’½êWgOoCÆ5îeÕ ð{J?Å"ËÅÓ1ýù -[ -ù±œßSœ'Âû3Û*‡–>bWË0“~y@%~ž÷#Ô€ö ¢)éƒfCW¤ -µX|Kïxi°áW 9´ÇêÃù[r_ÔÕª@ÏKCÔÑŠkÇ8²ŠËÇš ¥’0¬+—Œk”L”«7&£ 7Íãó:Ö© i@è]1:1H剈ð~é1–£ûðì«”™pU$ŽåîÉJ£2 g3ñ>{ñcãkÎsÌÙ5þ|ÀÉéO"ñÓ‰JB¡^ $yúÝÏcÑÿ ”h)Íendstream +xÚÅZmoÛFþî_!ô}¨¶ûNnóÉMœœ‹ÖÍ9:mq %:&J‹ªHÙU÷ßofg—"iÊv›.Ìá¾ÌÎÎÎÎ<3”˜qø/fÆ2뤛¥N3Ã…™-ïNøì#ô½;aÌ<š÷G}³8ùê­3Çœ•v¶¸éñÊÏ21[¬~L,“ì8ðäõ—o/Þýýêì4ÕÉââ‡ËÓ¹4ʆNoUüĹ\+zÍCóM]UõCó5ñ1iÏÜr¦š¨H™S2óü–UÞÀ\Ë9‘ÿZçw˜—„†v¿)¨ ©~‘ØóŪ¾Ë˵ïüWIÇ@¸Œ`ÎÑS¿ŸáÉrýqb«seXf™Í=’ðâæÚ]²®ñ™E‰±©<I Qy%ª¤X} -™MÚÛ‚&¬Š›|WµaJ3i*36Í‚ŽÏ.ÿ9}ÖéhOŒØ‘pY΢@¤MÑ­å;Êæú²eGdKÓR›ÈfŸ–í°¨;K™Ê„žÕP\´*/.Y]_¢)þ$¥žœgp†à?H¨¿Lˆ­agJ‡ž 1ä†çM VÒü´`$­Š)®Ò¡/¢lUñ1¯ˆ¼Ï«]Ñ݈í„pYŒê;‡i“Ô‚¥èoh`¾=YR|=v$‚;&àÏÌÍ2nôK<‰ÒKy:ršnV„ÃÕQÌ=é¶i^Œ3FάÛÔÜ*Î2æ1íÍ„aœžÕ–ie&ØÏoàkÔ454zU,k¯Ôž—æQÅø"¢ÛÝ–t—kz’IÂ0½Khß?b4t—0iÄ…'¿×ëÂ[wAvÛ¨ +6>omRð¥\úšù4mã¹*€‡õ_Î2Î8~€íݹg܈‘Öøoó5¸ö?x~¦¯vxŸ çϦ¾‹ch!O ÊZïmçÓT4Öºø¬ZçÀ‚ΞÑ: “ +ÂËý²*—ÿ3­ç½õn½šuû_ªÿÞÆ>—þØðÿá7…uL¥ÄæJ°L(Ù©ÀªL38:47©fiªÄÓ`ÕÃ$Ü.voë-)»ø-¿ÛTÅVC/䘷ۦhç=õoïªb8¬ž»¸<€7¢ÎèÑCo·uÓ² [Öw_ô0‘t=_ ã#PGvû*ê)Áþójª¹×·¶–>”Fpk“e¾k +"óõž2ëfS¯Ümꃻï£="uÖÜ¿%Ðè͹“’D%!§ö6o©å6¿¬Àfp8ÒI°ÁÃX…Ût†Y-F@·„ÈéÑìnPZ:y¥"iëˆÔ _2ê4¯ò}ð×Ï^þ'-œXGàS aqÛçöçœMðeGËÈƬâÀ;€—%hr³ið«VGÞ¿5n ÁR.‚æ¦ÍÛâ®X·q›M‘{Qw?±·u .+øȸA8ÀtŒÁ ÂPq‘ª,v,½Ö\3îä‹\ämÌ9€•Ç@Ÿƒ$á¯0a䎻*Øšì ï,¢‘¿v¦ÀŸèØ.{ç``2%Ì(-ÿp"YÀ_™<*;Ož‚…+-Yf2\f¿ÎãÚ9Eƒz´ßêA¾á«‹;9{SÃŽf½MEÆó>g¿©L÷/)Ä™Âú6eYšÉ.»ð»Êlß@&*ÓYâ©0 Yã©äIg‘öFaZœ-®ž’”)ÂÓ{dTÄ^t-8 Ð7¬éI¥¤¸í·Ðc¹Ûnafµ'?áJYp]7Òì6t¤ˆñ†8V\í‰Bßä´wZ°O0kt"sºÛÁ“áx + H£ðR9—<€)¨›î‰C-Á(Ú©4‰w2ÐxàK‹êdy[×ää½±$Ƽ ²ZlêÒëÓ$í­W4‡\['WWMúa1jÛ¢çÂûš¬›Áp +ÝÞ*´FfaŸØ?!AÞF@Md^BïÙ³äv½ÙøÙØ’o’M +¢ˆ-õͨ'lÉ2ô­‹eÑ49©xüùˆ¤#3—ÍúWü“œ:'ã ïûîi‡6ôCR)£ÅQ2…X£ºbªÐL(°F +ø°_ƒÊÚˆ.ÞßÛ¸:(1‰KdʤqTcøÞcų•M8o.Àv×Ô°I]ÝÛ†šèVµ4’–Åæ7—ˆ¨êú—ݦ¡þ#ÇçdļBY3²‚Ø;q©ÓC®÷qÊ@¦._ŸªC`9+žè²¢ÚƒÊ4¹ƒÌÜõ€­ pn„ôõ¦-OLpW .º SK“\EîËâaê+ÒŽ3@þ)€‚ÜkºlIhŸTÀ{¸b_†ÐÈK[o&<($ Mé«iP¿îŠméÑ8`ÌX™IÓESDõ÷Ì#>­© qÌÖ'Å8ÒÇB ðúã(Eáœ_ì[QvP7óoò²òÁ¶C,òuž—M…†KÇY4ð–ò Q¯Äà…$eëk/ËeQ¬pÅãÖœ¹[h8ºÞ®øáBI'¦M6!ˆŽ Ý„†…×° gû⹆èñ¡¼+«| 1H€wûr*~ŒŽNA^ƒïN[ñkézuŽ`ÜHõHöª_u߆Œk²çU'Àï)qø@‹,ÇcúÓ¶òC9¿¦8GÂûÛ*…?m—Ë0“~~@%~´w#Ô€ö ¢)éƒfCW¤rµX|Gïxi°áw59´ÃêÃùkrŸWå*GÏKCý”ÑŠkÇ8² ˇš ÷¥?¬+—Œk”L«W&£ 7õãó:Ô© i@è]1:1Hå‰ð~é1”£ûðìMÌL¸Ê#Ç¢=ZiT†á¯o&~vÃgÏ~l|é|9»Ædrú“Høt¢¢P¨WÃI ôXôÿ0+endstream endobj 1003 0 obj << /Type /Page @@ -3406,24 +3405,19 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1010 0 obj << -/Length 2784 +/Length 2789 /Filter /FlateDecode >> stream -xÚ­]sÛ6òÝ¿BoGÍ„(>Ià1Mœ\:WçÎQŸÚ>Ðms"‘IÙqýíbŠ”h%fôš XJ®š>¸$ˆmìQYí¶%dÐÁ¼G›I÷²N¡ãQY®¿¡ÓÖF¬è=/'Ÿ>¥=Ï~Àšá?M2P¸J-¦„ªÊdAY08(˘?LñO÷Õú~²ÇB%®×̆² †”M6U]´ÏÁpóÐtU_®KªjpaH.©’Ö‡R¯U âçö( lŽ* ÿmêžÊò3ÙÈñÏ–šCËù·”=Â:£ìˆå•]ÕiÛ4}wZ>;¦*úëk†÷DÑÐ=€‹ˆ)ó’,JÕë¾ ÞM¨5 -Ò.h¶£¥ÐÙÁˆîÚ…”ûe_… -…Vƒ­X -¡¬²ë‚¹ W{ĵ!”›` RƒÁ[B±^C(€òø\ilÇ*ÂÛT.ä%9“¹ syãs0!8BóÉDnóïi•õoJöå×Á ÷5§‰ ;Ž:Î(IÁLN}ñÌkˆ†ePü-”Æ Vÿˆ÷$ª@s È -Ì -Ê/?äEd œŽIÓ›ˆž;8¢å 4æ“?–7¯Ü&ÏKÉ“2L¦™5}13¸—_Æ7ûÏ”¥,t\ý‡ó¦jg¸˜Jw¢å™X8YÎ$wßx°|áXÝ¥PU›ªN+¸ºf'f–[+c§a-bÍÈ1 k nžÁêDOãšCñP½ã †6chÃ/}Šc§Qe²ávßï)PÑü龬iôöêÓ§Ë74†“×ED <‹}ßìŠ><`åœY©ÌQù±.¶X›blº+ë²¥ÂT ‘ šÊ>x!ØËðÍs]ì°&Bàþa:ZÁäv|÷JÂ%)¼{c˜4ä'´ØÞ/»iaÀOÇNµpJ—ªˆ5µ\(T_'Ò@%iÔðcâ'–0`}K†jáå <‹P‚7S~}‰ kD'( úÛŒù7Ì?^HˆŒ"‹ •šë¦ qmc7…ÖÅb±q -£ÓÄ(K95"A£ù+ô­rè[eè…%63ЫUˆB¦4j‡eèe¨}`€-nÊÛfÌ©R¬÷-Áëþ˜i$6)’-hÛæéÐFãù´ã ½Ò¶ÚUC…]ìš}Rpš¬õ¶Y‡š¬û\>áÇ‹…˜ä‚i.åùBlŒu&zE¬¡+oÛ²»Oñ̯Â{ãs`ݷϧ¸xbïøÚg T;{„kæ {wš9(ñ§‡XÑ3†pp¹Þp:š€•ôTLm àõƒX¤ç:ùWJ) ¤}ðÛéMy_}كєísÀÒ¡â¼O_Ó`}_Ôwô¼µcFý°Œ®€æ~Cã¾…á64ÐuþÖ!«ƒ¡>¿>ô GvJÜ£&¾£1Éæb5 -pƒëÀߣ^Q¹Ù÷‹ÏIG4GûlpS€Þ<›h°+:|W•ºwÕ#»mñð† IoÒéÑ«†ÆKÓvÑ¡« ½ÐÄ,¼G>Æ÷ ¦jXøCä`Y6¶8¨}§2íjz"8%S„mFℵ†¾þ2<͇†ÄÃðáÒCcŠ“#Ó;Bì…àÑ!溺@:N… ¸)E=¿¢6‚«ò‰¨GÑÉݶ¹ñ!W€~|[Êã]àòp¸ç v˜ø -‰Bãšpë÷7ByºW“e 1³Ø=Ìshžx°jœ\”Ãõf¼Ú·ñ .ª›>y o9›Ñ£×ü‹/ôcŽƒ¤JAãiÕäg+¶d^°ÂÝàÚ3©•cÀ¸äfܾò¤;ÚŽ2FVþeðùä…gúPÐA¶ÚÑûü–}ÈWá‘p7øœ ÕÛ«ã›*úïäjÙK¿ß+Ãðõ™äÀ‡&íÿ¶øõQçLa°ŸÏ2<ƒºÕåQ(¼usRÉe™±2Ÿýÿú-endstream +xÚ­]sÛ6òÝ¿BoGÍ„(>Ià1M^:WçÎqŸÚ>Ðms"‘IÙuýíbŠ”h%vÞL\NDJ57Ìë é>Åžn-l¯ÚíªfSmÜ&à^ªàabSÝûí@“x¿É§ÓâÐw¸þ粤u¬ÕMI{‹¾"zú¶ÛMY½Aˆ Â…¥ÑHà„~hicOkMu&ó0‹¦®ºž-Ø@ªá1™Qs×~ÊÎ#d–ebÔJoeR%ûÞGŒ\bhP…Q<@ãûjï`tç HXxMêf\wE~ÄEMž¼Â†Q›ŸYs°Ù|´ÙS>Až%®â[ø㌔þœš„F«óhl|ÙÚ”ïìLÀ:øQ ÕÛ ZÝ£áÛ DA®å_£<xY4M;Ð-Õeåå ã<ð«x Ô  +{+FŒ)Ôs½Ý’›¸ .¨¯· xŸÐ ÇêÖâ'øù*ú°–¾yð¦á&ð]wá€j˜cô¹4x]ˆ~ïU—¤!¡“™Vç]Òëu—4bá“Ú~HûÌ°ê²Oó'~ 2!Áãž%bÄZ bæ—r,YSøk}IWî‚zÀµ‡ôù“TOiï¾ìAiªî%`éûÞ§oiP>ÍýØvÄ‹ºéEø”®€"C㡃Rá.” +Ü$¿ôxÕAQ_è¾!TGzJ·;GÅ|Oc¢Íż á10*FÓ ö¥Þ¹Ý‹m¥£3'ûl0S€Þ¾Œ›h°+zì/€H¹÷õ=ûmñðÆR Þ¤ó§Z 4–¶ë£5B}2â™Zx‹|Š} ¦îXø[/ÈA?²lªqXu§2íz&8S„m&䄵–¾ž‡æciâaØÁôÐXâäHõŽPG}!x4ÈcþT5Pçß©°Š›R”ó*f#è©®ž ‰ªÜoÛ[ïrÈǨ<ò—G^àžƒØaâ3$B +¥ejb·aÃþ–@HOÿf¶¬Ág»Ç%eÛó¤Õ08aÔ¬?a”—;0ªŸ·¾Æ=ͤùµÜù…ÊÌqБT)(A­šý²eâ/[#­ÓFþ¦½Z9fŒKn¦…,Ÿ÷‰|ÏeÔñIbå;„/'½žyË ‡hµ-¢õù-û¯B³p7ØV†ìíÍ1§ŠáoµìµŸø•aø›ûBpàc‘ö·þ?ü@©s¦ÐÙ/G,ˆ¥Ë#QÈus’Ée™±2_ ýÿ£ |endstream endobj 1009 0 obj << /Type /Page @@ -3564,19 +3558,19 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1030 0 obj << -/Length 2834 +/Length 2836 /Filter /FlateDecode >> stream -xÚ­Z_sÛ6÷§Ðäåä !‚'Oië´î4nÏqïf®ídh Š9•HU¤ìúnòÝo» HŠ’iGàb±øí?Pr’ÀONL&²B“¼H…I¤™Ì×gÉäŒ}{&yÎ,Lš g}u{öòM&'…(2•Mn—^V$ÖÊÉíâ—i&”8Éôë¯ß\}ûóÍëó<Þ^ýx}>S&™¾¹úá’ZßÞ¼~ûöõÍùLZ#§_÷ú§ÛËʘÇWW×ߥ Ç¦7—o.o.¯¿¾<ÿíöû³ËÛ~/ÃýÊDãFþ8ûå·d²€m–]X3y„N"dQ¨Éú,5Z˜Të@Y½;ûgÏp0ê_êO&BéLE˜ª‰”¢0F4h -‘i¥{ JØ®L’dúP¹GÚâ»®ìÜÚÕ+o[®×å÷ûòÉÇ’L`‚0ÆæžqȘ×ûº\;êÎWeÛRóÈf¢°™1“Y/!¼¾.»ùýl¾ª`å~¶”‹ÅÖµí{?ãýªj;¢¤Ç+Ï3‰q[¸¶«ê²«šú¯°”–[7ßmÛêÁÍšzõDÓŸ\û¾Ù¾¯›áÛFyž¥òŠi6(Ï+š+„ˆ‰ÿߦv³$«æí'–9_|߆Z·}p[¢–uûHí~â7×ï¨ÿÇÎmŸø„Ra“ý Ñ¡.ª%Ê´t$ZÝ!ðt–NnãêEU .*Ÿ÷ 6 íeû;LW—5½êƃ›r Û­Êm`»kéÚËfKj½Yy…ö˵›Użh+HsÝnÓÆ ýXu÷ÍŽr_>x6ØîznÏítÇ°YïV]ëQôØî-Å -mȇ]–óû`T -NӜċJeÁ‹T Yd‡:’ÒŸP øØòÀˆGÒ€¤ão7åœé h=V«M¹ã±Ö¹šZwO£uÚÝ(r¼{F8Ä´0Ó× tçY1Ö4ÍÕÙœœî;%>ìôáìÁ[0tZ~¬êxRÛà°õ¿ .ÓïméÍë.Øí(B(“ ©t°Iöº‡¡SCt‚™C$ žà3‚§…µ6:g=ÇÙ¥‹#ù4„C•fû…{?ÿLF[ˆ\Ëìo”1p<%c¡D®’t,¤YLg"G—Mún–ûÃñ Äï?Úˆ½€ò,±üE:F¬jLack#h-ðÌ B?8°¥P€ 5l Â3k~êkH豆#XA­éW>Š5#•åL¤ÕÙ߀5æ8²Œa ’Wi²ýÊŸ›ÅdNýBŽ§„,¤H‹±ˆÇ –‹$/äjál|ã(Ô²DdÈús¡6Êáž‹È•…MGxÃœÞÓ+”IëiÝtÔh7n^¡_w‹  ˜tz×t±ðyiåHÈã˜Ï åÏŠž Î# 5jÆOl­ÀWúµpË¢"íc&>=Œ¤^`w"UZXú°“˜¡U9Gò âˆâÀ­y‰¶˜dðZÛɇ+xÔÇ ÛèFÑ÷B‰‘Ïš#{…—lð?x8²€4¦Ûð+­]Y·$Wȼ̔plѶx ÖE`J¡eR4ò­Ö‡;M—žÔ¬±göúôc}1‚C¾‘L6뛄R/v¼ 5$Ô­÷º@oü Ìþ‘÷Êøn4ÕÕI* ôËNä.0ɦò0wá=U,r[}¨ýÁ¡²Œ¿*•Ó`ÉzRV:Ϥ>/ëuFÖ´îÜpJÛ¬§û'rz 1oêÎýɼ -†£(ä¶w3ãLNœR}R™Êƒï'ˆx1øÉñƒË ðÖ¬ÛŽ2Éÿ4”íÙ' êbæŠûÁvó pI“ôdº™i°Íçé¦_©áÜž ÏÁr«»÷½@Í”z"Y´¥DŒ!Må¹P29•%cÒ‘ËÄBêéW¡Zh¯URzlª½)ëÓNUøÒ”þø j}É„¤ºoyÁØ PVÚ D°~^Ñ”°N1]”]I4ïÕ°qÇCÀQ0É×ðŒ²+‚z/bÕ¶/Ž_îÏË£ F³RipßÖå -Û¥0’À†÷Îf`>%@Tiùë *Š ÒŠ•DoËú §h63Ì ¾ -ÁNP4«z?1‚ï4Ò¤Á%&‘Ü/V«Ä‘74(°`ëŽÅ‚½ V05?/& -$Q¹ÍÕio`ì3ïèO' çàw[‡À™‰T«ƒ‹‘r³ATEÁÖˆ­Ç{¯4hí!HXÈW¾$™°lÙà€6©É§ÿî™á¥N˜0ë휉åjç¨Y1sxƒôp^Ãë‘ó…¢!ÍŠÓÇ þ"r½¢Š”ÅJÃIxåÀOzpö‚ûNÕô5@à‚¢$[+LÙƒ:„hÜ—nÄ‚:~«éÆèñÜŠŸ»J¦Ãá«ëñ4Ø­Ý‚ù^7¯ÎÖäSÔUX¬ž…×öB¯w>eA) û(m‚­œo¤ªï "Ù‘·ÕþxÈ “–«ëà¹iþ^« éÎzS­ÜbNp^^ìà:K^¯>ƒ×F®×8Æþ}G¡j#e•†#N>Ã1¦iK/‰ü @kx´¨‡MqŠ´¦†»Rýµ°ì05¸$—(0ÉAz©è¸qp×50»šÃ©rzEkšš¯<'U€è˜ž¼tÑC IW×D£; àÒ±:O -ûpâ}Q4s3‰Õ­!çqUTð-lÁQ ]³!ÊÊ=¸5}½Ì.Ê‚®wÛpDR9o…!à5# d°êð -ðh«gA6Ò±úX }¼í%ŠÏ|A,nšÉ¨šÚ5!Œ»?!)™WÇröÔJyŒÒ¦y ŒhÛC‡Ãþ²å ~M?rž2…²ù‰óÔtiúlaÊi±~Åïã?»Pý4s¨3ƒwFuGä° $ ™ù’še/{eÈÌ¡$;åïN!aËÁÄr”„ŽK,voÝÓ-ëD:É|ÃM(æv-_1žsjò¿°Íƒë'¨FµHljF»ÞX|²êÃω¶Y¦*Ø—/iÊ­G7¶Úûf·ZP›‹#lâu·oÞÔ«]÷Øl§9C^Xû"ûd)á/-‚ûÈ=õ§mó€xòþÆ„…wÛ‡jή‰I<’ÃÕHôƒ5™=:þ´P°äUDKçö_~Y€%ËzÏCŒN1Ç»$ë< Èa5ˆ½«}Ü|²uí˜ÿX9uí§öMé¦ÇÒ@ Ÿø:Í™óÓÆè´°bô£ó²Z0ŸñÄâîÅ+N·b_¿?Æåp0‰d¬aµˆY|éWöúé“XCáÆ-ýÅþçB5H8‚ê´n^ûÇìÿ&ùDÒÐþËÿÆØÿU%Í…¶Víÿh1¾h …;1é3ÉÃß6ž‹þDZ5endstream +xÚ­Z_sÛ6÷§Ðäåä !‚/Oië´î´nÎqïf®ídh Š9•HU¤ìúnòÝo» HŠÒkGàb±øí?Pr’ÀONL&²B“¼H…I¤™Ì×gÉäŒ}}&yÎ,Lš g}q{öòM&'…(2•Mn—^V$ÖÊÉíâ§i&”8ÉôË®ß\}ýãÍëó<Þ^ýp}>S&™¾¹úî’Z_ß¼þþû×7ç3iœ~ùÍë··—74”1/®®¿"JA#Lo.ß\Þ\^yyþËí·g—·ý^†û•‰ÆüvöÓ/ÉdÛþö,º°fòDÈ¢P“õYj´0©Ö²:{wöžá`Ô¿ÕŸL„Ò™Š(0U)EaŒiÐ"ÓJ÷”°]™$Éô¡r´Åw]Ù¹µ«;VÞ¶\¯Ë-î÷å“Ž%™ÀaŒÍ=;â1¯÷u¹vԯʶ¥æ‘ÍDa3c&³^Bx}]vóûÙ|UÁÊýlÿ(‹­kÛ÷~ÆûUÕvDÿHWžgã¶pmWÕeW5õŸa),·n¾Û¶Õƒ›5õꉦ?¹ö}³}_7÷(ò<KåÓlPžW4Wÿ?Míf-HVÍÛO,s $¾ø¾ 'x°È,•Â¦ZŽ×úøŠÎvŒà›Z‘æ©€•œÂÊWîç$Qu…$JY/¨ñc[~p¼>¢Û{×K³Ÿ$µ¹Ìar´çœ€Ô2åIí^2ÈiÕâä¡î¦ytÛånEÄ·ƒä¥+»Ýö\Ú©£‘fIäR¡»/™óÊucÞ|$´nûà¶D-ëö‘Úýį®ßQÿ·Û>ñ ¥Â&û¢C]TK”iéH´ºCàé,.ÜÆÕ‹ªþ@]T:>ïlÚ5ÊöW˜®.3jzÕ7å0¶[•ÛÀv×:Ò ´—Í–Õz³ò +í—k7«ŠyÑVæºÝ¦Aú±êî›å¾|ðl°Ý5ôÜžÛéŽa³Þ­º +Ö£é±Ý[ŠÚ»,ç÷À¨œ¦9‰•Ê"‚©@³Éu$¥?1 ð±å!Ž¤IÇßnÊ9Ó(Ðz¬V+šrÇc­s5µîžFë´»;Päx%öŒpˆia¦¯.èγb¬iš ª³99-ÜvJ|ØéÃ9؃·`è´üXÕñ¤¶! À `ÿê-¿ .ÓïméÍë.Øí(B(“ ©t°Iöº‡¡SCt‚™C$ žà3‚§…µ6:g=ÇÙ¥‹#ù4„C•fû…{?ÿLF[ˆ\Ëì/”1p<%c¡D®’t,¤YLg"G—Mún–ûÃñ ÄïßÚˆ½€ò,±üE:F¬jLack#h-ðÌ B?8°¥P€ 5l Â3k~êkH豆#XA­éW>Š5#•åL¤ÕÙ_€5æ8²Œa ’Wi²ýÊŸ›ÅdNý…BŽ§„,¤H‹±ˆÇ –‹$/äjál|ã(Ô²DdÈús¡6Êáž‹È•…MGxÃœÞÓ+”IëiÝtÔh7n^¡_w‹  ˜tz×t±ðyiåHÈã˜Ï åÏŠž Î# 5jÆOl­ÀWúµpË¢"íc&>=Œ¤^`w"UZXú°“˜¡U9Gò âˆâÀ­y‰¶˜dðZÛɇ+xÔÇ ÛèFÑ÷B‰‘Ïš#{…—lð?x8²€4¦Ûð+­]Y·$Wȼ̔plѶx ÖE`J¡eR4ò­Ö‡;M—žÔ¬±göúôc}1‚C¾‘L6뛄R/v¼ 5$Ô­÷º@oü Ìþ‘÷Êøn4ÕÕI* ôËNä.0ɦò0wá=U,r[}¨ýÁ¡²Œ?+•Ó`ÉzRV:Ϥ>/ëuFÖ´îÜpJÛ¬§û'rz 1oêÎýμ +†£(ä¶w3ãLNœR}R™Êƒï'ˆx1øÉñƒË ðÖ¬ÛŽ2É7”íÙ' êbæŠûÁvó pI“ôdº™i°Íçé¦_©áÜž ÏÁr«»÷½@Í”z"Y´¥DŒ!Må¹P29•%cÒ‘ËÄBêé¡Zh¯URzlª½)ëÓNUøÒ”þø j}É„¤ºoyÁØ PVÚ D°~^Ñ”°N1]”]I4ïÕ°qÇCÀQ0É×ðŒ²+‚z/bÕ¶/Ž_î÷Ë£ F³RipßÖå +Û¥0’À†÷Îf`>%@Tiùë *Š ÒŠ•Dß—õNÑlf:˜6|‚ hVõ~bßi&¤IƒK +L"¹_&¬Vˆ#o:hP`ÁÖ‹!{A­`j~^LH¢r›«ÓÞÀØgÞÑŸNÎÁï¶3©V#åfƒ6¨Š‚­[÷^iÐÚ;=B:°¯|I„3a/زÁm"R“OÿÕ3ÃK0aÖÚ9ËÕÎQ³bæþð.5èá¼:†×#ç ECš§üEäzE)‹•†“,ðÊŸôàì÷ªék€ÀEI¶V˜²'t-и/܈uüVyî(/ñÒð»ñíÎŒ†Tù°hþ¬À2¼XãøÕr{~p@d‘Ù¨»òWž¼á„Å-\=gZ㯊ˆk¸Ãh$WPX¤ê³ 3éïÏú]p8ÔV +‹UúЋüóܼ%@Ù1Õ ·bØá ]5Ì çun|ÒÐã¹?v•L‡ÃW×ãi0°[»ó½n:^­É§¨«°X= ¯?ì…^ï|Ê‚R@öQÚ[9ßHU!ßAD²#o«ýñ&-W×ÁsÓü½VÒõ¦Z¹Å,œà½¼ØÁu–*¼4^}¯\¯qŒýûŽBÕFÊ* Gœ|†cLÓ"–6_5ø €Öðh?P›âiM w¥úkaÙ'`jpI„/Q`’ƒôRÑqãà®k`v5‡SåôŠÖ45^yNªÑ1=+(x颇’®®/ˆFw@Á¥cužZöáÄû¢hæf«#ZCÎ㪨à[Ø‚£.ºfC”•{p+júz™]”']ï¶á>ˆ¤rÞ +CÀkFÈ`Õá'àÑV ΂l¤c;ô±úxÛKŸø‚*XÜþ4“Q53´k:Cw¿CR2¯Žåì©•ò$¥MóѶ‡‡ýeËAüš~ä> endobj 1045 0 obj << -/Length 3481 +/Length 3487 /Filter /FlateDecode >> stream -xÚ¥Ërã6òî¯ÐQ®Š8xòQ9M&ö¬³›Ivƹl’-R7©ˆ”§*ÿ¾ýIÑôÌd§\.4Ðè' ½P𧩔ÍÜ"É\ä•ö‹õþB-î¡ïí…šU Z©¾¹½xuëEe±‰·›¯4Riª·ÅÏË7ÿxýãíÕûË•ñjG—+«å77ï¾eLÆÍ›Þ]ß¼ýéýëËÄ-oo~xÇè÷W×Wï¯Þ½¹º\éÔko„à ®oþuÅÐÛ÷¯¿ÿþõûË_o¿»¸ºí÷2Þ¯V7òûÅÏ¿ªEÛþîBE6Kýâ>T¤³Ì,öÎÛÈ;kfwñáâß=ÃQ/ “Ÿ·iäS“ÌÐ'sôY[cI€}{xuíÌBë(óÞ ©Z¬\©Ø§D„‚1¤¤”ZþÙÔ% áC—w徬;þü¶üE)SW]ÕÔŒÉë‚ŸÚü¾ì'–óeN»Ñ<‘–™þÓÏt{™©åÓ¡l§×†ûÄ-âØG±6éçˆÜf6JT2ùÿ7*,wb£ì£‡Îãð0Œ8gµê7µŠ†9Í ªŽ¬µ~û$2$‹BÜçmWEØvDž$@ Ê¡ˆìv‹²u~Ù–Ç 8^nó–‘97‹àusxbªfØ.°(ò.ç®Msœô‰º OÒ z¬v;FÝ…®»©Š±WCXd×ðùŽ—:]6U! -‘Ÿºms¬@«‡€ªÛÇòØò¯€ª‹¦:ãU™86‹±t¿ìÄP7,8%Pe#c“ìïð C^TîbJ ¬E #ѵ»ü¡ü¤¼¾\Yå…ÀXÎ ‘UËmÎ AyØUëœ)Q FýAWp¥.‰IÏž¾Ñœ¸‘UðÐvfµ6‰2¥b¡ÛUm' >”ë -Ý »t#0(…Agúú¾ƒÔÚ}ÃÛÀ/½¼ù‘±yQ0ºmËVld@°€ÙRZÛmóŽÑ¬êØÏRDpÝÔ]¾î„¨ñ™rsì:Àn>ŽAM[ÄÊâ„Wf÷Bµ>[~óĨ¢Üä§]÷|%0Íl`Ã+y¿U Üç…@¶¥=šc7gyÞÂL±_¢+·±ãU B„ð5œ®1€&-‚u^3Á])ˆm^ß—#ÉÈÑô±»&y$ë橪ïçÖ„Šf7ØbŠHZQÖÜÇ+×ï=4)ÌÜZÁ»wÄœ "ñ¢nˆéð#LWò6’0eÒG@…A¢’¸ÊÔH<4¯m×€‰<´·‘™ó•5èlXƒQ¤/ˆËùsk&ìÛ.?vtÖ˜…Q›³Qƒt3^3àxôºÙC¢Uˆ„Á -«z-<ªŽ4׌$á|Ê‚$`‡u!Œ+:øC„aAÕ¾ªÁ1Ɉœ›xì@[ñË,«Á¥&ÿý´hï€ÑcUtÛhn)ïtxÖ)qŸ±k`Çë^(ظ[þøEyUÕahàQÖÒXlOµØUz6aPsjam-pÒsÇÊ„i ŽÅ¬ƒ,p"5¨ÐK@ƒ2G -r~@pW¶‚AMEÌ©-Èÿ(;ÐÔãê|žŽ§Xo!•f%2#<Ñç4ô``R¢±:Њk -s€,ÿÈ÷‡]‰Ê’¥t„€ á Á i&© ÙpøSÜÇ$Ï0ÞG)ä>‹eŠH¯ô-xÍ4 é­Äʆd_ÝoQtqº<ìò5ÅŽ,D›4d#€Âˆ -þ±e|U“ c–o<ˆá5°ä™è3¿¤ß«É. ÝH!#<׌·a2¶.H‚ÏóY­Š’³I?ÉÔÊ&ËÿžH­bXÞç±Ç’R°+»ŽmÅr․2& B•K\0a´¨ï›–ƒÿ*ÌÑëd’=@4B5üüŸ}Ëwå–µ `P%ÌG,æ‘ÍãՆۧæÄÀáÔ1ÅÝ?âS–|¦È&— «z5g÷;Iù‹J¼c×À -´ÖË(˜÷lÂ?Σ¿09eü±”¶Éßa†¼˜ñëÄGΫì¿ÝRYÌn¾;Ý}N¾oŒcZ€lp*€ã€}àÿÑÓˆá(€}âBÄŒ2Péuyè˜PÒbÃ>ÛQäç ¸¦&-!úÙèÿîª€í£µĬãXcyQð9$EývªjÀæÅùI¤Ü3­>=–q—X6‚leªÁº§£nºsuf˜¾àŽC~YÐ:LXß¾ûðµHz[ŠH†¼}`º)óî4Æ÷I×úü zÎt 6#Ù -ý^ÚPž9¥YÖõÀĘó{ÀQ~ˆpc8æ¹!uôV(1w`”Äz&|*þ9 -Á„ÍS˜çøÄݘ+½Pž¤ ÄVœÂ(Í’²Ó ]R=<©9qowjë>ŽÀÌC ŒÌŠ‚áfÆÖ}%‰O…ô9dü–K4˜òD·pV2%*/‡> *vç[š$Ÿœ¯s ñ\ËAU¼?I©Zò ZrJè— Y’1¢=°Škɬ^1/¼‰õµ¬£ÅÀÇc.ŽŸµè¦f´Ì{•ârb|àÎ -e#•¶üÇŠ…ßÃ8Hºw§¢œ=}‰¶ž򼍨 ;‡â¿DÏ,ËÕNô¡æ>Žâ>$ÊÖåa+r¦Ð½/s2¡ÄüÔûgò“B Ù‹sXç\ñ¢÷;&A º9í -ö'÷eðj(aBIõHtá¼99@n`.Âpðóó'ÊBÓv¸<ÒC‚0; °ÔÄg–¯{çí \åsGdƆ4GõÖ+­0l`‹Ûò#™6Z=ßl"4:9pd7ð¹)Ç>h(¤j…œP%9ëHU!Ä‹1î-ðì [¯6#_ÔïÆgsKíƒ_ÂW*| ð‘ss¦ÌIoPãò]oâú£Kú¼@èBÚ\YQù¬ø&ûŸ…p=º€\•.ÎT¨7”¸g£Òó5ªàt’« €8†Ð0Ál{öÂæ!O‹ì Îz'CBj4wÎra<ÝäÇ£wC•h%0Ž‹( -‘¾‘€É[¡áO²)ü&+÷¬ç0ïš#‘÷m>d@m³;ñ½ÐxT>'÷ûê®MÀË F8†IlJ¤*Ää¤ZŸ8ã á òŠH7¹jïãW:T ä³éz_Š†[9ƒ;ÍáˆHWu*/1MAc«¹Í¹9«¾0Õ¨PüãžSÛ³zýFg:]Çq‰ª0Ÿ'ðÈ°êcÙõ!Ä⤪j)û´Ú Õ$‡c­"¨gp­6óã!Ÿ+©rÕ‹ ¥XÓ&}ÅD‡'5 ÔTå±ÎwŒ9a3–L²ãþÈÁ‚úS·ý©Ëâe=gî_]¤ -ÀTðå7˜q¡ó…ÕÓP’iEËÙÏgÚy±$äüxE¦ã6lÇc~,>«*KÔòˆž<$ ?·bñM¦bï®ØÐÕÃíD}9â)áAî+Fá>X<ÆŒõÜåm…ŸeÖûüEÇÅQbuPöá -iªÅÖ¥NˆÚáýØ%œ/»<ÕÓaîÉ(õQg!~Y´Ž®R„Œœ32§™ªæòöxnA|’=>­@Í­õÄlëâUðg|-È%Ií9ßùÇ.ï" ™J\§Wfù¸­Ö脼‘»sç!e=0ÃB$ª¶¿ŸJ2]rND )é*Ó°tåç2W7„ „%ŠXóãŒK:I\Ÿ+E„jf„ ³8ŠÓ,ý,)Xð Iò\G{5~îóÉd'ñïœI` &‘‰žJð^tèžäg!„6³ç¦‹ŒN>kÅ&Š“ÌŽ.ï-In`“ð B¯hb“´)Äàbb{®Y|ØV+N+ ,Xþ:Üëp'N}pôxŒ_ñÀêrJ+:Y'ç¯ôF‰)§ÐøŒþÔó+ ^z•@?óÐ!œ>ñ&‘7>Ts Êpî‰6­ãg> :•Î‰24Ã÷‰0ß'¢bçüËy' ‡CZQ%£È™ŽB"`ÂïWtx–]Å`wÎL/¯é­++j;Ë·ž Ý)ÑÂE îwÍÄÚe¥Nµþ¤s±Y”‚YŸÉŒYãum(¡š¢çJȧ!ƒõaì㉇êoŽñ']ƒ#Q;]´ÐÏ#Øq=uÂ6´½@³‚\zïN2ƒœŽ“ÌÓ…d%8ÄP¾>W¨öÙ þ®CZÎm`)Úðª—0¢*T òƒ­x~WÉI9fÔÿ`d¤í/ç+£,à 3 иȘ˜~39ä=óã.Õÿ*ë‹J6üÎÎAò‘¦C&s®‚ -ì|ÖÂBbf9ñÉ3y„ßœ ÕhéÿÄ-6ðendstream +xÚ¥Ërã6òî¯ÐQ®Š8xòQ9M&ö¬³›Ivƹl’-R7©ˆ”§*ÿ¾ýIÑôÌd§\.6@èwÒ z‘úHÙÌ-’ÌE^i¿Xï/ÔâúÞ^h³ +ƒVãQßÜ^¼ºŽõ"‹²ØÄ‹Û͈V©4Õ‹Ûâç囼þñöêýåÊxµŒ£Ë•Õò››wß2&ãÏ›Þ]ß¼ýéýëËÄ-oo~xÇè÷W×Wï¯Þ½¹º\éÔk˜o„ ®oþuÅÐÛ÷¯¿ÿþõûË_o¿»¸ºíÏ2>¯VòûÅÏ¿ªEÇþîBE6Kýâ*ÒYfû çmäµ³»øpñïžà¨—¦ÎñÏÛ4ò©Ifè“9ú,Š­±ÄÀ¿¾Æ3¼ºvf¡u”yop¨Z¬\©Ø§4c pI)µü³©Kf‡.ïÊ}YwÜü¶üE)SW]ÕÔŒÉë‚ŸÚü¾ì¶ëeN»Ñ:‘–•þÓ¯t{™©åÓ¡l§ צûÄ-âØG±6éç°Üf6JT2aùÿ7+lOb£ì£Bçy +h fœ“Zõ‡ZÅNÚæj£#k­_Ä>‰ŒÎ"÷yÛ•Ga¶ O Ê¡hØíyëü²-0àx¹Í[FæüZ¯›Ãj6Œé‰"ïrîÚ4ÇIŸ¨ Ò$m€AÕnǨ»Ðu·#õ@6öj›ì–ÿáx©ÓeóP¢ù©Û6Ç +°z¨º},-7xT]4Õ¯ÒÈıYŒ¹ûeCÝ°à”@ ”ŒM²¿C3LyQ X¸‹]ü)5°ŒX×îò‡ò“Zðúre•—ÁÆ"/DV-sþÊîZç<Õ`Ôt%Wê’˜ôì¹ámÀ‰ÙOmgvk“(S*–q»ªídÇr]¡»a—€n&¥0éLX÷Àw:Àwßð1°¥—7?26/ +F·mÙÊ„L0[JËs»mÞ1šUû™‹®›ºË×5>SnŽ]§Ø ŽcPÓ–±²8á†ÉÇ=S­Ï–ß<1ª(7ùi×}­–9‚ lx‡@ ï +#÷y!ІmiÏ­Csìæ,Ï[X)öKtå6v¼ D¾éhÒ°ÎkpW +b›×÷eÁH²Gr4}ìî™Isž‰bÝ5'§Ž(íþÉKMH²L‘L. VõjÎîw’ð•øÆ®h­—Q0îÙtœEaj>Ê÷c)m“¿C4Ly1ß׉œWÙ'ò}º¥²˜|wºûœlßÇc²Á©ŽÃ ô÷GGL ’ˆá€}âBĉŠ2Péuyèx $ÅHO¾£¸Ï!pMMZBãgcÿ»¨¶}ô¥fGË›‚æõǨª›ç3$rK̳úäXæE\X|`Þ²•¥랆ºéÎyÔAáñwò£ð‚öaÂ>øö݇¯…ÓÛRX2díÑM™w§1¾O¹Öç‚ê)ÓØ g+ôwxeCYælŒfX×sÓbÎîGÙ= ¾Œ!W ˜>qôVFbæÀ(‰ôLø$£PÒˆ9—4÷UõÃsvüáSÝMCåC…¸ûÇri“‡„ï>Ÿÿ…‡`Âæˆ(¬s|ânÌ”^(NÒb+.a”VIÙé†.©žTœ8;µuG`æ¡FbEÁp3cë>‹’ħ2ô9Tü– 4XòDwpV²$*/‡> *vçGš¤žœ­s Q®Œí *ÞŸŽ¤T-ù-%ôËu,LÉÑžXõŒäüÕ¯€˜—obÈ @Ë:Ú 4sqü¬E75£eE€Ü«·»àwV&©³u ?V,ló åÞŠrVúm=+´uÏ]v¥7¶DÏ,–ÊÕNô¡æ>Žâ>¤ÉÖåá("SèÞ—9€ŒÄìÔûgü“2 Ù‹sXç\ï¢÷;&F º9í +ö'÷eðjÈaBIíHゼ99@`.Bpðóóe¦i;\é¡BA˜Xh„Ág–¯{çí Xe¹#2ã”…´FõV+­làˆÛò#™6Z=ßk"4’¸€²hnʱÊz Õ*ä„*ÉYGª +é ^‹ñäpk²ƒl½ÚŒ|Q"˜ŸÍmµ~ _¨°@ ‘óçL™“Þ Âå›ÞÄõ¢Kú¼@Æ…þ^Ú\WQñ¬øûŸ…p=º~\•®ÍT¨7”¸g£Òó=ªàt’‹ €8†Ð4Ál{òBÖ!O‹œ k-™R£99Ëuñô ŒÞ 5¢•À8Þ,¢(Dú>D&oe 7ɦ°Í5'ë9¬»–z0ܶùµÍîÄ·BãYùß﫺4/_4á&¶Q(ª““j}âŒ/„/È+â¸ÉE{ǸêÔ¡êL œM×ûR4ÜÉ„ØBœTU-#¥`ŸV›¡šäp¬Uõ nâ£Õf~<äs"U®Zhq¡‹0mÒWL$<©¥¦*u¾c¬ð™>ãd)À$;îEÔKÝöR—ÍË~Î8Ü¿¹H€%©àË/0ãBç «§¡$Ó:‹<–³ŸO´ŸòbI†78ò㙎|Ö°ù±ø¬ª,QË_ zò”P<$üØŠÜâ{LÅÞ]±¡‹ÿ†¿õe䈦„¹­…Û`ñ3Ös—·Z|–YØïó÷G‰ÕAÙ‡+¤©[—:Ô¯Ç.á|Ù%à©žsF©â8 yðˬut•"ÃÈ9#qzŽ©j^!Ÿ!rƒ â“äñajn­'f[¯‚8£k/IjÏéÎ?uyÍ”;à:½2ËÇmµF'äÜœ;¼[<0ÃB$ª~?•dºäœh0¤ ,ÒU¦aëÊÏe®nK±.槗 ã$=rý}R¬=ª™a‚Îâ(N³ô³¸`Á3$ÉsAêÕø±Ï'““Ä¿s&%˜D&z(Á{Ñý¡{b…ÚÌÊM|ÖŽM'™]Þ!Yâ ÝÀ&á9„ +.ÞÑÄ&éP:‰ÁÅÄö\³XØV+N+ ,˜ÿ:Üœëp#N} zãWü°†ºœÒŠaœ‚¬“óWz¡Ä‰”Sh|Dêi‡¯?½J yèNx“È ª9Pe8÷À ‡Öñ3Ÿ€ÆJçDšáûDXïQ±sþ݉¼’†Ã!í¨’YäLG!0á×+:<Ê®b°;g¦—×ôR„•• µå[ÏŠ˜n”há¢÷»æbíŒ2R§ZÒ¹Ø,JÁ¬ÏxƤñº6”‚PMÑc%d€ÓÁz0öñÄCÉͱćOj¨. Ú ¨çl‹8ìøJšòK‘‡ŠÞŸƒYA.½wtÉ‹?ñ`é8É<]HV‚#A åës…jŸà¯:ä˹ ÌeØ^õFTB…*Á«þw#âøU9$'å˜Pÿs‘‘¶¿œ¯Œ²€/Ì,@ã"cbúÅHäöÌO»Tÿ›¬/þ!Ùð+;ÉGš™Ì¹ +*°GðY ‰™å<Æ'Ïø~q&£F[ÿº96Sendstream endobj 1044 0 obj << /Type /Page @@ -3798,25 +3789,22 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1065 0 obj << -/Length 3260 +/Length 3259 /Filter /FlateDecode >> stream -xÚµZÝoã6Ï_aôå`ÍŠ¤(’¸§í6ÛKqݽ˦¸Ú>(¶œ¨‘%×’7Íýõ7Ã!e}YnÑA`Šq>ô›áÌH|Á_Å"iã…¶1SW‹õî*Z<ÂÚ7WÜÓ¬ѪKõÕýÕ—ï¾°Ì&"YÜo;{Ã÷›–ïþñö_÷7w×+¡¢e®W*‰–_Ý~øšf,ý¼ûøáýí7ßß½½Öñòþöãš¾»yswóáÝÍõŠÅá~áw8sÃûÛÞÐè›»·ß}÷öîú§ûo¯nî[]ºúòH¢"¿\ýðS´Ø€Úß^ELZ£/p1n­Xì®b%™Š¥ 3ÅÕ§«·vVÝ­SöSÒ0e„ž0`,;äŒãd¡•e‰Òð%ož®W22Ë,]?¡>p—èÜ'Lj¡€’§E]­ÊªÉ·¯ž¶ËA &E¢ífs¸æ°q]‡¦Â_»¬³rãgž2ø-ÝònH³ÞMf™Òâ¾:44QÁ͇°MZÒr»á&Û¦Ç"niŒ9¡á -• éWœ3«”ø-šr¦c{MóšPä4Øei™—ÛcA×Ûê@ƒº9>ÐèU™Õ7É£å=J“­ÔxvmÂj¶Û7¯4,òºa#ôE,Ràšk&´ÓÞæ‰V]*‹˜ò¶@…z®Ÿ²õóªLá yóX²ÄØ Ì[ª î=¨ÆðHt4`ÿ”;P¨eµoòª¤ñKê'u¶¡Qî—(àÈÐI-=.›C¾nü -GŽé!]7-Xõ„!µÜT»4ìO–è±Ü¥5Þ ÖY¬À/µˆã>®~Œ"Qà]"áË´Ü|é 1çëŸhÒ ·¯Êšè"?µÎòϨ"mÝTµ£+‚–YóRžW±,ýlªìš/=sB뉡·nã÷ã]kà%ZU‹‚N…Ñ6¾Þ6ÎÈ68LÑÝi=zJ¾ÛÙ.+›ÖÇ*¢˜YnCÀp€„3GÁ5 )g]%I$ã¨g]¥KuÞUZ*ä»I›ô!­³‘Ÿˆ˜8Âæ9·T¬{~",3 }ÞŸöÙš¢i쥔_÷M9(Ão+#­W4û੼;Å>z!IÝTkÝcŠd´Žâ j|H£{N·l«¢¨^z;L„cc®Db]{Œ1…G‘ñü9{@D£ôB»0ê~K€ñž°Þ8Õœ*~1¥ «4r6‚—§¼_L×Ùj“ù.÷·êeà‚A\³‘Æ°€~û dÙÒó…‡ ÷(<8'±Ú{! NÊMÃ|CyÌ¥å+ êãCýr$‡²)=éOû´vÏØ-ôè’AŒj^¿üõCé3²ºsz#RúyIý©V#pÑk ªÁ ØáŒÓ`Ö25LJãÏ $ˆyç8…‹Ü eºÁ2…Œå‹ÃCóÅÂÐËÀ=ÕÜO†à -;Û¿ù  -ã2m H{Žåj—íªÃ+]’6«‡"…ðÕÐeÔ+†;Òþ¤=ud@c -ÞEV@Þh’¾Õ›ôÙÛ¨÷<§ŒõѧQ2^~N‹£;Ϥ<öU]çEFKù–f!¿Ë1¸¦ÍwÃI¼ÜÀ¿ÛSúÙO?dYIsE^>;_‚Y@IE³>\ÅpÔà~Ì¿]NΗŸª]6uøÔ)!éIõ,@n]7€”õö¡•c¤z8Rb30‡U™Mlè"úáµ—È=w”LX,Õ…s§KuþÜi©\œÌá!îG§ÇT‹y¾-ÕãÞ©Ú`5Òãü)ˆ&Íêõ!ߟ, -Auï­f‘ˆƒsä0•à©‰ )Ø{ "¤-,ÖV÷T¤ÅÃã‚we[ú ÊŽ÷%e×'µ°nÓñ¡HñWö‚Õ[ª ‚ŒwCAÎ#,J@(!/ ¬C5ƒ°@åžPVd)j¿ªÊâu5•0kì<ÿ@4Á¿4Èå,–=è …ÓN -™>Ò؉B…â~_ä”–Û¶ä|Ê˦sd"•b8J±ØèåíÖ¯fM»ÃøØ€È ã8䯓‰¨à,Šày xE¿Fµ!qn/yQxñ ì¤‘?O¡@”ÌZ3(#üñ‘¶gjê£^îsñ|PEÒÆSwøÛ#õTŸžW 馱—*Ì.ÕypµT¨¤š/éa3Κ9SšÛyÆ-Õç~Öœ0¥¤ì³þH’ªW½»ÓiKóþlRmÆÃÁVÓTJ?$¿Ë¸üáûZΰØAw¢¼QÓQÛ7 ^5„ÈÊ5÷Dî¬&žëôXgžW+bQUÏGIi^¦„…"IrÞ?IÓ-zppxuiºÐ¡¸ÔÑH9\¤ ³¦io)+šLËú…qLšt‚ét1mÎc¤×.¤ÐVp°`…—êXxþ)–^&š)«Ãsœ -æpºU4LhÁ"“Œ,Ï6ç ²,±‘ºàªT@û}@BMÂͲD¬{ á—è]ÞßS5À}NýȦP´øÙ'? 2 G®òdz¨œ­a®†Õuqs£ KÜøFL´¹Á¥TÜ5þð’|îÄ“ê  (Ie™Iˆ»ˆ2Ç.Õy8¶T.Ïú•M«s½ gð<û–j‚ÿ°—‘@„ë ðŸk+ÜÙÆmèðq;pà a82´€ÈÅË:ô@ðÂÙW±gDS¢Î ¬RŸÕ!mQ=ÒÊ‘Š~®Ž(t`ÈÃ$¶ñˆÒ=oœÜ¼ƒ|í…ÝCAäC $ÌZ*=è0—¾—wûß÷wŒ† Ô’ý¦]þXV¾E7èö…6¨o%ú– ²³<®›á ¤?N9':-ñ¥×è‚v¸àJd°ßg¥‡=\þ(Dì3#ÝmÆÁeC€fÁ«ülï¼ù¹,&Ü’kf¥©•c3Ý ðÊP]1ö7‘&ç’+!¡|žwœÕŒãªžã4»ýÊ›sÔ2ÇW>â‚-Õ„ý–¹b\Ë­ûPÖ‡’rS­]G $U§H ¥ìé-šñ¯)n[ nΑڳ–F0« 'f—ê¼¥[*Tq—þºrλͼÅó]¶ˆ\fEÏKÒRMˆÒ3·¬<Ò¦/Ë«æç4ˆañíœÖg«bi ‹­=¥gªâ–þ‚úã}ÏUÅÉP$  ‚̳ϡ¥º Èx·ÙªX( D—ªâ.Õ -Õä3Ë7Å4 -!¿P‰—¤¥š¥BÌãñ1teùs:1s Q(Y1ƒBx6غèj3‹BOAýñ¾¿…1¾‡(9ûZª ‚Œw›G!‡Ãyv¨fP¨ÎGŽêØŒ`hb'*™¥¥š¥C ‚º+Ì_îJ£/ »à‰=Dk™Ò‰ê©=Ä@Áã};X¹ô Ñ1F{Í¢² -%RŸÑy ¢óac‚PòÛd^Ž–h,H€ K´îKòÆ]}†qÐÂ#Öñ üb0˜V]•gÑçÉç•íú;°1 ×Ü4ó2 wš^™ÖâÏ#¯C5½@Eezø\§ÿòC€lJÎóm©&÷_~hDdÒçüç`íìçFj€$IοüP ‹´2=ç^~ú ÊŽ÷ý/?Àžê’Õ[ª ‚Œw›G˜äøÒæRlëPÍ ,P!Çýñá9›@Ü5Ï·¥š`Üo„ÄÌkúœoÑÞ:µŒ öT –ð®3mc÷Yð |Io>µò½)˜ö ß²©i£‚v0pì«h¸ uvSíퟳ½©OO,]ÔuþX¦þ#|¥KÓ/ü›ã©Ÿ!¨™ƒ¿_øôéæq'³ 9<é‹{‹‚#p´Wúe»6é&Ü×ùF -®6yí¾‹Šx°!LZ¿VÔo¤àöõ$Lzzâ3‡à È¾í ¶ß=õ;8Ý(qáó$­™ÐÉ…<±C4óŸ'BaÑž«º'W7ùzâS>˦ósÜ[¢1û–„cUÿívâ•$ÐBοPëw†ÞЧþ«”$|0àÆô> GÏY¶÷ëAáÔ/ååßxüÂÞ£`„¦zãßÑ=åë'š]§þŽÏ{sÜí³ !^sf¢hÐêê6¯&Þ~h›$¼Û>=™Nãhøý)$ܪ½c“!a9lË´(kMsj5³sŸ.KÅð{ã‰gÿñø³æÓ7ß1~ßiÄ™¨%Ì«ƒP¨«²CÉÛïŸÇ¢ÿ -"÷endstream +xÚµZÝoã6Ï_aôå fEJ¤ÈÇí6ÛKqÝíeSÜm[NÔÈ’kÉ›¦ýÍpHZ_–Ûk‹ 0EŽ8úÍpf$¾ˆà/´dQl’Ej&#.ëÝU´x„µ¯¯¸£Yy¢U—êËû«/Þ)¾0Ì(¡÷ÛÎ^šEZóÅýæ‡åÛ¾ùîþæîz%d´Tìz%U´üòöýW4cèçí‡÷ïn¿þþîÍuš,ïo?¼§é»›w7w7ïßÞ\¯¸–în‡37¼»ý× ¾¾{óí·oÿæêæ>èÒÕ—G1*òËÕ?E‹ ¨ýÍUÄb£åâ."Æ‹ÝU"c&“8ö3åÕÇ«‡ ;«öÖ)ûÉX3©E:aÀ$îG0NÔ"•†©XÄÖ€/Eût½Š#½Ì³õêw‰Î]‰bq*$°Bò¬lêUU·ÅöÕÑv9HÁb¡RO»Ù®9lÜ4Ä¡­ñ×,›¼Ú¸™§œnK»¼ƒ²Ç¼w“^f´¸¯-MÔpóÁo“U´6ÜäÛìXzÒ-­‚1'4\ š~Å93RŠß£)gi"§iÑ*€œ»<«Šêq{,éz[hдÇýVWyp‹y´¼G©q2H~×Ö¯æ»}ûJòhZ6B_Ä" Ž‘ò”Å:6ÓÞæˆV]*‹˜ò6O…z®ŸòõóªÊà yó$fJ› ÌÕ÷Tx$i4`ÿTXPÈe½o‹º¢ñKæ&M¾¡Qá–(àHÓI..ÛC±nÝ +G‚ŽÙ![·- Xu„!¹ÜÔ»ÌïO–è±Üe Þ ÖY¬À/S‘$}\ýE¢Ä»„âˬÚ|a¡1ç«÷iÒ ·¯«†è"7µÎ‹O¨"míT½£+‚VyûRžW‰ð ýlêüš/sB뉡³nãöã]kà%ZU‹¼N…Ñ6¾Î6ÖÈ68ÌÐÝi=zJ±Û—ù.¯ÚÖÇ*¢„n|Àp€ÅO"ïš„”³®¢T̸êYWéRw•@…|7Y›=dM>ò‘0 GØ<ç@5Áºç'Â0­¸èóþ¸Ï×M÷(ãBãë>§) eø 2ÒzM³ŽÊ¹S⢒4m}€°ÖÝ8¡HFë¸!ž Ú…4ºçt˶.Ëú¥·ÃD8æ0æRô!ÖµçÀSxi÷ÀŸóWðD4J/RFío0ÞÖ[«š€SÅ-fôƒa•FÖF@ðòT´à‹Ù:_mò²ØîÖté¹`—àl¤1, ‡ü>Y6€ôbEáÁË= +ÖIL꼧e§áA~NyÌeÕ+ šãC“ÿr$‡2)éOû¬±ÏØ.ôè’^Œz^·ü÷Cé3²ºuz#2úyÉÜ©Ö pÑk êÁ ØáŒÓ`˜jÇÚHðÎq +… Rwƒd,<òËg‡‡ö³ „¡—;:ªÏq¿ØWØÙüÃUWY AÚq¬V»|W^é’Œ°Y=”„¯–.½¤N1 ÜQêN:ÑóQKF4¡àmQdäZõ­ÞfÏÎF½ç9e¬.Š“姬<Úó,ŽO@Á…}Ý4ÅC™ÓR±¥YÈï + ®YIóÝp’,7°ÃÁíö”}rÓy^Ñ\YTÏÖ—`PRÓ¬ W 5¸óo›“óåÇz—O>M†GˆÃ‡gzR=÷[—Ç e½}h©Ž”Xà ŒýaUå[zºˆ~xí%rgÏ+–Äò¹ӥ:î*' xˆûÑ©ÃñMÅ<ß@5Á¸wê@„ÖXô8Ìó¡Ióf}(ö'‹BPÇ{“²H$Þ¹Nò˜Æà©Jûì=PÒ–¤&í©H‹‡Ç î:Êú ÊŽ÷%e×'µ°nÓñ¡Hñ—æ‚ÕÕAÆ»¡ ç)JÄÖ¡šA˜§²O(/óÇ µ_ÕUù:‚šTÌh3ÏßMðï r9ƒe@O +ïFáYg8†ôE±³Ù~_t„*w8©åSA¢ôG¦ò¥Œ|)–$éòvëVsG;Œ ‡+‡Æ×ÉDJ)ÄéÔÀÈÎQ9Ѽ”?!¯—¢,P}ÒÈ«xܳÈèAºàN‘,­™ ~…KÉ‹A1é6>¾ÃÇNÖS™zc dÚ\*4»Tç1¨P-È8_²Ãfœì0EÁ)o«[MsÞÁD*X¤U2t°"ßœwpJe"yÁ:T3à©:€öú@ ¥!7ËÚM°îy„1£tyOEw©=¶ ©:@íâfŸÜ€ª%Ùæ™eý`m s}˜0Œf†Â+,îF–¸vý˜%€—ÁfVÜöÿðÒËÀ“Ê¡ (ÅÒ°T(á Ò‰(Ãs¢@,TÓT› ƒ\(©6õÚ6|Ywj6_Ùž^ªi÷Öâ6qsŽÔœµ´Ð‚™D^89»Tç-¨PÅ]öëÊ:ï6w/vùj\/òT3#T2/I š¥gn3¥º/ËŸ+‰=æç4ˆaðe]šž-’c­Yb´è)=S$ú ê÷=W$«¡H@ @™gŸC º Èx·Ù"YH D—Šä.Õ +=Õä3+6å4 +!ÏÊÌK¨&Dé£óy| ]YþšÆÌœFCÆLEZÌ ž v2ºÚÌ¢ÐÑ_P¼ïïGa‚ïÄ!JÎ>‡@uAñnó(„ã0Æãp…ªzªó‘£>¶#ê„%JªyQÕ„,}ÈØÔ]aþ&vU}ðÙWæ<a2U²§ö=ýŒ÷ýý@T°réAx¢ bŒöšE!d,RRŸÑy z¢óac‚Pú5/G  Ò b*Mû’üM‡qWŸaÄ&ašÌÀ/ƒ¥²«ò,úù¼ò£]ÿö"–BÅ5÷<ͼ Ãæ§8KSHñç‘סšž§¢rݽÓ"@6Ïó TŒûïBRD¤êsþk°vöë£j¥Ôùw!R±(•º§âÜ»OAÙñ¾à]ØS^²z º Èx·y„Åßá\Šmª„y*ä¸?><çƒÛ"-çùª ÆýFH´6ºÏùí&¾Ö‚‘ÆÞªÆÞ¶¢`&”q0¶_Iá_ÈWô"4•®GÓ®AâZ· 5OT°ÄŽ] w¡Îv*Üþ)?ЋûìÄÒ–á@ÝUæ¾yÀ7ŒI¬û…{<õ35sð÷«÷?Þ¼¥1îae$‡#}¡·)Âv¼_itê— ìÚd_ç“)¸ÚýL*âÞ†0iÜZíP¿M‚Ûד0ÙI良¼7 ûÐ! =¿~§%.|­”¦L¤êBžØ!šù¬Ï¡°hÏUÓ“kÚb=ñeŸaÓù9îh̾‡e ¡AÙã»xà ´ˆõÿõ~Í¿À³ßØñé½Úsžïýë?§pæ–Šj‹o +~a‚ÀmßÔÍéUÝçôMéËS±~¢ÙuV…wuöwsÜíó !>åLGÑ ÕÕm^M¼IY¢•Õ}z2ÆÑðsTH¸e¸c“#a5l˔ӜZÍìܗ̱døùñÄ3‡‡ø?ý•óéð?÷ÔâLÔÓ¤^(ÔUš¡äásè±èÿt&˜endstream endobj 1064 0 obj << /Type /Page @@ -3960,21 +3948,22 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1087 0 obj << -/Length 3071 +/Length 3064 /Filter /FlateDecode >> stream -xÚÝZYsã8~ϯð£S5æðÒµo™ÄéÎIÖöÔ3ó ËL¬YòJrÒÙ_¿ AÊ´c[ÝÛéÚÔ¦«Zx|€Ìþ±A*9ˆIÊ‚A¶:£ƒGèûpÆ옑4òGý0;ûþ:dƒ„$!³o­˜Ð8fƒÙâ·áåÇ‹ûÙxr>â†ä|„tøÃÍíR|\ÞÝ^ß|øurqÉáìæîÉ“ñõx2¾½Ÿ˜‡„]âŸw·ct}óóøüÙgãYDz,F…æ÷_g¿ýA 8Ýg”ˆ$ÏðB K>XÉ@@ -á(ÅÙôì¯Ý‚^¯™zHLˆIó耜$0I„ ùŽ ‚„ð8âFPp48%¥p´ªTöhy¡ôÑpF’ 0 ÐÁHPF,vS ³“gç ¾¬Uƒ+TV’ª©6u¦Ü[VÕ ;$-ØøÛR•Øj+|þÚØ ³¥ZYF„§qàƒK’H& ³ekŠ 6*kóªüÞâpX¤õ9‹‡ªxÑÝÉp^Õ†R=«NxÀ÷öO®/‘ º“v‘…j²:Ÿ+»C»T86«ÊL­[¤êãjbŠ¯xj½rfG›“k‚Ý÷wÐÉþgv"ΩOÖÉN¦>­‹4/õÞŒŸ C•fK¤å¶oÓ¨˜¨L¢á4/Ͷ@EnaÂz3/ò,ÕÂÁÃ1<ñÈÐpGæZŠOªN ¤—ê—˜LìVËôÉ.?WŽ¡|¡Ê6ÿR®ö‚×±Sv¾Zjƒ•#8Ý/­Î¯n§¤Ó¾3Ô¤{)šÊMΊÍBŸÜY뎑°Of‚1ÖÎ\Ûe¯¥]Àtð¢Z¥šoÝ.ӕ–'ƒ)©R-”>R"†c£8GÄÖ2ÝÞ¨ZGú‰g÷MÊlW>Tõ*µöÎi ö‘»ÕWé 6æv´Z­Û—sÆØÐrÂ=dqfsμÁð|½9Ô߇¥MSeyŠj…÷ç¼]Úœ±Në6Ï6úN2ÊM·´ ëgV­ÖUc´Û¿Q0ÖÅ70Bà_PäÅ{¥ênÞcãå2DsƒgŠ<®¦›~­KhòÇÒ(3KKKB#†F©”k¹áZÎú¹¶òRõ“3±cáĆ^7ßáfN¶…G«j]Á…°M-:˾‘ -Œj÷µ‡FnïNȆÁÇÁª:®é…C1l*P@ù¨_¬taØjS´9ÜH¤¢”€œÛçZÕ«üœ [Ô+P ШÖm¾ÊÿíLf¯7µÖ_c÷ëFªO©¾ô–l|vlÞK•ÖFªÐF‰b{nïs[çνh ÖM«†ÑáT©ýÍ“ˆAå ˆ‰ca‚'vÖlL¼hÛù0ÚúžãõºúhS P–pá™±}žD“$a|‡§Wq¿ÕɈ‘1Kv9±ggÛ„’X$üsEÑïcàÕºGEÁ÷yèB‚ÓrÀ!=<ì­£0ANED†4ŒHñÏb -kKÆ+•àÙ÷MêœÎ5º`bC½ºþ²2&`ß ‘”Dq}Z2&öÐâ7Ë1âݾ£à< -kÙ¦›±»Ô¨;Ô(à1(Q“ Š'’%辪çÒ]eâ$Ú"v½~h=k?¹Ýè‰ÿ¹UÜCµ)(ìØ€â(|ìóûu2ÐÒˆ@+ q|É’nÆQ±Ê„ƒ£>©r -6-t§ËÏG¡ ¸ôáÉ¡*3€‹ò`ÈB$ÎóOi±Q؇®X¿vàF[ê1f}M2 ÒïBÅŒÌE‹Æ©]¸áãd™ð¬Ÿ-Bzzül©î¢ià3?ÙŽyÐê0G“ÓyÓÖiÖúƒF‡‚évÏæ¸Ùxúø:o­FF$æôK–t3Ž[ À½†¢Çld ùcÛ¬jö3XMØ+eD˜¯L+±ÂŒ‡EþdûŒîu<™lØô úŒù $#169ô Ž¯h…ºr„GT^¢í⨠mÊÜ8gˆY?!¬ÊB*—i9·ÃÖu¾Jë\§…úucAg„PMì3$™ä뀕Ày_Ñd€í6-L•ÜÆ qꆗPê×eõŒð©¨œ1ZÌ"nÝóƒˆÝl»pè¡òanqT³¬6Åb$-ò&K-v>á}Óù:sÜZ85ž,¼ZÒÍ8náœ.Â>!‰àW@Ò&.¤DÇ(„ç…DÇD4Ih8Ç}- bôð²›ùé‘)>0¨Ú*« -ú®´Ý0fk—Ù6mZ:L±:üeOhn+’¯“ò7UœÐ8™}M2n3B×4¹Â‚þïB=BstŒÃp$C›¯iRS­”ö] ÒâG µªRëé‹´MíFµ†v2zuÙû븆ü³¿•Š¶…Âÿ–daBDĘJDh´[±|ÁÐ{Y5®¨±XXqWú;¾U:ò-C!µ£>`)¨$2²ùÈ„Õëi(›û§ðKDãíù¶¢ao)ǺœÀ{DÃ!XŒäþ î@°ÞY¯à’W]mÝÅvTj>;ïØ xë>N -¦$Û¡]O¯~©qÇ;æ¾yø‚ƒ CÀŸ§îƒ­ÍÚRáØx^púè|›£Çñ{–k1”³¸O°aLBj3ÀËñä2Ÿ™AXڃݷ;—B<æ­ ™ª[[0oO`Ÿ‘÷,¯@†} BáàåíÅ/c°žP&{)Á>„|®*·1y[ÉêP~é¾såé ?hYŒÞyÅŠ³ˆpÊzý ”$Lb÷%Ä¿#ˆH/Ô£û„ÙjÐÑõé««à¹C]º…1$Ój]¤™IÏ`)` [RÔ*’>*GRêÕ¿HÀ/\ºúÄ5úe;C×Hôsnß‹ªúÓMÞ¬¯.ÕÕ‘Ú“É,ö>‘šoµºÁÈŸ° OàoU“ú7ŒP@ŸYPS–EOÿáþnªK}€¦~9rçz=ÕÜÝ­uÕäÚ`ÜçŸIùÀP]ÅÄ~Fúùîò„D·¬¾c—ÅAxBû\A§Ô}!Xñ›àì=P§vAI"ñ¹~ÇÙÔ -bÚ—T±ÈTØÑ/þ4þÈ6àà[[éÜ…$øClÿ©œIú?Nœëöf]ÝN·Áø„`=Žß³ÕÐtÐ'ØÊ&e?ýâ$ì€H÷¤©>eËt['xp%Küfó%âôø|Ïâ”$¯”õ‰S&„!&rNÀNÁ­îû€NZ¦0cjVðòá~êBýCåýVa7ìC–¾rÐNúù·’ñ7¨3ÎH$½± &0Ê ü&$ì•ÉÆXs`»[Îfñ • púW~ ­äŠ’£aÉíÌ£`q¡ZØðb÷OùVõÞoað4$°š1&`A†g¿½¸ŸM4¶~F“nÚ%˜yûâà˜þ¨g~”tBHÞîï8z%<¯7xQó ƒ×íôâDÅ]Q°TísUÿ¹­?äî‹Ošeºš³Ûqyœ¼c/ -܆‰ì‹I±þe2M¬¸tH -ã- uæ¸éIm#Œÿ°m4Òèv~8r\‚o_w\HíHÄC`@ ‡xzèKtÐ+ÞÏýyøö'ò2dI²»ï,çéµÌïa_ýê¬û¹å±þt’øEendstream +xÚÝZYsã6~÷¯Ð£\!¸Hûæø˜8‡í•”Ú#É%Á+©%©ñxý6ÐÉ’˜ÙñÔºÖS5š8Ýb +ÿØ ‰©¨T’ˆ²h0_ÑÁ¼ûpÆܘ‘4 +G}7=ûö&fƒ”¤1ÓÇ`­„Ð$aƒéâ×áå÷ÓëñùˆGt“óQÓáw·wWHIñqywsûá—ñŹ’Ãéíý’Ç×7×ãë»Ëëó2â°€pKüóþîÝÜþt}þûô‡³ëiÇrx,F…á÷_g¿þN 8Ýg”ˆ4‰ÏС„¥)¬Îd$H$…ð”âlrö×nÁà­zHL‘HH”pu@N’˜$BÆ|GPQJx¢¸ NI)­*µ;Z^hs4\€‘4Šìt0”ÄŠ%~*anòô<¥Ã—µnp…êÑIR7Õ¦žkß›Wõ ÉÊ6þ¶Ô%¶Ú +Ÿ¿4nÂt©WŽhøà’¤’IËÇt™Ãš"J†ž·yU~½$Y}Î’á“.^Ìët8«jK©žõ'|¶‚L u6_"-wï6^€‰ÊT 'yi·*r Ö›Y‘Ï3#|c9†'þÈÜHñ£®³é¥~Æ%Æc·Õ2ûè–ŸiÏP¾Ðe›ÿF)×{ÁëØ);_­ ½‚ÁÚ¼î—NçWwÒißjÒwŠ¦ò“çÅfaNî­uÇHØ'sÁkg®‡í²×Ò.`:HxQ­2÷i—ÙJc+Aƒ”Ì ©Ú)Ãk«8OÄÖ2ÛÞèFGæ‰gMÊnW>Võ*söÎiö‘ûÕWÙ 6fn´^­Û—sÆØÐqÂ=dqvsÎS¼Áð|½94܇eMSÍó Õ +ýç¼]º78cÕm>ߘ;iÉ(7Ó2&lžójµ®»€ Ýþ†™°.öÀA‘dï•®»yŽe—ËÍ ž>ð¸†nßµ8B“?•V™ó¬t$4bh”Zû–nälžk'/]ôcf/n,œØÒëæÜÌ˶hU£+¸®iDçØ·RQí¾öÐÈÝ݉Ùð{ðq°ª‰kfáX › +P>™Ž“. [mŠ6‡‰T”s÷\ëz•Ÿ³a‹zÊ£åÕºÍWù¿½ Àìõ¦6úkÜ~ÝHý)3—Þ‘­j³Öóüñå²ÚeÖº›ŽÛ~©³ÚJÚ(QlÏÜ}nëÜ»£ÁºiÑ0:œh½²yªˆT"%H’<ñeý4ÀÆ8ˆ¶ÝøQ8£mè9^¯kŽ6Áåa 'žÛçIÄ ISÆwxz÷»Q=œňLXºË‰‹8;Û¦”$"åVÝø>^­{T|Ÿ'€.$:-ÒÃÃÞ:†4àJÓlP‘âŸÃΖ¬W*Á³ï!›,8kôÁÄ…ú týeÿdLÀ¾‘‘”¨D©?ƒ…Lˆ¢j-þw³<#Áí;ÊΣ°–kú»KºC"ž€Òùu0 Š ˆHp"YŠî«z.ýUvá!IÕø°¼‡Ö³ñ“[pÐ;ðŸ;Å=V›ÂŽ}(V1àãß/“‘¶€DZIâès–ô3ŽŠU¦„¨ú¤Ê)Ø´HÑ,?Å2ŽàÒ„'‡ÛXöÂÂ`è³x4Ë –åbø1+6Éèˆ Ñzkmð•Æ7¸º!YHi(KG@µŒì5KF©]°¢dªlp6Ï==}¶TÍ ìMX˜lÇ<{eØ°cÈÙ¬iëlÞ†ƒF‡BévÏæ¸ÑÚø2omF*’pú9KúÇmFFà\cÑc42ì1M\N5ý l&JÝ…’‰|¥Gm5*r‹ÿ)CSŸfa<&Hq)´¬Ñ |ï‰vwf¤R‚'Ô–é7šM™[_, ›'¤}U¹@åK çnغÎWY›,Ðt7c*Dfb‡!ÉæZÌŽú‚fP^cÓ¡RÉ]Ø’•Ÿiù£é.«gDKE…XŒÙHbñë–ؘèvÛ…Ç;Uèûr›šeµ)»˜h‘7óÌAån0´•/³¿­IsPãÉjÈ«%ýŒã&Íá"î³h(¸r°i!%úAyté œ Ø:A!¼„» žy—áAÕVóªÀ¡ÙÊØÛ#v‘®ö lÓf¥‡{Ø"\ö„ƶ¢ø2é~U… ‡yÔ¸$ãàú ñÖå̦¶»¸cBÆ»´Ìšj¥“jn>Zè5Ä:]Ý!}‘µ™[êÖÒN†©î‡øb?4×Pxö·RѶø¿€Œ,N‰P\€©(BÕnaòu¢Bcð©2)KJ™±_ŸŸEiÄE +ø­(ªgÌ`å¶"dk6Q,£`àˆvàçPa,™bn¦ÕÔ\{0–|=W4 ¶ZgŒ ñƒ[WžR‘7!ÛøÁ­hÁÿ>-ñ•«ÀåžA€Ñ­Íƒ% *ZðN‚L;7e1Sv3ÓÌ–Ÿ°>h'ט¬€M€ð=oÁ¶­ê|n'GÈïÒM+­¥+›™Ø£ëÝúÛ“.±èg:"Íôã9 À;¢Òÿ·œEï#{sÁb"¹ËYÀ1¿Š½Ï^V¯],ÎEœáŽo•u| ÁPÈàÕ‡ •D*—v\Ä ,›¡@n>ÆŸ#š`Ï· {KÑð$1UÞ#™BÄ„"ðq‚ÝðÞyŸ£š¢ê.8(¶£R ÙyÇÅULœû8%´„’(lc…v3¹ú¤Äïhý™ÿ´ +&8è –ùO ®ë*‚×Öó‚ÓGç{ÜŽß³\cˆ¡œ%}‚S—ê]^Ï!ã™Z„e}F#( Ï,¨­¾¢§ÿðp?15=À“°î¸s½žŠjæïÖºjrc0þ+ÏƦ|`(‹®Râ¾ýtyB¢[Vß±Ëb© <¥}.ž¥t)—I{ws"e ?å².~ÙËî']B°'Éï—hÈë{iÂȬÏHY¾ƒst·“«»óQD#µFÐ)u‚V¼Æ&8{Ôé]PÒ‡HB®ß1@¶µ‚„ö%ULÙR:úůÿ²8øãÖU8w! þžÛho’áo"ﺃYWw“m0>!Ø€ã÷lµ´ô 6f„2†IÙ‡8É;à²=iêOóe¶­<ú’%~œùq|¾gqÊ’WÊúÄ)SB£9'`§àV÷}@'-[˜±5+è|x˜øPÿX?IØ û%Ư´“¾ `þ­düªÀŒ3Eioì‚ Œ2D?ƒÉF){e² Ö\àØ®À–·Yì¡ Îü˜Ïâ@b#¡“7Õœ­ØŽ ,àä{Qà6Ne_LJÌiêÄeBRœla¨7'ÀMõ6„¿ôÚF#pŒ»¿9.Á€·/;.¤vDñ$QÂ!žú]ôŠ÷Ïþ +|ûKx©™$G’ìî; äyf-û³×W?.ë~.îF¬ÿÇióYendstream endobj 1086 0 obj << /Type /Page @@ -4036,18 +4025,21 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1100 0 obj << -/Length 3265 +/Length 3262 /Filter /FlateDecode >> stream -xÚåksã¶ñ»…¾•š‰¼I´Ÿœ‹/qšø®²ÚÜ4ÉZ¢-N(Q©³_ß], QïKO7½Içf `‰Çjß»À‰‡¢g,³Nº^ê43\˜ÞhzÁ{ðí› æ\ÆI—ÝY_ /¾|mEÏ1g¥í :{eŒg™è Ç?%–)Ö‡xòï7·×ýKixòúæ{è ¥L^}{õvx= 6Lýêæök‚8j^½¹}}óÍ?WýT'Û7·\¿¾\ß¾ºîÿ2üîâz¸B¹û³Wˆïo?ýÂ{cøuß]p¦\fzO0àL8'{Ó m3Z©©.î.þ±Ú°óÕ/ÝG&ÍÒ( “fJŠ#ÇÒŽ ]²LòtëÔKÁð¶”03ãrEz­:¤Â0¥½Ô8f•Tžô·ï†@N-T²lŠ1ty–”3j¿¾½»»~Eý¶ÆÖ%M1Z.ú"KŠê%Η£¼-è{;É[‚ užÊvBóò ¿Ü#sAD¤~š‹þ¥–"™åÓ{Òc‚œšQ±hs‚ÉÕ,³Úbñ>¯>®Ã.uKâ¹lÚíý¾‰Áïõ 6TÆžcꬎžüoÃÞ`@mû2/ì¦INT!øœM1 êEÜšZÔå&¤ åì‘ Ⱥ<¹+Š ̯_QDÈPÏoqÄ©¶-çÚ¤L ŒïˆÇljœÒS ¾k~ø–qÅa)æ“ÒœbØ&Âz’½Ð&(‡‚‚¤˜×^&h€¢‹m1‰Ày¾h©W?„i“@ãq=õBy@½fžú LGÈ»ÆûãHñI©keÒºì8y­s,3Vyßõ/-\ëú}9F©GªLóù6Œî‹ö©(f[¢šI0¦Î;¦9°ñ8èJSÝ.Öç"®T̵û;[Ƈ‰›J¦Œ;!»6K™ã‚ ðà­'®L~æ†?ÄIS0 ØÓ¼-ëb;/M=khh7@y_$‹ièH£1q2¹~¾¡f‘èÏ«¡àÇ¿ß¡¶&÷w}ÆmRËR‘ð<&ƒ3¸ÎüOú<Ì*‘´ÅsÚ`ãkߎ(z÷¼sI¥2,³æøø¸â0YÀòfFžPtcíl” ‹L•—¢I ²íðÈEÅoO“r4!(É*ö‚¬â÷µWLÝJV¿8,–ÍÒog!{k¨½ûaø¶/¤K¾ 19w?ƒšUaA–óy½h½Ë5Yò-$~`jFy…‹ÓÈf¯ã} áýKtæO1{„ZHTZDåˆxtèþq¼ü¤™‰‘Ë\z"x6JB«‰4ï¤A÷ éw7z+š®Óð()`ݽ͇öÃÕ8{-Þ“¤K?0Lêþ€s©áº”tª6…kRžnÕ¦þ»UaS©Tà¤RÆÓÍšÖNm t X£@{ LK~€•±ðs‘¥)Àè¶ꪪŸ0–:ùÚØÎJ«ËLÃq¸dTåÈ#š·q‚tL*àÍ‹N>°µ¦@lTìµ²a4 r£á¬­‚.¾Ï«2$³±T°Š; Œû붌¬¤\£u“:ý_q”ÕÕÀReOå½ÚÌXRÝ›[Œ} -ÒíK6 Š!z{iÚbzXÙºG~Æå­5à«Eb`g¯³œ‡,ôuŒð7Šepr¹úZVª½ Âq5ŽÞ!êÅF„;4afSÛTU)è«Vv K=ê :š¾šÙ]°ûûv÷õ¡&ä­«ŸtÅ$;\Kª•SøìÖÒã¬Xìî†X­Ïþ¿í¸†¤Ë©t-½Ö8ÚqåUSÄ6øú -c’aßÉäjiÆÈÂLs¹´aEýr\Ì‹ÙØϽwåzû#¥á´GaE3Z”÷;á¶8l¦¸&2ÌŸËL£:f™=‘BÇt*IK ϶©¶ëªÃÚ\ßv¸òÅF~­BÁ÷¾ ¹y»S‚:¬~],?ãZ¯Ò)s©=AK«˜!Ĺ²XYbNó9æÆ\"ÁW«tûtå€=¼¸ÀÖßÁä›·ïm€¬éøòl¸dóߨYÕê4µs›‡µ¯YWÆyõµ*òñêb -«b!´ÆÂË3ŽW ?ÆØ5ÅΛ¼ŸWI”e\òUD¥³<¥ ’W·W?\Ù­^Ý@m_"¡Jç¼s‰{¼¶;ãݲÌ2&9'ÈþÅë™D“é­«#åt’WîÑå* HT?‡¾|œ2£K|«ëU7Ëû–Æ€AŽr†ŒÆõ‘;Ž kX ]Ã2ÀÒoÐ%ÉcN÷„§æz¤RÏ`6€mU„mê1ÞÔZg“›–@£|R“ít¾©ý•"œÓ,ðGxꦦdGaøÛ²N,)û$•®"ì/4^·ÑÈÑ´e»lãT2>™í¬Ýsåý@\™îd0žq»ÙÑ_‚GE',ðÏÕaÑîÊ̹.œ?A]JÉ”Ò'L¹LË„H¸Þõ/ V2[<‚}|(Bæè³M˜‰ã² )X²€L×GíðŇB¾/ZPŒPÊ8åÞµxÀ ÍÊiˆLûD-ˆ·E‰¨*R/KâÊîx}„,kù–ЊzÅóäÿ1lB×Z°Ô áÑv£Æñ]];" ÊÆ•)©auêô Ñà­,EÁ·w`„Í¢;xXV±tðÛ2¯èÂbüG]Eóæ¼g-KÌ·¤>f‚3.B2¶ó‚ãLë`ò $¤YÚº¾UJθ1éÖ XS¼/øøɇfH¦êØ]A÷¬?]rë˜1ô¾é’[‘Yf$×Ç‹”¦,µ*[)•\>ý2öЂû->‚ñ é¼*Ge‹QºÊÖ‘…ä1²Þ®†ØGò$ñÓ£ç+Žè¹m—‡SF_6ÂNñœÃ±E8sšÏ^öYfÄ/?Š…ÏEèDȼÞáÑ¢^'Ø┎c;É› õ˜%ËQ¼6oV„õ“°4Ä0no)¡Âs;ø Ά² N¯ýi>Fzë!К¼‡ƒ¼Øó³4”¯hA·%Zz"6Z×wupg8µ§/’goh`<¬Ç»g˜„Þ‹˜éjµÎz¡?~Ü5Ì‹—O°¼ ‡ðuNÓRÉÆ”UÁ„Ü_Ny ã^ôFJS`SÞç‹2Ç—={"Éõ6Dn#& ølTEð×µÛ%‘YQŒ›áö×Ëï‹U"ë,c¶BÕØNE_6Ó"'fàÝ°—_’L¨G`»hàu ïÃìr¦Wå´l HwÓ‚ §ð­¦SBæÿPÆ£<̽ÛüZÌÃ.ålã¤Q>šø`>ÆN"têŒkºæïMU -<Ÿ{JEÈÖÏ ò¶ôO}àÕ­°GЫ„æo Ü -`mø6Ï«&l…”°^¢]Ñ\$÷Ëpö}<˜¨yøX9 lɼF»qG‰Ü£K«t -Qš¤ —Ã#¾¹À*¢ÛàÛ@=&N¯÷ÈÇ`ä@ Àz» 2°tã ê=MŠnÊf¨H7Lúåc‰ dãQ“É“²Úk >*A&ë†z^$°ãÓ(hé4ö|‚-"<-/â‚Ò5sAQ3RTh~'tëÕ1Ô yï¤ÄÒȾ}HÛnUeëÙ‚ ¯‘ЮnFöbá/ |†¡¤„lðñ±hZ„Wg¾Ö>tA„š0yR/½ÊIIª­W+Z”ü‘ã’ÁIàÄKØ…øØ]–o¸i€I ->Ú—‡µ95!»8ð0B}Mo=¶½8ïŒÂ>ôÑþú?.@ꩲC6BØ "Rþ¿-ÈÌgRY¹õÿ}Âm/endstream +xÚåksÛÆñ»~¿œ±{×~R)QšÈ.Å6ž&ùˆ HÐhIùõݽ½#Á·SÓSO:žÑÝ-î±Ü÷îyÁ?ÞÓ&6VØ^bU¬×½ñô‚õáÛ·ÜϹ “.»³¾^|ucxÏÆÖÓ>töJc–¦¼7ÌŽL,ã>ìÀ¢¿¹»î_ +Í¢›Û Ç¥Ò"zýÝÕÛáõ€>?õëÛ»ob©yýæîæöÛ®ú‰Š†·oî<¸¾¹\ß½¾îÿ:üþâz¸B¹û³8“ˆïû‹Ÿe½~Ý÷,–6Õ½'°˜[+zÓ ¥e¬•”R]Ü_ücµaç«[ºLŠñ˜ -N*–‚9–Ž`p¬ïª$NK¶N½äÌÆþÀ–f¦L¬H¯d‡ôœëX¥I/Ñ66RHGú»wC §â2Z6E]–FåŒÚoîîï¯_S¿­±µQSŒ—‹>O£¢z ³órœµ}o'YKðÁ ¡ÎSÙNèc6Côà—[­`ΩƒˆÔO³bÑ¿T‚G³lZ`O8L’Q3.mF0±šÅaV[,>dÁóÚïR·Ô)žË¦ÝÞñ`›ü^Ï`C© à™SgýÛpôä~öjÛ—yÑ`7‰2¢ +Áç4hŠ™_ðP/ÂÖÔ:¤.7Ñ e(g$¸øAÖ%gÑ}Qxa¾yM!M=·5vòˆS5ñ¶œ+ÄŠ[`|G<>Mä¤Jc ê»&àÇoV–b–ÆBèB Û¤œG²·ÃÚiQPóÚÉ Pt±Í@"&8Ï-õê?mâiœ×S'dÔkæÙ¸Ât„¼k¼?Ÿ•ºÆšX›'¯±6NµQDÞwýKçźþPæ(õH•i6ŸƒÀúѨhŸŠb¶%ª©9uÞÅŠ1Ës¯+MqDt»XŸ‹¸BÆö¨ÝßÙ2¬8LÜDÄRÛ²kÒ$¶Œ“¼uÄÑ/L³gøÃ0If{šµe=#@hçÅ¢©g <íæ(GUA@²Ð!‘†‰4+¢ëçËÃfv/§`¶²ê3:¿òÓ(÷y™›+eOxCc` ó3ú2‰†È”u"µ&R×˶¸l'¾ÿaB_Gè*ÐrãÀ[{Mê¦m¨Ûz硃ÂÖ9(7+ûP„IE¹8ê#½‰*‰ñcoÞ@#½>Ñog õâ·½ªæËõóG1¼CÉó2\•á"O™ž2mŠAäÉÈsÜß~ ž#µÖqû!TS>βÖÇ8 0,‰Æõ ÃGi”gmF½l |›µ.RÈ „þ[§ØYÇM‡Ù ñVL¬:¿ïÒã\l ‘Ê9=±Ner‚mÜÄç<:BÒ®çõCgÕ¦±I¤>¬8L°¼©']@AY$È"é¤h£t;<²A@ñÛÓ¤OJ²Š=/«ø}í»’ÕW‡Å²Yºí do µ÷?ßö¹°Ñ+“sw3¨Yå´a9Ÿ×‹Ö¹\FßAâ¦fœU¸8 lvº‘ïKG/Á™?…ìeàk!Ai•#âÑ¡û§ñò³f&Z¤qj“Á³–ZE¤y'4ºoH¿»Ñ3_Ñt†Iëîl>´ïb\³×àí0IØä#äî8—®KI§jS¸&aÉVmê¿[áÆÆ2œT³d³¦µSÛÝÖHÐÍx¬;ÀÊPxƒ¹ÈÒ„ `pÛuUÕOK¿ºÑ¦³Ò(À2Up.Wòˆæmœ l,$p„æ'ïÙZS 6.öZÙ0š¹ÑpÖV^?dUé“ÙP*XÅÆýu[FVR®Ðº •ü¯8Ê>‹ê*`©4§ò^¥¦ ©îíÆ®†èv‹%PE½½4m1=¬lÝ#¿àr‹R +ðU‡"1°³ÖÕÙÆ|z"üM'‡béF®®–•(ç‚p\åÁ;½ØˆpƒÆÏlŠb›ª2}UÒ¬ñtéãâ±GAGÓWó/» vßî¾.Ô„¼uõ“®bó.ƒ%UÒÊ |vkéaÖ ,vwC,ŽˆV‡gÿßv\AÒee²–Þ k츴Ȫ(b|s…1É°oEtµÇ4cdaµô¦¹ÜNÚ°¢~™ób–»â¹á®\o¤4œöȬhÆ‹r´“n;€ÃfZ‚k‚ Cÿ¹Ì4ªcšši!dp±Ji äÙ&Qf]uX›ë»W^mä×R\ŽJÏ‹Û·;էÚ×Eð .óJ•Ä61'Èhd¬¹n® ŽÓlŽi1H+Éä*SÀ>Ý6`ï,°u×E0ùöíã!k:¾Âžñ÷kî5«2}ƒVö`Zó°v3ëzâÊ.¯¾VE–¯î¤° æ£j¬¹<ãØ×þËöc×;oÞ~^ý&f‚( Jicúy}wõã5ݨÕåÓöýѪtÎ;—¸‡»3^+‹4cüYÀµ-B)“È¢Sµuk$­Š² +#=ºW…!‰JçÐw‚SfÔbuou³ +ãf9jiìßH«É.! ¯\ox]Ã"éVæyƒ.)Ì3º"D8ø?×!•8ã°l«ÂoSçxIk¬‰n[³¥ÏJ¶3ù¦v·‰pN³|Àát¨›•’ …áû%$œXMvù)ÝBØÝer¼i£1£iËvÙ†©d \ÛY»ç¶û¸2ÝI^ãv£¿xgŠþßWàŸ«Ã¢Ý•™sÝ5†’”Ð"–R0å"±q*!@Âýø®©­'°7ÞÙ‰`y‹‡Âç‹.Ç„9.. š‚… +Èo]¬Ž/ŠtÂ0NY°ã*~}!hFC¼VÚ'ã$e^² +CU‘fº—ÐÆK#`1˵ԀjTÔ+žÇ ú~ºÌ‚…¤añO5°”íªÙÙèý ®G ««NȆGe(ö½»KÀM<Áò +ƒ÷ˬ¢kŠüz‰.çÍtÏZô˜e u"¸RÄŒûlçÝÆ™ÖÁä . H®”±'ܪ,fZ'[÷^Mñ¡Xà“'•!™ªc7ݳþt)­µ¦WM‘ÒòÔÄZ0u¼4ÉM'F¦ëÒ¤kÃ'‚KÆZp÷ñ¡Å§/4Wå¸l1@—é:¨,ÂÙUö >[zt|Å=R¢ÍÃrê`SÇ‹°Sƒ³¡ˆÑ›Awš üzˆ±°¯Àá /öü, ¥*ŠÓ‰Žˆ ÖU]åÝN@íéóèÙO áqî&¡·Æ’æ·J®s]è‡?xw ó•“ò@c|“Ó´T¨€1%T0!sWRð½ŒRS(Œe†ïyö‘ë—kˆÜF8æñÙ¨…à¯k· !³¢È›ÏßöWÉGÅ* Õ•<^¡ŠªM§Ž/›i‘3ðFØÉ/I&Ô#ˆ·]4pº„·Í~v9õÓ«rZ¶¤iAГÿVÓ)>iˆ{ž ãqæçŽü6¿s¿K9Û8iœ'.ŽO±“€º‡yM—Ûþ•©L@ƒçs§B ÷éÂúQAÖ–î|¢jöz‹Ðü „[¬õßüæYÕø­9ë%ÚÅx4Zú³Gá`¢nàáƒgåijGóíRÀ%r.­2)D h’€\Œøf=«,ˆnƒ/fru˜XµÞ#ËÁÈ€ tv@d `éÆAÔ{šÝlÏÏn˜ï-ÊÇsÇÆ¡&¢Ÿ&eµ×&4@|T‚”#Ö õœH`ÇePÐÒ³gì¹Ü +ZDxZþ^„c¤*jj½¢¦¤¨ÐüNèÖ«c¨ãSÞI‰U‘}û¶Ø?תÊÖ±AN#¡]݇ì3ÅÂ] ¸ CBfÐ,‹¦¥kæz`í}D¨ñ“'õÒ©ôGþ³S+Zá”÷‘ãÞ àÄ‹ß…øØ]–ïµi€I +>Õûµ5>»8ðB}E/<¶½8ëŒÂ>ö©þú¿+@Ö)ÓCO5|Ø Rî?+ˆÌ9‹…4bêÿa,kTendstream endobj 1099 0 obj << /Type /Page @@ -4084,18 +4076,21 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1110 0 obj << -/Length 2901 +/Length 2902 /Filter /FlateDecode >> stream -xÚÍ]sã6î=¿ÂÎLÂ?ôuoÛݤ—N/íeÓ›kû HJÌ«,¹–œ¬ï×@€2mË›½vgn'3‚ ‚ZÎ"ø“³,‘ÎÍ,͈#ÏÊåY4{‚¾oÏ$Ó\z¢Ëê›û³¿\'r–‹=èÁ­>—´ 7`4@‚¨×[ V`¶õÀ38¹à;öÂò‰ž&ꆮì<Ë‘æ †¾=¹6=¬ºÙ~RH'ÆÄ©[ا…š™9×®räÐ`ùz¡#˜Å`l» -êq+ƒoAg:õúÙí1´;þ²,]ƒ=pBÀ©ç7<šVŽó,–«ÆY´xù϶:œîîú-É>Ú\LYvêR ﶩÿÔkj8·…ßE1 $Ù’‡“àwY€ÿbú_¢H9¹°ñR0Pƒ°Ýöpi¨ª÷¦’ó~ѽøIY$p’à!æ†v€_0=ÔO’8ýÐÛOmîP1 ÃTñ|Ùõ°S“íÊ<°øàü-îD`?÷€ÿhjB5¶uXÁž6âÛ<-¨eµíÆ;#†¤=ÁD::8t O»éÉ×b“µ €>ôHǾVÃÎë@òzÚ;[ífFH͟쳓!ì…e:û›yw'¸áž‚øxŽ"â“m™å‹t6Eûª6‡ãÒ‰™-³(ú~³ ™0Qïê÷×Ã)Úwªd¦¡‰ùœ?ÛnÓ{ÿ&ø¥%ÐïÕ¡Oï‡ º6›Ê»óÇŽÝ4Gܪx°¶ÎËNîÜõ.°ê$e#€”‡=XžÌ_ßX´×=RÈO.µ]ÕLï<âÊ”É<Fº5#ðvG4DfÁ!?¸lëe×Ú²ŸÚ¡ªÆsߎÑù¡{v‡#ñ~‚«Ë©\J0†`ðp¶ŸÈp»QïaÞ@²!„SÕM…ë0’\#Fü3qä¡‹çÎz© GxÚàÖìe&pØð䱸nš BËÐÆ+ÁJ\sg/Шlÿo îÈVg¸ø)*^zï¨ÒÝ$´jhÕÁdØŠI‡È­y)¶ ƒ`*%2ì€îæ6”úäºÀ|i{| -øÊè–vÆ@Ñg铉12Me,.ß¡ çóORAÆõ‰ƒ“†.o%7(ë“NŽ¦ð=Ê5M˜köz^Ý8àŽ¾»uC]'ð>ÀßÚ«§ú+Ø9[º k8È4(:LGªá²&ÕqíIYå|xáqKHWØRDÝãJ¡/Óê`»8ß„¥/žFû×ÃK ÔR¸ŒÎLšÂrÐϸê$I¢âýkàå ÜÑI h\¼ôjßgu9. -2‹X(Ëñ’§A,u*²8Îg&ÉD¦bÚ”›÷7âêÝOpEó¿8¿Luª ÿ dßÿ¼º½º{#F²š\ŠÔhÐh0÷Ÿ[jlpgf_RCpiW™Î§5¤L.”¨gâDdi; «ä͇Q!§õÌôëÃHa>}Íb \ dLu‰}‹€³–‚Ý€·JsÔ‘ÊD.@$uZ34gö•kFåB§:yÍR´dD¾pTL:ˆ?¡ƒ€ûW¬ðÞFfæ5ëP°Z>,{g²¼Ð4@PЊJOk%˜ï+ÖJ “hõšeDpLží[†?ú´ö_H » -åÿ#ÖÉ4Úäù <…ˆÒýRéQÉTGàzUž1:Ïõé’)ÎÅ:Þ%\n¸è³ñë²ųëÒs*åZˆs-l¼,l¹ KžÌÊ]Q”«Œ ?™PóÁ´›åƒ+(Ã5I*½É6iÆÒœ7C1•_…¼¢ª8ë2"w÷ ² ¸`·e„œ&Ýüx‚Õö+yX(+pçt£µC·õpÄ÷D"lû½Ôo—æ1¾·ÇUù¼îè(ÙKw°d/s]”‹Ãë3Irªü9yÃ}O$_ûœÊHëú8›T‰ÈÑ%€¹Š(ÉÓÏ;aù:aù§³I¥!@êYãÈiø‡~Î/ -N«2ÎOz-4zˆä"$Yë‡âû·ïÅßoîÇlñРᆇX)!Fé,ì‚c˜i¸LA¤À?cŽdÎœd(ÛŸ[/jö GŠ)TdÔkLŒHó(ã×1,{§iÌÚPóQ™.ù„ØVK0áŸùÿ;¾¼eË4™ZFò3c‡Ýš;”„P›Õçù¨Ñ î®Þ9RzzØßâT ©U⟎‰§ŠL‹$K$“_œòqì”+ûˆR<Ö¾ø:–%Ø »W–ñ€=‚ZâXd´©!$'Y>¾¶ø·–w¶/7/+O®Ën]zeµÆ†WªSóªî˵}p‹k\hÓùÎ5#žžxÌøA}¶¥(E‘ú ¦+Ʊ¶f•õDÁ{ [rå­wrHÖo8šBÿÔ;&…FW¿’n´«Ç ¶Ü¸׶µ«ðh~ÕÓr nèC·ÁíÒ‘çâ‹6Ž1KÓ A¿DqÄ9‰cÉBø",B]P íXÃàŽªº|N‘z¾èúfø>‘§œH¾·®8†©Ä÷‘-¡ÝÓ‡tïXˆF”SžTž!V¦°‰rb»ð_¸]9›Ìª°kB í*Hô4Í䣭@/©!Ð(¨CÎ='Êh–‰Ý£íoêçÂã*p›%jÍÄ\XäÞK´9ÁžÎm@à,—íËžÆl5 \ZßEݬ˜Í¶êeÏ"ÔH-é‘ÂŒrÆœzJ¿ãNxg.jo3¸åùX¾Ð`ÆOȱn¨õøPÛ^M© Kê¨êìßA5›7~kØœ…k¶$uÕM„úîQi]œgp›©¹\~,y)éã~¹àÊáÙV¾wBM£Á˜”sk=I:À¼L®³§þÁ†o~Ð$žÉx;”[=z¶'Úb€í^ñ¯6RéÍ4œ/ pÈ&âoX”G®¹fžÐC—Î9,A7¯É9Cl•ûÌWèszƒ"_a؇eóñi,/Á'KÊækÐv·l|­;˜?/ÃŒ½wsü¥ÏèÝòæOü@Bþªfâç4ÑìÕís¼³û“¼"ËN\2Ç„‚…ráòèê>þÊçXôÿ·«èendstream +xÚÍ]sã6î=¿ÂÎLÂ?ôuoû‘ôÒi³½lz³sÝ>È’ëV–\KŽ×ýõ LÛr²×Ý™ÛÉL‚$€ ‚–“þä$ E S3‰S#Â@†“|qL¡ï‡3Éc.Ý KÔëû³¿]Gr’Š4RÑäþÁ£•ˆ Iää¾ømúæ¯~¹¿º;¿Ta0ÄùeÓ×7·o “ÒçÍ»Ûë›~½{u›éýÍ»[Bß]]_Ý]ݾ¹:¿”Ú„ +h&ñïw·W4èú槫óßï<»ºXöÅ’F~ÿ8ûí÷`R€t?žB§I8Ù@#2MÕdqfB-B£µÃÔgïÏþ9ôzíÔ15…:a¢â==¦§0‘VÚê)ÏšóK­Ò鬤oÖôU^-³¾,.c’i?ç®ûûŸ8š´:—É´,ÖyYb¹ªÚ}‹_L>ÏšÇÒïL§‹ª©ÕŸŒ­š¼mºªëË&ߪX¯ªæ‘'%PqeDj¤±ÄiŸRå©/éÓ¬ô©$`À°1£D½ÎZ±³-{^Áòß¡ħñ´PÛ·y[ãY4o0ôíñµî@êzû,“–‘S7¯çvjb¦p\Û‡óІŽ`‚±µì*¨ÇJߌ>ÖtÊÕ“Ých·üe^Ú{à„€/6ROox6IŽëÎËÚZ´Xü§ª8\îîú ñ>Ú\ŒYv†êRÀï¶.ÿTg+jX·…ßyÖ#$Ù’‡‹àw‘ÿâñƒ@Y¾°±É(Ùv{84T”{KÉi7o7nQf œ$xÈž©¡àLõEV?4¡êƶw(ëÑaªpºh;EÁÒd»2õl>¸~C =ØÏ=à?ê’PuÕX¬`Oë~Þ®çÔ¼VÍÚ9#˜†C;½… t´pèf5/»îÈ×bk@ï‘Ž}­†ËV=äõ´s¶Ú®Œš>VO–¿Ä´ö76óîNpÃ=Ñq5DÄǪa’›ªŸ{à³ÎšO¨ØŽK'V®˜DÖuëXȈ‰:Ÿ8+Ü_§hß©’™úNlÌçü©j×óo‚€×È-n¯}zûÐ{ѵ^Î?´ì¦9âÙ¬ª«~k½ìèÎ]ï«Žb6rH)pèу¥ÑtÃøºB{Ý +ùÉ£¶Ë’Ç[‡¸¼e2͇ƒ™VfÞì ‘ApÈ&.šrÑ6UÞíPQâ¹o†è[+CY"æÙwQô(×®!×ÂÆf^åsÊ%O&e¯(ÊÞ±SF—³ª'T³^Ìlu`*GRÕÕLg[o’ªrØ…¥1–Z 5¼¬(8ë’!{íñ ¸[7%ƒœ!Ýür‚•ö‹xX +Èr*­H¾!nÊþˆä3éoÈ׫½Ôo—æ17]õyÍå…tGGö6íÜŽñ2Ëç‡×gâéTùsô†ûž*H®ö9–‘–åq6©"‘¢KsA”Æ_vÂÒ¿tÂÒç³I¥!@?÷¬qä4ÜŒC?ç„‚Óª… Ó“Þ_ Þ"¹ˆI&ûáƒøéÍ{ñóÍý-Z5Üð+%DÀ žø]p  —)ˆøg̱“ŒÀ¹‚“ôyû:yQ³ß8Rì4I¡£^Ò`dDœ ¿ŽaÙ;ŽCÖ†šÊ´É'Ä–à´Z¼¿6v¤ÿ{ìøö–-ãT$.vhÈ/Œ +tkÒ0z>v( ¡6Qä­ªîy5¸!Ïñ•;oJOû[+!µJ½ãÓ1òT‘h%‘äá§|{æ¢z@.JW|Êìí+ËpÀ@-a( ÚÔ’£$^[Ü[ËÛªË×#/+O­.óvUœzeµ††[ªSÓ¢ìòU5³a‹k\hÓéÎ5#žžxÎðA}UC¡Š"3ôg<.æV%£¨|¨G +.ØKØœ+oåC²~ýÙúÇÞ1)>Úú•´Û m=®¯òµ}°íª´ͯzZî‹`§ÎÚ5n—W´pˆYš^øú„ç$–$3ሰuA5´‘†É-Tu;ùœ"!?j»Vø>‘ÆœH¾«lq ó‰ï#[BÛ§iß/°(«<©A¬LaùÄvæ¾eö¨[[/Pk&äÂ" ÷^ Íyö´v3PánÚz™Ñ®ìiÌÁVÂæVð—õ’Él»¾\tÌB )Õ‚)Ìð gÌ©§ô;þá„sV¾P»x›À…,M‡ò…80~BuC­‡‡2€ìöjÊ©XZSGQÖ`§øªÙ¼ñ[ÂæÔø+ŒP³åàP[ÝD¨[âå•­ƒó +v35—ËÙãAŽKúØ_.Ør¸E6…ëQÓ`0&æÛFOâp-ùrvÔß»þ›4‰f4Üe¥'ÐSŽíhlÖÃv/ùW±tfꯂ78d#‚¸+åQ+®™GôÐ¥SKÐÍ2Ygˆm¯rŸ¸ +}JoPä+ û°d:<퀊§çàÈ%%Óh»]Ô®Öí­Ÿ€—a·۵{þÒgðnéNó'~ ¡ U3òsš`òbŽö¥?ÞÙý€É@^‘$'.™CBÁLÙpytu~åsÌúÎh¸endstream endobj 1109 0 obj << /Type /Page @@ -4136,26 +4131,22 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1120 0 obj << -/Length 2891 +/Length 2885 /Filter /FlateDecode >> stream -xÚÍZÝsÛ6÷_¡‡>Ð3ŠO’è››:9w;§èf:—ä–(‰s©©8î_ ì‚¢$ÊI.î4£€Àb,ö㷀ĈÃOŒLÌb+í(±š.Ìh¶¾à£%ô½ºD3Dã>Õ/Ó‹Ÿ^Æbd™e<š.z¼RÆÓTŒ¦ówQÌ»<ú÷ÝíõåX½¼ùjBi#£ÿ¸z3½ž`GL¤¿ÜÜþŠ-‹w·/o^ýkru™èhzsw‹Í“ë—דëÛ×—¦¿]\O»%÷·%¸rëýïÅ»|4‡ÝývÁ™²©=ÀgÂZ9Z_h£˜ÑJ…–òâíÅ?;†½^?tPL‚3©b9 '­†äd,‹•T^NÙöR¤QûJU„õfSWó¢ZþVFíÊ÷êh%ÒµÛ¬ªm‹ŸÙ2¯Z¤y(J¢YdXÓÑ}6û«© ,«üñ(q!˼!N›mQo‹öñRÁùhÁ£7¡Í©vëû|Û ù¼vg Á¬1Òﮪ7™F«ì£›RÚ(«±)»oêr×æøµÎ³ -öŒ4ï¥L°VÈ;AÖËücVÑuUab>k‹0©ß¸£~[¬¾þ£ÏjVûrÞ`ç¢Þ†ù³éæ5È¿Üd¶ÎA@±”ÑÔ V¨}Ýõcm ¢Æ¢Á² #ÖÙlUTôáÖëʇU1[:5ð½þ°]í>L›—0niNkºiÝ¢ziâž.*ÐT® {q[Xï¢:ÐX DÜÆD„gè¦ÉP `ñ&Nƒ<Ðô³¦©gEÖæs´Ö+,mtÐÎÒo¯^“›p¢q%*TšÝÂyϹœ ê¬;…„Y%S?ëKd1( -$kWÅÃpæ”ȨX`£×Ò(øô“By*âjI১;p³U]K¯W'Ä49ÞYªþR’¨ ŽùÖ÷ 8AÏHùiT‘Ìßr¯®,–U½× Š|S5mž¹)΃+°Á»ÀS&j…MèJ,‡†&ß~ô¶åê`|…;®@í·b{³ùýÛ¥€¶M]Tmožƒ}¢ŠÝ?¢f ¿ >ì8Ä)‹“4ÅqÌ’˜Ç_¤e&Éa<øÿF…uôNéì -p^T #YÞƱÑ,åFwÁÆ$=ÓM X¦NG±Ia -ÔŽüS¶Þ”9›Õkç”ÖÑ DT%9TÒHðËqÂÉÏ°ƒ!GÒÕ6a©vÔ_É·mΉQ$JîOûå¥%,AÁ©¼@ 8ëQ¬c¦Ul½ÄŽÅcƒx”üBùôf~^ù<«>)ÎR‹"J>J3‚¦ËGöåÃôØmX½]>!޼߱t ÔYeíg¬MJfdl0¨žÐXõl.uQ¥^§˜û‰ó"êMþAE@ -O‹v žRu":2"oOÈHž—Qoöç’ÑôÿQÙ\ʵHO³“,D&)Ø¥[µI€+Ð?…˜XÀܦ‡ ŒÒIü|°ÐÖ_#@DIpÀãmà´{¸eÖ¶ùzƒ!>1„©ƒ02´Xzd+`Ô4`”Ð1W ‚Š{<åg˜B’ÈR™üžÛEE$p’o¡WüHÙᯱJKc!q˜™ÂæeðQ/h©›< ÛÙ,Ï=:4¼/WÃψ-†³U î=±íìÔ$tˆ÷ñ¡!hewVŒïÍFþ,Ná˜÷3Ö%÷ -2yòmÞ¶˜¸·éô÷f` IJX-´>EœDm±µËS6¨yi¹ž@<™`éqe9'ŒÜô@)‰å}Ñ ÝæKð`sC bN ³CÚI´«Š¶9œ¾pZÍ»Åí—"¢©!Q^gÛ§ŸŽG“BsYã.ǯ˘;CÓà -3Ò]¨Í ̱:™4.tè4N99cež7³mqŸ§Uý€•²öGµ,0 |iªû¼7Ñ<´-ê}R¤"”¢ŠšU½+;š!@>/šYFvâ %8­´bQ—eýÐ)I»Â9¨·}ÜäÍ¡…àöœvv«Ù!8¸’lÄ “ÆŠF`ñg]Ñ(§.`þÇq#7(¸i;üN^YÅž¨¯sòãz©Ç&yò+Œ8 -\aO15K´à,„k )¬Âã{{qVƒc ‡¦£2ó7A€äö(g2/…C%Ýh¸†6p¨òeFW0õŒTÀë/C¢é*Œ;k1Ñ-ìsÚìt-6hFöDnLw©ULBýð¸sv¦3&¨Võœîj.h\›óú·üz÷úêæÖùxlÝ_Æ5y3¤ó \íõì±Þ±!»ï¬`}*Ö;¢&ÏçcbÅ^\¼/®ýˆÂ¬qÛ톼bå} -°Xa“QO¾M¿œ&+ž¦àÍ°þª„&Œ8«²1d -­à¬Îª"O"1Šüངv7‘xíaÛ±€C¢«©ët7y -­7ØâüŽo|Ð}¸ºìvÂî»Èf`¨;®Õ]>54ëyžç‹lW¶G>¯Sˆ|&tQþp¢Þµ®®»l™1jòö ¥èÉûÛŽðX+ôsj…P/{9û VÉt,Ñ(ƒ¤<˜¨è:sw¨R씆‚ Tµ´ñ„…ç¾,Ñ›IC@ë{EuD9™x‡Û[×@²é»¹óšq¶¼ß{9Þ÷rœöB#?º+žÒ€žlŸK¾È‘ß¼ù¨?ŸCLrâ£,/,©Ý£ë][Ôö:·ï8Ž¢@|D+3¢ƒž}M÷ô¨°†@IoÒZÅt¹×~aÃoÙrx×»7û@×SÞæ>—I ȤcnÕߘI?Ûµ@…ä,6úÌ£PIj -v?ÜMn^¹ëk#¡óჀ¬?×·-Èþ‰ððPjŸ–ˆL¦±¸ 4Y8¡Äà༸ʢ®Ÿ~@ë$Ó›ó¹$ó½@U K¬~ªJÁËá«tèoH|ôÙ³þÒ?=íÿø¥¦ÒTã@Ös¼<ÔÓ'É -ÿŽ"ªÞÒÿIã-Qendstream +xÚÍZÝsÛ6÷_¡‡>Ð3Šo‚}sS'çNcçÝLç’<ÐmqŽ"u"Çýëo]P”L;ÉÅfôX,€Å~ü˜pø‰‰±Ìf2›¤™f† 3Y¬Oøäú^¢™F¢éê—ùÉO/­˜d,³ÒNæ7^ŽqçÄd¾|—X¦Ø)pàÉ¿¯.ÏO§ÒðäåÅïPJ™¼øÇÙ›ùù ;,‘þrqù+¶dX¼¸º|yñê_³³ÓT'ó‹«Klž¿<Ÿ_¾8?ý0ÿíä|Þ/y¸-Á•_ïOÞ}à“%ìî·ÎTæÌä>8Y&'ëm3Z©ØR¼=ùgÏpІŽŠIp&••#rÒjLN&cVIä”oO…K +Ø—S ÖÛMS/ËúöGhÌdÒ­B¯NÖyY!]·Ík Úvø™ßu‡4weE479Ötr/þCã*#˺øD<*\ÈmѧͶl¶ew*„Hà|´àɛ؆Իõu±m‘|Ùø³L…`™12ì®n<7é’UþÑO)³$¯ï±)¿n›j×øµ.òöŒ4ï¥L±VÉ{AÖ«âc^ÓM]ab±èÊ8iظ§~[¬¾þcÈjÑ„rÙbçM³óçÒ-=ºÉ|]€€¬”ÉÜ V©CÝ÷cíDe‹eG¬óŪ¬éïחw«r±z@èÕ ô†Ãöµë8mQÁ¸¥%­é¢ó‹þ饱]T ©\§öâ·°ÞµDu ±ˆxf‰ÏÐO“£@'ÀâuQhúyÛ6‹2ïŠ%Z뇂Æ6:hoé—g¯ÉMxÑø•*íîÆyϹ\” ê¬?…”eJº0ëËpd ’µ¯âaxsJeRÞ`cÐÒ(ø “By *âkiäfÝÃøÙ꾂eЫÄ49Þ£TÃ¥¤II‹mèp‚‘ +ÓŽ¨"™ƃFø²¼­›½>hP䋺íŠÜ¯Hq]A½ yÈä@­° ]IFã¡¡-¶ƒmù:_é+R‡­dƒÙÂþ³¥€¶MSÖÝ`žƒ}¢Š]ߣf ¿¨>ì8XÇlêÒ‰µ–¥–Û/Š2c&éa<øÿFÅu NéÑà8¼¨G²šÆ=M­ÑÌq£û`cÒé¦,S»‰5¦@í(>åëMU°E³ö¾Ai\@DU’ã@Å%‚ŸNSN~† 9’®ÎRæŒÈ&Õ|Ûæ¼Eªäþ´ŸQ^ZÂr<”È€g=±Ú2­l$v,ž,ŠGñÈ/”Ï`æç•Ï³ê“âÌe(ò§ä£4Ó4}\>r(æ¡ÇnÚííÒÌûKB]¦²ì3Ö&%3Ò ª hª6ç|`T.èó?ñ¸ˆ“ÇÆ-¨HáiÁnÁSª^DGFáí ÉÇe4˜ý¹d´ýGÔð&ç¸6 ãéaöñ ‘©»ô«6)pú§³cÌmØ Â(Äχ mý5@”Þ.@{€ Pæ]W¬7ÂáCø‘:# C³:Ð#[£á y£€Ž¹f (;à)?Ã’D椋8ø=7<`¿‹š6Hà¤ØB¯ø‘²Â_S• +欇8,€La‹’2øhn"hiÚ""ÛÅ¢(:4|(WÛ…³U î±íì˜Ô$tˆñ¡!heVŒïÍFþÌ:8&ÀýLÀõɽ‚Lž€|[t&nÀm>ÿ½Yh¤™: Ÿ#j³IW®‹i×L+LÔ e”F`g“٠ˀ&«%~`†€>•œ^—ut¼E‰[B—Ê B• +ìê²k‡3[À± H¿Ûp$Þ÷SZŸ¯óm’MÏ -Fx¨¶Ïè›ê#fÊÐt·Â¼DÅäj Hþ +¬Îf­Ú‘˜  ¤Š•eÑ.¶åuAœVÍVª&ÔòÈ$ò¥©®‹ÁDËØvÓìS •BÙ®š]ÕÓŒÁïeÙ.r² +ŸV(Áã¡rÈ«ª¹ëU¢[áÔÛÝoŠöÐp{^ûÕÀÇb‡iœZE„)bM#°ø³©i”W0öã(áÀé žM´‚ølÁá~KW™b)OÕ×¹ôñQƒD@ƒ“<ýŠ0G…©¸'ˆš¥ZŒ»{°ÿ ‚³û™Âã{{QUƒ‰‡¦“*÷>€Û†¦HÎ:š£Â¡’î/|C9ÔÅmN.õŒT è/C¢ù*Ž#ë0­­ZìóÚìuÍ4£{" 7¦¿Â*¦œd˜Ñµ™Þ˜ Z7Sp±«i¼ŽñmÞÇ_þñëÕ볋KïѱuõÖí˜Îßàjרg÷ÍŽÙ}oëüS¹Þµ÷sÑ8¶12ìÅŇâÚß(,À·mÔnÈ"V~Ñá4ýLdéd  ߦ_^“w|·Ö_•¾Äª¬̯Р+ÕY•BœI%ÆŒ‚—ÐþÞ/Ù càpHt‘€"õþÞNá "ÒtÍ[¼ß ‘º_C÷Ý^ØCyÀ ìuÇ·ú«¦–f}\…—ÅM¾«º#Ÿ×+D±ü3º¿ðÐìºW×_­,ŽµE÷„R äýmGx¬ú9µB„—ƒ }T+ŒdÚJ4Ê(©€;§*9Ïý©”;¥¡ •x m‚0¡@áùïKôfÒ +ÀúÞ#ÂGYQÎfÚxWëÛ"$6C7÷¸f`‡mD/Ç÷^Ž½§½Ç(Ž.Áʧ4` ÛçÒ€/OþŠX*2@Þ©T_›)H«´Òy2=’ÀÝŽùÑY¸gϺ|“ñÞ7¡êùÆeq*²ñ@Ô Lß„ãÅdêàˆšÝíêˆXàYûQ×4UñiS•‹2à!ß>¸f œ,zßEYÏ#)ÄQ\+ÅÇ2#HMKc¢ñHv@4”¤}r )9¸¨½ê’z¾Î7›}#=¾xóQ>c˜ÄGe<¾§¸l®w]ÙÔØëÝ6¾ÚxŠelðɬʉzöñܺxƒ­ùrIL[ì‡~Ròø†è@a–¶ÄVú}«Ë¢áxàh£_aŽŽ¢¬§aþT',ßnò¹¦`bºÚ¿2¹3ålòf>ÃÊÑË@°TòäR•Ã'OŠq-4-!tÌÓÇCèXçËâSU’ô9ݺÁ'¥É4®ùÀçµåmq ŸðœÜçÙñT'Ë—HQ7Ýð%S&ÛòvÕù‡ žFp ­XöïœÀz³iÚ²£gÖýD¡3ò"jÈÐò{lñZáËVÄzðn+!1ÙåUEÏ¢wÛ²›Žaî¨ÃŒÏìv-½¿äñõ…^ÿð&¼Ayý¢w\È‘zJÒ/ß!ÀE2é“òÀ€8è ˜—õ3>>3ǚプ¤õýD# XÁœþ‡w²Çû.r‚”¹O/Mÿ,Sy‡Êë¿£iïBeQ`÷Ã7Äâ.]§@KÞåØ8Èb\]@r¸ÌA]´Ïã#‹Ü?À)î5Ê»’pêþ<´ªd οÜT47•‡oÌ=DöïûP “A‰ó­r¢\ïÓô@Zkˆ”ô­•¥«¼a ¹î‘ûÁ-ÙºŒ +6ÿóc™´€LÚòLý™ô³]ò÷THάÑ<˜¤¦`÷ÃÕìâ•¿¬6BñäÐz> +Ȇs}Ûò÷€ì/w€‡\ö´D„dÒÄJà‚\ +²ðB±àà‚øÊMÓ<ý\ÖKf0çsIæ{ª$–fúi¨*K3®_¹±?ñÉgÏúKÿâ´ÿ›—N™rNŽã@Öó¼ÔÓþ€ÿ ETƒ¥ÿ½)ãendstream endobj 1119 0 obj << /Type /Page @@ -4256,17 +4247,19 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1143 0 obj << -/Length 2569 +/Length 2570 /Filter /FlateDecode >> stream -xÚÅËrÛ8òî¯ÐÁºÊBð"@ÎM“(YO%NÖÑnMm6J¤mÖR¤F¤’x¾~»Ñ DIìÙÖ> ôû1âð/F±a&•éȦšÅ\Ä£Åò‚àÛ» áaÆ=ÐxõëìâÕ[#F)K4£ÙýWÂx’ˆÑ,ÿ¦Ø`àÑ¿>ÞN¯Æ2æÑÛ›÷0JÇ2zý·É§ÙôŽ>úëÍíZIixýñöíÍ»ÜM®¬Žf7oiùnúvz7½}=½ú:ûíb:Û^yH–à -ïûÇÅ—¯|”u¿]p¦Ò$}‡œ‰4•£å…Ž‹µRýJuñùâï[„ƒ¯nkM‚3©Œ ðIËŸâ”%•ãÓålö©X5€•†%nÃPÙÝyñoÎe]äô³¬=;Þ¾¦‰TáGZücSÒdïµ›ÕªYwãfN“WR7+Ö­³  Þ²G}^TÅCÖIn½C»X—ó3ÞAXo½¯«¬m«¢õ;onÇ“7oîØäî2sÒãëð"‰í¾!ï©íÇ»›w7àŸ 8ÎЙJ6À;q8Ü®c ¢ãÀ}b,=n?Óøyz÷ÏéÝ%›þ>ùðéýô•£ÒÒô’†×·“þã%ãa×D%{N¥ø-«ÐÊɃ4ÏspÌ‚QâQò B$Ï"ç 8CpÏJX._ˆT¾ )Ý”±0Ò¾”yâ¼aº@D<é4†¤Ò—ä *UÌr{/üo»ú{p—ǧo@û8àòÓ~Ç>ªqOÓXàMt8Ö¤‰éIJØÆj/ Ãj’ùÑÙ£³ “GÅ zT›ÚM,EXè¾74¹oÖˇ×eënÜvÍÊïZÓ¸[È -S£¢›Õ£?S uÛ…”OA§œñâè}¼Ðn¿ˆjúø÷Á¯ÓÄùh椠N“ª¢çï¯y s™FD®fu~ˆz¹i=Îy2ŸUÓ–˜%©¥¶À{‘‚t"ü9­@ýƒä0Ä1ÓÂÊ¿€s»å”ª)®™1BžWµX€ ¤ä\]>f„2nHÃ$S:õ×6Uì5'Í÷ -œÖÙ²_D1ÅvuœÝìV‡Q174Î=Ð.‡ÊÉ)¡“V&ûj7©!gÐT£¬ª"¿@a\A¡*D0°z›-¶OËySµ„ô{Ù=b,×R:¢Ž±³¸2}Jf¨€Ú ÜPæaψDúáç"ZUÙ çž8ÇPœ`²†€ãž% _pºûÊí²¹±0ˆÐñqÆ1Ãô¢¡õ´8œd4\ÒàH^~¸ÐlºÕƃ>5šÔ…»ž ™i'áE¶ò[Âl’ Ú@œœ—‚Þ:ºMë)”À`ÐÞ}¡ƒ¨á0­ÜõµŽæÙâ?-¤U„ê›×èÞ:T-€‰ˆ^?À¹@­ì)é¶4¬C5ÓÙås§¡hRn=Ä3…”ËóŠ jÕ,³'bJ³Â¼1«ª'Ï‚Öj¾;Ùi§Z¤BP·©T¤÷Ë&/ÑÙC|…2ˆ¾?–®–€éâÑ×v©ô‘‹êçÊñ÷ ‚•õ Ú@GÎ¥ *E•ûsʼóç [¸îyÖ¢Jk.¢{·LÄ΢d‚IxG—È7ΠÀ?ð- W€ÇO„ìuô>™µÛ‚¸„ò3/ÁAU)1Ø)'ž¶!9ÓΈu –¯©a6Õæ ¥PåôMÐtRcwbüríDñåùýõks* ð@&N;^ ë1£·è›”ˆ£âG¶\UÅuàJ&aVjþOP5–üZ]ç<LH¡ aBlíÝÛ^ -Çn-\= -?%÷ÞJB­¬cÔÀ´ö¶ ãh±Y“ººê¾8o}s­Ö ¾íÞ݇ÓMÕ†Ìd4äÅ¢\f}s%hÿ-Žþ¤¸ÑÐâ*Ëó"h];c4‰O%íÖ(aI¹ÔëT°ÐoYYeóªÏ@}°À.ç¤åMÂúîŠ.›Œy(V(ñRö.;uOl/@#k¼Ð¢#äörÈÑtºS÷î˜Å*âödxo4ÆP&b~à0AwÄñ“ÄI•é­ÿGÐú9ÔDý×!"˜Ö²ÏÐ~ª­82—äÕ6«iÁL)cèhc~@^Üg¤\ðcð·Ål=p“2kRûœ©ªçLµ·e~ÍÆ -Õ±Úö“^âlÀEbã³…ݾ»<á ±MÓóÀ˜aò«ºéh’ÍÛ¦ÚtÎ’¥ðÖ ëC{ Õ‚;M¶qÁ÷tt @ɃÓ3m»0‡WãÇþlÌÑû4BG¬Dºo÷Î-K%±«ºÊºr^Ve÷DK˜Ó¬ÈÖUYxHl’¹X€Ë¡<Ù6ƒ/CQNH&m,†tÒ¶+±èÃi_&<Ô%uXa-ó`e—‹¬ëÓàD‚xȱk”ù>´ëtV¾u¾ß¨Û¶Ôɉ. ‡åÖO–p»ºP*@~îÉäg¿ãTUé³1OÏV…˜D@¢eÈ°9ÿ\ÿaâŠj щ"‘ ]Jôu!|¡Ö4.ùF+õ¬ÃßÒ—mDÀõO³»kZv}¤kZ}³'Ñä:Ôo˜ÀŸoí»®·ŸOËmÈŸãñ œ÷×ù ªàwœf>)äTgÅEŸJüVø%å@j¾§Ü,³^ßɸ~ôï­ö=W’m³(Ú¶og·åýÚå¹Ô…ívÎ0|@ÊÏqgÇðÝCàÿ£S( á…¬Cc8wcÓá‹äÑˤ´ Ó $—`Ý ÍS;¡ªÀˤ„º ¶&ö}¾`d‚ÙØôô{Ü~ŽäÞãú¸šû×zܸw»WÈ¢o<°/Šp¨"ÙÚÏ\†8ôŸmàdà~ןԙ„fý›&&ˆÙ±Ÿí¹išR¡'_>zÖì^úÀ¼{d×,*‘a m%é/åžoÍÑÍû—èã«ÿ»ÛŸøendstream +xÚÅËrÛ8òî¯ÐÁ¹ÊBð @rnGÉz*q²Žvkj39P"m³–"5"ÇóõÓ$J‚dg}Xûl4ÐïĀÿhÃL*ÓAœFLs¡óÅÜ÷÷gÂÁŒ<ШõëôìÍ;#)K4ƒé]WÂx’ˆÁ4ÿ:4L± ÀÀ‡ÿùt3¹I͇ï®?ÀL¨HËáÕ?ÆŸ§“[ú`è¯×7oi%¥áêÓÍ»ë÷ÿº_ÄÑpzý醖o'ï&·“›«ÉÅ·éog“éæÊ}²Wxß?Ͼ~ヨûíŒ3•&zð?8i*‹³H+¦#¥üJuöå쟄½¯vkM‚3©Œ ð)’!>é”%•åÓùtú©XÕƒ•†%܆[ ²%ºóâÎe]äô³¬;Þ]ÑD*ž0‡M„`©ÖÑ<¾‘ÒLodd@ œ÷Yÿ1k»bå$VVÍ&?º¢n˦þåb¤vîÃùûÉÍ”ÊáÔÉùm¹*æ]ù½Æá.K#Ù+0Âöå©î²¿l®¾…ã@…cÄîaÚ˜´QŒså¡WY}ïnY=8vOK·´‚¥Ãû¥ i"‡ákà Å”ˆýóf±(ê.€.žDJ8¸oÒ€ K3‰˜¥JÆÇHÜÁk$‹µQ}Íz¸n­RÀ¬kp4ÃùêB$Ã"ë +ZÏhh‹UY¸MÍÙ6k;™„€Vçs·¥{È:·¹®žh–—wrg•~ßÙÍ‚ÐÙüÁíq 3·5«i,A㲎3g!VyªG¥~ «À áE0ÇÔ1ÃYcìx†+È3‹¬-‘*œß5ÞÉÁZuÇå¶èZš!÷ðÓŸð#-þ¹.i²sNþøùÃd•£2¦é9 W7ãîã9ãa×D%;N¥ø=«ÐÊɃ4ÏspÈ‚QâQòB$O"§õ8CpÏJX._ˆT¾ )Ý”±02~) òÈyýt!ˆ,x:ˆR !I¥/ÉTªXÌã½|áÛåïÁm\NŒÖÇo@û8àrS¿cÕÈÓ4Š ð N¢p2¬I“x%1Ó±V½xyhqDr ?:}°–aò¨8AŠcSÛIL‘ºÇ†&wÍjÑ¢ó‰ÀáuÙªµ]³t»V4n×ß@²ÄÔÀ¨áµGõàÁhÕv!%ÁS(MÉxaD‰>O ¼nŠË]0ðê4±ÑF§GÚ ÇUE –"„ÄK:ŒŽÀ˜Õ¹ÿìQ/Ö­Ã9+BƳlÚs¤¥Œbà¼HA6=¾N'Pû 5LàZ³HÄò'pn¶S4Å#fŒ§M 0€”\«ÍÆŒPÆÎI˜d*J¾ù°†‘U;=ÀIóXc:Ó:[øE Ê:ÞBæ6ÛÕ~ÌFÌ 3´Í rrIèâ•É®ÒkLf4Ⱦ¬ï«"½hàn’xzÎCƴщøƒkž7U•­<ÞûÖª?¶O‹YSµôé±ìlœ7”‘ž-"Èñ ÷¸Ãü$,}NÛ–yAè3âá§ù²Êæ”a¤˜ÅY¶H…ŸLvõ›$ Ómn¿’!DÒuå8‚)& AÝ£"@F¿ÏÝæšV7Øšu·\w4jÖôµ.l†%É~qÉ–Åvï!c‡X' û>.•ÑfGàk4 N¸½, ³lþßRªBµÍI¦— +ï<ëP¥"|B®%jX°{@&¡`ˆÕ>2y Ùù±Ó|}‚ˆ!dNƒ’0U*>+a±I<À"{"n4K̳ªr¿­=Áx:Ý>”¶Ž€éüÁÕu0§¨€jD5ˆsä²_„ôÁʺWi çÒ”¢ÊÝ9eÞ¹sЩ÷,kQ#.†wn Dm &Á¼£Käk2¢Ú~ËÂàïÈ^?ï‚~"†2È×~Pzæ%¸§Ê!%[åijŽ8ÉY¤x|ÒÁ)Þdm°tM ‹ÓHï¥óªvòî9ÝŠñë¥Å×Kä÷·o̩Ϧ=!÷ÏY:®‡ï¬'zXüÈ˪¸ \É€b í²èT$¿T—yÈ S¦Ô +&Ħ äl/Ec·Ê涅Ÿ’;O,¡NVûªg Ê…FœÌ×+RW[ÙÀ‚õÍ—8O‡Ë¨o»·ÃÓuå6dÀØÞüÌ‹y¹È*úaÃÂÐðWA—-³‡RÈ_pò‚E‘ô©Ìïᘠ¤?äÎæöp¥õrI +0kFÊúXm#È‹»Œô +~l½?þŽ1M\Ť~ÒøÕVêíœ_ò°B 6m¤—øðŽX·Ì ÷N³g’G|3–¡iz:WÓïþ‰hX7M²YÛTëαÎpa½oê!¡ÆàI/4ßÊ Ði€%÷NÏ@¶un#ü²ŽþlLÎ}þ QC+‘îÚ=yd%±™ºÌºrVVe÷DK˜àÒ¬ÈVUY8Hìaã+ä¼Eœ0¹5ÑóP„ŠI¨Fz„ Ö¶+±Üé/îë’º„°–9°²ÎË‘'H0­“½Î܈°AXÛ ÑöŸm\¹–ùnƒnÓJ'/v¼ ìZ¯,Þ¶¡T˜~©ŸÀéw«!a±æéÉzH² Y6åŸë;Œ1ë1D&ŠB6l)ákøB-i\r V+9ø€ø[ú² ¸þyz{I˶tI«o7ód8¾ õÆðçÄ[»nëÍ—ãrë3äu<îòî:?¡ +nÇQ±aÖ“B>uRl1”æ‰{» +¿ ìIÍõ’›Eæõ‚íC_»žªïµ’l›yѶ¾Ý– ˆô+›ãR÷Õ?èœ`x”×qgËðíàÿ£CˆŽ|Z„ñÂIœö_"^$%¸À(Ĭ;a yj+Tx‘”PèØh×ß †¦” §Çßáv“$ûçkî^AèMpGàÎ=n_ ÿθg_âPE²•›Ù±ï?ÛÀÉÀÝ®¿¨# 3L'ü[&fˆÙ¡ŸõÜÀ®G1v‡dXBIºKÙg[spsÿ}xõ¿lç¡nendstream endobj 1142 0 obj << /Type /Page @@ -4295,16 +4288,16 @@ endobj /ProcSet [ /PDF /Text ] >> endobj 1150 0 obj << -/Length 1534 +/Length 1552 /Filter /FlateDecode >> stream -xÚ•XYÛ6~÷¯öI"Z¤î¤(°Ù$í¦AÑf7OId™¶…•EE¢Öq‹þ÷9¤|H9‹…†ä𛓜¡©ãÃuÒˆøA:I’ȧ‘Sìf¾³µßfÔð„Q@¢0`0±êEAJ¢”%Žw -òò~¶x2‡ù$ŽYäܯYq‘(cÎýê£{³ÍÉÛ¹Ç"ßMæŸïßâ®$iBÕ.$d„A¢7¼¼ýórgø¹ãEß–ò€£Qw劷¹,ðhH‚0f/NõƒTã9÷¨ïûîuQð®`d+*¼+;i¡'#YÌbƒ€g2sÜáî9M]D ‚^ûäGþõÍ»¾ô™šŠÝ\ór\ÏW+"XèîrYlq­:ÂÈm.qý zœ*ò‰Ž›¥¾1˜õ -‰º,ê|gD­E‹|ë^ö§:ô!Êzðà™Ù”’,Š0‚yU‰½W Y®NŠb†I»ó³ ¼d) ¢}éy; A}X«¤ƒt˜L( Rÿ,à²Ê‹‡­¨øT’”Ñ'*Û¼îÖÿc¼8$4MªéTä² Š22Hâ8s•koÕ¾$Ô6¤¡»/åVôÒT½„ó¯´Vf]ä&°o¥”’)²âæÌ*\¤¶ý†#5œßküÞþ…ß“ƒÆ;b¥£3ñª¹ƒ(pË¿9F \}ŒË‹! -¥+³gÅó©$¡$Í›ÀR ³>oŠP1/I†g6€Ãi™Î¡Õ1.W42…ÆQjæèv2÷bšÁ´+¥ÎÅ8ÞŒ7kzyÀ„ƒ£BãÐƇj Œê¶E‡6y+K sA,xe‚Ø »y-q¢k„Ðg¢i®)ß}%îÌŒ”pà d¾É˺“—qjèDçÇ›ÍסDQæ<}ÍwMÅÏ3d+öH(Ç5 o+Sfò¦±¤ŠÙs“ɨ:°ÀÇ:³X@|U®$*·ÕW©¢¾€ƒ„:4+$¯–bÓw5—ÝN൯¨}YUH-+Q< ùþÍ ÍhŠƒ®É þlêXY]öÛR•E*Ǩo!v;Q+Û´ŽÕ¤¬-¨kEZwŒ™’V?kÿÅOôß"}cz1f—뙚ÿ - t ÈX¦j·d¬§(;A¢qŠ“±™üïÅ<É ;xbÐ -¸d­¯ 5=e/1Aá ” nh=×ΙŖçÆgê’Ò¹Ðï–¼ýƒ­¼3ÿ~%úïè­a‚ŽL>;Ò vNKqØå3é„L*5š¦£²~ª¥Uý*±É2þd€o(u¬æ§ˆCºþ¤7éœélúGÔFÔ•¹w·«ºZ³o—wP,'ã¶.­W»Å)üw\:ŽG^ÎÍþž}“íðpáÝëLh0ôŠÆËXGR5jJi¡ë†¨;8 !ž 51”" ×xïp4° UH úºÂÂv.L¥šÚæfmÉy¢l]*´D}§î>5½*;oÒuK8襛¯7ØOSw'Ž5‡ÁÕ öN?Hp¿ÌÖjê ³}7µ½Láµ%HòBâ‚-€Ô=o°`©ãF²òиe Ü¢~hÑëw7¯ßÏ¡Û¿ŸjX’ÁKÅ6­«Ç²íC)Ò(=mÑÁUI˜š ¿(ŽÙëûáµÁK,N<8p\LñE‰«Ž¥þ8y]Ú ÞÉý¸<«¶#\}&dó³8„>-†ìÙ‘Y,€ä}WðVÑn€^4ýra¦ÖÜÅõ;oîEªtd™òYáÛòÔ²Å$’ȉá‘´š_f?ûÎ - |;óI¥‘³‡O‡9»ƒAšÚq5»›ý}4|ÀóŽ€c»•ai}™aRv­ÄX9ˆc’dôD¹Ñ;~à¹xßK$%ð×Kqö¥DDýn0%ͲxGüÉà4û|À²Ä)aq2Ê)ûÄXÜÿ¡EAendstream +xÚ•XYoÜ6~ß_!øI d¹"u'EÇIZ§AÑÆÎS’­–»+X+*:ì¸Eÿ{g8¤ör†¡!9üf8g¸Üñà;IÈ~öœ5ðíÌc~š„Î <8ÂÙϼ’ÄŽËÙÍìïÃÁ¼Åp|n> endobj 1159 0 obj << -/Length 3198 +/Length 3218 /Filter /FlateDecode >> stream -xÚ¥ZKsã6¾ûWè¶tÕˆ& ÷6Éxç0“kv7•ä‘°ÄŠÔòaGùõÛnP¤D—Sµö`hî¯T¸ -à?\ʼnŸdQ¶J3éÇA¯òÃM°ÚAß7!Y»Aëé¨ï67w“p•ùY%«ÍÓ„—ò¥ÂÕ¦øÕKýÈ¿ý}óÓÝÇ,˜Œ?Ž°Ç1ßÿøåóç šq”Ê—¡ŠxØûO–8%~$BÉcï7_>,± -aXÌ£~ âàãç/·ë(¼¯ŸþM­Çû/·qìýóþË#Œoa‚„ͽÿysÏcSÿ¤xß=À^,%sS¿ÿúåaó ½}ÿùÓãÇû/ïoSémà wts¿e:•{èo~ý=X þŸn_d*^½ÀKà‡Y­72~,…p”êæñæ#ÃI¯ºxaBH¢…‹”Ñ*”¾Ð9½É8ó#•Fî&o×a^¾o›¦§£êº Fgú¡ä6Ê÷©i/åÛ™öÙ´•­½!)&7¬Ö‘ò“4v¹Ï5N -Çé¡›þŽÞÊžŸ=MוÛÊÐ[ßг½UÞÀœÜ¥Á¦hÚFœLõ)¾’Ð&U³Þ†ÊƒóšbaÓ´/–!6õsIÃ냩yƒ( žMf&X@ž—%pè+Ò1˜B¢Î -÷퉅s4yùt*ë `Ï’ø-Š$3ðSÊ“Ñ´ÖýÂ’aègqì†8>«µ”8´È ÀîæØ—Mæ!#o³Ç[Qê度ÆÞTGl)¯<IFφººS×›·M>´e¢·í‰¦+Û“!‘®[%óÖ4 -wØ>n›?ÞÙÝÚΗ}™ï¹YVµªò€úƒ³PPx¬À‡p«Ð½3¤·ESs«|b­Ÿ*4wuôÌw¾Cٙ™§~ë’Õ ,‹¥ô†Î< ¶…÷dt?ØÙ†:­¦B]'Ø …+ýƒÔé½y¢'«9L²[ -OžÞ–•®¥6ôMdºL¡Í¡a¢f6šuSÛò¹¬ÌŽLâ,:R8P{ÆÝ‹JDêÀx=0\O­ÀHÊØ©»åx­ ý2'&ê'ÂÀû×my|cÝ°Û™ŽÁŠŽZ³‘t²óuÎOfIç³¼ìMíh#Vž ÓŽR4V9·í%›Ÿ”Ž^pr÷¤4k‘J?MƒÔ)OjÇýhFQ ðD;çùCŽw‚. U:_3ÙÞ<<«FÔbQ j„Æù¹„Àk«¿ŒYÊÂØÏ™æc X(çÃïžu{WëÃ"àÂ%ƒGr<ѨŒÐx2wÑ +ÅÒÏÒFÇEÔ"ÜC–ÎU™ÚÂÑ? dÊ|ÈÛLµ% -¢¿³æ«É´µ›7»Ñ»¡kïª&×Õݶ¬ùèë<-؆};&ôô¼’Q4Â5¹R¸ª0 Ò1 ÙwoölS'~~‹}Ö²c±F[n !0´±jXà‰Á]zÖßK‹Æ Î.õUFo„ðE¯yS䎢Æå^šöQm¦­NÔWÖn'4@·}™•æÄÕä}ÓžhÈ°à ›Ð»ä‚Íù*ˆ¦ŠêÔGøI˹yM‰£ÌW*Í&ÈŠ,ÒÈ;5páB*窠UTláÑñ JI=ªL­íãû•À쬽æVYçÕP˜Žƒÿ8õ{r«ðÎnØáŠÝ|I²'uOzÙ½ÑÉÝYfvƒÌþ†È”e˜•v/ |ÖEé¹4/ˆÑK"Î2?UYøW°B¨4Nl”¼žõa¸š ܈ìÖ&ß‚ ª p2ð6Þ/¸)¼ìç+FtvrCO]ügèú‹õžu5˜n\ÍJ'L,´ÅKÁ;Ÿªüf&­kãIá˜Qâ$ÚËš{-)Àk&α"*^s 3_œ…v,‹5 b9æLTrq:Ï›¡fàƒ|P¤Ž½V˜D‡Éâ¾Ö|L‚`û=¶Ïè¶*) -1žéX*’UE’gzGMkØG7ƒ¤þt,6«ÓR /aûYèö_/"NcÒÑðEKv$’¢¹²zåV ~¿ò$׈&²ÀYz×ëž÷kW©­ø`™²†.8¹}@ËHÅÉ…+Úk‚-Üaš²l[Ý–VáÀã µEbì! W¨·/Dq–€ñQ¦¼›´~LN­MŦ.(¬ñ6ò qæ‰ð -{· ƒ¬ÆNNø^€zÐ'ÍrÈq!¸¶fæqTŸz×]ZÁ Rp!¡s¸w…y¾ûÓ´ÍR„ ü43›%ˆg¦ÆŠeÕ‚­ ]BL #ä[ÌÄ”YÕì–l]`NΞâcÈÄÅhxw¦Ï):èËÃ’™*fêì/ SÂ1ð¹ - \RÿuÕ^åô‡:GÔz;@ø¹-›vjFÑ<ð–á+qsøà -“¿bR™3üAD*ɪW –/ÓÌù8•š—5ßôb^ TâpþO®Þ©sR¬PÉÓ·Á4ÈP7]¡(àssÞ£Ý54ÄuÌ/Wti@ø"‰Õ%\ñ¼a´ å}ý€¢1mÍ¿Qœ¤ÆmÝ•6x„ö%à;«¬Bï}Õ5,ª‹§ÙæSºÂù¦ /cåK%0Åæ×nFd€’ÑèŽß¸™õ8|!"@ã,õ ß3É¡a€×ôè*ýÌCGìŠÎ¾« u¦¡¤¡ùB!5¾®#¢à Æ~wáyK 1p»¤õ¶èÅ‚<‹Åª"‡ý@Ö}w[Pç–©ÝÇÎÆzV ®ØÆÎ^`OýŽÚî¨ÐÏ®ˆ“3R}5Y`ŧáù6AjÙwK†qù‰™¬SÁ¥!@¥‡…øò¼hpÎ/“ÏÖÿp®€»j~!Cc^(¯DØUŸÎ&çÎ-êpñ-~†þSÍdg}À8‹§Ý,q²U”`ÔzÙ2÷¼=ûf×êãÞåwØ­ØA)_o˜Ñ–×8]/C&ª`!,ä$ÎÙ0¬ôïê±BÜÑ Œß6?pñ‡mÈ⡳´*›È×05K|yþÐõ6¦fáhæ£ÁÂ2Χââè+ˆj}möG´oæDú ÌëÐ; QÒ6c—¡¯Z-#9WºÝ2¬]® -1q3×ÉǘŽ? ¼¯@á@Œå³ý…aè2±Q'1Zˆ´eæ‰pEÓúØTe~ZNãT$—Ò²†À­kÆ…«÷C0•@ö?/<6ã4 §‹ÇêmÓtL¶–ÏoÆ©W[ûãChã ûð鑇é^S˺ᄾˆàŠÃòb]² -R>Ý…€–p 7À*Çã×KÁL„â¸>³K¬fuK¬à µO–ÂFb¼ä®Jº«X;®+7yžK­¼©{Xß!ÈD)Ð4>-®=P&¢(r®v«mâÚ;Š±¶wqÀã°­\Œûb¶_ÇáøÕì#¸S6÷¡©?¨£òwÇiÜ­ˆk"Q'¾Élï>¾Ÿ“ùRšyžV_ßω +€-d®_E(>|úr»”¡ð¾~|ü7ž¾Ü†¡÷χ/OÀÜ ›{÷yõÀ¼± ÚÞw°KIÝÔï¿~y\ýLoßúøôøþáË»ÛX{«GxÃÝ<¬Žõ… +ýýæ—ßÄbêÿéFø*MÂÅ^„¤©\ìot¨üP+å(åÍÓÍ?£¯vêì=”É™‹Ôrh_iø8¾É0õeKw“·Ë@á廦®;:jVmhК®/xŒú}®›Ký¶¦y1MkukoH«Ñ ‰ÅR&~§Ê.÷©‚IIè¦'‘›~o©öŠŽ¨EK|‡ºm‹uiˆÚÕDmn¯¯ˆÆ—Ô‚eg´0ÛSû±p6G½ Žk63{V‘¦±c6ÕKAìÕÞT­ºèÛ¢ÚòÆv†åÈ‘œ@D~¢‡ ãÌWt¥_F"eöç¾Ê»¢®,³]t}ÂI‹¥JS_ ©Ë ðÓ0¤›l&/žOvOJ)»'HïW)5«$­ ?‘qÄ«-»™ ‘øÀùʱ¢ën ½&L¼Õ/ ʳŠ¾ïLy Q±?î^ ÚSÛ™=ñ·&;Ñ—5?e–ó!$ß®•Ä²³ó¡Z0ÓuýÇ;àb™H?†C9ÅP°:îŠ|G¶z,Ê’Fe±/ØØ­¢p°ÉöÙÖëŠGÅ3ûÄØÜùSKϼvÇÜ­ÙØЈ–F—*™Pœ«jX'jíõ­yîq'ZyÏ&ëz;ÛÐGkÇš/ ì,0•¯åÓ{ýLOv˜d·ž úZ¥Õ±¥Öôh¼Ì&3ûš‰‹ÉèQÕÕ¡)^ŠÒlÉcìéFÆjÎQbÆÚ$»P½ì9˜}B•Ö¡3+ñÚ$!1hœ#~V¨áýë6•ßXÛo·¦åÛ¥£Väªxíä:§'³¤óYŽ;S9Ú `Þ×eBVÓWŸsqHX±tl£«÷ÙµcíDZHœíÄ–ïGãìC©½b|Zoƒ§ù#ÛJþ¦¸·Ñ_Ê¢b2^¼¥ÔcϱËÉ接RHZý…s¥aê®×9æŒ@­|!…“wÿ’5÷U¶Ÿ Ãp·¦ëú}ä gs'bS¾^ Ò]˜$nú°Èb©¥„¤šÆá“2ÝÌÑd³ëA#‘Bþ >M[ºy“›¼ïÛ澬ó¬¼_}Aú—°OÇ„ŽžW:’‹aß6¿ªÐÀ,à„¾rqmœÙ0›q&›ÏÖÚOÑQÚ#X†–±W[óÛà‰µŒ< >g1Q i%Þ4°5¤Æ«‹ÒQոܱn¾…ƒìÁ4剾•Û 1dMWä}™ñN7$Õä]Ýœˆe@1ø®s7°XI2 { Î|”…¡ž&™×ŒX¦~’Äé(`¡!ÇÒ;ÕpáJ'œ“pT4Yã†'% z̧:&Ÿ‡÷+…ÙY»ŒGE•—ýÆ´Ì iãÔí(©Â;»>ˆÃÛé’äO>Úžö>pV£“»³Lü…ý cjšZ+ì^ÀølfÒKaŽšçT 0&NÒà¯Ä‚{»¸Yðzqy‚sDvkSfƒÁ¯BÈÒô€“i@-?ã¦ð +ð;_¢+°“kzf›ÿômw±ÞKVö¦V³Ú " +Q8UA¥ÖŽof4ºvžŽ)#§°^¶Ük…@Õ¸qbTœÁŸ©¯ÎJ;›%)bÎC?J¢‹—åyÝW8ä†Ôr¶ +bÑA4 q_+>¦@±"/-<“5eAð'@Ó²V4› +PÑ’îhh¿1`Rw:6ËӺװý4pû¯f#N<ñNø¢QpMK!ˆ+ÊWn%”ÜÅÿôtˆh*Ð{Ûeï×®RYõÁ2EŸàP”î!Z².RÑ.£°…;Œ1¯›¬)¬Á%z*‰ñ Yx‚v{$Šó„EiâýXÑû±bEÕ&1Dñƒ©6„f€ß>g™^aïTÚìwTçнuŸˆ›õ$Ðã.­rÂ< æSmÛK/˜V&B—pï7æåþOÓÔsAùq:tæB $³d@eVT¾Bí2Ä„b”~K˜ +ëíœob +ñ¸¸’zCy®Ç»7]Nè +ösnš(tSw`€M)?ˆ£ä¸JÿëÌ^ú¸ò| |nŠº»‘œâm¤ÏÂåTø +£¿âR©s<ªOî¨@üEëÍË 0ïÐz¨g’3\T$\í»¡R +,LpGÊwYµ5Žn#¨¥C|4mKtê˜q_o +dʳŽË4ÐÜæÐ  J05¥Ã©§XEªðÕúr¯NXUç®Gaý;¸Îù@*<HE씼–¥0œ’5Ú÷nK[Š*Ö…áS±áž|²G§XËë¸ÊH9–U¼8­Šû:@96Eg0r‰ÐûXw†Ô ?‚ÓIXG†³õ¹|­£µ/’0|ÛÐä¹s9Â(½%é³FÀÙò“\FBq>T’@µZåЫ$5·ÐRR³ÓøkCŸ2êu1úµ_ +kY2(ëa@I¢íš"ï\q±S©8™*ëP7];ífŒÿºŸA‚±VäfÆe+€¾ŒTÂÁEqhy9÷›¬ãež\¯çÍá;ö*(.ò\/+ÞÆÉGjÏòqüœålìøÖîê¾ÜÐxÍSIO%sØþžn©Ã=VDP +N8£ü„(ŸŒRF»‚oÁ’Ë®ÈÑfÉT1˜ÔÞ¦æ÷AX ,-‘ÖYKÐS‘O¥®‡„ÇÏDÈ6¾sžDH×õp€cWVU|‡¿Lå\>f#Íá1ä¯y“e1°j[h¼¶ôLš'pˆ%LGåš ¡w Iþ ¢ín…É«-ÓØ×qê2¥ú¸ä{ž­ +’$rQþOnÙ%çþ¤‚ BýI$ïM·«7¼ ¦CËtí7 @rÌÍy–»­‰Å}˜^®èŠ€Xø* +“Ë`ÅóúÁ#ïë{TmˆEkþPR2lËdma¡#ŒŸ©üÞZkÅ軲­YÝu7l5s"ž'›é +§›6¼ŒÕ/õ½²ƒWoF¥#åŒß¸™åÀ>S Q8ãõ¼)N4 „šÃ{F¶Ì^˜uˆ\òœi°VgPÚžC4 ¨öŽ¤ñ_è4ö§œ·´Ï7sVoÞ2¤#CðXl%2èrÖux·ú¸fj;àïÐùx¨F¦ÁmÚÐù+ì©ïh<´³ÕÐÎÖã3Ò'jnψâÓð|[ž…ø»K;ÀeP–˜8€`›—ŽUTÖÏ Ëó¢â\]F? ØìÓ¹&=¸iÏ/ÀЙgzê0ì(aͧµ¥¹KŠY ã›y†˜ PÇdk“ÀÀ‹-ScÛŠV’í¡ˆÁèeÍÒóætèêm“v®ºÃÏY;¨°àë Zó{“Uó!M0 I›åì¶÷·ÕÐn‰ ÑÛêéñîx#ÛŠ<>Öd#ýZLM#_ë ¿SÓ`póÁaa—TqqÌDµ¹6û#Ú7s¢A¾Žx{tJÚfèêó†Vˆ–—?dÍØ–aër=ˆQšÜ¤cZþ=à] j,^ ì/W‡ 6‰0jgëÔ‘r-RÓòP—E~š/ÃXE—Ú²ŽÀƒµ:Æ×å(Aí?mœ<Õ{Ë +–Zttâ‘~Ý2™<'õšQ2òÿ!Ž¡EòÕnèÃûOÌ‘u(‡¿¶ý +⌨‘ûé&@²’¢!¿0ÿr.Z°•0 Oí +Û˜‡¬!Qð†yÚ''áÜ œ•Ü-iwK +Ûp‡eiàÏsi”×UëQ¬Áw@—¨šÆ§Åµ{*A‚ìÊ5M€` M]'F54õ.xè×¥·G³¾ø­Ž_N~wvæ~Xª†Ÿ×ÑùwÆ1`îG€9;óú¯ýøøÇ3 †–Àÿý7ç?Ñ€ó“Džÿ¼`ZK'¾N@o +õ%W;w¬p½õÿ 0 Nendstream endobj 1158 0 obj << /Type /Page @@ -4495,22 +4491,20 @@ endobj /ProcSet [ /PDF ] >> endobj 1184 0 obj << -/Length 2589 +/Length 2580 /Filter /FlateDecode >> stream -xÚ}YKsã8¾÷¯È­•ªØ­§%í-qú‘îI6§wªvg´ÄØÜH¢Z”’öüúPVÜš©LâA‚øT‚3þ‚³,YúQŸ¥y¼Lü 9+êwþÙxŸß,'Ñ2‰£&3ÜEeË$ Ó³Åt‘«Çw>ÅáYè/W«09{|÷Z¥é2L²³Çò?ÞeÛʦT?Ïaâ{—çÿ}üJjñ2ÍÒÕ|Ø"]Æ«t5Õ(¤…ƒxÅ«…WÉ2ŽÒ”„—Áù"ð}Xºxnôk%ˬeÓO”ƒež$N9Š–A”Nù¨N^uJ>Ñð‹2½î4ÑLì÷’×wˆ¦dÕ›»kÞ4:Ë—ù*\ñž!œÎÙàªßëa·(çå`ðGÆ°Gyø~X(Q!…xÛóÀ“;Õ4ªÙÅZ3U¿ÖµP ïDÍÔÍÁô²f•¢º7ho”yN>È3ÞèUõ§vµÃ¶R…è•nÆ­áŒx*ò+yòáÓ{yè_Ј={…¦mq±#Gvä5ò•(ÆY ÄWaˆXJStjkmºµÈ`sD#¢Dh«dYH$Ž R¢åù" -}ï“5E×ã*1[£I(©µ?±¾9iHñ{¸?ÏCﲑ=dNC¼ß'-\màÔ–„KÓo)ï Nï¦éeK€r@ì­,lÜp,XCšÞž'è7ü•?[Ù)Ìp -ŸÜf¥|‘•nm¢Ø%È°Äzyæ4¨Aöƒ(K2Ü«­RÏ{‰áŒ¿‚;Ѫ²:Ð,Oƒ8.ÊWž­m¢"8ç«îžYºyQ„qY­ï“Ù6Œ3 ö*Ç$ŠSïµS}/šP˜a`sÕì%Oó1¦4ê÷¢§Q­K…ÍÉR6Â@w -nZÆ™Wêb+áþõ†(6QìâÖ­†ƒ²¢ª)öúå?§ÞÞ -ƒÆ7¹(狆ôù¨`ž¬À5i’ÓÕBbàG1¸ Ï¢…»ò¨ŒWÞ,Öº)d‹–¢¸u 2?‰BUªWÒ\¦ ÑrQÌ.X>¹˜³zºY­x³›º­ä$ £(áEAdÓÊÂú—ƒ¶EÆ1Œ(? 2GuwPÆ:‰¦¾°ê¥!ÒÐÂÎsɲWŞѹªNðZ½1Ü°Ø¢|o;¨ -Ó-œ/W~N¥é‘@+µ Ý™ž&cè æAÊ0£!$†‘‘Ý ==‹.¹W€ajͯn® ]”pšë cvbs:Zd,º=Ðï½*ÝêâY´²ï”!=ˆ™ÐŽW•¤èªÉÇ5êtk¡O„Z{ÕHCr•†øÒ)2Ï^­Ä• |oœÙ¨þÀ«?‘ÀF ÓñžkQ)°®Qâ=ÛzÓÀ¼Í…B-欗Ma-‰sÐ1½ê‡ž#ˆ˜ü}³^ÜlnaQ†qÖ{¸!1Ba0<ð,\½çl¸s€EKOÍÂZ¢Úq#Xnqw³Æ–$qI?cÊqôg2ÕwXgý¤‘sñÅ4ÿ~%»gYÉÍ\¡•|Õv‰M ¹)­€¼ØI^Ú¦’ÇÉњGâÉž3 -r›b–4‡ßÐÂiý€â ¿»N”á£ÂõJ‹‹–g“~)Y`ð&YÆEÂIz¼UÖºnÊc S§Èûž(Ÿ'N)±Ö›‡Ï|·@Â2“ÝßFV«c°ðˆØ‰­á•Å8°8#»Ž$"ÓÀ»ö -ûs„Oà]‹UóAívjåZ nt³ƒœihöoè¸I ¥$š=ËÊU~ @Üze ?P]/ší1â„´½5ž(‚Ø>1,P£Á@­•rÍ+4ÒvEB?õ¯“J”ºûJ¸8V„R7ò-ò?ˆªÝÓp-êv+«Šú&_T3w’ë¡©Dk ì¥Á ½O/¸`~ü1¨ë$‰¬¹ÝÓZBÕɈKÔJ‚`>µÔÁñÅ„ÃûY'ô©[’(‘Òü i.fôx»¡÷„º˜à(¡í‰’‚/bhÑnEs ¦ÆDüVêÖ¦EeX«Ð Ïí@Õ ´\âL -·Úì!`•CG]ŠS§‰v@¯þì°B›òs¡øjðÔl–3€¼N(ìLüÌ( ±³ÈÛÔZ÷ÄZ‹®ZܪºôªbÍ[õ,‰{; Æ°ÒWUñªÒš‡Ôj¡à¨²)ö|ýŸØ‘‡Ù_Þ ,²A\¤qZB•¶FþÀ?š÷°MåàsËDÚGß8×+sò’þç’˜L—,¹÷rDM˜ÅËœo-g)øÌÇá$aÆÛKjË‘BFæÓ›¿½ ùéMÈ-6úÕqëVü8Ž-ÆÎäídîbxr —gPà ª~*z߶U qýP“–§ãEDÁÀ›g”AÙ¦ÄZx5 -û9»¾Ï„«¿ìOaÅíàMhðÌ=hp¹,ñî÷ª¢ÑeUƒ·ŒE?x>è­ìÐoÙÊûXýÉÔËÊ‚ˆ_ þ&Ñ; ¶À.µU½S¹ê£Ž”ÅþX p½†Ÿ¯¯lä±hŽÌ°Þsô›ÙvÒ؈ՅÚÞšJÁoªÆwUU)Ë ±šõ{]•Ä¾ö«Í„rÏêŸ{ù±ŒˆN¸E/êH€üm€HŒÕ *GÇŒ/_¬ð»Í€†8`’Ïù -Õ™õ®5s“¯j×û?cµ„·G«žöÃNV'÷΢ù›Ûeñ›F)‰½_!1©¥š§™Ñã÷&äÙXcfÓô£-í槑½Ë‚_¤ŸIå²é Ýª¬åÚ—ù‡Cåû—rhëÚÝ¿†ÀÑ ÌÀlRw`{tAD Ýp /i¾/’„¶Ò^a qí,B€Á›®]†tª¡08¶ý8Û¼m@a­Os;àÜîz5Xð÷ù3_eÕ -€POä­¤ï0tŸ2Tiƒ’6xødÚ¬­Ëï)IJUIÌäB/F͉§mYJ!zzKKÁ§ða.Ncbº—­?Mœž"øäíä‰>¨ -Ü©‰’KÒ‹Ëæé—^W_NØEàé­à5‚à ÐCäú,CóT ®‰V>ß, ¾ˆÀÅ",ÆŸÑïkSçªÁ­qAë|”¹.u¯U÷Ž åŒ;]>þuùÓi³Ûª)Õ$ E˜ñ¢0Ø4*·þ%ààm1fé4`gêî*à˜ƒ®¾´êEG¤¡q;ö:ßó*e9—2#\ë3Ã;ÆðBùÞvÐ%$¦[$[®üŒ*ÓaVb1ºízšœBƒm.,À¨ ˆaÔ©öŽžDž—ÌËÁL´ĺû‹‚‹ëd%L&¹3dÇ6§Å"eÑí‘~äPÒèÎäße£úVw¤‡ø0—…ýB1ù°&Â"iºEè¡’ù^ת#¹Ò@|é©g¯Vì*¾ÕÎÜéþÈ«?“ÀÆ ÓòžkYj°®Öò-Ûz[üÍ…\/æ¬Wun-‰2ÐézÝ=G!ùÛf½¸ÝÜÀ¢ á 6·$F †ž…«·œ ÷#`Ù¥§æa­Pí´,·¸¿]ãFK’¸¢Ÿ1å8ú3Yiq[ÖY?iä\ŒwQÄœÿ@¿VíwUª#Í\ý U|9T¶‘ˆ}ìIÈHi$äÅNñÒ6Å<¦N:cx$Ÿí9`ú–·•sqØð œÖ(Îð»ke1>ú!\ß¡`\žMø¥dÁY²Œ‹„“ô8Ww#_tAÌG½Û•x¨UÂWˆSï gjšýn¨d¡ˆfÏrÈ +Û¨‘¶êÕµò¯3¢9Eœ¶W²Â ˆí3ÃBb zè¬ôØ q± ‘©°+æ¹?L*Qâî+áâX +S«sä”e³§áZVÍV•%õU½ÌWñ›¡.ec ì¥Á'Þéž õ½?Ý`$‘5·;cZ+¨£æ¨q‰@I̧Ž:8=˜0cx?ë„€"0uKr¢Åâ"’Bš!!çôt»¡„ºã(¦í‰’`'AU”õ‘˜ ñe›>@–eÇZ¹©¡xnªn÷} Â&…;mö°Š¡ånì4ÑhÕÿû#Ò@ÊÏ…â+¨ÁK³FXNòZ©acâ·`FAˆ +oSÓk-Ûrq§{hÒË’5ïôwEÜ»aè:Vú¢+"^—ÆðZ-U6ù’¯ÿœµ +Ó¿¼XT¸Hâ´„*7l;õc”üfÞÃ6¥ƒÏ-iG}å\/»Wé.Y` YÀtÉ’y/'Ô„Y´ÌøæÑr–‚¯|N@f¼½²Mº¥‘Ùô&dç7!{}2 ‡µ98nÕȧ±ÅØ™¼¬ÂC ¸F-œ Ôx‚êŸÚ†>¶À]GÒmÒpà.¢œ4Ï‚` ›7ðh”ø5'9»¾—ß WyÿϬH­n®ŸÃXg¥±÷°×%®Ê +|ÕYìƒÇç£Ùª½–®¼åŸL½*-D€øµä½ÓàÖ.µÕ½S¹n£ŽRùþT p½šß®6²XÖ'æ‘ Xï9öõl3ÙÙû‡µ…šÞŠ +ÁoºÂWUYjË ±–õ{SÄ~ö“Í3rÏê{õ±ˆÈVºE¯jêG€üu€8Œµ êFËŒÏ߬ð»M0Éçl…ÚÌz7†¹¿©ƒžÇõ¾ÅoXƒàßíÑÊçý°Så»W·Î‚b÷7wM¤‰»k8IíÅ +iH ¼É:3~gBžmÓIJùÖtÈÊNÁ¦‹$.ûs:ä4ÐA»Îu#Kšº¦eþ¹ÐCÑ~ÏÚêr™ÿ×àè9˜MªMÙó b˜š+wAó½|Q$´Uöñ4®ŠEÈñ08ëÕPãHtªœ085û8Ûœ·  ÿÅ\ø!½,äûümO@1토§'òVÙ¢…C÷C6r i#‡¥ÍÚºQžâ‹![¼LÎÍbô>:º{åi[Œ¸¾fKKÆðq.NcBº÷¬?Mœ¾ÆíÉWÙÉÃ|AD®–} áºRà5ðvkû Û/†4´9!ÜWS ¸8ìuCú$ دµ¥ &ù©Ê`BázäWKÎ]íÜÜq}v­+ô~„zDݹûê¡RüVèœË + 5@oeõæÃÓø‡÷çßóÅ쟜Èâ$Cw˜~aþj™†YâBó“àõnã_1~Ýîÿ®pÏendstream endobj 1183 0 obj << /Type /Page @@ -5081,7 +5075,7 @@ endobj stream xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä0 00Ì ÝÝÝÝ’‚R"‚´t ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü ¬‡¹rðpr‹ t´P(ÐWç…C­fL9g0ЇÉ]Á¢#°5@ ðòxDDD0rp'/gˆ­+€ù‘ƒ…ý_–ß.+¯ ‘.[€ññà …;9‚a®ÿã@=0àjØ@ `€œ–¶‰Š¦€YIÓ †P€¶›¨C@`˜ ˜`w@ÿ:@p˜5ä÷Õ\8¹d\@€‹y {‚ÀN¿!v€ØÙââòø €¸l0×ǸÂêfý[À£ÝþG“3üÑÃñ{$Ó†»¸º€œ!N®€Ç¬ÚòŠétµºþÎíy„p›GOk8Èí÷•þ`4¨+s¸‚=]粬!.NP ×cîG2'gÈn.˜í¿°œÁ¶@gk(ØÅå‘æ‘ûwuþuOÀ¹=ÐÉ êõ'þÇëŸ ®.`¨ '&ïcNëcn[ “ë÷¨¨Àlàî¿ìÖnNÿÀÜÁÎ -Äü{fXE­á0¨ÀlƒÉ¥ w}L `þŸu™ó?×äÿ@‹ÿ# þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù €¸(B<ÁÖÚWÀ}¬Ô»Ìì …ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.5ccE¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:# ¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4 +Äü{fXE­á0¨ÀlƒÉ¥ w}L `þŸu™ó?×äÿ@‹ÿ# þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù €¸(B<ÁÖÚWÀ}¬Ô»Ìì …ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.cY}Y¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:# ¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4 0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì a.ÌÁAb¡ö™9Y® Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"› rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý %õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3 @@ -5104,7 +5098,7 @@ $O t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐ oQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ ¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ° gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd ÞyŠGÝ ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’ ¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý @¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š” ™v_Å [ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y ê<‹ý¹uÓ Z/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§ Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í; ¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.òY[a-³ZyÏ•px9ÝØÜ>穾„»*|,4°ç Žð=Ï añŽ©{ZwLVqžCÅo, H;ç_7Gg[åGx d½DŽ…*~ÂJSÛ/ *ûÎÔF‹µëújQ‹jw Ý]_-Òq;Œ,1t³õ2ߥÆíËòê{:Ö§Ùo$<×ð¬žôôJ©Àëóüλì„b›F=ÍçåcT”u;ÐuË›÷#³»Z1q“ÒYÖgHŠ^fiyv|‰¢,PkŠA±¢FH£s^…EËRôƇnQWEÛt%Ú·y3™{æÈŒõFbKã<%Æ)â"-L+{墒zS'“#é²ÊòZÃ+•÷U­Á׎#Ç©ÃCcæHŸ,êä;÷=íÏô .óYäg:¯jÔn¹¶Æô×êS:c¤¬UºW¹Þ/Ëf¹ŠšcO¥ÛøŒM¯lD‰Á¦9²ú:­ÈùÈßÛ˜ìÑËr6½õx§ç±2ú]úS¹‘ p7O¼,j1îöÐËÚ{ž$ªS7O–xYŽróæs÷â»ì(è˜Ýš‹ÏD‚@§­Y#žC²L%¯íáž›1A•Ã¸©3¾~M+ÖAîDí>¤¶¯cãµã-Nˆ¥”ûÚÔß ÄÖtzâ"¹tãØ'>(˜“”hSðÕœM]ˆÎÛ…0ìŽ ñâSPÓKD³—dOj nÌó®|KHtÞ‘Ñ+㢟S'÷@6„iõ“¨C,÷ág3B½žpÖáΡÄêφÖÑn‰Ü;ɦc“ _7T,Q1çTiHøBÕWL8­¡¾  ,œ²£.±ß u2†)¶=–Oš ¹ÿêÚ´­Ùê², Aq¨¿râ^T!1í¢ëç2)áN\§‹¬‚)æÄËR…Ëbž÷ž6Cb5ü´çêÞ›Ô;ð¶¹mH“üÅL¸^Ȭü¤Ý¸Ê {>«m@Ë›ðzéN‹›´×»ÔÌÃBÿ]¬—š@)õp[jÊâá…6붡²BSHQøר.öØ«N÷Ž`ðG¿§zŽ^n)?ìû±«892ÉÿxÈÌÄ÷Ù%¼­Ø3ÕÎZJðô]\ÿ^¸Äé„SXA㣅¸r}[(â0Ò@¥elöÉmi¶ö­EWÕ9úQѲ´ˆC¶Û¯µAñ=°g>MF{Q’= †*Ëk¨+™×Øõµk¤i@ïħÕW:x<›ó"Í}<=<²šC½Q¤4Æð÷i©UµSöA-ÒiMÛk×qnñÔÆèO“¦R<)D¾€÷/ÇT#î¡ÍM© Æ$ÖžåÔ3³Ð¿Á¢\ç{Uª÷Þ<UW=ˆ$®&<ƒªZ€0óØÒgÒR*¹ÉÒO¦1‘'£ùŽŠj*5wË-·‰ûùT j4ÝióÍu``òh߯µ“K…ݻʔÑk‡‡A›”ôÈÔDôìtk¯ö2ÅÛö÷ú—¨§$ÌöZ¥ï@Î^ùÝêõ^E~§”Üúí¨u4߉<*ôŽ±§¸KJßùy/žn•C*}…ÃåLgI£J·8jŽ[“Þ³ ”ØT7%JÈOïä,Á!ØžÈ+ÌÁ¯f—ÉȘs‡h`Úq¢O”1£<ƒ3(©dØOfBOŸ º'"p=Q£B¿âäpJ}ÝØü™ŸZ®¤!p{òëÈa}÷qÑ¥³äƒ£DKXôžòxÇ(žÏÑã ©¨“{ÏçÉšj¿dqX·ã·ŸP¦Üv£ä£Ï€³i¬¾AÕ;³@øyŠ*œoLœOœÕøë…ú¾›ºxOÛÝËc -@YšUʳªø;žBiäMÖð.•\rž;ùU´¾Rø'î…ç)眄š˜ …@ƒi/_ A®ÉéÙêr«0áFx<×Er;¾zÇ´UÏšøSÂö²Ù„.¥mô÷Œhâæ¨É2Ø’ç/{I;õŠjÑm÷¬ -*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû ΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt ]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ  tv…;0ÿFdõ·endstream +*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû ΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt ]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ  tv…;0ÿüÚõ¦endstream endobj 1163 0 obj << /Type /Font @@ -5113,14 +5107,14 @@ endobj /FirstChar 67 /LastChar 85 /Widths 1321 0 R -/BaseFont /KXEYXF+URWPalladioL-Bold-Slant_167 +/BaseFont /XYEBTB+URWPalladioL-Bold-Slant_167 /FontDescriptor 1161 0 R >> endobj 1161 0 obj << /Ascent 708 /CapHeight 672 /Descent -266 -/FontName /KXEYXF+URWPalladioL-Bold-Slant_167 +/FontName /XYEBTB+URWPalladioL-Bold-Slant_167 /ItalicAngle -9 /StemV 123 /XHeight 471 @@ -5136,22 +5130,21 @@ endobj /Length1 771 /Length2 1151 /Length3 532 -/Length 1712 +/Length 1711 /Filter /FlateDecode >> stream -xÚíRkTSW‘ª¡¬òRIÕzX%2yj   B,žò˜{CnIH@Ä•TeYÄF—ì?ØS1ç˜4 Gt ‘Íd³9$‘ÜïNÉÓš‰Q!hàò|€Çåz -9DdÄ@PÖXG*f1QŒ ¯Ò™\ ÄpÊä¿ú°K gfN¢o.`¥MÎéÞ$öקa:c0¸<²{¥/àóع"*´8£ÄÔø½‹•é) ë`ÅrSømýtßéíµyâê®cöôÌ…¦#[;Îo;eòc÷ù¹\Ç›~Š†?úÍy›ó§Èq§Ò‘ˆoX’×O=-Ê1d¬m½ÎfG7zå~Ù¬‡Šá¤”—ËÛÛ>ÐÜqϲؚÑäýðgÏgw³ÎÛ×GÞçð«¨#E3koÝ|õ$/}Sg¿ÅákÈs¨”’\~&r/ûÏ»ÅW'„aÕ˜¥æòü¤ýÏ\_[¨mwzÒo;šÆr©Ý “ÿË9lºN9ÐIáH_l‰/¬– g/ô¹[a6ú{˜âZš#¤¿Îì¦ =Lï÷H -rKÃã$1£ ŽUº(j¨ýÃj¨¶pCÛúVMz±ÐÚ°¶À%½¡‹ë_ÂÉhÚK[—:þŠöÛ’3Ÿ&¿xÑ÷ü‘ÚúPað°q?1#ÎÛ÷@`–—÷0½ƒMµ¿ö…Ù#A®úê! - ïsXel×ü=p §eL -â7òÝnýÂÓ¥܎köUüMºÞûÛfóž$±ÎFp ýx êÑ¿.µpSBƒûRÏFßò¾\×x¡:ĵ®pf²¹94´zIól¬w0h¾G€ëB¿¹N¢$k4Pí²\ìÑ?PËqáMŒ/:.ô9ØóÒoè§ÒsÓÈŸEyöC[¤ïb>ˆ^nðýÕî|D]ª¾Ë·î¤ùÇyËöAÑ9ŒµûÒ×FÔn×è æì=&hxı«È9÷TÔüƒ²/õ^›ž-§·Ó6\©{L8G½¨Jeâ g[ÛPµž7dqÏ~²ç—”öº'àȺC5†Ý›>¾µrÑŽ ¡Ã@ï €š!þ¼4ïÍÖÑÞ0­ƒ³¸¹#Ñ‚Þ;fºóc?"Ürî³ÖÓ?þ›¥­Ôú ÿ[µ–ÁuVFØêï"Û ÔR¥©s£AnÖËAò4/‹»Yêú½ä©;jnÉ0n%h‡_¬.eåY{Wòñ "Ǫ„¨l©ä´z¹ÍŒ;3Çž”º[Ÿá›^ ç7Vì‚oWF­­œð¿Û=¡Íw½2RÔùË™R¥ôM¢loê|e¶^×5/»¹»lS….˜áµõÌ'†/¹_66m¶™‡¯‘DAßÙª:¶_w½ë¨ál‰è¸ÏÆwؽŸ[´šJý 5.­Óí¯/³öÝy);æÃBó]¯X÷2qékÛ„Øú¡Ûò¤Ã\¡K“¢©Á¸çbU‰ãDZê`¼,º@Ñ~;eËêai}ã‰Ý;8‡T9%Ýs [f-ܹùg·Ç˲d•_¯8Ï/ÈŠ=Êëœó½çâb¥äž*×L»'î ÏyøÃÐ{ö!£KžÄ5¾°ªúÎøV”H†¯t‰nµí¡Õu«›kÊ -÷HçÖºlx/ÌépÇá5'ÿÝ%¼ÏÚǩˈ—¯O-wûVŸZÌ é1> -k̆Ð#­Xˆãš¾&—ö@f~¾¨,¨ûÆ®UJcçõòü_ÐY#u¢½zÿNL>+ }¾X`7ëþGW>ÿ.µ†?8vAÜš|­÷Ëѵ;ù/-É,zr1CN¬êáͳl|šu¸ šZ7Àþåÿþ' -(Ô°'0O§üt¯Œ³endstream +xÚíRiTSבª¡¬2©¤j=,Œ)In4„„†9B £ soÈ-ɽôrIˆ8P¡*Ë"6ºd¥Âª"P”ZbZÀ‰´ŠP²©Z§^°®®ÒŸïýzëóçìogïï|g3\"¤"߀ãé± !HÄPg‡Æ`ˆŒDq,PF"B ž`¥F¸Ë‡/ä-òø4ÀÓtš¢$[s‚Ä"5B r$2R‰¨©r™ +Hq9Š:©T`íÄt°IGˆ fÑ À¨œ£±'4‰1øo`X“ö6•é”(à6)“ (‘0Ž©tF4ö*œê†PZþ²¦Ö¨T«dê‰ò“Ný+/S£*Ý_ \¦!Hp!°©Ôä8 £õÔ¬˜”©P¹KQ!ÀZÎâ,ƒ£éÁ¨#PR® +™*™Ä žª„òoR;”AocJyŠ ZDN3ÝÀåÞ[>Þ{j[MNPUçQkfú|Ãá-í綞4x³†z½®?F"üa¿Õþcô˜]ÉpØWlXÁ룟eõRöÖ{£­³bŸtÆùPBÒ´Kem­ï©l¿kZhNktð“ëÓ;ç¬ëÂïAüJúpÁôš›7^>ÎIÝØÑg²ùv,¡%–߃Dÿz§èÊøý¼ +7U_š›°ï©ã+½õvwê-[ƒ °LbuÝàób‡©UôwРý© M±¥‚•RáÌùž×¢Ë Àâ}C¬osS˜ä÷™]LÁ€‹áÝnq^vIhŒ8jdÞÑ +yÍ<•OH5Ý©o]×¢öÅ.ä›ë×ä9¤Öwr}Š¡´Æ=ŒµÉc/,Ú1ýIâóç½Ï^Ò[Èõ.ÎǧŸ{í÷Ëpsb¶sèÖW?3ºÄÉ”_Ü%E~¡½6+ +ÛÔ?øõg5J@¬àz®Ó#Ÿ¹š¸´{Â1õÞò%ëÜ¿n2îNÒZâ.bõW>üíbKá~nRp@|oò™È›î—jÎW:ÖæOO46W-jš‰÷ øÏuñuœï=ÛN”`Žʦ ÝÚ¢ûʳY¼ñ±Ç„žº_xþXel>ì¹ Çzpó¼Ô¬û‘Kõ^¿[ «MÖuzÕž0~?gÉ^82ËcÍÞÔc5a5ÛÔºG‚Y{Ž +êBVåYgŸˆš¾S”E Î-lãÓ¥Ì6Æú˵H»¢ˆç•É,"ÎïLK+F`æãcú î™ÕëyÞ )¯º}¯=X­ßµñÁ£›Ël_OÚô÷ èiAŸ–ä¼Þ2Ò¢±±jj7awn߇ +6Ÿ=h¯qõ‰ýj±o ½îü/£+Öxpí‘zŽ*νÀ²œ7Wªk°“ù’¿,ÅÍäl”8~+~âŒ›Ó +·“ŒC/OT•D³sÌ=+Nzºá£•BLºX|JµÔbÚíé£KœÍO‰M®†òÊwÂ~·*"ÖTŒûÜé×ä:^.èøùô2‰Bò:^º'y®"S§íœ“ÙÔU:Ï®\àá¶åôjýçÜ/N6n²˜C¬GÀßX*Û·]s¼m«†6Ç´ÜgGb;ò¬ÞÍ.XI§‚.®Õî« -5÷Ùq13êý|ã·hçÒ ’W–qÑuƒí–e ‡¸B‡Fyc}áî •Å¶E«ˆÒÈ1XT} ånPOhÖ3¿ïރ߱Yô8挡 ÿ¹YÙ{Ú«¼X> endobj 1136 0 obj << /Ascent 694 /CapHeight 683 /Descent -194 -/FontName /ILPSXS+CMMI10 +/FontName /LGOXXV+CMMI10 /ItalicAngle -14.04 /StemV 72 /XHeight 431 @@ -5191,41 +5184,34 @@ endobj /Filter /FlateDecode >> stream -xÚíwgPTݶ-’$)¹ɱ‰’sRrƒ(Qèn ¡é†î&JÎ’³$%JÎ*9J’“d‰‚dúÝsέï_÷ž_¯Þ®ÚU{Í9טcÎ1תÚì,z ~EÒª†D`øBR˜£µ d…ÐâWBÂ!€£;»2 -j…!*V¨À -¨@ÁaaPRR’ˆ Œtò@Álí0.#cn^^¾Y~‡¬=þá¹Ù‰†Ù"7®P8ÒÉŠÀÜ@ü7‚ PÆ -°Á¡e]½gš:ê.u#€:EYÁz.Öp Ch(7À‰ÀÿZÀHö»4´À –"`@;AÁ°›mPw0Ôé·‹àE9ÂÐè›o °EY!07=À 0îùMàÆnƒüCÈ …¼‰p¼ñÝ€é!Ñ4sÂn²ê©¨ýÅcg…ù »q67‘$ØåwI|707^Œ ` î˜ß¹¬¡ í·ò¸É}æ„‚ý¡á‚†!lÿÅ€€‚ÚZ¡ p(}sƒý»;ÿªðߪ·rr‚{üÙüõO0  -·  -ßäcnrÛÂD‚¿Eaƒ…þ²C\œþás…¢þ4ˆë÷Ìpß°‚ pjC$¨ƒÄܤpýÏTøωüø?"ðDÞÿ¸×è¿âÿíyþ;´š ®cåx3]0€› Ðü¾cþ¯X+GÜãßDÿ=Ðú≱ºiƒ"ÂöF -!¡¿Œ0´Ì -уaÀv+øMþØ( -C@o´üÓF?PLìo>C;Øñ»éâ’\PäïÌoäùÃ[P_ÙHÉ@÷ï·éŸ(½Õ1†N7Äþ«m$䟋ßJJHwÀ ~ „€_DHâæ° ‰$E%½ÿM¾?@À­µ­0(˜;Àô¦h!àŸÒÿëý×Êüo0ª0ò{N@+äf´þiøí» P7Šþ9í7%ÿcýgÈ¡Pw(˜hz –²ONKÁ”ß{ÓÕ¯bÚÖÄé -vʯ2ÌËñ+E6û&‡-I?¿( ¨”ºjðøòÝérõÏZO œ³9º“ÍàÍÆÝšswžãƒïZ€ E>iÊ–qä‹Ýq­E\q¡'k_ûõ ,Þ]à1~AìþâöcsÍñ£zpìtÇœTMý‘¼‹¢<÷ûGÜæ¯cÎŽÞî®ÎæýÛ­«ô¼™Ñ„ìÒ®¸¤~Ιôò&FÅ/^Y¿Æu”Æ·„´q‰ÌOíÓÔ,ŠL6«ŠÀ3/¶* µ(ÿ€ç³?°³ß¶¸ëvz‹†Î¼M4ÎЯœ'%ؤ<fXýi3%ïÕ¦ùhÇoyÞSã]ÝQÃ^Ñ#ÁårÑäïŸÒ%» -V2ñ>”[ ´ûå -œ ×Å$=®é—-#ŒU§z’ˆ¶v[õ—ç,þ‡}âP=—ëdãã+{µ:ômäë[Tdi «ài¡¦r`ëûùg'êì°p†—Sï”:*‚*>º¾›XaÚïÓ^ô“ìœ÷‰ŽcÒd"_ÁPƒxõo‹VJ -™™yïÙÑ¥÷Šœ¸põ¦òbÛUKÉdúJOû ðÑŸÒðsš±†ŒÞYFŸ¡ó£@ß{·ÛH™ã¸éûÙµ•Ìpx¥©o“*ÎP]­šÚÉã"4¹õ ˜<~¢Y)ù>Ã㧞 ¶sÙ9 ·¯ è‹ótJ·í†åZoiûfà;'Žˆ<ì~ý>»µo„ž™]”ÐÁÓ…‘Ò!¾am±š÷€h焳º÷ 1Òл´Ú;ì4 i9ø·–§ÑJ’” _÷ª3õFIÑÚ%´(fbaážÉ¬:}Uùð_X¹/:¢€;r}SY9±2áÄ\Ç ™Ü%ÒÚ³îï¤cQƒ¢Y< -µµŠ+ñDÊ/ #‡š;o«4è–\fx.¥ƒÔ'Œ‚nŽ~y­Œ¶S… pÊž­Åm¦aE2m{$¿Gß4?½ŠôŽ=Ù'g_Õ”¼ûØaÈ8‡ºSP&ûc[YkVÃùK‰RÁ6²qm˶2´ï°H>©á:›BŸÁÆ|õéÙ}~‡O‚Ïs¦ž†UPe¦ºÂ« «—s"÷OúièºÄIâ¯|Ï\†jX€Ê ¡Wo.ÚN!ŒœáŠ:ö£­ææ3ú?sUex-ûñKÛä%eÉ;(3[Â!‚̪…r¡bO‚·í=$µ~V‡M¹ë\~íhÕfýl„`çó¸þ->ØпÿÓ­¬ñmQf÷©i@´?$ÈçpЙ_·ŒÑ\ñ™‚ýpŽ)"H>A¬°~“¹VN2GçvB3­ÒùÁ™”¹e=¨é¯ã.RÄ”õ…)ïHo•](]û”ß„=5u°¯SSÃ<œfüµ#2:3 2º¡B™éYnÊ)þ¬yøñ-³ üSTõÁ6ˆs‰åíêmQ&½=dq§–‚®\#U";l3¿N1¶ ËŸþ \Œp¯á4`™ÎT0Ôwå³ZÛ²v’O,+}%`µJ]m¤/(]+K9R°#šŠ/#pñ>+ÉTú×ÙT¸MÜÙÇÙì¢65àƒšT™Ô¾˜ˆLâIJs³ýµ-«€2H1€¿nØçê,• Äã–<Ͷ_»û%\ž®¸>ÑšÆà›Ñ¸š˜W½TÇŸÒ¦!Í7r˜ñÀøøA“Ñ°Údãƒ:ÀZŽ×iˆË¾ü©RÖmÙ÷«¹‹é?Ý%±ß •³£N;L@Ò¹œ™XHlbOJ°Ì"Ï:¦2lcÆNt8ŸÝ‘Ñ4«£òdS |˜?\V#Z•Ù}kLÖ/xk “­%Ò×ÓÐÆÂàÇ®ÎÎ=¹7lJ¡Á0?r剞ӾÏðŒ& ε+}$âzf0}'»½œéé8ù§¬Jÿšó# ;£2$ëÿÝl0Én”IºêóÓèö ¡Å/‰ a‹ÛeƒiðQ*àPyZæpØ[­«èÙÛÏ!¸aõV¦e¥;b ‘Q¶ž¬²¹óW¥v—eæå‚*ÐÄ¢ -c(©^ŸX·FùÝIóA‡;i®d%ÖØ•³±ÞxxÖ"ìŽQã‚Š -T•ï<“r,žì®Ï˜~p˪ÆÄ&o<&.Žz‰Â•ƒ´‰UzË}»ì'¨š·½-F,Ÿ‘×ØÇxG?àAÔ¶_<¼j<¬¿ð®·É™¥õÆS±Íºõä ƒ´6˜#ÿµ’áüJ§sCWù B«—eÇß>e4XuïVL¼ix8@ß cwÄ•DãÁµàŽ‡öcZ· -#FÚ“H8Q`¿ó1nÖ¤¡Ž¥:rŸîŠ䳩jl¦WåñòHÀóÇjKít ›©šBÙ­«wZ&†ˆ{±Ž+/WF– é’8¦XïD?í6[]ÉutýñGyÒpixümå3#±¸‹ƒS½|²JÉ…—Æ*¥lÇ„›~‚ˆÅèa/¸Û¿Ë©ëZ‡M<+mÞŽO *§r»™ýë]ŠV{ EœöíÒD‘ÖÆa7•þ<‰J}NBÞ¸<¸/gzRŸ#°»I+0 E5#*f;†c¼v˹[Z?ñë¥Z³Î° éØ Ïuo2nP·¹è½°]9àzÊrtf¿¶Î®"‚pÚž)6a?^•­·—§´-tD$Á›£¦m›a·‹§3'2̃æä¢XañéÖ<ô”æ§ó[áDäçT¿•)Ü­š´‰ëYóã/{Ah¦Ðž‘©ýXD‹®S)%è“jYâù«o÷%³ŽÖØ[D±ëËé¤IÛ›D>±)l+jôh(`®;ã~2JµJ…i¨[ áŒKåQ2“‚P¶©á¾fW”}NCrí!–£È!¯}ÿò!¾;ÅzÑüë9'/`ø5{dæHïDùw†o§XÉûuÅVz -ç !c^-\Úé/r¯ïµŠ -°èdhãšõ|oM)V]Kã¦D¾IºÏHÄÆ\ÓZ7ãR×Ã%"«½3{e©ùF"yM‘4åkMýÀªo|‰ÿŽ9–BZ_!wþ‡xàóiJQiNŠÓ+ãÝÚšS›¶¨ØoœRª¬FYë^ö¸2ë£ÏfÕëˆD[ljüúRûx'öu+!CŒHºã–/¯;ÔÈk¢ŒMí»õbÙ{>íµmoTK-\UÜc°vÀz?IšÇÐ,8ò¹àaÎ;Û‡Žï‰›ÏÇ4qgû8E-fW,¬Kü©OŠ­…XÎÜf÷înì]ÂÓä’Ý£¥ª{Ÿê\u´ô­2”úD·å»œQ¾±ýa‡ß¤RÙTz.Ø}|í¹æF¤3•g&›±ÍœáÕLü¡lx–*ÆcÏÏ4Ö­äÜéÉg{®ÔÇ5ÕZ ©‚:õöxm]7¡˜1öÏò9¶úxA-EÕÔxd@òÈoÚX¦çŠ€»ýõ½_ƒ»> °Ú¾do©K¯pqÒV Ñ×’´ofÙ‡c;¼¸sZM)3ñçõJzi¦Cø%ªmâª;NŸ­çª¨¥bãïÛ=Š­¾ï݈©å8aóÀ ÐºT¨iÁ¥$7² ìÖë¢þÑ׿øp¬ ^šºnúݸŒ Ñ¥@u±A yˆ 7ÿtý]½(,”®¨Ûþ±Ôþ:•ZŸs˜š!]äÌCôdì`í/ÓHÔÜÜçôßvxšk±àø<&d®€vñ3QϹ‰ÀÝŒ/B9•_'é]…¢=½'·ÃVXqJˆ,=1U¾çùG-Ý.m&׺zK&¡ê%Fdlñ1É_–iM"û}ç8¸œVµä̸ë±³g¿ØhAaßþö#‹WÑoh4uÍ+Ρ\|ÛTŽg;F.‹ÿŒ'¢¹7yñê´3`tT•tþ½«ÿ…Õ ãW¼D$A™Õ㘅_¬ôºÁÒéÑCÅŸÆyéŒ!KÄþ LAô|Jr†¿¯ä 9™£ÛR©:%íÐs«ÅjÊ$3‰9Þ­yùmOc´»ZjÎ ÈgûÈú}Ë×*+UIÃ'¸Ïêzý>* I¯;zDª,—Ñÿžý~˜’x§š}Ì;q‡r‘­*p%‰b˜=]kœ‰˜›Lݶß<úC’> ´Š÷ušzrí•›7ˆ^3}ë6”Yf¼ïu&GÃ!ŒU*‹% ÜV­«ô—c%€Ò'¹…x%<³¨( èRl0æ}®ȇœšahÔn‹cÇ~°]5¯Î«P,ݳ¯ûÁ˜3dSëÉNvtÜ…„~áÖÈ´ý#Ù{äFE͹­Qz²òF¹*˜ýñ&”óe™ž÷âÏ0Pʬ_‰[Ö—pý á)óÌc¶>”"j5,ëjm.ùÁìÊâšB•‹³:p_2Ü/œyqŠÝ6KjÙño ¯~]Ú…gD²å¼â~`òèR -v»ìT' -J4ã4à;³ºÜt|†bžD¨´|¾¥ºˆ|ñ¸h"jj‹îë/ß/ƒv£a ¦Jö’¡Áž— —C+fAÚ,»GmüÒëgô2@£Ž¶ÞéZw-¿»éuÞICßbŸ[‹öç¡ßåËYBÑ–×ã8¯ÎõD ¬#¼ÏkÊ­"`ËÇÞC¯fñÅèÂ>†OØ<*¯Žq§hññR²®$¯æÞ\”Î'±¿ÖÅ'Ç™”;pW¢“âœú’tÐE§›)nó^0îýM¤ñ ¥Ý„gÖ‰ÄVL§Æk¼lÍT3ŸÑ¼à¨HÖð'xWV"^ïUì쯬GsSC˜¨ÎýAÝš»¤ëÛ¡‘ßÚã€;4|Îd–äMøÕ9ð¾pìÃÕ‚Åû=ƒ íTË×] ÚOKGÚûÝ»r8ÊÏȽv¶'*&%™’{¯?‰ô®=¾»5ý±Vèrž¤¤ð­¸íªÂLjQ¹³‡^"U²ÍXÈ„b:~ZJßlÃÄ'Ùâ¯]Dìº*‰Eb­Éƒ³éÕ¯u™|][æ¾±°ú»> 2 *»L²áÓ¡NôðyTª·)ÅmôÅ#™u4ÉD;,[Ãd=¨ÐfŽé¦Öenkøâ>s„=]®w‹8«ÐŽ³×Tw𰨵F–Á{™&jY/sôïú.¹™-ÜS^1‹“"’íï·A<9»ü*^ÖW‹éF€Ô^ÎI<ê«X¡k~‘€ÕÅlè!­/ŸXùÝdXH6¢v0 -ŸµÔQ¨‘B®U¯v+ùí²ýF¨+a¬¶h샫ŽêªrꡉÆT·7­ óƬB|u”G†žqž%çÉËŸ:«ãÆôÊnïÕíη‡4÷’%Ä*.ÅoËñsyÊ嘕÷¼eçÚ²Õi@Ü=à¸g†ÑšGæ¹ËÑð•‚Ÿ}–iR£bXOŸ gŒ]×Å«ØP³:Šî•ëá@ã -ظ{Óu·Qs}áíù9’õk¬Sq¦D³§ÓC)úÁLæBü‰œžSçVËûè‡.Vþ•– ”8™È¶ØŸt…ŸÚÛS¹‹¸mÀxó­¸IŸAAçøV §L /‘d!Ó¥ƒ_Ö¸½Y^>{™N¹œ—èòæ'w,|.ûIçQÌC°u6Ãâ8s¬œÃ¿)@YQøE=rÆFú#»>Öløû‚}x†®BntNH€x.­vÙf…•m@®yËUКÁöoc¬—niçäñÒ5^ÆX8…ùŒµIàí§¼ú­î*;ž3¸Ç14ÃmóÃOyȼ’˜´ÜÒ­òûisÿpìç°Á’˜تdŠïUwqbïwÍ|>þXÒ–ËpñÝ;ÜýKýJA§žª¸zäéT?ˆòØçáç½ûnžëË÷Êu× ùt¥Ú9"bé+þÐÖaÍÛúiå=´dÙžÓSÛ Œ¹´Y:øbZ×½?¢_Wèè‘Öæ.²éÏe¯ƒ­>~V&žÞm> -µ>ûî—£òÆÿº 9íæ5±} ‡kOͬTä©í£ùæܯ¦n®Ó}VÑâ—#ÅÉF®ªš‚n -ïPa§«ºK¸Ó[œ6~jè îe²okõŽtž:“É|¾d¾)£m0™Q? ´\5jN^Î}4G“ïlÄ@ñ–âµ0bf÷@Þ§”œ£Õ~©X¾aª §•!`G8z /¶­Zv,ÂŒ*Ár²nÒÇÄ ±u­ø0H1ŒøK&’\Å~äª]ݬ¼éôÞÓWo;''Õ÷¹ž­<œ¶ê~ÿŽB vµÒ‘q' v¦£­á…Z²…Øãv/];ï:7ñlÞô¦ŠJc"ýÊÞÖ>³ªóa“A´ßœgEÖ"GŸÿ2p£!Š^tV¾ÇÃyÓ›³~7òcšòÓége!Lh| -ÖS ™B•)b…“/Ñ|TÆÓ½ånÒ¶UÍ0ÉmhN¾Ò,é(qÅÌâ–õtbÙ Q«(.ô-¾•½XѸÒæ0Ռج8#]yš¥jVB}F ¬²©Ýìî~ÆVqáÚ'TÉÊ%‘¸®#\ í-ÀîÊwˆ{5Hß«p+DçRqÈ¢%¡Ú!ÕÙbÚ‘Sx™  >×ÂSá)ªy'm„(ê Ùe–í›]f|½>;¦µˆ±ŽñN8ÅõŒ¡óW£l¯4ç맢Ý"j -¤?—ÞqØ<­7£º¾ðV(|§ù™ùãá -ãÊÝvÂQšM×*o¹&Ô+rÁýÇ‹¯nµBŽ.>w×2_YDéž|².e_È”™yI@”âFg†óyE‹(>xHšþô-hÏ„%Ê\U=—uXt<^~à1RÒë¤_ŽIÝ… `Äß1N¯9ÌÑ«Û0raÕï´lï|Σí -C<^âyÓ%W©@"H'O½X’X>¯ô -6ö½Åj‘×¹eO=°ù%%µ—yVàÂ’Ebß“Ó?¢à›é;×*Ñl׸ị̆Xº²¤“þL`n!Ùë­„ê¸R·zó“ˆô<ð`¹lÒdvÿ¸QdUà/e|E£äã‘€sKÆÇ49ŠR e©’ÞŽ*Ë/—©*äo,ˆè±N_FèeÈëÑKuGTIF/°ŽçÑÑÉNL°ù’Keøñݧ20ó(üðxOÎõQýàøæ \GÑ•_r!çÉdWQbË"2o=\õïª1Ä.8Kí(¼p¹3€ÞPS4¼ïÿ†;{"ħ\Ø3þ‰%]®¢­Óݤڇ–vóZv®¦3EJN«+®ÊG¿Pk½Þ‡…̪¸îÎç´„X‰5ÌŠÄéx3þo‡VŽç8ïl)›SðqbV1˜÷åm:ÑHÔf¤sÀkYOÍc†®#ÕCÝ÷ÌmÔôŠT¡Xvߧp¥`߆H™CWÌ£€ŠXJ’~>ºÞ÷‰+8áa¶^JûÔ³ù5Â5ƒsÿËQÃiyÁýA?å÷¬qÊ_?‰šªÿªý^™£PW7ïºýžlvyì\½wÝ02Cº.1KÊ¥‹©qŒ;¸ˆ• ¹‚ûãÈ–>džòÀ³÷½‘ÿA$–B“Y©»¤cøuž†¯yôsGt’,¸ÚüÀuoɹlƒš‘)ZÜ™ÒhÚˆš6hÚñ¬_G+$2‹îs³¿¿'+yy0ç%:çúÔ.ã{~@j(%tÁ˜Æ|.}M4æLÑÆ@Gòª=B¸Uɵ‚É@‘̶Mž¥ö®h6t-…z9sHŠ–ûõÍ}xL¬ÅÓ¿Ð<\xKŒi#žx%3ø®Á'„¬3tyêù»Á¤¢|ƒR*¯ Ž‰ãX¶Ÿ½¸±×JÄ Ï´ºy/2ýßH¯UÔ$Ž/TÕÇä$ñ|d”`Sät-lº"àªVù¢Ý“E>â6Dû«ÄÐk³½O0Þ²ÂQvÏÍxL¦ÁU],2 óî-_©\ôêrm_ù®£CO„–-Xöi•}š}S•k°Ó÷ ÞEnºB¡54BjVŠn ïn†R€M[Ó†¶§¾mdòºªÎÖÚ7þxžÅêã|Û¾Ñdz’!ïÑím@Nîš‹ÝKÎ…Êl€L;H{³O9Î*ù.xëÍ›_+Îóf¹;òÁ»1ÔG×·jµÝ«žßö¤å>¶(^4¸Ü(.ˆÕ”ªùz…|‚K-¥7~6lû†óJ,ðqßO›âžg|þœœªýGÄàvù\,·mqñnƒËëS5I¿Ä¹.»©¬ÑÄÍÖðs›Ë>f¬_ñÜ /NåxU›oaŧ‰¥·ý8ip¢Ò±„BåõL¼x˜9%ç"SsÆ‚4aãûÑÎÚ£R5•™ì¸ú‹O³7Ã’Xß‹ÿýTÅ»–ÍÁ^ ú_>Dÿàÿ 0j… ­PDÿÙvkendstream +xÚíwgPTݶ-’$)¹ɱ‰’sRr Bw M7t7QrF$Y’’sF%GÉAr’¬ QÌC¿{ιõ½óëÞóëÕÛU»j¯9çsÌ9æZU›•IGŸWŒ°¨ àh^ Ÿ€@ êdãŠÒ·†kð* ``À­Q„€•U ±FCp%k4D`” €  (..NÀ +PD8{"¡vöh‡¡ž'77Ï¿,¿C6žÿðÜîDAíà¶Û7 áì£o!þÇõ!Ú°… Emu-U‡ª–!@‡ ­aWЀ‚ p„`‹@`-  ý]ŠïK° œ! èí6ˆâüÛÅp†  (Ôí7ŠØ!­áèÛ (sÿ&pk·Eü!äŒDÜF8ÝúnÁt(4 +„„:£·Yu”Tþ≶·Fÿ΂޺ÛÛH0äú»¤?¾[˜[/Ú +GÐôï\6Šr†Y{Þæ¾sFBÿÐpEAávÿbÀ@B쬑`…º…¹ÅþÝÕ øoÕ[;;Ã<ÿìFü‰ú'(Ùòos‚з¹í pþ߃¢·E€ÙÁ®Îÿð¹AÄñ{f8oIXƒp˜' ±%à×B oS8þg*óýçDþHüø?"ïÿNÜ¿kôßñÿö<ÿZÅÓ²vº€¿.Àí ƒh~ß1ÿW¬µæùo¢ÿhù‹á¿QG[߶Anw+…ŸÀ_F(Jêë@Ñ {€­5ì¶Gì†p0 ƒÂ!·Zþi#€("ò7Ÿ=äÿÝtQñ?.üwæ·òüáÍo¬-obbÈý÷ÛôO”έêhOç[bÿU‡&üÏÅo „à/PLÀ+$ v{Ø„âÂâ>ÿ&ß à¿ÖšÖh$Ô`v[´ðOéÿõþkeñ7e8þ='úhk8øv´þiøí¹"‘·Šþ9í·%ÿcýgÈ!ˆ`f’ vHNKAWqʶQÔ‹½ %lSQgë_tõ,ß_âÐ}BâíýâôgqËñ§xtâ|Ïô¦*†ò#i YEî÷m¶ø­_'ì}=Ý]-wÛÖh¹3cðY%Ý°‰Ù"ý]2ieM ‹_¼²yŒï,Kh m3äZ˜> ª]˜nâWf_lWBê/Ô.,ç~`f¿kõÐîò›}—hš¥]½x“h›òHní§í`´¬ot»ú“]ÿ•/µ÷¡4ÇûEOøW*„“¿tLï.8\ÍÄùPa=Ì×áŸËw>Rûæií€t9~œ*ų$”û¢p€,{ñ·xÌSÇš±ø\¿`[_?éëµáo£ïÝÞ!£Êj™ù‰ }ÑUƒÛ¿X/>;Sf‡Gнs̘~¯ÐY\ùáèÈíýä*ÃA¯ˆæ’¿x?༸_x&õ +ŠªÄixW´Z&WÈÈÈ}ßО&½OèÔ•£/•Ó¾FB&0ÓOrÔ¯—ˆ‹ú”† œW3 ÷ÙÌ2ü Yú=¸ÛNÌÏI;ÀªÑÔ¤`ŽÅ-Iy—X~–âækõdðn¾éoÀä‰Sõ*ñÒ ÏŸ:ü˜.åDœ~üÂ/.ÒÉÝÁpŒ;†[ƒ•iÜÛÁïìXB²Ð‡ ¬6~‘:æöчƋ£eÃ<¡?ÃÛãÔ ðQ.‰çõ¥ Ð’“ûÔš»¬T‰i9¸wVfP +ß(¼>éSeè+Œ£4K¨‘Œ„‚J‚½SYõºÊ²¿0"s_tFãweú§³râ&¥.#9N39K$5ç<Þ‡KÆ!‡„³È +¸[ëêäW_âG ·tÝUjÔ.¹ÊðZN(OéùÝ/üóøÚèí¦ éÄ`佫JK‹š\ #Lò$šZoüŸ|SÿôZ a ˆ×7ü쀔ueL]üþSÇa£T,Ê.~©ìí¡$mY/ÅÊøÛ‰H&4™¬ÚËQ~#Bi¸Ä`L29\:[‹µÄçyµ? ¹Ï™6¯¤ÈLuƒÕá׬4åDœPÑt‹%\ûº×2îß^¶ŸéÙ#äµ,ÆÚ,,fuæ*K%r[ à–µËŠK“4u’g¶F€ù• eÂDž…‡ì8xŠküª" ŸöÑ*¸úÚÙ¦ÉüÙÎ2Áãyó+Ft¨qàà§{yÓ»¢Ì,Î3³À˜p°;3ÖÑ ¯v9½…¼‰œÃ¡`Ž™>˜ŸtXió6s½‚hžÆý”jF)\_ëSd|Tnpæ¶Íz€–‡PCZô†¼c dv¡d11.®)kjêP—ºšEÕÄkzDLf8xlS‰<Û»ÒœSüYýèã;FSاè ÊÃ}öe¦wkwùÆt>ô’ÄŸYñ?¹Æs‹RŠê´Ëü:Mßñ-<æƒb1Ü´ŽÕˆa6[I×Ðm˜Ïb`cÇÜE:¹¢ðÙ:il­‰¶Œ¯HÿFQ¢È‰ŒP—‰óYAª* Þ¶Ò}òÞÖV7¥™ÄB¯úÜ´îÅdÔv {·y»_›1ÒrH#¾D}:Ð×M‡\­å¤hü²—ùÎk7à€˜«ñªÛ34®9•›…žEõKU¬‰iMÚ’<£GŒN5Ž¨L5=ª,¢d¸–‡9*Œõ²îJ—Z®å.¥ÿôÇ,ý@-cO™v”ˆ q=7µÛÂœcšƒ'wNgØÅŽŸj±›Ü“R7¯§ðbQ zœ?R^+\Ùsg\Ú?d{­!ÔßÛØÎDçÏ¡ÊÊ9µ?bF¦F·0zí…š×|HgBãØ“<r;×›¹—Ý10Á`2ß®ðª§EíîŠÊfä5õÓßÓ |½ãŸ«žˆénÂ}lsæhÃ|p”ì²î<ûB'©É%âÄ{£`°°ÚåÒØ]ñßúeùÉ·O–ú€úÉ÷«¦>T\lúßä âvE„‡@uz ÎÇãw +#G;Þ±#AþãœÌo†;?”iÉ|J¼-’ͦ¨µY“ÅgÈ"ÏŸª,wÐèÛöJÔJo_¿×05€?ˆsZ}¹:º IÂ2Ãx/üi¯©ØúDª¥€;Æ•†MÅ`'›…ÁY’êí›UF*д<^¹$a7.ØüSŸP„ú‚³c黌ª¶MØð¤IYËNB"A…ûý¨ì_ïSü1:‚È‚e4ï–%1 µ5¸+ ä‰Ué²ã+qÇïâÀüØÓßô;‘{š5‚²³Â"vÓáXFëw\z$u“¾^©´h¸ŸrÝÔú%c÷X?ß“n¤¬Äd êêí+#ñgââ`ÕÙ:ûy +;ÁbÜ9*švö{8ZóB#\(v²U&ßõc@oY~:¯5Vd~NÍë1©Â½:)ÛøÞuÞòøær™Z1O…41hºR‚?)—']¼úöP<ëxµU³¡<ˆŸF’¸£Yè‹ÜŽ¼Ú@ šú¦+þ'½D›D¸šª% +F¿\-5Åa™éoqC:ä4&×a8 -ãs;4ò®áê±’m-¼N‘qöFÜ°°FeŽöMV|§ûv†‘|P_lM¦#w±È:îÝÊ¡™Þô"÷æA›0“V†&¶yï÷¶”båõ4.A*pÔÛ7é XØ€ëæª:˜Â$•a—ã毬ԿQ‰%¯Ë§|­m\óK( صÀËCñóÊå.ü z>C.,ÉNvvm´—B]{fÛþ÷]B™Ù0kÃÛ¡[jcÌd6Iµž@°Í¢Â«ë)q€sêP¿::L 9iýòºS…´6ÚÈÌ¡G'Žµ÷Ó~ûÎfÄâuå:GŒÒ‘Ñ‚ #*¶šSùGb¯ÓzÛF}€N{Æõ«E}¦Å€‚dåïöº¢.z/Ÿ«¥>[óÍþ8S¯¥bÞ½ƒEu N‘:èV_L/±¸Ü¸ÌMbКàHBcã¿ ÈZY¸`Ô¨­5Ôd¢íË_Õ_ÊOWK\: }z=½JÑ/Nõ’C<ç?ÊyÏ—h÷Ø©”°åqB~€UÔjþtÕÒ¦Œ/€ò´ØF€é¼Ñ}nÿþæþ,M&Ù#æH¢¦ÏX뺳µ®Ì7¦=ß ïœü­Ý{Üf¥ªæ² þž“¯uw­é¤xséŒÆ ïÂå#s±žû8fqî%Î߈>;p„"ß:­+×YJÔ«v$hj»{ÇŽ°~W̳4$ðkÈóy®¥¢“GýÒÆ3½Vù,YnüÚóÕyó¦ˆ÷•¹ö ¿Ùn%øšÃF”öÍ<ûh|—{^£™ì2e6á‚M­AA'Íl·$R¹½@LqÏù³Í|5¥d`\ÂÃbû'q5}šÐul§,žØ‘dWrµ­Ø䤆öAC=:Ý”?ú–Ï€äTËR7̾•sÀ»å(.7ÉÁ᤟n¾«…‡Ñõ8œ2öš_¦SrNéS3$‹\¸žÍ€m¤šZZúßâ0BÎr-žÇ†nÐP/}&è½0廟ñE §êë­›@Œ—ÏÔNø*3¶s`‰#•º²Úï"ÿ¸µÇµÝôF[gÙ4Lµ¤rÒ„%!6ùË +µiÔ€ß<‡óš†Œ9g=>föìÓ›­HÌ»ßÃdqËû¥®{Ç;Vˆî˜ÉpíÄÊdñžsE¶ô%/]Ÿu)/”*0\ZÏÒÅIBàU’8S<]üÅL«"¹™3\Œ÷i‚NºL°ÈLË£ cð+èZæ©À¸³ª}0•¢KÜ5¿†–¯!cŽ?9Ͻ½ »ãå9k„òÐSImÆÃz¡/ôÙ!ªáÀêµÒ*\ÙVmÊà¶I}ß’ÿG¹"É 'Ï(%¼•rÚïß³KGÈ wkXÇÝ0“vÉ—XªƒVß°¦kL0r’¨Ú !BÆ~ˆÓfé¯á|¡œZåî£O «¹sÂ(5Ñÿ:“­qÊ,‘ÅôÔ^£­ð›‡m5Ü7± x%8»$/ÐÇÓ&Û¤Ïû\Ç—û8=7K×ñ¤ÃËž3ýp§zA•!"2N®X²÷@ûƒ{Ñ–8ƳÝ~̘øK1ÝÂíÑoÚ'ÒøH ‹ZrÛ¢;u¤e sÅ”ÐÍH—«rŸ¥Ÿáú)sö<%îY_"tƒ§M-1ŽÛù’ ©Ô25m¨´»æ„°*Šª T-ÍiÁüH°¿°çÆË÷Ø.«dw&¼5¸þuew‘Å’óŠó‘é“+ èÝò3­hÁ¬ó ßLÎÚJóyÈ9’q +®ØúùŽòâÅÓ¢ ²èémšGn¿ü¾ Ùw‚M …“Ñ™)8ˆ‡…tz]=Æ_ «œÓ×dÚ#;nç•Ü8§•v¶÷ÍÔyhøßO¯÷y3ü-î¹%©ð@ê}¾Œeu3õJî¢IGXÈ<Êý¼¶"È:ºxâ3üjW„&âçSØ¤í“ +ÑÚ‘X²V_oÕ`›~Òέ%É|"‡m\R¬… ™C öé¡o»i´³£DmKù#`>ß„šža‘ÛOúòveŠ]bÄ&~jºÁÉVO5÷Ë )ŒŽbŽxæ‰sm-ä]ªdïpm3–›Ê@q ß£¾G¼±õ­#)¸KųéBbEÚ|ˆ[“ë€B?\/Z–îëk¦Z½î^Ô4.íðèÎa«p9§"ö;X>ž*™–dŠï¿ú$<Ø·þôþöÌÇ:Gˆ¢’Âw¢vkr#ÇdÎ{ UVK·` ‹ix©=«ür0 ’že‹¾Zr²ï®<"Š³! ɦU½Ñ:bðskã›ÿÆÄŠàö8X¢,Ræ*iØ–G‹2ÉÓ÷I™Î–§áÏd*äñ{0õˆL\-ƒÍ\»º‡R›±½ñ‹Çì1æL…Î.àœ\c:Ö~sýáãb0½Æ:I÷Uš°=x£Ü) û»ø2x®p_9fÕ<^‚@z`À…÷ìüŠÿ«hy'Nº®¯òr^ìypå*MË‹DŒnF[z5I…Ù¤ªï¦#Ò‘uCѸÌEú‘ Aj)¤ *w°ß®:ž ºÇû©‹Æ?¸i)¯)¦ñ©M÷øP›2nÎÉ%ôjÑPF{fèXæY°ž½ü©Å·6gD«è^ªj±½4쨾Ÿ,Þ(Ry™$zW†{„ÃK +(è¸ï#½°(מ­J¥ÏÙ Š71ˆQ?¶È]‰é„­üì·ºL“Á06Ì¿©OP²¥dvÞ5¬ÐÁ‚ÄÓ °pö¥kï Ẃ; ‡2D7g¢L IæÆ3Ã)ºM! |¼Iì^ÓÖ+¨Ç®ÖéV +äX™à¨ö¸Ÿ4…Ÿ::R9‹8íA¹ó­9‰M ú¸ÖúÆx ‚/$A¡3eC_Ö9}˜^š¼L'_ÉKr}û“3ºþ¤õ$ö1È&›ni”Ç>^ÁШ(/ø¢1k+ù‘Õc.â’uÑ!"C[.7&'4P4—Z³|«ÒÚ.0×¢Àõ:hC0ý‚³9ÞG³¼û ütù'c<‚ÌbÖÆ4è®1·n™‡Ò®×,öI,ÕHû‚åˆ1‰wòÑq8ƒ†ûcš5^MÎNl¶bs;¥LÑýJÂnv̽îÙÏ'‚JÚsé.¿ìDx|iX-èrÄQU:›îäÕ'?ñ}<Èþà¡»×ÆÊƒÄ +í£m:xY—fŽHúj¤mDý®nZE/5I¶×ÌôN#}.u–®ˆ˜ÆMßŘוZ:Ä C¹K,ºóÙ ëŸ g¶Nµ^—~b¸1´ÚWmŠ8°):}ö°œFŽoWÚŸÐBB^jËë8ÊLR,ôðû°åÛV ½Þý¨©®‹ì-gS1KJSw9ýŠr8¶i¦f3àôؼ FÔm›X¯@²Â¼Àœ§jj—JÞ•{ÞÇEe‡ÑÒPƒ‡Aú 3„I;·×±c÷±Ïb|ýÄ™´alC|zŸŽø ÿøPû«žúbäòAî1ËêKç¦BFKJ üX×6¿èý#³ìÁÖ™GL÷°[.¢Ãlοûç(½ ¸iG̸{Oîê`;P2*d{iúª¿½ð¯­ŸïòGW¶úçH°³j……i‡¥ š#:•XiªïãïÜ¥N˜>Œ™ì×V³+Ù£Ê`º/žoFoBb8@©PŽž‚UpÏSå»ò’½„¦x/ŽšÛ?’õ-#eksX.–mœnÆj£ ÜŒÙƉ+B)—ß$ 1"KÐüìLG[´±±Ã,Ç«¾tt£âID×q9êFÂÖ¶ªn;½oüê]×Ô”ê‡ÉêãAñKžÒ÷d +ÐëÕæÈŒ{q³í/T’-EžvxkÛûÔ»‹–`r§7W6’èV…öµõ›W_Œ˜vò£üç½*³–xØúV€›Ñ´ÂëÔ²½ž.¼[>ì {QÓgLÊ7CP¸dÌgjR±zøJÓ„r§_bx(‚ŒfúËÜ=¢5h%©ž d—ÙTŸz¥^ÒY↞?;Â.ïí°¦T’_ì_z'}¹ªv­É=6i¦¹Uy$B¼jœ¥l^ByNê¬$¬¶ ªÛêé1a©¼të¨b戋ÝÔã/…õ`vç;Ɖ¼¢í“»ʇu%?lÙšXã˜êb9ãÄ»%<ŒÊP\hà(qU†¾—4Äõ‡î1J÷ϭпޘ×Ø B[ Æú'ã‚{ÇQùkÑv×ê Ó1’NÊî9n5˜SÜ<<|'±Ûbbñt¤•Ì¨j g´zóM§ÒÛ ŽIÕÊ\ÐÀÉÒ«;mÁ¾ËÏ=uŒ×–ÑÚ§ŸlÊX3¥¦ô½ÅÀ +ñc³#ùÜÂEd<ÅÍ~ðûtdB“¤®«ŸK{D.9¬¼ô-ésÖ­@§è߇¢EßÓϬ;ÎÒªÚÒs`4ì¶îì~Σî‡?]æzÛ-S%GÄO#K¹T’T± ð +:ò»Ãf™×µí@9¸õ%%µqŽïÒŠIl3€‡=0*ç—é7ß&Öbß´Ì©È%_¶º¬•n¢°µŒ÷ÕóC´Ü(Û|x‰„zy2]5«³Æ¸M|Ü,².ˆ6º¦RpŒõLĺ‹NÄb›„)²”‰ïF—çWHUòv DöZ ‡f®"uƒ3duŽi%z"kŠÄcVð˜'¾sii†f'¥€YüH%2üyRè™Í{~xº/ãö¤á^HBË%¶“ðê/™Ð‹d’ëh‘5G¡N©Íwžnº +Uèâ]$ðä^¸ÞDmªÈ< xË™¿3ê[!è•ðÌœ&WÞÎùþ›ºÇVö önf³E| +ÎkkŽAò'¿ë}>G…ŒÊdØ.dÔøIµŒò„é8³ï†WæÙïm+Zñ°£×žÐYôçm9Sñ‰Õe¤³Áê˜Ï~- ‡o¢TÃ<öÍŸlÖö U#™öJS8R0ï‚%, «Ñ@y …Hq_í Ÿ‡„•^sÓ‡+_ã, +ÔÎIÙ™p¼™ý[&¥™’†ØÇ +¶¦‹}ÍMÄU5μÙ¸‚|èkäÝ=4…‚Ž:W–êae0ª¸âæ!–å+D— +ÑË>æxpOnQ¢Vgq速D#%ñi-OÏ!Ž‡0ƒÎMWùDó3g yïühÁèHž;Z$Tk[ +Fî‡ý i¤G%XRp'?õãñ1ËX„õ Ô*lZÖŽŠÃ¿ ¬Õ6I;u\¢äxߧ[JÀµ§*†jYm\†2Oˆ=]1@kîQ`iØnZûÞL£i¿¡U 'ÿ ‹2˜OÑÜ)!¬“+ÞŠ¾ÑæŸô<0“ÂûéÕrSÝm5œkìq {±2`™÷IÍ +£éée…sêõÕÑÝU+ ZÀà 3Û$h$Í0aqÍðU–u“ä˵«Yr²¨¡–Å$¯·RÏÇ‚&=Í—#ʨ½Z^ÃÝ2Ø~07žU”ã=òW,eŽïTüúIØLõWÝ÷¨¹úú·°R’¹•ñ Õ¾ ƒ¨ M8ŽþM±yrp.Ml­Sü!ÀU¤dØ 4O²ü!ó\?4÷(iß‹[Iêq볟K)×92¬[2_zô™ô;3B½ƒY› öz‚ñ‹€¥]+ÄGDúÏ{üÞ˜{^U ,{úÏ–NFÙM¥_bß@h‘ò´Š2­ªp*ÉLå˜@)¿ÓïæF}îòAâ +äbµ½Ã‹°/;û¼¹2<ÔÌŠ› O\ùJ]–kz¢Ì/f 6…6Ò|ÖÊd®~>¢KFkp…!×l^æ!îNŸz§ægóÜ õFRcqh‰¼‡³ìR¾É;CÏ#êBn8cHIì¸ÂEnþËÁÌ€·’땵I‹Õ ±9o¸>Ò‹±È³»6_ãqÔ(}ÑìÍ"u¦þUbà=‰ÞYÌÇœh]e+àn´"Qã¨)š”zÿŽ§L&fm¥®Ÿ§bÏɱ7RÃË$m\íæÐÜkíâü}’{‰S¦P`…—˜“ ÙƹŸ¡h[ÎÒ¼©é¥k•¼¡¬µ½þ7k©æ$Ë®,™–hØglVs“»îjÿ’}±*`/Õ¡¯¹Õ¯o€x²ýöí¯UËóÜ]Ù½XÊÊã›;ušÕÏïzQsžX/é]íÄ©KÔ~½ÆL 9ʼn£”ÐŒŸ8±{Ë~-ôž°ÿ§mñ)— O;»òäÀ1!¨C6Ã}GN¸×èúúLEÜ?i¾ÿ>X"kl~ûŸ5òÜöªŸãWB%çâ‹3nå–; i"éí?N)´¬ ySo.FvñùÈ!Àô¼c†Ñ‡`uèÄAŒ‹æ˜DmU&«¶î’qöÉVøæRÑŸú?•qn¤s0Wƒþ—ÁÿøƒX#Ñ'k¤#Áÿ:…vendstream endobj 971 0 obj << /Type /Font @@ -5234,14 +5220,14 @@ endobj /FirstChar 36 /LastChar 121 /Widths 1324 0 R -/BaseFont /QCUBRP+NimbusSanL-Bold +/BaseFont /XOAYYU+NimbusSanL-Bold /FontDescriptor 969 0 R >> endobj 969 0 obj << /Ascent 722 /CapHeight 722 /Descent -217 -/FontName /QCUBRP+NimbusSanL-Bold +/FontName /XOAYYU+NimbusSanL-Bold /ItalicAngle 0 /StemV 141 /XHeight 532 @@ -5265,7 +5251,8 @@ x ù¸9ž×@®¿ U(ÄÎÁ  †¡¶ûgJÊÁÜÅlÓpqt´…€Aê`g¨9ØY`ñ\ÙfH:8z@!–V0£–ºÎff–!üüü3¿€Øbi ^¸‚mÿÈô,! ¶CŸ‹ý«ja* ‚ÀþhÀhƒ9 °³;Z˜‚Ÿ16g 6{0ŒýÍs¡Òö I»?œÑþðL -›?7åÁþwßlìÜì½þ¶€Øƒþl äâÈ®eqrËKýOð3„ö/Ì p9ü@NØ v7·bÿ#¥¦‡#øO’ãØÔäãåèà°0µuû@,ÀÏ4/gSW0uûxýïÄ¿ïÐ88 ˆ9 `¶|>†©?Ã`‹ì•MaPˆ;à= äÿøþseø|  {[…«˜Úì’j²šòZÌïýŸQÏ’¬¼o¬œ|ÜÏ“ò¬ÈÏÍõwÅzñ—¢ª¦ÿ©ø/Iy{ ÿ?Úyöñ¯–\ÁPççÙ0þ9Æoÿ®¯âƒ˜ƒŒÿ 7ðyjž/ÿu¤þÿ¯ƒõ÷2.¶¶ºÂø;Ï~8”8bk +›?7åÁþwßlìÜì½þ¶€Øƒþl äâÈ®eqrËKýOð3„ö/Ì p9ü@NØ v7·bÿ#¥¦‡#øO’ãØÔäãåèà°0µuû@,ÀÏ4/gSW0uûxýïÄ¿ïÐ88 ˆ9 `¶|>†©?Ã`‹ì•MaPˆ;à= äÿøþseø|  {[…«˜Úì +Új’ÚêÌïýŸQÏ’¬¼o¬œ|ÜÏ“ò¬ÈÏÍõwÅzñ—¢ª¦ÿ©ø/Iy{ ÿ?Úyöñ¯–\ÁPççÙ0þ9Æoÿ®¯âƒ˜ƒŒÿ 7ðyjž/ÿu¤þÿ¯ƒõ÷2.¶¶ºÂø;Ï~8”8bk ýpS;ˆ­Ç¹áï:àLÿÿAGfj 1··´ý§Mgˆ;¤ ™[ýc\þrôçsVup†üñ$X9¸9þÆiZAÌmìÁÎÎÏgñ'¶ý-¥´½¹bo Ѐ=O¥)ôOàÚÜ }¶çÏz¾÷¯½ä¹@0ØlŽ¶4ï`.d]ÔvS%Nêƺ=ÎÕË£uõäBù-ÚöÅ&| @@ -5303,7 +5290,7 @@ N16ȉ Áí!Ù‚m vžÊÜ1|úNÄîîÙüé ÉÔÝ¢Å,(7Çy$‰ÝS]æYÁÒ?À’/8#ÙÏÌñ¹Š6žvvdR6&Ûÿµít¤»Ò%šï=dË]¾¥-,¾µ‹XmI·§—ð`dã I¦&@ÎÕ cÿ.i¥gYñ‚OËà û%UîË´7’¤¯ý'ÉkÕåue¬£r‚÷Ç)ÚJ~\ë³³sqŒLÏ{KKQøvOÈÄï.BRœ,£­6ëM‹ñŒ¦ÒOÔéìœjªjL/I¯üi¯IRÒÜÛÉ4Þx¸’ô»¨t.ô›7É w^ÑØ=ˆˆêÞ®'ÔMò(¾ËqçAÏnû˜Õ<&hŠ\©Å{¡gz :-Õ« ‰+ï—Û¿hů–Ë’¹u¡ ½[ð®Ù©m8:y‹pU72_ò-|g$e™.¤Fo Â¯êŠ~8¼´ˆgjtÆ:ºHNÆÉ䓸j2›¬¡gŒ·WEhíŒh×zSL7qòÃËÍ”¾GEYA|µ,ƒ Ø'Ù×È*f²¦=ÇЋu¹¡Bn½x)þ“sìbµ¥¥¤Ü/©¹QsÏ?½u7ÓdšbÛk9cµª§·­oXaY²mÞí4G¯eŸ-M ³MGé®d0ûÐ`8WÔ=Ý+w}`ï.®áãb“)éaõ ¼y±ö¦äYÇò”·b}5gwø4í®ÔVÀŒ× |X‘Å눈qñã³L¤®&<…+÷+Sùb µÇ[ñnX‘¥BFú³×ßhKmÊ»‹Q½WíÉ/>i§¿RPßUܤè3¬oÄFÊúÑv~=M‰h^"vÝ_ÝÍ^ÕçÞU°nëRarïŒAV0Ç`ɨ'lµÍv»\Åÿ‚„GÑ^ÔŒKVP×çl"ûXykÛ¸ͳÞíCÂÛßyæ æªùE»xj'ï ™îò¬‘2šèY…,±Æ;®‡ Û`’oEdÑë9jÏ4‘¿¬"žr°™µ¶Öò£=XT÷^Š>åNbd®ê€ïA5º`,q=ßþÕaU£ïú:×-õôŽå½(InO-ÑŒÑZfƒùˆÐf› Ìà¤O‡¡æK›ºtƒÕÞa{,|Aҥו-F­g©ji¼Ô9/ƒT´ž›·%Z‰Ëçø"Q ÁUÛŽ¹§ýbntû¼Ž)¦7µ£iir(Ð}È zïB<¡¨Ò¢´Bún:ªPßÅ£ùÎ;¶ÌˆóÅ7cŸ¬éFb‰Läª_ÝÄÜzô¡¹FzŠâJ‚ J¦Sñ‘A9VBvÜÈs-8×SÓ½j!vÇþ}¶u*Ä„eË<›to¢V÷Oß|Ûz6‚ÊQTe Ùèâäá òtÞê!H3j.þj5°ˆìÎV†É8Ý}sa½††^+Ô8Ñ (lAÏ\øŠ6T‘]vF¼Úºè×ô˜q.‡”ý²n¶Úƒ^kT~§jßë•›¦9ÓÆƱ÷³’£mÌcØ$iq\¥@”±>OÝ:^ß!î&ʇfx?J…Eôá­~šµûΦPsA ’${òˆ”JÿÍöC™X¡`ALç+_ŒÆîüô„¶nè;|ÃÉÝ}Eö>Y©™«wlsŒŽ‘PXüXÚMãX@>à-ÎnâZq¡8å2§™qÕ„ÈBËx ®´×ܼҢÄ*pÙúV©ùà¾ã½‹²Œ‡òFN”´V %;â â›>Ÿ“ÂbÇöò»B—¾lò«=z7ÎÔ]$ÕÍÛo ûÏ<™-22UJö³ªCeEÇ6ÀDWìrtÙ3/Ëö²ÐdÉý°i)U´.í‡õl†™g°U’âÒj­öâ¥Ét#— a#ØÛý‚e>ú¾VˆòçOV$ñ‹)ce¶B…žqí¶3(xùpLÝAõ¯©ÓKÇÿ—´ÿ/ðÿ„€¹-Ø -s°3…Ú yAÁÎ0èÿòAû_@ï}endstream +s°3…Ú yAÁÎ0èÿòAû_V}endstream endobj 858 0 obj << /Type /Font @@ -5312,14 +5299,14 @@ endobj /FirstChar 2 /LastChar 148 /Widths 1325 0 R -/BaseFont /CQGTIU+NimbusSanL-Regu +/BaseFont /JVQCVR+NimbusSanL-Regu /FontDescriptor 856 0 R >> endobj 856 0 obj << /Ascent 712 /CapHeight 712 /Descent -213 -/FontName /CQGTIU+NimbusSanL-Regu +/FontName /JVQCVR+NimbusSanL-Regu /ItalicAngle 0 /StemV 85 /XHeight 523 @@ -5339,31 +5326,38 @@ endobj /Filter /FlateDecode >> stream -xÚíteT”ÿÖ6ˆJHKK Ý0„Hw+%Ò ÃÃÌ03tw#%„4H—t7Ò) *©(úÏ9Ïú¿çÓóœOïzïµî{Ý¿}í}íümvf]}~„5DÇð %ÚP'k´þ„_³Ñ±†A7ÀCvv%„"àÊ D`±(CÀaa€„„;@ ô@Aíì1.ƒ§Fܼ¼|ÿ’üVX{ü¹±DCíàŽ›W t‚À17ÿcC}€±‡l¡0@IG×DC[ À¥¦mPƒÀ!(  ër“ -ð -†ÀÑn€-€ýu€pèïÔÐ7\ -h€FBÀÐ3ˆ;‚ü ñ”¾ù@Ñ;Ž¹©€ÂÁ0›ßÜÈmB¢7N7Ø ™.AƒQP$pãUWYõ¯81ö Ìoßhè @ØÞhÚ À.¿SúƒÝÐÜ Ž` î˜ß¾¬!( yÜø¾!C¢ ÂpACávÿŠ€€‚ØP60}CsÃý»:ÿÊðß²!‘0?Öˆ?ZÿŒŠAC`¶BÂ7>Á˜ßvP8àïaÑ€Û"BÀ¿ä6.È`®ÔŸqýžî› @68Ì`±%ÔF`n\¸þg]øÏ5ù?ÐâÿHƒÿ#íýß5÷ï=úo—ø{ŸÿN­êƒiƒœnà¯%¸Ù2ÀÀï=ø½hœ] ÿ— È -óø7VW4‚üéo²¿cÐM9àv7-áþ%†¢U¡î](l°ÁnªõGn· `P8䦫 -zcþ {f;—ÿá_nó÷Øoõ'rAeu}}cÞ·[ÿhêÞÌæ™ø?nŒ´6ÿ<üæQTD¸¼øÅ„üÂÄâ¢@€ø#!ŸãñпÎZ -ê0 -B€›ï?ÞžÿFFØüž} ns3fÿü†Á.(ÔMwÿÜü›¤ÿqþ3ðˆ;L0ÿ– -vHÍHÃTQg÷*›uw -áô‡ ‹jŸåçùW :üRÃ×$ʬ®*CêÞIþzë1³ü¹©É³5ØIãìH†åÒû°rwå‘-s´<âÝ -´("J;0Šöú<ýdõ¶©Ðpk}Tï©EáÕ]†w-"(¼ÏçÜþ¬®yþlgHb_pJÍ ÊVÒ:,òª×û‰»çgœ½Cý}_îtm>à}õŸ]Êõ6G”¿ó«r¦e^l²*C#d÷ÌÞ±,zùF¸J`3-Šê園M–0Â*’ã#×îãÊ’šëpµª?8Áb[#™úÏx+……O¹€~mnËs\ª«PËÇD-×–|~Åí— µÀ#â&mõî2)]S ôyìXpÿ겎Äëçè0u«¦G¶'I‰’N¬Çždöõ1áIi°õÇÜœ¥­ŽbðéàHoTÕ‹Ò¾ õ8ڎ纥%Zѹ͟ðEh·êI›‡É­wAs¹ÎƒD~ç1q¶i#™eœ)o+d–rçu׎µ)&ãsžOtóP3%y1.t9Á%nÁú54’ùÎøá‹L¡Ø-O­ôËû:¯­ïÖ¼”NÔÝr5ªEç+]ÙUUÝÖ'sö–”÷ Ü–Ù¾w_š4{â.M'²Xÿhm/0ÂY³¿M£â¸'ø°û˜}VRZ¤Aí;è$èæè8Û¡õÓGû3–%]£*ÜßåܤlMWï›BÊë…¨!iô¿L¬¼òÚÃîDîî£ü !–YY¹oZ[hú¾ÎQE¿Ú`o¨Ø3f°Âø‰½»®ÝBª-õ½²[M»Eº”Sœ$ÿ\“S“ûH°“ž=^ªW Z[)¸1V´PsµYÅ´¢äŸëð™—Pw¸Î‹ÁÐF²ª%B1’ªŒÔVÿ^îàËvõ6Dí°nŒÅS<\ƒÙ2é=Ï“Eh¦:ψZcä ‡¡—ØÃîUþH7tçŽq]F ý²™põ’…·ÀdÑ¡ 4fIÉøÙx¶ÁËz‡8qBá Ó„_P›»OÍJµM€+U³mŠ]yt¬n¬Îé乡 Güù¯úí[­Îãou–r–ÀŽxS«óNÎ.},â —û”ŽŠáU×Æf†¦Žö{v[^¶ÑC’[-"úTˆí—ûhNW†’eB°FŒæèÍôM†,DúÈÝLIyÌ "m}=ÀÎo©Õ³kÔ<.J­M%û:Xͳc9eƒ9)?néG¥evm¡[)eÍlIW©™”àÜÁý§g65›‚/Xß7ªs$ìöªû2ž˜¥kè¤èœêÔQ¿[KU óÍ}áŽñÇ3pr­ºiø\³²§<®KÁKÜÈË Ë¤Ùx¸…buÈ0P¢MÒ^º03÷fdŠMHIT(ñ¶Vt’¼ïX€‘ ôtj ¨hÝ’ä}þÙ9å¥V,øÔ}1€¹[ãûêèWn§l”’Æ¢¶A8!cƬé©cÛ†~MµØ›[ U½R<ð1k¶¯ú®‡öW#üþâcóøû¼x;§Ѿcöß>úZŠ6;M˜JaWg©56kw|¦u0ÀÓéÔÂ6È5`Ž¯¨›>DJ˜€âî9“j‹&g» kÓæ#è¼–8¸+w›/•,šw€ïZ¾'¾Ÿù”ço¶P£¾¤}·e~ÕØ_$n8ñvø¥$X,5báâõq™*:ËÞòMC­CEnÐÎ+©&ÇÎñÓÄífÈbqÒ¿NŠÏ5UäÂn®³ã(ùÝ´½Mì¨ü|Þ;bY9¯NH¹k½=¬ù4›~—EéMígð^Qöú"âËØq©M+o2jÑ—X†\cS%áÔ«üÉ¡?¿“ó„;I~;_®ÇépÛM×x‘ù†×k¹V7ŽßÞÊÕ¼;[2¨™ÐŽÞ_Õ¯¿ÅÕc5Æå¤Í¡rVëéø> zIË)šT¬K“Ç'÷ ¬»z–]ÚWá×dïQn—°K®H}÷èÕÈù³mÊ ÞDkmžrG¼øÁà8êí/ -Mâªí`¬~¤÷êyÚK£ÛñYu»V·j™ª¾&•‚¨coÝŸñ–QúI÷²àCœX·4­¤}=rø= œ¶`Þ.æ}ÿQì‡ÑEì›fŒ¦ qFïV%›€OPd€[;§Ž7]¡‚¸ƒ^| FÇ˨ñ±JÊc#•[*ümêO;Ï£Ýá>¹Òì®Sü`;wqùši\œ7ߣÞìºÂéžÆ¢œNÚRf‹*ØBß"¾$º½ðP¤ÒóÈó˜êo-„i?u•2ÊRy8ò¹`(-ƒã“ 0½_÷W¥Ôr”"›çAtÎ`ÞÆt‡¸ilûK¬òáµhÊq‡UïR½õ›ºGCPM°-—÷P_~ðÂÜW‚¤ÌÞpÊgÚÄÍ!Ú$²†àéBó9ŽyHªÓVúö[É›[©†K+ÛǪCìrRʲ–Ö•q-É?ši„éŒkœ\Úðu#®WÞ WÞŸò&«{ɯOsû²ÄYàÃÔòZ§)º{{ÇÅÏ2 ³NŽî”òXâ>7šûNG^b'´•PëœÇj9;\ø6¹ïïƒûo€3r0'E-ãð™Sì‘Y½$€$É)bÆÄú©Ù¬®å¡Ÿ8zñF·“kaÕUÞó MU*¹Ìy/Ì%-Ù¹}âý¡çNà÷žrèUkn® !^…Cäk—¬ ZÂkösõ5“I•bKQû½LC±Eï­§ £˜þìÏ},qtybËßîúŸš/¼h óZ±ÛiXSvPïÏQÏ;ËõVªfÍéOŒ¦ÓoŒ³ä ~h€tû¡’?Ó='[ÒM2jzw·SÁzžœ¬[œ(æ¬å>ú4m†¶É¶–ò"Lû±ß?Œ´ÚQøÐýõõaZÁù®*ºÓ1ýðþ@ó¬Îy—ñD»‘„ÏdeçÓì|Þñ+¦¹¨ìnÝ8fFPÚ':þYÓ4®®JQî$e>6Ë6u«òŠcÞ­ˆ>½æºç­)Kíø,’ñdËø–Ï\žg,“ ÚÍßu× w¨H~Å×ÍËHàzž9uà³ôy¾°ÿ‡Gê ¼ªÏ/ uáï19G†e´tLx•w7V’ñÿXç=Tùäm!2ü$ÕJ¶—eÙŸÅÄF¨ÝOçÞ¥ÃoãýázÙ39Ò±‚@÷‹å±ëu‹õìê{ ª1Æ‹Tc~:Å5‘ý,,;{Œ+°9l'ÈZ’a]ËlÚܪÀLêã©ýú’–ŸÐ—E™™ïö¡&ݵH]WÜzJô±–q†¼u©’b‹zÂÙUØ3î*"{``´ÿiBxÝKàk -“Î#Šf‚,z¼ýYCy ¸z 5ËœBÒ²fmáVìüð9¾z¾oj¨³`Àš¸nÕzO'˜[“^7ݔۃƒ2‚Øš9ßQÀî -à˜Ä}6c]âͬ¾tü‚K¼ 6cgä>®>é‰lŽiZ†›)œ.½ØO6~|›ë£Ý§¤rè@Gr=ÁèÂèç½Âѧ$ßzÍ–Kj©¨hªÚì¹+ 8²” bdÚ‹¦òíRO/]ž"¯L$S¶äÌå ¯Ø9zWòÉXFazØUb”ëO^”ã]*wæÃh¥>©…ãß^¶X•­.¢Ð@pì9¾êzõ6ì,¿®Rr O¾xÃBmkÎýìER˜÷ƒª!ú™ÜE>`€ôë‚(ŠÚT AnxÜ.¤!¿gtÊž[Úu­åZ©Ç–ûØ¡:^ú~ƒñ;úš”CÔVÃÌÝ^="E‹ÏË/¶Ýoevr-ª¹ ÁC¾á…VöVïÈRÔ‚(¬—ôÛwøµ˜Õ>eÞÏ¥$B†.¥F9“–uè¥TKÚÎ).J¯Ÿ¼.çlåÎSGÔuÏÂXŸÚÃgÖ=Ôšå{®Y -ÝdÌ]BKo›}v\™Œ[]ÐNˆ¿¤ Ÿåv}½•H0Ìá»EJ©ç2˜dÌc»iŸáRè ŸEŠ*r‡6 ,1iâ•u¯½u? r¢üøî˜èíY`¬Ÿ»OEºFkZA÷LH»Ñ) "Vo„ûÌzhûÉoš0ƒžÚLT©Åö0[d#åK äDýLq¿O_þ.6,Sΰ~r;l†¡[ÛGIË0P…¸ÅI£=ÅH¼8ÝZíÌ Ñ¥…÷Ý-³Ú€‚©¹€U§Qð½f×ÆjÊ@Ætzæ°wO-®3^–[>ÒÅîÉú±ŒÛé‹}p…tôû±¯Bîq¨Ëœó “—_qÀK9GfÿÞ~Û.Œß7lJ‚>"é,Ô××¢x8f“[#²ÆÐÖ;4Ê1¬éÛXõ?ö„Ü.Ó%>žL—tÕ¥ZŽö§ö—5³nÙILƒ¥ŒL^á’£™ ¥ÇèøŽ¾? ¹ÛÞxH³¦ÁψæÝŸ€½˜¯ä --Vº0'/ï\æ&Øqeí1·»¡â»°ƒsˆºÔí.®ãœ/àrƨæ.´Œï\ħuè8¯ŸEùV)0€y¹}zÒÄDXK’<¹Š›!¹Ú²B ÊL?Ý;\Ì^3º/sDÚ~Ž/åÚ5†3¦ï¸×qÔï~c1Û¨ûå·öñÓËs(úѤìÆ›~þòªn±Á7IÕLiÎÙ-异¯.ë¹C• ”"£Ï[œÏ…œ:8®ÅY!ù÷ýò8Üc¥>$ÌÕmïo&'ë¨EéûD°Ó áI9éè¥ûÊÌʽ’2”±%to oçË<âÓéÎ$œëŒ/]¡eæsœ.üé}üQú XC\–£“®—‚Ÿ/30du¦Ñ£+w¹á¯YœÇŽ‚î«÷›• ¸ZÏ£(õ&¨bÈÓ†…š]laÄîÂô™õwñAÌÇ/¨cú¦#›ÏΗ¿ûÃFW9’ÅöšW+~´dø…Ÿž“Ÿ<­çUý<½ o‹a“QY‹(Ç–¼'Š3ªé­¹æí@¿Ïtå2Ì–Ù<Ù I?le­úL]*ÙvGÝÔ*a/âU¤ù롱ãak‰ÎA_Øýï¨ÂVÚV扷zi#™OìÝ—ô&m¯J$‘é*ô·Òµ¿; (IZã’‡V’ÖÎiÇÿHÄÏ# rz|ˆŸ1}ˆ•oäWtÒ¶µ'd¦y•ÐíâZž<ä+ úùåGôûu%®ç õ" ¥£g‡Q¹kŽ»x¹}·ÌsØy C -ƒÅ. „&ÄI·É1Øç»ìïÀª¹í]‘ 3 -+Û›~fÍrMú«“- c«»Ø·ïÚ  סM™<ôÝ`5+rzB¥F71eâr×ÁŽ[a0ýhl«´ð“á“]ÙγÀY7‡ÎèÔgæi»žå6 Rú=²Ò‰æø*…peJ‡ý¯b.è”D•úaZ|Ì—>±SÑý8l \}E×;aâÞ% ¡’éÑÙÅã^-–»!Š”£û–›ã®Œ >Ü lÖj<ÀL÷Œ)—põJ8HemypÔwRòÁì,>òÚœaØ "—8h ‚í²fSa€ZþF_†¼Kê’í–»$LñBM1Wé•&Ñáï¾æ>w¼ÿÖ0¡[ÕwIûÂ}ž>"g´¢T¾£ñûQëH¤/(£ûl¡Aú½ -gN¡1Cö£@Nÿy›Ù36ó;&·Íã×)ÜÑò$kŒÍgë€a9ÌÌÿ·{_#¡Îë“ ŽÌº‡žŠ-k˜‹žèbÕXÝý'UI¢nï×E’¸œºêj’Oe‡ L5\‘:¹¤g±¾ÇËh½„ÍË‹yÝÑão¥Êý œ>ì5VCb—ÜíÞÞÁ’㲨³–6rUl/BÝ•£^¼›7˜/´žõLåûwbMû\§GU'ad»NÈñàf1½(Ùì+gã2͵^ÉáÈ·J5÷îq^øNÀ&””M÷¾Š»§ðã– ‚É*Á»…¬¼Ì%¾Ü+°Å㋪1ó}ªãiOÆw ¢Ä­áQÛ&Áo}~ò˜}eJI-ÊB#‡ïgY×ðØ0¾i &ê©apŸNûÐœ˜¸;þF˜i»;Œ˜_{V¨EÙ ž¼›Š ‰^Á‘ò#¡yÕR©aå“e%ŸØ÷ÄÈ\¥°8Ïcøø$ïÓt¹M™ ÊaULµçJÁùâÐID§‘™uôÛaªKƒ2¡@Ê"úNa6Þ¡hÓλ8SUšÅ&5aØ).ŒcîH{¬õzŒ«œõ—wG=e‰LX"-®ª_·&ãeÔ !&G êÌ°» ¿±4¿_°“æªÃrr[EqßáSuA ˯#žÁ¹£9x<Ðg¨æ€+r\•h2±j_,½tÔ*t›å8×FÞ¤ž¹²ÛÊ"þLB‹ÊÂmGžj}¸”|t7pæ6ÌFûô:å>›/dø*·©ò…í½÷àñ_hÝ'D/Ž3jÖ¦]‹ž†a^AËp ±UUÀÂ"O|^:÷O.½BçPZM8e’³¹6¦è - T®Ì‘_»ï~´LpÚ0hc½tX²›1”×y=áQ¼ë…¨p%f"@‹ÎÙW=éJÁ°ŒôoI…‡Š8µEá5 -Æ&M¸÷¸VR‹Umõ§³ß‚«ÐJ4αã©Öß -崙aßÎ?ÁPÍpPjš€æù†SáË0q:ïÌÏgï‚_'•?Ì’ ø`çL[“­ -D±àg›?Ë#›;nðmêŸp}Î07 ÿ¼¶eÌ€m@IÆKw½èeQ=?"ÉrvÉNä‰ìzÓÛñe‡yMbYO„ÍŠÈäþeS䇒Q£q?•x8 v0h¤‘Át‡öý”Ÿ—÷¡¡ßÔó®CNt¥z9¿­"µ¸—+{”&†DMî²½¹)|Öf¹¹a HyZ`”*&³4tÍÚŽ2UÂïº\èû1–ƒYkŽtA $ù_¿¦f9$¡žf¯¹†˜ª Px®´²+3›#s…,›‚õÜu²³ôéûnã‘óݺN¿›^~Û¿ÓÂ,iú™D¶°÷KÎÇS?Of}×KÍÈZ™6½¶”ƒléá•8ºKµÜ]8Öö´\R½¿k5‘‹÷Õúø |e¡·Y’´|,tj;‚7Oi_¦Plß)×ôakŽÙ“Í‘6½6ñžà&\窴Wµv´aA\Ç,«ªªR²°Æ=€ï‚4®Q¦ÑÒÆ×\´öó•»Ôù/MJt5ÞsãðfÔüÒ -Î}N×C„¿sˆ?“¯ò -]LÐÃäZd4¢a»ûMÅYÁ]1—¬2ÍÂ}ªuÝü®QDHx£ºOتjØ ¢FÞ>-œ×7X¢+sÞ튧÷èíå§\‚fÖk$›ãül+¨‚ïÄ©p”ÆLkA"Ôb9kPôi•q¯› Š™ù…,bTç{ܪH»ue¾§'ç„êr+TåyÓ,.m@/ u©='Ò[¸èúmÂ.yÅVñY ~/ê 3—a#%eêCÏžÚ ÞÆ/3Y¹5.ÏjÈm€6­mB<«íöØx Þ$»-—=;&(—4)v1ë¨×½·où9^ÑÃ×ü_>ÿŸàÿ 0 BaN ”#Á§Uendstream +xÚíteT”ÿÖ6ˆJÒC7 !ÒÝ’"À0 00Ì 3Cw7RÒHHƒtIw# Ò¢’Šò ÿ÷œó¬ÿ{>=Ïùô®÷^ë¾×ýÛ×Þ×ÎßfcÒÕç“·AXCTp Ÿ ?P  u²vAk!àš| +˜Ž5 +¸°±)¢ Wa #ˆ @  ÅÅÅ ØŠ¤ +jgp<5ââááý—ä· +ÀÚãÈ%j°ßü¸B`¤Ž¹¡øêC Œ=` …AŠ:º&êÚªNUm€*A`]—›TÀM(GC¸¶ö×FÀm ¿SCóßpÉ£  CoÌ î`ò7Ä @BPNP4úæEìP 8æ¦ +Ã\l~p#·Eü ‰BÜh8Ý`7dº4 FA‘ÀW]%•¿âÄ؃0¿}£¡70a{£iƒ»üNévCsƒb@P8€¸c~û²†l h$ äqãû† ‰‚þ à …Ûý+^ +bBÙÀ hô Í ÷ïêü+OÀË„DÂ<þX#þhý3( Ùò +Ýøcn|ÛAῇEn‹ÿ’Û¸ ÿ¹BP +Äù{f¸n‚Ù à0€ Ä–@@¹q àüŸu™ÿ?×äÿ@‹ÿ# þ´÷×Ü¿÷è¿]âÿí}þ;µŠ ¦ rº€¿– àfË š€ß{ð{Ñ8»@þ/æño¬þ®hù+ÒßdÇÔ1 ›rÈÃínZÂ'(ÄüK E«@Ý!6ºP Ø` ‚ÝTëÜnAÁ pÈMWÿôÆüöÌ +v„ÿ.ÿ£¿ Üæï±ß4êOäšjzz&š<ÿn·þÑÔ½™Ì3$ðÜi!lþyøÍ£ €pxñ‰ +ø„‹ÄD€±Ç‚>ÿÆãÁµ@Ô`ä7ß¼ÿ:=ÿ2Œ°ù=3úÜæfÌþ)ø ƒ]P¨›îþ¹ù7Iÿãügà!w˜`þ,ìš‘†©¢ÊîU2ëîÄéAÕ>ËÏó¯@tø¥†¯‰—Y]U†ð×½“øõÖcfùsSƒ{k°“ÆÑ‘ 9Ê¥óaáêÊ#]foy̳(`QD”v`íõyZsõ¶©(Ðpk}Tï©EáÕ]úw-Â(¼Ïç\þ,®yþä¬gÈû¾à”š­$uXdU¯÷ØwÏÏ8z‡úû:¾ÜéÚ|Èóê>›¤ëm"ö(çWeM ʼ"Xe”‡FHï™'Ê¿c^ô"òpÇf\ÑË9%,a€U$ÇG®=À•!1ÖálT{x‚źF2õŸñV Ÿr9ýÚÜ<–c¿TS¦’‹‰Z®-ùüŠË/jGÄE$Òê;ÝeRº¦èóÄ)°àÁÕeˆÇÏÑaêVMLO’"­h=ñìë«û„'A$ÁÖóÕf-Z…9¯ã«CŒ™Ý‰«¾ñÅN=ìSËú¢–eøÅGAø§¤vqaòÏñ@¿ë$ã<¡RŒA¥¨ïõŒÃf%­zÃùáÞÏÈïéÕ8Í•¹2 Ðó{/ð;3¹¨^ñPÑW±š‚öKŠºå§ÒZ&Kû‹Ê2ãM`+W;Ì?”{ÊXÓÒAOµcdCî*änBhEÞ´¸C¡`«j«¤=­Rº:NW¥ÞýÕBÃ.ë¨îñãºæò¥ rýgex­¡éü$t; µdçl t³Æ†A¨N‚3Û4œŸ=u4Iñ1%JT !6G¸GQ)®Ÿ¿zë=M +Z+}Ý-v|^Ë0b§›VÙ´8eå9)ƒåkjiIøAì]sK[…–i8ÂáËZÖKÊ«ËÏK‚ÌJ3´Ÿ+ú}¢››Š1!È‹a¡Ë .A Ö¯®žÌ{žÀ'XdôÅnyj¥_Þ×ym}·æ¥T¢î–«Q-:_ñòÈ®r¨ê¶>©³·„œá¶Èö½ûÒ¤™¦»­ðbýãµ½ÀdÍþ6µ²ãždà£îc¶Y )áÕïÜ"?’ ›£ã¬‡ÖOïÏX–tò+s}—u“´5]=~` +)¯¤‚¤Ñý2±òÊk»C¹»ò7„Xfeå¾im¡îû:Gýjƒ­¡bϘÞ"ã'úîºv y¨ºÔ÷Ên5íÉRN}p’Üs B ®#N:¶xÉ^-hm¥ÀÆX}ÐBÍÕfãŠ|®ÃgBÝá:/zC‰ª–…HÊ2[ý{¹ƒ/CÚÕÚe4Ãò¸1Oñp fˤö<7N¡™jÜ#ª‘3ì†^¢ºWù"ÝüÑ;Æu%tËfBÕKÞü“E‡.И%EãgãÙ/ëâÄ…20Œ~Amî>5+Õ6®”Í^4)våѱº±V88§“ç†ñç¿ê·oµ:¿eÐYÊAZ;âM­Î;9ºô±î§X¸<˜ pT¯º663|8u´ß³Ûò²’Üjѧ|ß~¹úte(Y:kÄhŽî×LßdÈB¤¿ì”Ô˜' ’Ö×Ùl|–Z=»FÍã"„ÑÚ”r¸¯ƒU=;–S6˜’òã–~TŠSd×J²–RÔÌ–t•jáJ +Ì…ýV¢ÄæVªáÒÊö±Ê›¬¤’Œ¥ue\Kòfj!Zã'—6|݈ë•7è•÷§†<Éj^rëÓ\¾Ìqø0Õ<„ÖiŠnÆÞÞq±Ç³Ì¬“£;¥Ü–¸Ïæ¾ÓÒáƒW†Ø­DÄU;ç±ZÎξMîûûà~ÇàŒÌIRI;|fÃ{dV/ñ#‰sŠ˜0±~ª6«kyhMG/žèv2-¬ºÊÀ{$©Š%—9ï…x£¤$:·O¼?ôàÜ üÞS½jÍÍ•&Ä«pˆœbé’q¢F‹{Í~®¾f4©Rh)"j¿—i(ºè½õdÓý¹9Ž6OtYýà[Â]ÿSó…­a^+v»# kJjý9jyg¹ÞŠÕ,9]b‰ÑäcúãqÖÜáQB n?”3rgºàdKÚIíBïîvª XæɺʼnBÎZîãOCÑö`h›Lk)"Á´ûý£«ùÝ__ßñ’§˜ïª¢=ÓÏñç 4ÏêœwO´IøLZq>ÍÆë¿bš‹ÊèÖcb¥}¢å›5Mãìªáú@\æc³lS'´*§0æÝŠèÓk®{Þš²ÔŽÏ,OºŒoùüÀåyÆ21¢Ýü]wÝp‡²øáW|‘¼ŒÎç É‘S>KŸç ûx¤ÊÙ¨øüWú³‘sdøHZKÇ„GAiwc%ù1ñužCåOÞÖÂsÁš©V2½ÌãaëÑdp¡ÛO[â<ДR ÍQÍ–>ìqMx O¦yÞ&ØpªãÑuu~ŠÞÅdñ,ê¡,yuÏ—#ÙÃý{TgÊ´ú“ûd~c v?{—¿÷‡ëeÏäHÅ +Ý/–Ç®×-Ö³«ï$¨Ä?)R‰ù5ê×tF6ö³°ìì .ÿæT°D KI†u-°is«z3©§úëKZ~B_Ef¾Û‡št×"5]1ë)‘'ZÆrÖ¥Š +-j gWa?vθ(‰ìÑþc$ ubu/¯ÉM:È› ²èðög© ]ä,àj-TÌsòI˵…[±óÃçøjùê<©¡ÎkbºM”ë=`. :ÝtS.vŠˆûÎÐÌùŽ6GPû$î³ëo&íð¥ãœbµ;#ðÑpµIOdsLÓ2ÜLþtéÅ~²ñ“Ûœí>%•C‡ø“Ø“ë FF?ìŽ>%þÖk¶\RKII]ÕfÏUYÀž¥h#3Ð^4•o—zzéòye"‘²%k.gxÅÆÞ»’OÊ< +Óî¥X×|QŽw©Ôi˜£‘ü¤Ž{ÙbU¦ºˆB Á±gÿªëÕÛ°³üºJÑ%<ùâ 3•­9×ÒIaÞ«†èfryR¯ ¢ÈkSåÕ¸àq»Ô†|žÑ){¬i×µ–k¥[îc†jxéû ÆïèjRvQY 3u{õ¨ ->/c`¸Øv¿•Ùɹ¨êv€ù†ZÙ[©¿#JR  °^Òm;ÜáÓbRý”ù —‚º”åLRÖ¡—R-a;§°(¾ +Ô|]ÎÑÊ+”§†¨éž…±<µ‡Ï¬{¨6ËõËå,òz+‘`˜Ýw‹„BÏe0ɘÛv=Ò>!Â¥Ð>‹Qà +mXbÔ*Ä+'ê^{ë~6@éDññÝ1ÑÛ³À>X?WŸ²TÖ´¼î™ v£SD´Þ÷'˜åÐö“ß4`=µ™¨\‹ía¶ÈJ›@Èûÿ˜âzŸ¾ü5.\$lXºœ~ýävØ }·¶¢*§a òý'õö#±âtkÕ37D—Þ76·ÌjrÆæ6iœF5Â÷]«)kiÓé™ÃÞ=Õ¸Îxl¹H;Íõci·Ó)fûà +©è÷cy~x_ç’Ï›ÚlCŽ¥ìç&+JÉnK<§zXY“^–¬‹ˆ'êx¥2²­.‹&±íšÕãnXG”€%§[ãZJ÷íðFìÚSôŽ¨.®Ä!’¨C²M™ m†K±ø+êä‚ïÛ~%¼^…\1bP—9çF/Þ‗²ŽLþ½ý¶]¿oØ}DRY¨¯¯EðpÌ&·FdŒ¡­w¨•bXÒ·±Äëì7º]¦‹=™. èªK!±$*íOí/ jfÙ²ŸK™¼Â%C3JÑò}r=¶½ñˆfMŸͳ?z1_;1ÈZZ ¥xaNVÞ¹ÌE°ãÊÒcn÷CÉ{agq©Û]\Ç9¹¿€ËS ’»Ð2¾sŸÖ¡ã¼~å?Xe$OæáòéIwf)Iòà,n†äjË ‚(2ýtï¨s2yÍè¾Ìnû9¾”k×ξã^Ç^¿ûÙl£î—ßÚÇO/Ï¡èÇ“62ozøøÊ«ºE Þ$U3¦‰8g·”óx¼º¬ç +U4PŒŒ>oq>Zpê`¿Vc8ä?ðËcw ”ü0W·½¿™œ`x¬£6¤ïÁF;„'餣—î+=+ûJÒPÚ–Ð9¼¬7óˆW§;“p®3V¬t…†‰×qºð§÷ñG©3`Íý²t½ü|é!«3õ]Ù{È â<6t_­ß¬œßÕ +|FE¡7AC–6,Øìb »ï.D—Yïn(Ätü‚r0¦o:²ùì|ù»?lt•=Yt¯yp5°âGK†_øé9ÙÉÓz•¯ÁÓËð¶Vi嵈rì`‰{r¡8C¡Þ‹`žôûLWNÃlé}€æfHúÙ`+KÕgªR‰¶;:è¦ÆPq{~x-È'X[KtúÂæ/pG°zж2«—&’éÄÞ}IoBÁöªD™®Lw+]+Pá»3¿¢„5.YHØi…>iíœfüÉDü<Ò §'‡øÓ‡XùF~E'm[{‚fW ýÑ.®åÉC¾ü"ŸS|D¿_Wä|ÞPP/L_:zv5[±Vซ—Ûw;À<‡Û0¤0XôÂ@pBŒd› ƒ}¾Ëö¬’ÛÞEÙà0#¿²½égÖl Û¤¿ª>ÙB?6± +±‹}ûΡ +rúÑt‘ÉM× Vµ"£#”WltUº_î:¸Â~+ F¬m•~2|²+Óy¶8ëf×úÌ4Ml׳ܦNBÀõ(¶GF*Ñ_¹®Dá°ÿõaÌ­¢ˆb"L‹—éÒÁ'v*º_‡µ³¯èz'LÌ»„>T"=:»xÜ«År7Dbtßr³sÜ•!Þ‡+á€ÕÚ@õƒ˜ñž1Å®^ ;‰Œ-7ŽÚAJ>˜ÙGN›€# ›^øò‰;A°]ÖlÊ! PË×èKŸ·qÉ_A¼Ýr—€˜1^°)&ð*½Ò$:üÝ×ÜçŽÞ&t«ø.i_¸ÏÓEäáŒV”Êu4~?jɃôetŸ-4H½WæÈ)4¦Ï~Èá?ï`bb3{Æj~Çä¶yü:¹;ZŽx¡ùlb0,‹™ãûvïËb$Ôy}²Á‘I÷ÐS¡e sÑ]¬ ²û¢¯Ye‘$Ráö~p]8‰Ó©«®&ùTfÊÎXé“Krë p¼Œö±ÑKؼ¼XÓ=þVªÔÿÐÀéÃ^c5$vÉÝÞèí,YŽ!‹:k)ó W…ö"Ô]YªÅ»ùwƒyCëÉQÏ”¿¿¯aŸëô¸Êâ$,t× 9Ü,ªE/“}eàl\¦±Ö+1ùV±æÞ=Ž ßéØ„2éÞWq÷äÜ7Y%x·•—™‡,¡f`æ}Y§aÉö VÿXK3Wß6í=ÈÎQCÐm9ƒGš-âgƒxç˜ÐXWOgñ÷–ò'–w£ªç¬Pà˾[<¹¨ƒ1= ¦<žödx(nq· JÌúµ-nüÖç'·ÙWÆTáÔ¢,4røA–u · ÛÆ`¢ž² æ÷éıõ‰‰;Ѹã`„™¶»Ãˆùµg…j4ܘÉ@³àÝTqô +Ž¤1õ«–Ju+Ÿ,+¹Ä¾oÄž@¦*ùÅynÃ''yŸ¦ËmÊ”÷«bª=8VچȇN" 8L,£ßS]”ùS~Ñu +±ò E›vÞÅ™ªzÜ,:©ŽTÃNqasGÚcŨmÔëd\åି¼ûÄ8ê±sdÂIqUýº5)ƒvñ}2”€Î ›ÛðKó;i®:|''·•ö>åP´Ð2a÷:Âáœ;ê…Ç}†j8c!ÇÁU‰&«öÅRKG­‚·™s}`dMj™+»­ÌRéÏÄ5°(-Üæpä©Ö‡K‰ÇwgnÃl„°O¯S°úB†¯r›*_ØÞ{~q!ÿ…ÆqÒHôâ8£fmÚµèi`†þÑõ‡´4GÁkU,,òÄçE ÃýþÉ¥Wè +K¢ g¢L2Ö#×Æ]AþÊ•9²k÷Ý– N»üM¢,±—Kv3†r:¯'<*ƒw½®÷ À¢s¶UÚÒ_0,#ý[’á¡ÂNmQxMC‹ñ£Iî=®•T¢UÛ@=Àéì·à*´"µsGìxEªõ·ÂieØ·óO0”3ì& yÞáTø2LŒÖ;ósÅÙ»à×IåòdE>Ø9ÓÔd«QÌøÙæÏòHçŽ|›ú'\ŸÓÏ è?¯m3`P”öÒ]/zYTÏ·H²œ]²Ö”Yoz;¾ì0£Nl"퉰YžÜ¿lŠüP2êbT"æ§"§ÁN-bƒÔ3øîоŸrór>Ô4à›‚zÞuȉ®T+ç³U óòca‹ÒÀ«ʾ@¶77…ÏÚ,77 © O ’Ť–†®YÛQ¦Šø]— }?ÆrP`@#KÍ‘.¨¸1ÿë“×ṪÄTóÃl5×SµrÏ•V6%&sd® eS°Þ‚»Nv–>]ßm<2Þ[×éwÓËoûwZ˜%M?Ïò~Éñdêçi¬ïz©i+ã¦×–R’5=¼Gw©–« ÇÚž†S²÷WbÍ¡rñj/„·,ô6sòÖ/ƒ…NÍaGðæ)íËô +b;å>¬Í1{29R£×&¾ÀÓÜ„ë\åöªÖ.ƒ6,ˆë˜eUUUJÖ¸ð]ú5Ê4ZÊøš“Æ~¾r—*ÿ¥I‰®ú{.žŒš_ZÁ¹Ïi{ˆðwñgò•_¡‹ïô0ºhEÇî~Sev–wWÈ%­Ló€pj]7¿kڨ6$¨¨‘³O çñ ïÊœw»âî½z{ùi— ™å‰Çê8?Û +ªà=q*¥§6ÓZµXÎÅùEReÜëfƒbb@~!չ÷*Ün]™ïéÉ1¡²ÄU~Þ4‹KÐKB]jÏ ÷.º~›°K^±Uxˆß‹Òdâ4l¤ H}äÙS{ÁÓÀðe&+·ÆåùOuiÒ Ð¦µMˆgµÝ+Á›d·å²gÇå&Å.fõºwàöí£1?Ç+zxûÿˇàÿü?A†A@(  „r$ø/7?endstream endobj 724 0 obj << /Type /Font @@ -5372,14 +5366,14 @@ endobj /FirstChar 97 /LastChar 122 /Widths 1326 0 R -/BaseFont /DHSSUX+NimbusMonL-BoldObli +/BaseFont /LHQQYL+NimbusMonL-BoldObli /FontDescriptor 722 0 R >> endobj 722 0 obj << /Ascent 624 /CapHeight 552 /Descent -126 -/FontName /DHSSUX+NimbusMonL-BoldObli +/FontName /LHQQYL+NimbusMonL-BoldObli /ItalicAngle -12 /StemV 103 /XHeight 439 @@ -5399,44 +5393,44 @@ endobj /Filter /FlateDecode >> stream -xÚíwePœÝ².îä~ ƒÂÀÊð‚ƒÝÿUrÂì]ApøÍ÷ïÝùWŸ€ÿÖ= -uõý ùãõÏÀžp«ÿCN;χ܎`wœ§¿‡EÍÝàãýËnïýæ ‚ýÙ ¶ß3ÃþPÐâîê °9à<Õ†x>¤°ýÏTæùωüø?"ðDÞÿ¸×è¿âÿíyþ;µ²—««6Ðíaþºd·   ø}ϸa€ßw‡èÿ -º]}ÿMàßAû_|‡Õ<›"çîø 7?ï_f0\ì²×{Ú9€®{öÇnän‚¹‚ÝAÚþÙÖ‡ ^Þ¿a†N`;÷ß"ýÜíÿ^þƒ\ŠjúLMSE‹óßÝ°?na>7¿€@DD ÊÇðo2þ¡áû×Z è ûÌyyxyù¿ÿøþkeù7%w;ˆýïÉ1ðºÛ? Û? ¿a;/ìAã?çÿ¡é¬ÿŒ=ä²Ã™›†ØI„;gædyÖQä÷+š÷tñ¡öG@Ë ‹ß×@:ƒ2£VÄ*mnj#xÞŠß}ôÚÞn¨slv‘»²v¦ƒö iÙ»ß}ciáÜ }jU†ŸõÓ8Öï`RsÍL˜÷Ùæê°ž¾Ué íh« ëàœ=˜ÑûM0)Ó” Ð.£!¬íÑ;$⺢Ÿ,)?ÎÏX?!úû:л7¨9ó°™%¼ÑðYb‚=ò¨eÌŒ*ý^q®£ÔoÒÅw'ç ‰ö•/ÓÂÉGB2'+ -ôÜŒ …Ûòü_kˆ –¦µëoa•ZýÊu&kÍy,w]ûâÓs3éa³«ÈNÙÍÑr-¥ò[,!Ô€Œ{µyŠ_¹M(¿nsn+<ûZ×c,“¯+–§_SPkèyŠl®H> -ŠäX­1;M±öa"~˜¥ 8õ‡×Ç8-±žöì|zóò}ÉØ·N+÷•kÙGâ±ðhŠØVPkã]¡BÆMijýYœû«y¥î±fÍ“šú`ÆçÀx‰ãdƒ0uç¬#[ñŠìm¥K/™d[Ës5¹W4í_K`ù=‚­%MÔ¦åo,ÀŸµf e?m¬D“< -“õ‹HR¯3bšñ>Ôm] -£~Ußé+ ÃN“¹)Ÿ”ÙhLƾáÐØòÓm0èVÞ -MËmÇ€_îd{š„K–"[!ëëù÷í@#äŸ\E_¤kY#“ê»}·>á‚'1ÖOÞ¼3>œùŠ~Ò‹M2&¼‡ÏJw¶ì}a¡Æ÷ócîùÈý{gi[(+‘Í£ÖLèØÇIx|žÑºM+²V S¶‡s?4œ þŽ£1j<Ó·³ØŠ6¹ëíÔ†ˆÚÞÙ²Aê°Ã9Ýù¯'{áOzö €.%}ÏX´çÙÉ&ïO’Ö; óùfÓ. -&!ë +6\ÀÔlk䧅Vu.UìÆ5'™n*Ñ8ßenKÔuKJµd&U¯oE³¯6W.ƒM1Î6¤†…νȴo¿z¿ñ\ÏÂ?¶ŒÂð[¸óúÅ à®51/öšÕds‹h9ZT–,2µnÄå6–B–¡¢q 9{D¤òÃ’÷mØ-iŠŒÑ0÷–òùv‹1£0ùÓ›ã“wC;)l\a\Í„‘]KϘ‚élšéõ•)ºü‡‡,ùxâqe}ª‚S‚ýï4·ê9Ržx³¸ ‡¡vpà|©ð°šª#çwì@}5Dî³’›ËÓ.¢1¾v¡Ékª:¹þåâ›ÂƬ4AáþŠÖYö/͵dyyL8‹ãËyetÆ-.©rùMtöxUl0Áðûl2÷îýkjš-da¦·WsžWíñ MëoÂ$UD8VæF+Çå— -´T1M€‹àÇŠ¤q4Šïr¤í2WÑié"€ñ}û^#ñ›lJþ¤ÍBµjÕé§|vjˆz­Íc¼‘hôus1&uF!‰‚¹“ŽÔq*n†'Rö㪣‚Ïp;‘?׊?¤¿öøFxñi4í˜F“æ5?&¬Žµo¢¼Îe,'¬:B¨¸ É -ª^æ?ß0kÂ[Öýxnc'ÚB¯úÞ½â§HÒÄ*uÔU¬3|]ìóÝ=.(› -½dþÝ'øð3PY'5¹dN#¬–v›TB÷"™O·Ý ¿\¡¨ÅïÍÜ”¬cÝî–Áqˆ¢CP霕Ã6_œ‡´>häß¼W²95&M˜úÛP/^(Ùž{˜tvT‹7§¿ú·)ïù¤€?Ö0b?Òp°éÿùmŸlÊž£«¥˜¼Brm·bïd -îÞ~c>ùåC0–žs”Y_Þa®4mÏ(7[Å5ÔÏÑtªFw¦äµ?–[éÎ-š<åXnàû~5À¶R,çëÒñj‘æ yŒ÷l¸V¦ŠÆs|ì‰su»ŒÇ_fôQ'Ð5U¶Ïl¾&}›,€œÉ6ðÙG·›2›ëcy÷®=ÕQäçNÇºÏ Ë‡Ïòßµ>½ø)ñ©ëmìMO¬IÛMxñ¹|Ùîó=²wsgdŒ£ív “Ù£S k®”õ%-zjŸEU`9¶ÞAQ§@¸zôMÅS®LI4|/J&¯^:NòaeÜoB“M_Ž„žOpb0ô@£!:½?pngö÷ИÁM›ìÃ|½M}ظyÚ²ÂK°\²9×[÷†_|Ô›H_p3OéÆu!9~L›¸N*ÞZ:É®þFÿ4àW­*Œ Ý^U6Ò,¹Ìúú¤HËV:Ž¬×_uN©CRA¶Â¤@sÌÈÑF(BÌcå*sø…ä¼<Ì6ɳÅè{Na™ ‚ªÙŽ¢Äé¤hÍ[dò%laF'1ß2`D‰Q »E?¸Ip|i÷#µ7’+…/\¶™ƒjŽ2¸«`+"׊=‰h®xó]áÐfØ&:9/ÈÔcmålÈŸŠ—täUx3Êwè&‡xpÅ€N€ÁmvÑÀŸôËÙ…ÖuÃd¢nc¼o+(Db˜õ;X‘ñPQ®7©û»äÁÞÄŽhÇ{|´òh>ÙÛÍS¶cñq&U§”?ÎÎ'ÊÜ•l`è{B¤·:<… '=ä¨Éy±â¬DÉïéì¼È>;uPTö@]›„ ýú˜€wR’XÇ(`¢p¾b,õÇk~uR/Ó’=<í„pŒ ìD¡^îxyÿJe•gí™,ÉüKå_Š{ õ¶½¾jaåè\ô±Ý¥ z5í¿îg8ØŒ¢Ç c( oŒLî’.9.Îé˜á† MLæ[óÕ¦¹´1YÛŸ ,›»ÔwÑÐìzÈ,×l ½â,uOU«Z~'ÅØGòÀÁKëÅÚ|lpÉËûÙû 3¾U‡ÒÔ|Ò³~®ãô÷B[Tñ.Üó0—Š[2ðBCŠïÀZPúGDFo†ê‰¦RuqzÙf„–Ùa ýüÓH|ëü =FHšÛI‘}”jù›°šŸÑn4h¼Ç;CE‹î••7©ä_ß}?«:xá.‡l!µ·ÁJê:†Ü^‘^-%¿¶—ЗñÎG:v‚i£%1R½àþ‹‰u¥…Mð¾Úýðo¸ò¨w>"àªGÞ‹á{56GOùUoñòGÓ«X+ßîíGÈØ8ê³Ô±4d•: -O/•A–7+À_;Èœ¹ù•ÅV?4‰Hë¼dÛí÷iï·H£ >xit¯ÿ¢y[ûöønØR¶ÞÞ›„êöªh¹t¾Ò+fæ* üµ š€ëNb4•.ê\KrEøB/°ÎK´Þ®ºŒ`%\ACŸª'%£x{ÿÜ¿à£>â‰}EëßM¥Ù¨M"äEšê#N>¹U¥é…‡õ“’„äÆì.s[„žrq\R§M]¾½4ŸnÉY_ÃÌa¸öq›F»”Ó²ö´{n›™õyj3|{íò=)½ÈK6b\Šî81åž,ÒÇ8ZVñ¨8 »ŠobdöKóÅiÞ¿}< -À0 P¿6mçpmZí¦]Â1À~ÄŠzúœ_z šfM•þUÝrŒÉ9LÅ…1>Ð÷¢GŠº­ï=ÀÛò-ã{ºÌÞ;WbEþ-5†ôµjW Ë»©T±‘z$’ͪ§Öxçg²1ðD'̶÷Œ—F9³Ñ’»)a}u£g-c$HÀÁd›ÝªÐVÔ°îâÌ`y7e-On{™ éætRðþH߬ÖE˜Ïïqem¾ZÔ¶{™ MÏ*Ézô‚°glú¸$kkv©n&w$ƒGUzùœÚ z- Áä[Ô¦²¦³ððÒ5Ý÷—’(Ù_3ïžÖž u«é ™X]pämË“Ô*o'o$Kï—³«13†‘3NÙemÁxc>à¸ֲةVÆ܉4IJõš’ãšæÜÀÛ W¼ó­xוY_Ëm©ÚŠKž`~tYl9½00/ïbâaõÇ~q-kùHuz_g‰â¾àó<ÑQ€Œ› zÒÂE×Ónó~õàý+žQÝ°ÜÆT¹1¼q&wf|vbMúu3ÂBУë|7и2B¦t¾&ÒóYc(@~òÈÞõ+Ýßk>,þÒ Mš`7{L)GCp§²îÑ \Oj ³i®¼ŸC´Ùuº“CÚû9w,ß³ík•"+Q÷…Öq¬ P¶á@4õ)CÝge ʼ6wö1Éc…îÚ†fN~ŠÄÂ)ú•*t&qüor- ÈÍ,ô.-XõÖL¶/‹äÙñ?‘®¾ë”l˜qÛü¾Š+¯é¿€e'¡±GóŸ´}ƒôdŒÏYüªåÛ*!‚jh” -DÊ%%¸¹µ˜zËŒáq[CáÛ±ÑPHUrvŸ×)¿UqÎj{Gô8ÎÉ?èз•<â‘^_°H¡¡ÖÇ“<Ûæ*å9n;e/¯´t‚.MSͺié~[¨Î6ÅŠ’§©ms¢hh½©|,AÓÌU¦rñ>ëÕ‡¯;Ö+°Ul|Ðàé)Ú0ѧŸãeëv~šªÛÌ' »p Túk]–̇L‰Taÿm&Íz1‚$ne>ß‘šV‘¨5ìZjrubÿvµ.ýü2¬ 8½ Mh^–ÐK°<¦â`=uÈ) -Ÿ6J³?Ûxbù)Nq$9¬±Ø.ãÊ°÷íRêjÅ}X¹LäÔ9¿€MÿZŽ9·,=”`˜šVÄ–¤[Xs=ÀÝ>dÕäÆm!þa¥åXŠùd!§ÜþÊ ç§69÷.ÈÀá©„SÐL%ŠýH¸Ìx”Ö³6F#ÇàðÞ<+L8‡¸Ÿ.K7V`oë˜øA -Y°¥å*˜æ•Î/Ë\‚M1¡e›Gê!z{ýý -1öìxuŸ=¦æwÇzÙ}j^ e´¼äõhfq:~õ©K)³÷Ð1˜r3…ä¥d}µöK Û›à9Ò¸ª‘ çYY¼´O·u“ì)„—ÕRhã(N¬Æ›nÏÝæ»Þ(¾K¦°Ðÿ,øšx+-AMoq¼‰$ºi,¬N ãlêÄКbP4ܼä¹0ãÄNfJu5sâg‡`¦t$Å ™x#"ÓCgP[±_Ÿž_íðj ªd¤3Ô¿¸Ó!»;d¯ë{b‘*)‡¶î0å€#Pît š˜0'iå¢*9´ipØŠPÓ‡ÕÐäÙ¾¦§Ã¨«¥ÙlõFQÌÌE³ØK@ñﺵâ'¯NYÓÕNƒd]buÜ „_:ô—¾\,† -eá¹;¿# Ù?θô5Y»hW›F"nŒ¼U˜|ãºÔ2C¿D‚‘Ž¬R¸Õ”öƒÕB3ÚòàsÕ½„¦÷Œ®¢áF…ͺ˹Z}°´ä“Sî«kõŸýÏ"ÔT¡O¾(]Z0C!=öÀÆKÎNx½)S$,óBóâ —Uë·ŸC³½jÊë´'1䚈e ×XUÃRse)Í^\͹"ä\Ek8“¿âµujZœ°;yvN«t*âˆÖÛžL’#öÌéC™»ñHq×Ò*õ‚w,üUº -ý¿¢–ÅŸ.,Ǒ°y‹\BT@MtR@¹ ¥6¾µ‹‘` ¢´”Ú¤ä–×ÏÔÙèkû^…ízÂMµ¸úV.ïF”|I}àÊül®Ô ·<ž3ñ´ôjלśô@%éÒªìRIد¿Ë³\ñ‘D…T%„Þ_6Úèñ†…ã,gqÐÓ[¥äŽNÏ‘é0Ù)?Úæ{Šf–záË•+V)Ùqç.¿geøÌ#¬(B<šoIu¥íHqSVp¦}Â5ËG2Ý ÀO8ÂÊ·ôŒ©¹ãgþýÐ÷¦ Ç8‡Jœ“<Çz[Æ!¡¥¡èÄÙ)z‡~†ôóZ¬MP¢ОJÃ¥5nL胘Ç{Ï׉ø »Ùº¦Ctb—ëÛ$)èܤçTŽS¯†àlVG* ³Cn>}áhÙ«^‘èΧlÐ|O5(\àl“¯Š’7}r ¿T÷+?ïþh›Sƒ¥mBç¥^葳é#§ûC m 6ÞË»ØùÏSSj -/G0õ -Þ†8M,*û¾l -›kk«˜^\ÆŒúœÿ 'G˜3zh8’õ¸k·9A3\3awz» mc4P‡8–˜°ciÏò¥áè^Öwv¢÷"*Ë"ƒ~Ýì¼TŸˆ–ô!1â?µòüœjr¾ TEǧ'+PÞÚ\*—æ«Ë´ç“õ}x&ý¶–XäA$*Je[¶‚åÐR#¶¼úpO_xÄwl±í?ÙJxíG¸áâUÿ@¶Û=‘í[½K>x霜ZŒ:\kôý³×À“†—ï P‰Píë¢ÌW¨®o\Týé+²h9ÛÚv…ø¥?f°9êi¾‚70u‹tÆ#t¹øû«êò‡ÉP—Ï·]Ÿ½ùŒ’ñá­Ïxöd ÷µEã[6TöÜscT‰'Î=îåáÅ„K\üÕ»^í\üÂvØIW›¨U‚Ñ7Ü|,~ 9ÞWÑ„×/ö#Þ::a¼ìbâ–K¬RåQâ‘HÎØbów«ibzŽÆ»¤Š…áùØÇËOa­GŸN—y®=àg5„X3)â4;ߘ·ò×£Rm…²ªžÌBM×2O+ȹ“GDZ‰N\­ÂN)Ý*²þŠúù+Tý‰{Û9é‚€†É®l♬)üyç ¼WĉéÐ ‚=‘Ö®çÊnJ Ú&AeÊfðȧ3¨‘I~&Í‹—Ưuo‡Cq>œS|1wÓðþz!N^ŒL/>û”‘$ƒlIà@ÆÔFcW±¸x‰ „0ëhÆTº úx³¤ך=Î1G‚R&]ƒM‹‹¿óþ/?8ÿŸàÿ ;Wæ qÂ\pþQH¦ñendstream +xÚíwePœÝ².î^q€6ØÍÖ¦åá®É­rôÖ±u!ff(èöpWzÄÆ {€"ÈÀÏàÃa(x@ü `G'/›‘¾1;''׿,¿]¶~ÿ@"a`GwËÃÈÕâr÷z ø€@/'Àì +(è蚪i«ØT´* wè +Ðõ~hÅ  ¶¹Ã@ì(Àõ¯ÀÎÃÝü»5Ï— À ;ðCÈ×ù q ¨{x€aG(ÐÝëa¼<`w;Woûß<Ø<þzþ‡œv^¹Áî8O‹š»ƒ€÷/»½7ä˜úgƒØ~Ï ûC@{wW?€=È究‡×CJÛÿLežÿœÈÿ‰ÿ#ÿGäý߉ûwþÛ!þßžç¿S+{»ºjÝà¯KðpËx4¿ïW ðû®ñôý_a@7°«ß¿ ü»£1è¯bÿ‹ïï°šðaSäÜ„áæãçáýË †)ƒ}Aöº`/;'€ÐõaÏþØÜíAPW°;èAÛ?ÛúÄËû7ÌÐ lçâþ[¡¿ »ýßËëOñOµ Õuôå9ÿÝ ûÇS÷a¼ ý À¥1Öò°ÿçâ7¼¼‡/ÀŸ[˜ÀÍ/ ˆòñþ›ŒhøþµÖzAÁ¾s^^^>ÀÃï?¾ÿZYþFÉÝÎÃþ÷äxÝí†íŸ†ß°7ú ñŸóÿÐô?ÖÆòÙáÌM{ØID8gåd{ÕQä÷+š÷tñ¡öGBÊ ‹ß„ÔxtgE¯ˆUÚÜÔFò¼¿ûè7µ¹ÝPçØì"weíÌíÒ2²w¿!úÆÒ*¹öÔª ?û§qœÿÁ¤æ2š™0ï³ÍÕa=}«Ò ÚÑV(ÖÁ9{£Ï›R¦3A]fC"YÛ£wHÄuE;?YRœŸ±~B ô÷u¡woPsæ%b3Kø á³Ä†xæQ˘Uú¿â\G©ß¤KèNÉ;ì+_¦G„fMVè¹ µå¼ÖA-Mo×ßÂ*µú•ëLÖšóXî$¦öŧ5ægÒÃfW‘œ²›£åZJå·X2B¨™÷:kó¿r›P~ÝæÜ:Vxõµ®ÇZ&?^W,O ¹¦ ÖÐóÙ]‘|ɱ;8«Ñ˜þŒ}á;©å§Û`"Ñ­¼š–ÛŽ¿ÜÉ<ö4 —,\!ëëù÷í #äŸ\E_¤kY£’ë»ý¶>á‚'1ÖOÞ¼3>œùŠ~Ò‹M2&¼‡ÏJw¶psa¡Î÷ócîùÈý{gi[+‘ͳÖLèØ×Ix|žÑºM+ªV S¶‡s?,‚ öŽ£1z<Ó¯³ØŠ +6¹ëíÔ†ÈÚÞÙ²AêðÃ9Ýù¯'{Ozö €.%}¯8´çžð“÷'Éë„ù|3Ié ˆÐõ†.`Üùi¡UK»±g`ÍI–›Š@ Îw™ÛuÝ’RGm™IÕë[QøÕæÊe0¢)ÖÙÆ€ô°й™öíWŸ7^ëÙøÇ–Ñ£c wÞ¿¸üõ&æÅÞ³šln‘Í#‡'ªå‘2¸ë­ÁÒÍN\_N’¶{ù°VC¤Š0täòwºÝB¥–ï…*çxHª/¬Ëš9ntˆ炧ÖÊ3l—vÜ/Y×èÑ E´ãÅbÚ€I,XÀÜÜí›Þæ]hd^ªSýR˜šžÏ:ì )â?/§È»²ÃD¥Õµ/4ýªV®sý ŸÇu@»Â™îÜ®ßdj. Ž1¸«.ß?’UHsÊ 3?êËôhà8—˜$36¯½3ÛÔF‹rò’Ñ¥~‡³¿‹9•in†¶ì¸Ô6i’„]†xOgñƒJJJ.‰R0©T¿mÎѪ<í ò4)¾®ÂRÁ*j™àØ¢ˆƒ»í€Ò4ò²];MýoÒ«‘!¤-åâ,kɸ!gë~çÕîN¬É¬Ô—©íâÞoÎ ÄTÏ‘úćŅl8µƒçK…§ÕTÕ9¿cê«!rß•Ü\žvñµ M^SÕÉõ/ß6f¥ +÷ßP´žÈ²i®%ËËc"ÀY_Î+£›0nqI“ËçPï_Åâë[Eä™n½·ÕéÞ ôm¢³Ç«bƒ +FÜÃÉÜ»÷¯©i¶…™Þ^Íyu^µ'0,]4­¿I ?TAàX™­|—_*ÐRÅ|4.‚7*’ÆÓ(¾Ë‘¶ËZE§¥‹&ôí{$l²)6 ÕªUgœòÙ© êµF4ñFbÐ×ÍŘÔ…$æN:ÒÆ©¸žHÙ«Ž +>ÃíDþ\+þñÚóáÅs¤ÑôcMš×ü@¨°:Ö + ¼‰>ð:—±œ°>ø¡â&$+¨z]˜ÿ|ì oY÷ã¹5Žh ½ê{÷Šoœ"É«ÔÑWqΰt±Ïw÷¸ 8zÉü»O°ág "²NjrÉœFh-í6ÿ¨„î!E2Ÿn»1*@¹BQ‹ß‡¹)EDzÝ-ƒãM‡ Ò9;*‡n¾8m}ÙÈ;¾;y ®dsjLž0 °¡^¼P²=÷4éì¨oÎxõ fSÞóI¬aÄ~¤á`3àóÛ>Ù†=GWK1y_…”ÚnÅÞÉX"Ü%¼ý:Æ|òyªÕ¹(Ñ›ž[s´µ³na_²Rû*¼Žç,âÍ °.ÁXŽŽª84Bin’~õ·©GDÇ/›“\UË’{geö åˆ<&Š’•¼x³¬݈Ŋ—SάˆdÝ/4t-Zer€ÿ¨öÌ&d<Ȅϵ\,:7¬j:1Îr +!‹^Câ©å’-²‹ÈáÒHR×P«~•Þö «)EJ§œL³Ú¥ö2šûC˜cŠžÊiÂMì×F¤,›6CÖ;ŸÇ¿–ñøn£÷[#ðLW†×V뿺lúnú#ñ*“ú¨fB +Šr4ûNt©e¢gÒ@®ÍàÙݵ½µKÐÛˆîBÏ26‚ÄÓ*|Íúì¢ÀL¼L&d}Éjy•³‘m;ªÜ¸V¦ÿb[-Þ˜%Ã÷ç÷Ójè2_S£r‰õu{— ‚áh£Üjâ?ê†`cwÖþ;±™° Ì)“/²AnãkÌ<Œù††ý•ýV‡B·qÝuŠFL¾éŒ­ÔÕ‡°µSVÄ…òÏhI¡™P4ɽXÜôMž£„o|ʇ`,=çh³¾¼ÃD\iÚžQn¶Škˆ¿£éTîL?È{,·Ò;áZ4eʱ2ÂÀïýj m¥XÎ×¥ãÕ¢€¬AóxþXŸÙ­,çøØçêv™¿Ìè£N +  j$«l?žÙ|Mú6E9‹m೯n6%œëcy÷®=ÕQÔçNÇºÏ Ë‡Ïòßµ>½ø)ñ©ëmÜMOœIÛMDñ¹|Ùîó=²wsgdŒ£ív “Ù£S k®Ôõ%-zjßEU9¶ÞAQ§@„zÌM6ÅSÏ®,I4|oJ&ï^:NòaeÜoB“M_Ž„žOpb0ô@£¡:½?pngö÷ИÁM›ìÃ|½M}ظyÚ²#J°\àœ€ë­{Ã/¾êM¤/¸™§tã»?¦O\'o-À«¿Ñ? üU« +åB·W•2K)³~£>iÒ²•Ž'ë PSêT­0)Ð3²A´ŠóX¹Ê~¡9/³Mòl1:ÆSX&ª j¶£(q:)ZóÄ™|‰›DšÑIÌ· QbTBoÑn_ÚýHë"ÂJå‹mæ š£ é*XàŠÌãµ€`AN"›+Þ|W8´¶‰ÉÁEÎ 6õ\[9 + â%yQ`ãŒrÇ ºÉ!\1 `ðC›]4 ýÄrv¡õAÝ0…¨ÛïÛÁ +Jä‘fýVTD”ëãÍEÚþ.yˆ±#Úãñ_­<šOövó”íXFc|œÉÕÇåáùäÑY»²`‚â }OˆôV‡g¢1a⤇59/Vœ•(ù½œÙg§ª€Êžè¯ká©ÁÒ¯Ù x'%‰ÕipŒ' +ç+ÆÒ~¼æWg!õ6-ÙÃcÐÑNŒÀ†' õr'pÈìP*«’w^ZoÖæcƒK^ÞÏ&ØY ­:”¦æë”^õs§¿¸Ú¢‹wa^‡¹„TÜ’AR|Ö‚Ò?"3{3ÒNä0•ª‹3Ê6#¶Ì¡èçŸFZÇ`Oè1zDÒÝ6HŠì£}UËß „×üŒq» Aã=Þ*Zt¯¬¼I#ÿú†ìûYÕÁ w9d‹H©½ þ0R×1äöŠŒj)ùµ½Ä¾Ìw¾Ò‰ôЛPü(Íh‰‘ê÷_L¬+-l‚Ç°Õ¾˜‡ÕGý»ó‘=ò^ ¿Ãè±9zʯz³ˆ—?š^ÅYùuo?BÆÆQœ¥Ž£!«ÔQÈ|zi¬ ²¼YþÚAæÌͯœ(æ°ú¡IDZ§à-Ûn¿O{¿ESðÁ[£ë€xý}ìÛÚ/ÐÇwÖ²…ôöØ$TÇÐWEË¥ó•Þ±3Wå¯]Ð\Çp’b¨tQçZ‘+"zu¶X¢õvåQ{Ôجº¶gB$\’néË~ÛÀ|}ù&̹‚­R.e£+ë#k°^<üè2’•p }ªž”ŒâíýWpÿ‚¯úˆöm@7•f£6Q¨7uZš¯8ùäV•¦7ÖOJ’³»¬mzÊÅq :mêòí¥ù KÎúfÃ5°¯Û4ÒØ¥œ–µ_”Ý;pÛ̬ïS›áÛH—ßìIé,ÙˆqA*ºãÄ”{f°HëhYÅ£â€î*¾‰‘Õ/Í;¯Ixÿ>îñ<*Ã,PýڴõiµO˜"l Çû+êés~|éš]4ýTúWuȱ&çžLPÆ„ _hlü‹)궾÷Ë·Œïé²zï\‰ù·Ô2Öª]5,ï>¦QÅEM<ê‘H1«žvX㟠„cà‰N˜mïÿ/7rf£%wS +ÆúþêFÏZ*ÖH€ƒÉÞªÐVÔ°îâÌ`y7e-On{™¨éætRðþH߬ÖE˜Ïžàyem±ZÔ¶{ ‡dd—d?K8zAØ36}\’†µ5»T7“;’É£Š*½|Ní ¹–öÀä[Ô¦²¦³ðôÖ5Ý’(Ù_3ïžÖž s«é ™X]pämË“Õ*o'o$Kï—áÕ˜Y ÃÈÀ'xY[Þ˜/8~€µ,nª•1·F"ݱl½¦ä¸&†97ð6øïRÞ×Y¢¸/ø&yÌ Ð][ÀÐìÉÉO‘T8E¿R%Á$€ÿM®¥¹™…Þ¥«ÞšÉöe‘<;Þá'ÒÕw’ 3n›ßWqå5ð!ì$4Öãh“¶ožŒñ9‹_µÜb[%FR RC€H¹¤×#·So™1Òë )4ÔÚâxò‚gÛ\¥<Çm§ìå•6ƒNð¥išYW#-=BÀ ÕÙ¦XQò4­bN ­×3%xšy¢ÊT.Áw½úðuÇz¶Š/Ú,#Uª3úôs‚lÝÎO³Cu›ùnJÿq­Ë’™âÐé1‘*ì²í¤Ù/AI[YÏ·Ce„¦U$jÍ»–…\Ø¿]­KA>¿Ì…(N/H›—%ô’1l©8XOrŠ"æ„ÒíÏß6žX~ŠWI o,¶Ë¼2ì}»D‡ºZq^.5uŽÁ/àFlÆ¿–cÎ-‹A!Ø&„¤±%ëÖ\p·Y5„†s[ˆ?EXi9–b>YÈ)·¿2Èù©Mν‹€D1px©a4SIb?/3¥÷¬ÑßÈ18¼7ÏÎ!î§ËÖØÛ:æ}ПBli¹ +¡y¥óË2— USLhÙæ‘z¨Þ^¿B¬=;GÝgÏ©ùݱ^vßšWB™-/y=›YœŽ_GêRÊjÁ=t ¡ÜL%y)Y_­ýƒÄö&d†DŽô#®jTâyvv#/íÓ-BÝd{ÊáeµTÀ8Š«ñ¦Ûs·ù®7ŠïR(,ô? þ„$ÝJKPÓ[ïE!‰n «ÓB9›:1´¦ 7/y.Ìø0!“YR]Íœ¸ÆðPÌÔŽä¸Ã@4“@DTF˜à j+ökâÓó«^­A•Ì †úw:äñw‡ìu}O,Ò$åÐÖ¦pÊÎ"qAæ$­\T%‡6 [‘júК|"Û×ôtuµô±›­>(ªâ‚pÁ\4‹½Dÿ®›áP+~Êê”5]ít1HÖ%vPÇÝ™@ø¥CéËÅbˆP6ž»ó;²ÐýãÌK?“Õ±‹vu±i$âVÁ¨[…É7®K¡3ôK$ÈÚ(…[Mé?X-ô1c,>WÑKhú̸á*nTÔ¬»œ«Õ‡HK>9åNµºVÿÙÿ,R}Aòä‹Ò¥õ3ÒcOl¼xâëM™"a™š¿ßH¸Œ¨Z¿ýšýè]S^§=‰y$×D,¹Æª–š+HmöæjÎ!ç*ZÙü• ­S;Ðâ„ÝɳsZ ëèTG´Þöd‘ɨ°gMÊ܇~DŠ¿–V©¼cá¯ÚÐUèÿ½,þté`9ŽŽÍ[äêªj¢ó ” Rjóá[» !JK©MJnyýMí¾¶ïUØŽ 'NPÑT‹«oåònDË—Ñ­ÌÏæJÝpËã9OK¯vÍY¼ÉR’.­‚—J²@ü\žåzŽ$)¤¡(é ô6øàh£ÇŽ³œ¡ÄÁO l•R::½F¦Ãe§xHüi›ï)˜Yê…,W®X¥dÇ»üŸ–á3°¢ñh¾% JÒ•¶#ÅñL”ZŠË{®õÚáÎ$ù]ħ“Ýј¸eŒÔ—÷ +HzºùNz°²€RvâxÕ-.²U’0Ýš±üÏ[FlZy½·ãB©š†¡›æO•Ö^1/RêßÈmÄ"l7ø’ÒQîxO*J&ÛÔڅǽʣ"0vò¹tñçÀѪvŸÃ0({ ê¨(¦QðYyç½¼.áŒêÚûý醘höÚ%Y…¹Sš@Õ:ÍC³çñãدKª?î':¯ÅnAc¦ÎÑ\ËÜöÞ©I¼ˆãùxKïÒÓþ6@!QbE‰C#ÝuÂCÚõx4µXxºå9Ým€ŒÐ!pué˜ýYÎESp³øWŸÃg”‰hIÞâULl]õ¢Ð&´'s3ÑíÌæ 79BÄ%Ùsƒo…Î/†vÕƺJõS¤¡“ý²ÜšÔVá²ìlSÑ8ô¥ë*kþ"\Pv›÷±ÿä/¸ÅÀL,Ø5dN’òƒøÙ¶±P¬kÈS%…9Å ÒÌgI«g?Ê0˜nHñ‰¹¼Ù*Ù¦ñ“Â(µF_Ì ³Égš›= ,ï‘1\öÂ'Û¾Œ¿Œ8B.4¼ûA- ¼>Ž›t)l…óí ”t#·òzšbð[­¦Ùi©S’ÞÕ1žH·¬÷3c,wZIPc©þ PKÆûĉ@ÈLÈy'¡ Á5!#mÝêú×ÿJþŽ(0^ÁP ¹…Ö¬_¦ö‘O l={uCu×-Ñä) +êPü® +»ëdó[艡¯d³²Qlol^ùU°v¤ShÝØ1røü½çDc;›QS ’HŽæ8.H1¶Ç`ŸÉøû8®ü +Tm&E×ÔÄê'Ö(DáZäðá[ö/áxH +8¿$ìð\hm*tà-Ü,wè°/Toá^“¶M5Ëj™~_Ék§U-Í°ß²ìthßl_Ã(¿ï覈† ¾3õð3ñ¶oP]}ÌyJMÑÁâI”Yé槱d~…Yï3¶’¡Zý⛃b: Ïô‡4þw=SÛÅ’ÓoLbò(¤‰·»ªâh(dOösGzžrëÙßXUð¼6 Ñ¢6ì!´‚46µŠ’Ó}ÙYÉìž™‹¿Wûô‰ÓwuÔ³õ€Ð×ê ¬µ1"íƒÀðÈl•Yg@Íú!ÊáIŠÁÀ¨'µvoºó“¡ðf‡´…ÜU}¼öe¡ÈãAé96Cø‰ãkéÖ;‘gÐ2ýçFpuB†M/xL6B1ÆàÞßôEʉ8ìWÈ-GÌ,µDʳ±fh2ÌcW_SS†y×leðú®gÕøL`¾ÒípŸ%+8Ó>áší+™aà'aå[zÆÔ\€ñ3ÿ~è{Ó…c¼C%ÎIžc½-ãÐÒPLÒ샽C?CÆy-Ö&(IhO¥áÒ?&tŽA +Ìã½çëD|†ÞÆn]HÓ!:±Ëõm’tn2rªFÇÆ©WCq6«£”…Ù=n>}álÙ«^‘èΧlÐ|–@5(\àl“¯Š’ +7}r ¿T÷/?ïþh›Sƒ¥mBç¥^Ø‘³é#§ûC m 6ÞË»¸ùÏSSj +/’F0õ +Þ†:M,*û½l +Ÿkk«˜^\ÆŒþœÿ 'G˜3fh8Šõ¸k·9Q3B3qwz» mc4H‡8Ž˜°ciÏò¥áè^öwv¢÷"*Ë"ƒþÝì¼TŸˆ–ô=bÅjåù;Õä|¨ŠIH%NV ¤¼µ¹T.ÍW—iÏ'ëûðLúm-±1È“H$L”ʶl#Ê¡¥Fly÷áž¾ðLèØbÚ5~² ’ðùÚpÃÅ«þl3¿{"Û·z—rð2<Ê9%­)l¹Öèûgï' /ß ¢ÚÕE 0˜¯P]߸8¨ÐWdÓr¶µí +ñK$ÌdsÔÓ|k`êéL@èrñ÷WÕå96“¡.9žo»>{ó%ó;ÂGŸñìÉî)j‹Æ78DöÜs_cT‰'Î=îåÅ„K\žüÕ»Þí\üÃwØIW›¨U‚Ñ7Ü|,~ =ÞWÑ„Õ/ö#Þ::a¼ìbâ–OªRåQâ‘HÉÜb p«ibzŽÆ»¤Š…áõØ×Û_a­GŸN—y®=ðgµ±f*Rä)<ߘ·ò×£Rm…²Ðªž¬BM×2/+s'Žã’œ:¸Z…RyäˆÞ©X圳‘}=S¡Î(6²%1nü‘Ýv»©Ó¯á²Ÿ»ý*¬Ê)¤‡m0h˜yÕÇø–4gç×r̲ð—È<éѧÏØëyÏÓ;«KÞ+ÍmgToè‡ÊVË¥Çì4™“ÄÕ;$ÈZ‰Ì^‰ìÅ^–+’ †‹9g4²ëÉü˜k +ZܼÐÉ*ŒÌ_×úøºd_Ñsl[°`ºÝW$ô®Æj4@²QÒ:fX.†óé\+»Ø/„pãÎßžO÷Ò¤ö'ÛÏG˧OWP$ñ~j·¸L"CúržÆñç¨Ê’˜¼©p«:gó.\}*ñ”‰`þÚ%ÓÙH›L-q»Fµ4„Î¥gÓ9Síð†oÙ3Ë„0!ù°ä ðÇå”|õò +²Ÿô<`HÂ^ê+Dy‰ñ‚Ã*ªþŠúù+Tý‰{Û9é‚À†É.8ñ‡,ÖTþ¼ó†Þ+b‰¤ H¨ÁžHk×senJ Ú&ÁeÊf°¨§3¨QÉþ&Í‹—Ưuo‡Cq>œS|1wÓðùz!N^ŒL/>û”™,ƒlIà@ÆÔNcW¹¸x‰ ô`ÖÑŒ­ uôõa L3®5{ 1GR']CL‹‹¿óþ/?8ÿŸàÿ ;Wêåᄺàü$¥¦èendstream endobj 714 0 obj << /Type /Font @@ -5445,14 +5439,14 @@ endobj /FirstChar 45 /LastChar 122 /Widths 1327 0 R -/BaseFont /YVILGM+NimbusMonL-ReguObli +/BaseFont /NTJORB+NimbusMonL-ReguObli /FontDescriptor 712 0 R >> endobj 712 0 obj << /Ascent 625 /CapHeight 557 /Descent -147 -/FontName /YVILGM+NimbusMonL-ReguObli +/FontName /NTJORB+NimbusMonL-ReguObli /ItalicAngle -12 /StemV 43 /XHeight 426 @@ -5474,7 +5468,7 @@ endobj stream xÚí¹UT¤]“%Œ»kቻ;îîîNâZ¸»»;…»»»;…»Z¸ÃÔûõt÷¬ž¹šé«ýy“ω±#Nì8çY¹’œXQ…^ÈÔÞØLÜÞÎ…ž™‰ ¦¬¡hdccd ´—¥W¶·5ü5³Ã‘“‹8™¹ííD\Ìxf¦Q3 €™››Ž bïàá´°tPýå ¦¥¥ûOË?.cGþF:-ì~˜ÙØ;ØšÙ¹ü¥ø¿T13¸XšÌ6fE-)y •„¼@ÂÌÎÌÉÈ èjl4ÈMÌìœÍ¨æöN›[LìíLÿlÍ™á/—3Ààì`füfænbæðDp0s²:;ÿ}NFv.{àbڙظšþSÀ_»¹ý¿ -rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ3w—r›LÎ6Fsÿ%spþ« Wg ÅV@p2³0r2µ1svþKó—ûŸîüç>ÿËîl<þmÿ/¯ÿ¨èâlfcÎÇÌò7§‰ËßÜ@;8ÆFEÊÎÜÀÌôovSW‡Ç~˜9ý«ATÿÌ õß"ŒLííl<¦fæpŒòö.S¨þïTføïù¿Aâÿÿ[äý÷¿jô¿âÿ×óü_©Å]mlälÍþø÷; øç’±ûß¼l6ÿ'ÿÿê©aöoEþi¤\Œþ¶BÈÎâ¯ôÜ l\LÜÿÅîf¦Š@K€¹‘Íß^ýË®fgjæd´3û«é¿Ú  gfbú/˜ª%ÐÄÚîŸæ³ÿdfgú_ëÿ+Ó¿ªgT•W•¡ýßîUz›¿óeÀÌÁùoŠ'ÁEÕÃÁ ð?ÓiÈÙ›þÇâ>aa{w€=3€ž…‹õïdap³±úürÿ‹ˆù?×rF.N@w€ó_Ò¾™þÉý€Þ¡³3±7ýgvT\ŒìLÿŽÛþM\œþªü¯àïöÿ}ý¯Á73s73[ûeoÂl•ž•áR‡72%ª3ÐÇ >âPÚ¨ZTè_cßë—¾Ë]iø^ÂÐ4ÃóÙî±|æðq(Ms4Ö‡eCÙ›jvU€ïCJÝ_ˆºEÑÉI{Ȩ_Š˜q®íu½$»¡ÍÁ¤~´7¥¤¬_òE0ÓÉêsýDíOú£ÐƒìÑÉ×$­!³ ¥ ­îçÙ9EÒéÓ#åÐøèÈpï dÿ!mn,9ïDŠ(Ç\<mµ +rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ3w—r›LÎ6Fsÿ%spþ« Wg ÅV@p2³0r2µ1svþKó—ûŸîüç>ÿËîl<þmÿ/¯ÿ¨èâlfcÎÇÌò7§‰ËßÜ@;8ÆFEÊÎÜÀÌôovSW‡Ç~˜9ý«ATÿÌ õß"ŒLííl<¦fæpŒòö.S¨þïTføïù¿Aâÿÿ[äý÷¿jô¿âÿ×óü_©Å]mlälÍþø÷; øç’±ûß¼l6ÿ'ÿÿê©aöoEþi¤\Œþ¶BÈÎâ¯ôÜ l\LÜÿÅîf¦Š@K€¹‘Íß^ýË®fgjæd´3û«é¿Ú  gfbú/˜ª%ÐÄÚîŸæ³ÿdfgú_ëÿ+Ó¿ªgÔPÑT’¤ýßîUz›¿óeÀÌÁùoŠ'ÁEÕÃÁ ð?ÓiÈÙ›þÇâ>aa{w€=3€ž…‹õïdap³±úürÿ‹ˆù?×rF.N@w€ó_Ò¾™þÉý€Þ¡³3±7ýgvT\ŒìLÿŽÛþM\œþªü¯àïöÿ}ý¯Á73s73[ûeoÂl•ž•áR‡72%ª3ÐÇ >âPÚ¨ZTè_cßë—¾Ë]iø^ÂÐ4ÃóÙî±|æðq(Ms4Ö‡eCÙ›jvU€ïCJÝ_ˆºEÑÉI{Ȩ_Š˜q®íu½$»¡ÍÁ¤~´7¥¤¬_òE0ÓÉêsýDíOú£ÐƒìÑÉ×$­!³ ¥ ­îçÙ9EÒéÓ#åÐøèÈpï dÿ!mn,9ïDŠ(Ç\<mµ ±ªVõ¶ý^Nc_ñõiܬ槕Q¿ÑŠÔ+«ñïPYŸÌôZ#Ûõ½¼6SºßS7Cç0ÂþD¶X>ªO¯Æ¶aÕl¾JüÁøÒŠuwßùöüh¨ÁŽ7n- ª}»›ËÏì¯ò[ùwµ gïèÕËä‡× †¸ºŽïÛ­IZR » ˜Yâu#1¯› t,’‹¤×CMMW•M¬îÓ–$IÁ]•Ð}}™ß×(+X{—üÓHï=s]Ô½í<›Øáb57U‘Ct¸¹# ¹@ ²KCúFúØì¸5Ö0ë#‚OXíg½FC'ØÐÀ"¤¹ú,ï6çš#±VEÿú4Í ÙTÙ ƒ˜êççX}×¹F; yh ȱ½ýx˜!:Á<œ?-p©yó>sd³aEG2 ‰iħØä¢_,Ì:ý¡ÒI“ È ú€èç“.ª¡Ü^ó!Ozü(~”@½ð¤Ê¨JïŽ ÷(ù)I¡É’!Ë[í¿7O’0 ™(Öê/Êó#?ŸòtssÕï“wÏgWWÂù;í @@ -5546,7 +5540,7 @@ PпÜ  ªjDÒG@œ=ù¢0Vþ23qð8@R‚¢Sx†€ÀˆQšk>Ö˜IÛ»åÆnÕ@ Šœ+7ƒ¥ #xA&¶#A×÷“š k‘ìÚIÍ!]i¿ƒ–A!’ª5•JN¾w¢O’ ˆvš·Ò‘*âô*,¥×¤Q*Þ=£•^¯ÄìP«Üé툘Ífó®U‰{™™®ºû¶®á·Rû™ÁØ aûp"ë¼[÷—– ®k=¡_„ ë¾´6÷g]Þs±ã¢V×/h_ëìË4J#gBó³Ä…¨Ýûí:½ôy­ã~ó•é«©W-ªuuàúàÒã£^N[pa*'õÖÀ+Z“XÁàæකÈ}†J~NZ_?ÿ}þiæxA‚ÂðòÎZÊ6š§Œ u£a£ÊýDAEËÿŒåkd'‡Œ®2Õ؇¯ V°î2»“u=œÕÏ"¨¡ ¥}ŨRpÔG0Ò|Ëÿ°Á÷v¯×ã#Ði¹j3ÍTâè(3Z÷†]ö‰6$áHý.ù2rä"Šñ.Q}Œ[ô(~áa¼ô|·g7LÜëèi GÕzBƒ¤ìò°ôÉy,£–¢€%ÝÞû.îcäG3*Ùºr¢ê.ûÝS²Z°¶¯Üi𥰛‰àò"ë8׊Ê[¬oœæiªÈtB!N²Ma3_#”Ö‘3?z25Q«û%Tb÷‹ºðƒS‰\ ”Ë`DðÌø¹Õ"†Ò»K$šù‘ W»P-$Ô"taâ5í.§œi"2a îÎEg|鞢³‹O-,Œ'²Æ¤ùp|’Ì”‹Ò7rž´­‘€µ‘‹Üä!ðvƒŸÖß0ÕBöy\åqýXkÊ€XƒÆ;my»”(~aŸ›{á|±ob’ØÏÖ­Ùxœ=†¤…` Ö罦(h ö˜85]‰„C¬…ù×UÎu×ÞÃ4]}+7ÄÝ Ú‰-¬ú‹O ›ë}KHE®r¹ çbÛŸÉwO0t©„oµÆuZ¶Rèt•qø’.ùã8M“ƽ7·ôº8m [lC)¤ŸÙ¾X<‡ø¢ø¨7¢rLÚIQº¹RоR>„OôºˆzMЃ·:¨ “Päkæ ŽwS´RnBßÆÆ<9Ų|<ø{_À+¾>¡zZL¼³S©6v˜I  ?0 -tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþ;·endstream +tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþEËendstream endobj 642 0 obj << /Type /Font @@ -5555,14 +5549,14 @@ endobj /FirstChar 40 /LastChar 90 /Widths 1328 0 R -/BaseFont /TNRDDK+URWPalladioL-Roma-Slant_167 +/BaseFont /WPCXQH+URWPalladioL-Roma-Slant_167 /FontDescriptor 640 0 R >> endobj 640 0 obj << /Ascent 715 /CapHeight 680 /Descent -282 -/FontName /TNRDDK+URWPalladioL-Roma-Slant_167 +/FontName /WPCXQH+URWPalladioL-Roma-Slant_167 /ItalicAngle -9 /StemV 84 /XHeight 469 @@ -5583,7 +5577,7 @@ endobj >> stream xÚí´cpæ_·-[;OlÛ¶mÛ¶mÛ¶m³cÛIÇf'é$·ÿï{öÙ§ö=ŸÎÙŸnݧê©úM¬1Çœc®EJ¨ L+hbod*foçBËHÇÀ³´5ru–µ·“¡²·1üu²Â’ -;™ºXÚÛ‰º˜rÔMM"¦Æ&&#''' )@ØÞÁÓÉÒÜÂ@¡ª¤NIMMóŸžRFžÿù{ÒÙÒÜ@ö÷ÃÍÔÆÞÁÖÔÎå/ÄÿñAeSS€‹…)ÀÌÒÆ ,¯ ))' —Sˆ›Ú™:Ú\l,2–ƦvΦ”3{'€Í¿ €±½‰å?­9ÓýÅtœL-ÿ3õ06uø'Dp0u²µtvþû °t˜;Ú¹ü‹=ÀÒÎØÆÕäýföÿ"äàdÿ7Ãöoì/˜‚½³‹³±“¥ƒ àoU±ót±0tù§¶³åß0ÀÞìo¦‰½±ë?-ý+öæoÔÅÐÒÎàbêáòO-#S€‰¥³ƒ¡çßÚÁœ,ÿEÃÕÙÒÎü?ÐœLÍ LlLÿÂüÅþg:ÿÙ'àéÞÐÁÁÆó_§íÿ•õ?9Xº8›Ú˜ÑÁ02ý­iìò·¶¹¥ ý?‹"igf`dø·ßÄÕá?bn¦NÿÅ?;Cù—„¡‰½'ÀÄÔ †^ÎÞåoIÅÿ™Êtÿ}"ÿ7Hüß"ð‹¼ÿwâþWþ—Kü{Ÿÿ+´˜«œ¡íßø÷øûÂØdÿ¼1ÿ¯\C[KÏÿMöMT7ý7Ãÿˆ¤‹áß1Ú™ÿ•‚ŽáßNKg1KSKc €™¡Íßý˯jgbêdcigúWË@ËÈÀð_b*–ÆÖvÿ õß!S;“ÿÊü¯<ÿâM¯¬¢(''Cý__Óe)üUÝEÅÓá/±ÿч¬½Éÿ4þÁ²÷xÓ²0h™Ø9lŒvFßÿMµÁ0þ§-kèâdéÐþÛ2ã¿ÿÿÿ´tÿ Œ¨±½É?[¢ìbhgòw±þ§ãŸ°±«“Ó_=ÿu×ÿ6üö¿VÜÔÔÃÔfcÕÞ˜;Ä*#;Ó¥#lZD{h€t,Ô¡¼Y¥¤( Î¾ß?#bŸ³ÚàO}(]Ë,×W§çÊ…Ãç±Õ¯‰tòþ4Ó›B\_bÊÁ¢;dÝìÔ¿‚èõÊá3/Õc¼o—eöÀ´ØÔ~L+*é•ýÀ›ífv‚º}¥ v+ +;™ºXÚÛ‰º˜rÔMM"¦Æ&&#''' )@ØÞÁÓÉÒÜÂ@¡ª¤NIMMóŸžRFžÿù{ÒÙÒÜ@ö÷ÃÍÔÆÞÁÖÔÎå/ÄÿñAeSS€‹…)ÀÌÒÆ ,¯ ))' —Sˆ›Ú™:Ú\l,2–ƦvΦ”3{'€Í¿ €±½‰å?­9ÓýÅtœL-ÿ3õ06uø'Dp0u²µtvþû °t˜;Ú¹ü‹=ÀÒÎØÆÕäýföÿ"äàdÿ7Ãöoì/˜‚½³‹³±“¥ƒ àoU±ót±0tù§¶³åß0ÀÞìo¦‰½±ë?-ý+öæoÔÅÐÒÎàbêáòO-#S€‰¥³ƒ¡çßÚÁœ,ÿEÃÕÙÒÎü?ÐœLÍ LlLÿÂüÅþg:ÿÙ'àéÞÐÁÁÆó_§íÿ•õ?9Xº8›Ú˜ÑÁ02ý­iìò·¶¹¥ ý?‹"igf`dø·ßÄÕá?bn¦NÿÅ?;Cù—„¡‰½'ÀÄÔ †^ÎÞåoIÅÿ™Êtÿ}"ÿ7Hüß"ð‹¼ÿwâþWþ—Kü{Ÿÿ+´˜«œ¡íßø÷øûÂØdÿ¼1ÿ¯\C[KÏÿMöMT7ý7Ãÿˆ¤‹áß1Ú™ÿ•‚ŽáßNKg1KSKc €™¡Íßý˯jgbêdcigúWË@ËÈÀð_b*–ÆÖvÿ õß!S;“ÿÊü¯<ÿâM/#!#¨¬Ný__Óe)üUÝEÅÓá/±ÿч¬½Éÿ4þÁ²÷xÓ²0h™Ø9lŒvFßÿMµÁ0þ§-kèâdéÐþÛ2ã¿ÿÿÿ´tÿ Œ¨±½É?[¢ìbhgòw±þ§ãŸ°±«“Ó_=ÿu×ÿ6üö¿VÜÔÔÃÔfcÕÞ˜;Ä*#;Ó¥#lZD{h€t,Ô¡¼Y¥¤( Î¾ß?#bŸ³ÚàO}(]Ë,×W§çÊ…Ãç±Õ¯‰tòþ4Ó›B\_bÊÁ¢;dÝìÔ¿‚èõÊá3/Õc¼o—eöÀ´ØÔ~L+*é•ýÀ›ífv‚º}¥ v+ @%yq@ð3NoŠGëAjBn(¾¸$K>{}!ù9>6Ú>xŒCMÊíOà˜‡Ã¯¥ZíIµr’59mƒ.pÉ`Þ?&Éñ„ζÁÁ½S=æî{ƒñp&§ ;n¯8Fèzeíä4˜¼0€=’Ô}ØbFÖKøPÛý‰*ž|ë*u¡»ÉŒtÆëQg¶Ú0+é›;X ì3|ú˳_~$$1ÆÔt)÷™“¢vî Jaƒ*Ë÷gÑHé¾Îɳo0“³&¶…5­ÁÇeå<,ŽÐüâGæ"nEÏÎ}_°:ÎçWY¸ªûèKH°hϯØga¥@uª“fne¿¾“ßFËãJuÇ<@3ý‹ãnÚ(º†¦7 rh»žÓd#åïú2°t¤ö šuùCq~ÖEn»¼`Õz6sž­ò廃à¯ÍF ÆÆæNu.:,Ãö±®¾Sȯ0Hü]uµxoî»"ž'¤ä³«éi¢'eIä©X¨“T—cðíâðò¨Ë˜ÙK_ï%…‡Œ±™‘¸¯";ÀFßQpÈ“•"¨ÕŒFGáÑu|°¤ξ,~å/_%Ûè I öUøÁ2!Äü$|Æ#ö½2Óë{ZöãC^|´l´YAßúëSE¿Xü䨺®B³jötâ*‰õdȇ÷ùÔc>,üæ)7º`Ì'Žª°sSíû.rœ.ßË»"9ÉÊ­ñòw̆d”%1w Ü-®D*’Ëo¦lS‡µ;|‹:û7ê3ýOE|m²UúU?¾ÒMÑr(!¥-€Ùü³´ü»åš„¸»ßò}"‘ŠL _‡°‘Fô¨—†…óOUØ?4o#›d(Ðù“ªdR'õÓåôëQjœtD5tS¿¡Ççà|¤v¾eW¥Ó-œž³ûKDñA ¾îúlÙ.ÎdÀ| ‰çZºøªRG¥8LÎj9eN»ÂðeðóÚ·¬ªçc“K<:…±-œâ&ÿ PÆC×™‰Ø 1±€ÈÔhC 'zšŸõR##¢á݃×nXxþ»\p„ ¢Y5¸g þ*iê¿HfròÿLìlÄDÁ}ë«°>î$âà5`瀙¨B:úü©Ï\d½GÓã•OVçy»žˆâŒq¿13’…‘ƒË+”/ÓUYÐ!©«Ù7G’J‰Š’µ/µ‹E[½u=èšãwlâ/ZDvØ×+‡¬Uõ8× ðòÊNx7RÕºÉ`¾µ™XÌT˹j#R“ÛGt/ eÊKÎõÊí.U;’ÊÌi½ÚT19òŸJ*|ÌŽ{ë @@ -5643,7 +5637,7 @@ wK é&È×EGÐ×¼ÌþáEÖöyä^ÜãY;.O4³BVÀ_â¤*ðú®-IP S¯Õï|œúš¢žÙ£D•IšTUÔ4ÐùŒ†âÅjá’g¼ŠPÓÎyÜ"ïš…(ð µx Fäüñ²fL6ë·:Ùºù$ ˆ©ŠIi´Nl@“'ÉYPÁìpW“Š)È%çäéÄX«w”£—û­¾[œlÌg.~ɰر;+»/yäáEèY7)5’Ùäs+¹š”ëÍÊ·"õâ,ëgßáNÊšŒ8¸iƒC1ºÁÊX×!êïŠ&‰!-ýå÷ÓbH³ÚSÂDÔíT"2'ŽXêEñ=ísk-*iæú7eÚÊ>«DÁwOmJ96!>bˆ,Ïä‡?¸Y7š“'»žž¾ðxý–ŒÝìâÞY`BÞÉüî¼éMù_`ìêɈûúÉšgµ0† Aô¸ÔSn=„8#6a–ß Vn“saÌßmæbÐ0ùÝ» v«içôŽÙ¡+C0Ê"ëE@ZÁÅIÞÍZteµ·Æx£i‰LçžíÞW3¬TÒs7²»?Ò9CvJ7LIE¾B¾1/šóÎFý­×ãw§,ƒ ²˜d`z)ØïÜJ2·œ¶ÓžÿTsnÿ¨ª=¼W2£íºÏX*•ÎrüêòÐ$øyßT™4åäG×$ÉEž˜Yj¿ÊÊ«„‡›ùe!Ȇ(twèàyTÊv\P&ÓS'~¦ž¿)×ãYÛeë{Î5©.‘‰MÆ=zB¶OºùÐÚ蔼™_ÊÎl)]_¾Ýòr‡I²wÛPr”ÑÕ^H•dóìîo#’ÜñQèŒj0Q,ùŒKýYÍpV½ž$!^—#jðý%õ³ZŠhŸÍ7/¼bžQ½l¾a¥{‘ÒX%‰ZT,Ý´âÎs:™Dû´x[§¥ì®ýŠ³ U·ˆpÆ?Ĉâš«æŽ!“²}@î— ¬=FAÏ=™ÛJA±åŽ$†óv Õ£Œ€Àžš>¢ƒ>Šbì{k*9é&Ørï±·¸ÇXJ_Õž õqå$J*ˆ×èã3²û…s-dÞ,ªUÄrÿ£øc-þ—n,ì ýXêŸ]90ÜÎ+â1éW,‹Òç©"={LSœý©ÙDY$ šHʾ&Œ9êe+Ð툂4wP$öXyßÝ›@4}{¡+/@Œ÷Ðþ È -•”P'DÔ$*) Â|%“<ð +ÐVƒ–8'A^PD ÿ—?˜ÿàÿÆ6¦†N.ö¶†NÖ0ÿ]j§‹endstream +•”P'DÔ$*) Â|%“<ð +ÐVƒ–8'A^PD ÿ—?˜ÿàÿÆ6¦†N.ö¶†NÖ0ÿ קvendstream endobj 635 0 obj << /Type /Font @@ -5652,14 +5646,14 @@ endobj /FirstChar 34 /LastChar 125 /Widths 1329 0 R -/BaseFont /STQNNL+NimbusMonL-Bold +/BaseFont /LHLASW+NimbusMonL-Bold /FontDescriptor 633 0 R >> endobj 633 0 obj << /Ascent 624 /CapHeight 552 /Descent -126 -/FontName /STQNNL+NimbusMonL-Bold +/FontName /LHLASW+NimbusMonL-Bold /ItalicAngle 0 /StemV 101 /XHeight 439 @@ -5680,7 +5674,7 @@ endobj >> stream xÚ¬·ct¦]Ó-štØ1:ÖÛêضíÜqrÇ6:¶ŽÑÛ¶m£c[§Ÿ÷Ý{{¼gŸ?û|?®1®UUkÖ¬šµÖ‹œXQ…^Èd Ù9Ó330qä-m]œä@v²ôÊ@sÀ_#;9¹ˆ#ÐÈÙd'jä ähM¢@ €™‹‹ Ž ²÷p´4·pP©)kPÓÒÒý—埀±ÇÿôüÝédin øûã -´ÙÛíœÿBü_oTÎ@€™¥  ¢ ¨%%/ ’WH퀎F6EcK€¬¥ ÐÎ H 09lþ½˜€ìL-ÿ)͉á/–Ààd4±ü» èn´ÿÇE°:ÚZ:9ýýX:ÌìœÿöÀ°´3±q1ý‡À_»è_„ìA#lÿúþ‚)‚œœL-í³*ŠŠÿ›§³…‘ó?¹,ÿº ³¿‘¦ —Jú—ï/Ì_¯³‘¥ÀèîüO.c ÀÔÒÉÞÆÈãoî¿`öŽ–ÿ¢áâdigþ_ èŽ@s#GS “Ó_˜¿Øÿtç¿êüoÕÙÛÛxük7è_Qÿ‹ƒ¥³ÐÆŒŽ™åoN翹Í-íàÿ);3€™éßvSûÿés:þ«ATÿÌ õ_F¦ ;€)Ð ŽQäü7%€êÿNe†ÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ!þÿ{žÿZÜÅÆFÞÈöïüû‚ü½a@YÀ?wŒ‘ãÿ+ÜÈÖÒÆãÿ°á?5€ÿ&ùÿ#ålô·Bvæab`ú·ÑÒIÜÒhªhélb03²ùÛ©ÙÕìLŽ6–vÀ¿Šþ«™zf&¦ÿð©ZXšXÛýÓzö»€v¦ÿIþ¯Hÿ¢Î(!#¦..AûŸwê¿¢ÿjï¬êaÿ—Øÿ(Edú¿ÿ` ƒÜ^ôO = +'€ãoÂïÌÌ>ÿ‡lÿ‚aþ¯µœ‘³£¥;@çoÉLÌÿ*ü|ÿµÒû1;é?³¢âldgúw¼þ—á·‰‹£ã_Uÿuâÿü?×ÿt Ðh·²2á ¶JËLw®ÆÊÕéíf† ±/©S-Ì÷¯uù¥…msU¾U…0ÔOr´x,œØ¿ïKÓ wcÚPv¥/~âûR÷ä£nP´qÒ2ê— ¦ŸjDy]ÎËnAjs0©ìŒ+)ë¿AL¶±:Â^>Rû“ºæû#{°Gò5I­ÅhG©C«.89¥Hüóø@Ù?248Ðu Õ³G›û•œÇ‘"Òß!O@[­Â+œ:½ïºõòƒH£ÓK?œ —,ÂVöEÑüçª]«ì[Tz«o¢œ£dóþ/MÌ«ÙÉH^¡ÄI®™ÜÏ5r1',Þü‰ Þ›ik² ©L˜ZÂÁû/WT½Na^Õ¶•4/=H¹sCSJí%µnMÐûäLôCá.¿DšíÈ=u—„e,€o¥Ùav±ÉýóÆ|mÝ3ÖU§²¦¹zŽÕ™ØŠ '¡ÇÇ Fõ×¢}²ƒA WÚòc’¤E§Jm¾‘®½xdñeî°Ì‘š:ð¿ÓîëKÔÚ›dçT“†;‹Z[,ð‚³ÅÈ|¹ÂÈâH‘0ç²FCu>OúŽ2Ü7íÐÒ*Ž<¸ôc’ÀMÏý/i°Ê’ÙÙj0¶Q”ß6>j²VÅp—¥GW9¼® Mf…ñðÅbFéÿh{A†Ó­³c§ßÍ{š#ñs€²~Õµ~D‚ðD5‡‹æmÏÀ¹õ®ƒw RŠˆr±$ÆB¿˜­2.ð#œî@[„`9t< +´ÙÛíœÿBü_oTÎ@€™¥  ¢ ¨%%/ ’WH퀎F6EcK€¬¥ ÐÎ H 09lþ½˜€ìL-ÿ)͉á/–Ààd4±ü» èn´ÿÇE°:ÚZ:9ýýX:ÌìœÿöÀ°´3±q1ý‡À_»è_„ìA#lÿúþ‚)‚œœL-í³*ŠŠÿ›§³…‘ó?¹,ÿº ³¿‘¦ —Jú—ï/Ì_¯³‘¥ÀèîüO.c ÀÔÒÉÞÆÈãoî¿`öŽ–ÿ¢áâdigþ_ èŽ@s#GS “Ó_˜¿Øÿtç¿êüoÕÙÛÛxük7è_Qÿ‹ƒ¥³ÐÆŒŽ™åoN翹Í-íàÿ);3€™éßvSûÿés:þ«ATÿÌ õ_F¦ ;€)Ð ŽQäü7%€êÿNe†ÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ!þÿ{žÿZÜÅÆFÞÈöïüû‚ü½a@YÀ?wŒ‘ãÿ+ÜÈÖÒÆãÿ°á?5€ÿ&ùÿ#ålô·Bvæab`ú·ÑÒIÜÒhªhélb03²ùÛ©ÙÕìLŽ6–vÀ¿Šþ«™zf&¦ÿð©ZXšXÛýÓzö»€v¦ÿIþ¯Hÿ¢Î¨¡ ª¦,KûŸwê¿¢ÿjï¬êaÿ—Øÿ(Edú¿ÿ` ƒÜ^ôO = +'€ãoÂïÌÌ>ÿ‡lÿ‚aþ¯µœ‘³£¥;@çoÉLÌÿ*ü|ÿµÒû1;é?³¢âldgúw¼þ—á·‰‹£ã_Uÿuâÿü?×ÿt Ðh·²2á ¶JËLw®ÆÊÕéíf† ±/©S-Ì÷¯uù¥…msU¾U…0ÔOr´x,œØ¿ïKÓ wcÚPv¥/~âûR÷ä£nP´qÒ2ê— ¦ŸjDy]ÎËnAjs0©ìŒ+)ë¿AL¶±:Â^>Rû“ºæû#{°Gò5I­ÅhG©C«.89¥Hüóø@Ù?248Ðu Õ³G›û•œÇ‘"Òß!O@[­Â+œ:½ïºõòƒH£ÓK?œ —,ÂVöEÑüçª]«ì[Tz«o¢œ£dóþ/MÌ«ÙÉH^¡ÄI®™ÜÏ5r1',Þü‰ Þ›ik² ©L˜ZÂÁû/WT½Na^Õ¶•4/=H¹sCSJí%µnMÐûäLôCá.¿DšíÈ=u—„e,€o¥Ùav±ÉýóÆ|mÝ3ÖU§²¦¹zŽÕ™ØŠ '¡ÇÇ Fõ×¢}²ƒA WÚòc’¤E§Jm¾‘®½xdñeî°Ì‘š:ð¿ÓîëKÔÚ›dçT“†;‹Z[,ð‚³ÅÈ|¹ÂÈâH‘0ç²FCu>OúŽ2Ü7íÐÒ*Ž<¸ôc’ÀMÏý/i°Ê’ÙÙj0¶Q”ß6>j²VÅp—¥GW9¼® Mf…ñðÅbFéÿh{A†Ó­³c§ßÍ{š#ñs€²~Õµ~D‚ðD5‡‹æmÏÀ¹õ®ƒw RŠˆr±$ÆB¿˜­2.ð#œî@[„`9t< ®;-¸9"LOlñøþ¤(™è›‹¿üfg†"©jĮތòBô€Úbš ‹©Jÿøq²9ˆ³<®aÁGL…žýÍ1¢€’tgÆ€æéŠdªjÍ!b‚è`{*³Ñ>vçîóƒË|û·UBtOrÀ'v‡”ѳªã8~»%¼È&#Xúå9VÔÅn ͉ $xܹ†ÌK+t†õÆ”S39 h–‚Ñ_0t.Äý×®)Vü6]æ‘£ô)—ô Ú¶‡QU<ñQ`ÛfyÜd!ÄI{—9Í°Êz=,_*#”„-wS¨F‘ýþj‰Á#i‹³g¾}Õ.bê%aòàáøˆ¥3Òä°UI«QÕ>›‹¼µÚê©u?ïA°¤†æ6'¡wd^χö%c?E!Osõ±ëÍ“F€àí Á¹¬ +ËÐÝSa[?ò‹LdH²'Ä™ÊÔË(*¯¿ãÄ^ǹ„æ–1©´±ó¾¬þ²;l… !j_lŒ‰ƒBQÖ©k‘7s|Éõ«:¢­…eá0O ÙËÛôOfC–ôBÙßÕÐÒe/ÅO?žRà²ÜÇ®¸¢u¾,ùÊ«.ì4ð”’áâ·×6ŠmãT*´Õs Óî”ì ³@bSiyäÚK`G¡á›ÿ Agýª¬×‘ Íàì1 ÜSW©Îƒóy l3>ÛúŒ#ž Þë˜øw3Ëȱ¬@"%ÓZÏ æ&k]}Ö­¦Ç4¶ò´!oaQ™ý\–«Wløeû ð–§j&!”Eö¼ì»Ã=åXA|nód5ÕR©›{eÿ§ÇBÒE9ÌĦçÇRÜàå®\ñEÞó`Ø4†iiž°7Ùµ©.CÓ²ï¢Ç,ê±Æ×uNžÆ,ûîü]L›ëMpqÖyZ:D?vþŒàËwàƒÉpçY %QX‚üT ¿Tàš6àÀüµp]HUûnã/Ž`oæW‰þýÖ”d·=ú€A&ú4è7½íïçÄ„ÏÑtžU¦Á‘ƒ ¸T62{AIÝ#\¯™C—´ ÆS;7¨©rðlËw6à(à/ÀX=×Ñ@®Æ»dƾàcŽÅIn£i½„¸€éåç³À¢àU= Yõ¿˜[¸sQÿ%Cÿ‰t–#¶&¥±AHe;ð‚°x21gw(éDüŒÅ+X“³÷º*5{ÆQÁmôÊÊ,¶ïõÝŸˆ"rÔá}ºÏ[.Àã#îf!or³†@ú@z÷ê|]Ð"i<ÖwùR*°ˆ}—£…ÐCW¦X%= ›%î# e˜žPŠ†ºTŽ”oRÈJt¿¿˜òä:7iûCì~7„D|?·Tÿ ½ÔHt…:êÕ`²ÔÞü 'ïX=…È‡Ú ‘žç—¹X òþhr6É׉¬Šä+Ki´´ @@ -5745,7 +5739,7 @@ Bc ŒnÂïqÝ“äZÆM"%3wöšžk×éÔ´—~«û>W–ûÄÇbèþ!ÿ¾@¾Þ§.8pO§’]éDÜÄùû/ÏÇ­ƒzöb7žpÜü¶ny"KÌD¶<£1#3—±òðó€Ô5ï©ø¸2@Jh(C¨ô,ð0¨ŒK  O\‰Ù)¬U°Î®ø+²d€,…•ÅáxÝ2mïË¿¯5Äž&‘=+3–ˆõn&•çV8h·~êåwŸÚ²ÿˆTÖÿþϨLÚ~¨Td¾#c¡¿{%õ R|ö–ïé×Üsîý¦„_[ø•-®ªÉ–þÒ4’b'ŒÔ)ˆñ™Í§HéSuÝÓê:V†ßá×äçNG‰=Žñ#*¯îk-Ì eÖL‡*~Iý$¥í˜Ÿ½dÊ‚Šj,ä‚@_¥þËEÆ*z|2Yðc€ƒh˜Ï¸Åç;+¼ÛÃý¸/TƒÕ›Î©doFÕn_e8„j(Ú— ü™¥ÇÔø2[=‹÷‹I‰éÊ<„qn…Àòz¾C; üù %:à`¨_¿.77•‘CÉÒâÐ_™í¡Ðà04~39jbÑ®ü›&Fï©°ío®GãV&mdRç–ÈëSUoƒ„‚úmZ|ÃнKÐRõÁÄÅgÁO¾/φvb$eß÷•Bf^ŠàŽÚV@ù.ä>Óͪ‡¶À‡>esÛŸÅT¢:(8'öÛ¹oˆŒ5ׄû{‹Tûzã d(6t!V\ó¨½W-aXÜišæ)Áúºû(”˜ºtëWfzÇ̓¢ëû:<­Ûý-bŽÃšÎ–¶Ÿ–1’IîYz<©§$ð÷ÅGŠ¸ÿæ¬j©1XC¨ŸzÝÀ}1«"ªˆ'xÆ"m,+äôdiý&x,«\wä‚j´k· P¶_zjë$ˆ¾‰'Ìx3”'M’>Ïð|ͳvÞ¾æ´3Ù3jhœªƒãü¹€ru¤†àÃy#‚µ¨et%žŽôçÊ NÉÚ Ü’JšøVtûŒÕN©õðKuGJ©`ÉíVq‚¡b4XP×d"S×|О­†¡· po_ó•à²È€,™r*õQ„!™]›±¬:CZ'¢ƒüQiñ²ü®fR£ê©rŸâ"fÅÄÍ]­'¹&>b—"„âr$#cC7tïè¶k Òô”­ìX{.[ ½×OP -H?›qtÄ'Ê—¸õ7RïàýZ$?¤FÝîc?e IŸöãõ}unw°¿ìpd3<ŽéæË\ðþLøkÝ|hÛð‡œ}26šËèm’¤¹Cíê®—ìõª³¸µ¨Ã;á]Ëý@ˇ^¼ÌÒûNÕ—ª#]c—ø¿(9”CúݵB¸ _“Ôáé‹<§\!±$õ6F]ÞOð´¢9#ËÌ`Kv¾ì®¿‰Îj¼8ƒÒ•ƒoq±—Ž@ÖÐò‹›k¾'ÅÇ–³Øë^eƒÂþsˆ¸Åk\X·È.,0%+ IvâOã¬ÙbWÀü}Ž\Iššˆï7–îð‚܃‹Ûd¶¾…›´26FͺÞ+[XÜñž¯Õ8®vÃͬ”.™rʺƒ[[lø¿ìݸ‹ù¬ljuVãvGï½®êšZZîšiÿ2Öp"%'®«k¨!!z;y‹Óu£ÄH§;Âæ÷s‘5.C4†ANŒâ¾Ð-ˆ‚*û*!Ú¼DP¦IfþêG–ºp-¹ÈXšóÊHÉÁ£k˜—²‚%3ÚsO³¹× þÆíÕ ŸV-å s5ÔßèŒÂ ²X6ÅÎb>oTíAÓÐu•öƒ€òÜë½%_R`¾¿+“÷Ô§j¦KBi~ç›uFyLþª+ Ýœt‰6vÎýM}`ÐeØ\"ÕÞ.ÔôãÊ„£Ôòe”›„ 8ï5Ùª¼üË*-/Oe…¬øïñk±K6‰òA<%ç¥ãÖX'Þzž¦ÈtBXé–°¿yRf¸æ—Ÿ{”†ü&GC¡!Ýe÷AŸtÏF }¢ˆgr ßKÊÓ›ôðŸh¥L±¥­ç”:G}Tì”´EÜ_U¥þÖÙ?ù&ü?à¿Š¸u'0&\ø?﹪endstream +H?›qtÄ'Ê—¸õ7RïàýZ$?¤FÝîc?e IŸöãõ}unw°¿ìpd3<ŽéæË\ðþLøkÝ|hÛð‡œ}26šËèm’¤¹Cíê®—ìõª³¸µ¨Ã;á]Ëý@ˇ^¼ÌÒûNÕ—ª#]c—ø¿(9”CúݵB¸ _“Ôáé‹<§\!±$õ6F]ÞOð´¢9#ËÌ`Kv¾ì®¿‰Îj¼8ƒÒ•ƒoq±—Ž@ÖÐò‹›k¾'ÅÇ–³Øë^eƒÂþsˆ¸Åk\X·È.,0%+ IvâOã¬ÙbWÀü}Ž\Iššˆï7–îð‚܃‹Ûd¶¾…›´26FͺÞ+[XÜñž¯Õ8®vÃͬ”.™rʺƒ[[lø¿ìݸ‹ù¬ljuVãvGï½®êšZZîšiÿ2Öp"%'®«k¨!!z;y‹Óu£ÄH§;Âæ÷s‘5.C4†ANŒâ¾Ð-ˆ‚*û*!Ú¼DP¦IfþêG–ºp-¹ÈXšóÊHÉÁ£k˜—²‚%3ÚsO³¹× þÆíÕ ŸV-å s5ÔßèŒÂ ²X6ÅÎb>oTíAÓÐu•öƒ€òÜë½%_R`¾¿+“÷Ô§j¦KBi~ç›uFyLþª+ Ýœt‰6vÎýM}`ÐeØ\"ÕÞ.ÔôãÊ„£Ôòe”›„ 8ï5Ùª¼üË*-/Oe…¬øïñk±K6‰òA<%ç¥ãÖX'Þzž¦ÈtBXé–°¿yRf¸æ—Ÿ{”†ü&GC¡!Ýe÷AŸtÏF }¢ˆgr ßKÊÓ›ôðŸh¥L±¥­ç”:G}Tì”´EÜ_U¥þÖÙ?ù&ü?à¿Š¸u'0&\ø?±g¹Ýendstream endobj 632 0 obj << /Type /Font @@ -5754,14 +5748,14 @@ endobj /FirstChar 33 /LastChar 125 /Widths 1330 0 R -/BaseFont /GKEVFG+NimbusMonL-Regu +/BaseFont /WOTURL+NimbusMonL-Regu /FontDescriptor 630 0 R >> endobj 630 0 obj << /Ascent 625 /CapHeight 557 /Descent -147 -/FontName /GKEVFG+NimbusMonL-Regu +/FontName /WOTURL+NimbusMonL-Regu /ItalicAngle 0 /StemV 41 /XHeight 426 @@ -5783,7 +5777,7 @@ endobj stream xÚ¬zSx¥]·eœTlcÇv%©Ø¶íìضmÛ¨Šm£b£bÛ6»¾ÿïÓ§ŸÓ}Õ}.ö~Þ5Çœcb¬µö¾xɉ”éM쌀bv¶ÎôÌ L\U%uCkkC ;zIgCkÀ_3,9¹°#ÐÐÙÂÎVÄÐÈPšD€Æ3''',9@ØÎÞÃÑÂÌÜ@õ—ƒš––î?-ÿ¸Œ<þùédaf  øûà ´¶³·Ú:ÿ¥øTÎæ@€©…5 ,¯ ))' —SˆmŽ›Pp1²¶0ÈXm€ÔS;G€õ¿c;[‹ZsbøË%è08Ù-þ†Ýöÿ@t{ £…“Óßg€…ÀÌÑÐÖùï œí¶ÆÖ.&ÿð×nj÷¯‚ìíþzØüÅþ’)Ø99;;ZØ;þfUûwÎæ†Îÿäv²ø ìLÿzšØ»üÓÒ¿°¿4QgC ['€3ÐÝùŸ\F@€‰…“½µ¡ÇßÜÉì-þU†‹“…­ÙV@pš:šXœþÒüåþg:ÿÙ'àëÞÐÞÞÚã_Ñvÿòú_5X8;­M`™Yþæ4vþ›ÛÌ–ñŸ­"ikj`fú·ÝÄÅþ?0W ã¿DõÏž¡þ[„¡‰­µÀh -Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1À?—Œ…ñÿánhcaíñ ø¯žêÀW©4s±6tü¯ð¿émÍþ*BÏÉÀöo«…“˜…;ÐDÁÂÙØ`jhýwVÿ²«Úš­-l5ý×8ôÌLLÿS1·0¶²ýgølÿ†€¶&ÿµü¿2ý«xFIQyÚÿó^ý—ŸÂ_ýU<ì€ÿ™D]ÖÎä-þa²sxÑ3s0èY™Øþ»¿ó;³Ïÿ%㿈˜ÿs-kèìháÐfb`bbüýþÏ®tÿ ¨­±É?;FÙÙÐÖäï&û_†`cGÇ¿ÚþëÜÿmú?ÖÿÚî@ ;ÐveÑΘ;Ø2=+ù+ohBD»¿—|(ÄþWƒJq¡µ]_zø6g…Á{MCã×g›ÇŸSû})šƒ‘^LkÊžTàe¾)u_!ÊEíA £Þ/„Œ3õh¯«™--v&µƒ E%½ŸïPS¬Ž0WOÔþ¤®…þèdöˆ¾ÆiõqÈ ¨µE§gIÇO”¿G‡‡{n ûöñhs㾑s»B PDù;äâñk©–‹V6½8mN¨Œ Ávìòø›½ ä´“[¬{[Ëû^ ¬jÄî Öæð¡'¦E½à3õ%­µK$cÿŒæ^55`wzý´æ]ŠÛê{ÌFx9].òn1[Em™QBÏ•[ï¹öضé3MºÔí¡v»ùV¹\¢ ³*2m jVöˆ¨pz/’]6r w™ÇR‚I%Poýpc75ÈÔ'¶ÈhÀƒ W7JUϳ`K¡$¥ÀsÎ<Ä7:^ƒÉXÖë}†¿?Gæ;¦D»Ëc|y´—GðCK”Ï?eñ!AÊ¥c£VÖnPW±6HãÊQ9+–hh8©SfŠŸ0gÒËÑÍÁýh7F(Í¡7öؽŽa¸Z®/„y®I­1‚ÐÖÊ®kZºíRø»ÓÐð±‰ÌN²NNÆnôâT7%ÿÑ'ϳ7i"Å +Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1À?—Œ…ñÿánhcaíñ ø¯žêÀW©4s±6tü¯ð¿émÍþ*BÏÉÀöo«…“˜…;ÐDÁÂÙØ`jhýwVÿ²«Úš­-l5ý×8ôÌLLÿS1·0¶²ýgølÿ†€¶&ÿµü¿2ý«xFua1Q Úÿó^ý—ŸÂ_ýU<ì€ÿ™D]ÖÎä-þa²sxÑ3s0èY™Øþ»¿ó;³Ïÿ%㿈˜ÿs-kèìháÐfb`bbüýþÏ®tÿ ¨­±É?;FÙÙÐÖäï&û_†`cGÇ¿ÚþëÜÿmú?ÖÿÚî@ ;ÐveÑΘ;Ø2=+ù+ohBD»¿—|(ÄþWƒJq¡µ]_zø6g…Á{MCã×g›ÇŸSû})šƒ‘^LkÊžTàe¾)u_!ÊEíA £Þ/„Œ3õh¯«™--v&µƒ E%½ŸïPS¬Ž0WOÔþ¤®…þèdöˆ¾ÆiõqÈ ¨µE§gIÇO”¿G‡‡{n ûöñhs㾑s»B PDù;äâñk©–‹V6½8mN¨Œ Ávìòø›½ ä´“[¬{[Ëû^ ¬jÄî Öæð¡'¦E½à3õ%­µK$cÿŒæ^55`wzý´æ]ŠÛê{ÌFx9].òn1[Em™QBÏ•[ï¹öضé3MºÔí¡v»ùV¹\¢ ³*2m jVöˆ¨pz/’]6r w™ÇR‚I%Poýpc75ÈÔ'¶ÈhÀƒ W7JUϳ`K¡$¥ÀsÎ<Ä7:^ƒÉXÖë}†¿?Gæ;¦D»Ëc|y´—GðCK”Ï?eñ!AÊ¥c£VÖnPW±6HãÊQ9+–hh8©SfŠŸ0gÒËÑÍÁýh7F(Í¡7öؽŽa¸Z®/„y®I­1‚ÐÖÊ®kZºíRø»ÓÐð±‰ÌN²NNÆnôâT7%ÿÑ'ϳ7i"Å HkÑò¶ xÀΙsTºÜºí F¥$_2à¤ÝéØæú¢úÆÒ†êéÓ÷j%ôÜvk†Êœæ%¢d` ;ÝSêdù/áÉ]‘¶S¡¼ÀËÒKa÷Ï ëö³‘#&[K^˜µ+»UTƒdak¦“Ÿ–fUX©u¢¸5ÐJçCL8KÔR®<‚öwm.¦LË‚&ØwLCœ¾a!~6]íeîkZ77º?ž†,˜ˆÁóñ0a£%Æà \P3ÏØ©®â%ª«Q¶°sy1*õŸƒð3›Wž®õ;7 K³y²mÇZÉh\HÐçãîäÑ|Àÿ´_˜D®á!)?¬oöër$q0>°±ÏO„…£b{m㔿/£HŽç,Û»MEr2ï©Åèg(ãw„†Ó¤,DûJ.pW£?W؃ð›'HÂMcÕ‹~[5 j´iÝ "£õëÈbýN¿”òà–`˜ä§×ÛÉ™ÍeÒÔ“Ç먄lŸyú¿ýw¬ª±›ä»~¤J!“A=ÐÃé8êâ N1&ƒ¨8#vŠ:ÚQ™¡ù 0 RÛ¤T(þ×ût„Í$þbwF˜ß® 7)ÒZ¥ëî±´X¾;dãQ¡ÅC…sNÏÚ‘!jCù‚#XÎäüÃ_Ä÷ €mK1”£»ãß:¹Õ˜z_#å *’Ðs,b½“o&‰ð]ÎÎì†Ò¬¦{˜±ãxÂZ©–\å.ÉÉq™5í—]Í_ãÓ~w X~˜½UÖ"bg¬%Ì—ÊÉbÙ¶Õ¾VÂ3a¾$þ—ì!íL;ENLãÖ[µô(ÁzŠþÐÞ :\¦oŽìÿÞÉðdþÌn¤j’Pïn‰“Ì{:}*PDvŸw*[ð@9‚»pR¸ÿÍ‹°E²(oh~÷ƒ¸hkå……DÛ–‡[ÒÆ¥oÖ™ziUèɉ±-Ïòk^Mï•ôÌ,öêf¬”ñx” ŸGS6 »æÐ>²+5XÛ•½åfìÔm·ë×®þv*¦Øp ëÔ,ÆêWàÅ{+"‹ÜV¦Å—iÂÿÆ6ë,Y¶ÍSßl£ÐãìÖH”þœÙ¶‚;»£:Jb†öÿcÂ2üâ' í½dn”»†õ¥ÂJz]è°^kSâ…v‡Æ¤>fÊýQÌ’Ñ飺˜N•½º%ÞAäÙiÁO…Ûoñ­¢/ÝvÙŸHMpÿdÓ.š8yиæâ<·ûÌTêüÈÏöé]øÝYØzÔ0óYJöÊVêôøÿ¦/=¢W"ýÓ:Cè¡Êà^+ósZ…íôqÜvOø$ÕiÚøVýq${zìxŽÊ«Q‘c²ârÞQ¨Uz™F`Ô4ùjþ1gæ\xEŠ „ûɘÄEÕ¬«‰~*U;³Ù ¿É› Ô0a¸­¦û[ßÅräÛ%Ó\qŸž]£÷Àëð|O-FêkÞ‹³€'‰Qö.ÊÂTqëÚĵ¦Îš)RžcÀ¾ôßØDã“V¶¢Ååž5yÔL ùR„wOƒùͳ¬¯ãƲ¹ûx¥óuj2a™ dêMèaÁxö³]&e9õ};ªÄqÜm–íʳì $j´’V¢_yŸ¹6€W 3‚èíRõѹc§EsšN1}œÇ‹”Çžácž!\°­1£,,ᄬ¨\XMÔ›ÖÁ€DÊŸ&ë«~9F=Þ'KJk®©YGŽ¿¸éí s¬zÖÃÔcü„Xnú°à¬KNT‡E}Í®¶ˆjYMr5†Ò™NgeƒËÝ Ë ªòÒ •õ¼š3÷1¨vypæËj6µ}åI_ói­EÅÎq¸'½ šþñ+„žb2ä÷R…‚¶~UÞci„eù‹Pz©k!ïÊ×2oˆáûv)³!> ­ZJ®‰ÙGj]ÙîWðH:‘”·Y«äMŽ˜‚Ïéì©qîmuëO#/3K®ÈíöiEpë×3ä‡ÔO@â0¡á‹5!³ÑŒ¯ Ü8ßï;*UbÊS”ßÖq—2,Â#h=ÕM x'üÁROª…ÙB!É<Áq ݘ87¥3üB$ò:ÿÕzÆOE:óP¶%õŠkÄ´{@æÿíÿ€ÿ -ÀÝÏói<ÐÿiŒö?oª¥endstream +ÀÝÏói<ÐÿiŒö?ÞXª­endstream endobj 626 0 obj << /Type /Font @@ -5875,14 +5869,14 @@ endobj /FirstChar 2 /LastChar 151 /Widths 1331 0 R -/BaseFont /PIEPOL+URWPalladioL-Ital +/BaseFont /WTCFEX+URWPalladioL-Ital /FontDescriptor 624 0 R >> endobj 624 0 obj << /Ascent 722 /CapHeight 693 /Descent -261 -/FontName /PIEPOL+URWPalladioL-Ital +/FontName /WTCFEX+URWPalladioL-Ital /ItalicAngle -9.5 /StemV 78 /XHeight 482 @@ -5902,17 +5896,16 @@ endobj /Filter /FlateDecode >> stream -xÚíU}8Tùß­gYC¯VC¨Cײ4/gÖ(eX™ÍË ¢dsÌœ1ÃÌÎÌh°áb±"D£bó6»Y»½àâzi´)zn“XòVS4C´y­uêi¯ýóÞ¿îsÏùç|?ŸÏïûûœÏ÷÷à‹°x°8Š8ñù€Ïâ -à‹`4fq °y,1 ‡ð„8Ò¢#†ƒvË0[þŽŠ„Qf -°ÀL~`Ùˆ°aŽä‰`{Á˜“ÿ†©•Í]%|¾'$Xl¿”ÒŸxHÀãG½U ‚p‰F„ £Â•R?xÙœÌæI+Y†âóXNÂ> @"ÙšºLðD®<)ÌfòÄ,.Àø"x ‡…ì•V°ø–Œö2]ü÷¹Y½ëÉ„xBñ¾¨p ¿W/ÕàûK åI2‘L1!ö¾û -\±ÙBÂæ C -Õ€PŠÂa'«¨@ ð„lX -ÀRÌ1‰(DÄØ‹æÀAPÜâXAk€Äâ¡,>ÌZœšx‘]&¨)ËþD¦` -±`>Ìù#lý^ú{ÜÃ!ô=€e€¬0q—à?G§#ÒÅ ØÛb?‚¶€õØ¿ Y……⥳‰Åÿ®æð°‘Á°fáz»–CRh^urEìçïüðIëe[¥ºW³Ù¿66ŸÇ>æK=çm".-V^=!LJ)ô¿d9œÒE¯dx¦5]¢{ñjZQ¹V<µ‰Øã‹JL“­yme>ÊG8]ðÒÖ„>:ûí¶í½ÓÛâÚtαUôCç绵7Zúœ´4Ýl×{AsàÃMø¨'['kãònìdMܾïÎ`âE®iæ -Ž£vð44ûȉT(¬¼GœZî©”GõÙóë½Ò›¤OSMSÌž·ú–KgÒb c~»®‰¿›:–Q<󵗮ɘ~}àŽ<醒”¿§ÑØݨí‘5÷Õæ6+OÙ'!äAëU—Fj ÚCïÿ¥ -Ly£ÒÜ\û¢ -+¨É5vyñ}ýιýøŒcĽէ>+­—kw×뺻îõ:g¾,ÔòìÐH£xH®ÎÊj¹'ÆHøáq›Žî;{JÅ >Ð1øîkïÀ\†äúZ#£exðøõpŠ–©¬ËÎÈü«¯«Ë׊J,6‰J.Å%Òú‚U7;»ÀªñŒÃ9±ŒIFš^nȵGŽ·¯²lÞ(«Óë©9+“÷ékö+³¢õ&²JqsF{63=ƒèéí¿W#îps^R WàsµºïEų2ä쎱- c~êdƉ֗ƒVS¢q_mÚ¥®RÿCó(øRƒ£ÍL¦SùÙõ*†Éi¿I÷¿¸¯‹[˜œÍžJ=÷Ó—qƒ¿O~¿±(”ðSŒåЄrË-{&nÄÃàd÷¹Ò«Î¡ºÌØ„Øk?n—Ô‰sDeIíÊ5Oñ7­ƒ:¹= GÄe‰3ajèz•Ë®8h'$Ô\÷-”…Ìî°‰°œV*¦…­FÔO™àšÞ­;\&?Ö¾\à3rjÇOjŠ¥¤õ»š}ì ÓÕû7½É<𼃮ŸûIØßtgýÕ¯"òæ ««¼d}ò˸ó¥?~ÿËPédÄúük·ä×äDWBëDkÿ­"[ªâèÃIåõÊc’†›æ2’ò6e™,v@ižßÅÕ^Q¬+*‹ÇUM=uó)Aƒ¢…p螢êSÚ<Êyæ:^á0YY@ûÜ×í×8ª˜sÒéÅßO‘Þ$v¿Ð¨k••ùÑ«R¦¦K´Zßlefµy êÉæ¬,é”ê5·ff¿»ßp‡ gîÂoRû–uã~ŠÄ{ŸFgœåÇ:O¾Û¼û57ÿÙq˜ùpŸ¸.à¾j•J}Ú(œv_X1F¬+L»ð«ç®BeJò|ä–ü¡ë»ä1š}[Úß0Ûô*ÑBõmfÓtµqqßBI%@ß6\¬.øˆ$Þ^6à¡O¥±&>/Jhèˆ`ÌuIrrr<åW¢É™OJ‘bÿVr|qOÌeQ÷8Ú¨­¦!ðÎ_Sv­›¹{N­/”¹«VÅhöèÞít-Õm]¨eïn¹=ê:ätMKÌoÓüyAv¨)$òËKל±Ùˆ˜ä¤Žwl×7\—m´‡ÄáàÛæñO¨g·zÚŽOeÓœò›3Š'!1çM~ü&úˆj$`mÄè/}-úªºº#§;»’ýbÝMçÚ¥)g”Sw¶wNìÊözÌ8Ù÷%ÝýŒFÿœ\kuRy,»#´Þ;(é9–í£Ñ+㬠êÍ­à| CþÜÿüO4À®n# Ãý ”°þhendstream +xÚíUkTgnõJÀ+Å€€¸ +æ2@ Š, „‹ŠT†dBI& (— +A@0¨P¹TZ)­`åb°¢àY#BAn¬\uÝôØ¥?wíÙ™?ó>Ïó½ß3Ïûó™™xxœØHì‚ÅÒg7ïC ‰dœ™™3 +Cb"܉aÚÛƒ€“$©ÙŽF!Ó¨v83À ‹DyÁ\1`áüÙ¢ÈpÀ( 7HÌ…XļG'>ðZ\!¼`ŒFÀl"6%‚à`žGZtÄrÀnfKÂÞQ0*ÂL˜ÉÏÌ"ò#6ÌÁ‘Ül/sòß0µ²¹‹„Ïw‡‹í—Rú xüÈ· +D&Ã(à†°aT¸Rê /›sƒÙ<‰`%ËC|ËİhC$[S— žÈ…'…Ù<1‹ p ¾^Âa!{¥,¾%#$ŸCîû]=­ÞÎu‰ô€xBñÈ0 ¿W/ÕàûK åI2‘L1!ö¾û +X±ÙBÂæ ƒ +Õ€PŠÄa'«¨@4ð„lX +ÀRÌ1‰(DÄØ‹&à (nq¬ 5@bñPf-NM¼È.T€„eÿ"S0 …X0æü¶~ /ý=n‹áúÀ2ÀV¨ˆ‰¸K🃣Ói4bìm±A[ÀÎŽóoB–Ea¡xélbñ¿«9ß87Ø­½ÑÒ뤥éf»Þ šnÂG<éÜ:Y—wc'kâö}W†^ä’f®à8jMC³qœ…ÂÊsÄ©åžJyLŸ=¿ž™Þä/}jœjšbö¼Õ»\:“kýÛ­0MüÝÔ±Œâ™¯™Z¸&cúõ;ò¤JRfüÞFcW£¶GÖÜW›Û¬ÜeŸ“­W]©5hy|ð—*0åJssYì‹r(´ &×xÏÓ¨ðïëwÎÄgÄ¿¬>}èYi½\»»^ÔÝu¯×9óe¡–{‡FÅMruVVË=1FÂÛttßÙ[ú(^ðŽÁw_{Ôà2˜ËkŒ–áÁã×Ã(Z¦².;#ó¯|^1V—¯•Xl•\ŠK¤õ«nvvTãGrb“Œ4½Üàk 0Žo_eÙ¼QV§×SsV&ïÓ1ÖìWfEé)Ld•â@çŒölfz†G€»§ß—qGšó’˜ÏÕê¾Ïʳ;ƶ$Œùª“'Z_NXM‰Æ½µi—ºJýR Í#áK Ž63šNåg׫ +$§ý&Ýïâ.nar67j*õÜ?L_Æ þ>ùýÆ¢ÂOÑ–CÈ­}Ù3q#n'˸ϕÌ:‡ê2cb¯ý¸]ROHΕ%µ+×<Åß´ì<¼ïÅ8<.ëhø˜‰‡†.³\vÅA;!A æºn¡,dv‡N„æü³R1-l5¢~ê‘®éݺcÏäÇÚ— ¼FNíøIM±”´~Ws€ø`ºúà¦7™>Ï;èú¹Ÿ„þMwÖOý*úK_‹¾ª®îèéήdßXWÓ¹viÊåÔÆíÝ„»²™'ûöÓ]ÏhôÏɵV'•Ç²;BêmиC’ž˜l/^·`m`onçòøàþßà¢vuC¨@h(î_$/þyendstream endobj 616 0 obj << /Type /Font @@ -5921,14 +5914,14 @@ endobj /FirstChar 13 /LastChar 110 /Widths 1333 0 R -/BaseFont /KPDXTH+CMSY10 +/BaseFont /VYNJLQ+CMSY10 /FontDescriptor 614 0 R >> endobj 614 0 obj << /Ascent 750 /CapHeight 683 /Descent -194 -/FontName /KPDXTH+CMSY10 +/FontName /VYNJLQ+CMSY10 /ItalicAngle -14.035 /StemV 85 /XHeight 431 @@ -5952,7 +5945,7 @@ endobj /Filter /FlateDecode >> stream -xÚ¬¸c”$Z°%\]¶Í,Ûv—m›Y¶­.Û¶m»»lwÙÕeÛõõ½oÞ¼Yoæ×|ó#×ÊgÇŽØqb­LrbEz!S{c ¸½ =3@MYCÑÈÆÆÈÔÒ^–^ÙÞÖð×ÌKN.â4r±´·5rò4€¦Q  €…ÀÌÍÍ K±wðt²4·pPýÅ ¦¥¥û/Ë?!cÏÿôü½élin øûÅ hcï` ´sù ñ}Q¸Xf–6@€ˆ‚¢–”¼€JB^ ´:Ù]m,M²–&@;g 5ÀÌÞ `󀉽©å?¥93üÅrœ€&–¯=L€ÿ¸è@'[Kgç¿ß–Îs'#;—¿=p±XڙظšþCà¯ÝÌþ_BNö#lÿúþ‚)Ú;»8›8Y:¸þfUÿž.F.ÿäv¶üëØ›ý4µ7qý§¤}aþz]Œ,íœ.@—r¦–Î6Fžsÿsp²ü—†«³¥ù1 8ÍœLm€ÎÎaþbÿÓÿªð¿Toäà`ãùïmû£þ'Kg ,3Ëßœ&.s›[ÚÁ2þ3*Rvföf¦ÿ°›º:ü§Ï èôoƒ¨þ™ê¿$ŒLííl<¦@3XFy{—¿)Tÿw*3ü¿ùÿÄÿOþ"ïÿ?qÿ»FÿË#þÿûžÿ;´¸«¼‘-ðßK€ÿÜ1YÀ?KÆî‹6²µ´ñü?Åÿ÷H àü?ÂH¹ým…ù_9˜˜þÃhé,né4U´t1±˜ÙüíÓ¿v5;S “¥ð¯žÿ¶@ÏÌÄôß|ª–&Övÿ4žý?\@;ÓÿÎý¯Dÿ2gTU–“¤ýßwê¿qŠµwQõtøKí”"goú?ÿ  Û{¼é™98ô,\¬Ÿ 3€›Õ÷ÿñ_ æÿ:˹8Yztþ–ÍÄüoñÿãó_'½ÿ#fgboúÏ´¨¸Ù™þ°ÿiøÇmâêäôW×ßüߢÿóüï¨@ØÕßö&¼ÁVéY.õXyÓ¢:¿ú™Á†CÊšT‹ jíûüÓÃw¸« ßëBš§y>;<—N>¤iþŒöcÚPö¥/ ð}I©¢lRtqÒþ bÔ/CÈ8Óˆö¾Z”Ý×æ`Rÿ³;©¤¬_úI0ÝÅê}õD@êV€Nöè€èg’Ö‡ÑÜ ‚Z_tzF‘tüôH9862<Ôwñó67†œ× "*À1OP[­R¬ºM½}¯O‡ÓØO|íCZÁ7$«åiyĤ2õÒjŒr<(+ð“yŸ^kx«¡×fR—/1u#t=ì:²ÕâQ}j%¶³v“ðUâýK+ÖcÌcûùÑPƒoÌZò›öíN®s€Ê‰òIÍwξ‘Ë—‰ï qu¿·[!“´¤Zv'@0³Äëzb^Ù·ÑH.F>O59T]U65VÐúO[’t& xUBµ%\£¬bíòg #Q¼÷Ì5QCöö³l~ËN«ÙÉJð¢ƒUˆmAÉyjÒ7ÒÇÇÍÑÆh|ÂëU:áñ‹äGÑýiæ·:Ò|ÓJ´ß8c©Tò@`Xx ÔþD•©KB§#…t*&]³²S½À¤y{~Ý.Ó{7Ñ+=g&Ç3îxÄ©I6 ³»šˆË!µgR ƒTä#X*¼J3Êû5нª +xÚ¬¸c”$Z°%\]¶Í,Ûv—m›Y¶­.Û¶m»»lwÙÕeÛõõ½oÞ¼Yoæ×|ó#×ÊgÇŽØqb­LrbEz!S{c ¸½ =3@MYCÑÈÆÆÈÔÒ^–^ÙÞÖð×ÌKN.â4r±´·5rò4€¦Q  €…ÀÌÍÍ K±wðt²4·pPýÅ ¦¥¥û/Ë?!cÏÿôü½élin øûÅ hcï` ´sù ñ}Q¸Xf–6@€ˆ‚¢–”¼€JB^ ´:Ù]m,M²–&@;g 5ÀÌÞ `󀉽©å?¥93üÅrœ€&–¯=L€ÿ¸è@'[Kgç¿ß–Îs'#;—¿=p±XڙظšþCà¯ÝÌþ_BNö#lÿúþ‚)Ú;»8›8Y:¸þfUÿž.F.ÿäv¶üëØ›ý4µ7qý§¤}aþz]Œ,íœ.@—r¦–Î6Fžsÿsp²ü—†«³¥ù1 8ÍœLm€ÎÎaþbÿÓÿªð¿Toäà`ãùïmû£þ'Kg ,3Ëßœ&.s›[ÚÁ2þ3*Rvföf¦ÿ°›º:ü§Ï èôoƒ¨þ™ê¿$ŒLííl<¦@3XFy{—¿)Tÿw*3ü¿ùÿÄÿOþ"ïÿ?qÿ»FÿË#þÿûžÿ;´¸«¼‘-ðßK€ÿÜ1YÀ?KÆî‹6²µ´ñü?Åÿ÷H àü?ÂH¹ým…ù_9˜˜þÃhé,né4U´t1±˜ÙüíÓ¿v5;S “¥ð¯žÿ¶@ÏÌÄôß|ª–&Övÿ4žý?\@;ÓÿÎý¯Dÿ2gQT•¢ýßwê¿qŠµwQõtøKí”"goú?ÿ  Û{¼é™98ô,\¬Ÿ 3€›Õ÷ÿñ_ æÿ:˹8Yztþ–ÍÄüoñÿãó_'½ÿ#fgboúÏ´¨¸Ù™þ°ÿiøÇmâêäôW×ßüߢÿóüï¨@ØÕßö&¼ÁVéY.õXyÓ¢:¿ú™Á†CÊšT‹ jíûüÓÃw¸« ßëBš§y>;<—N>¤iþŒöcÚPö¥/ ð}I©¢lRtqÒþ bÔ/CÈ8Óˆö¾Z”Ý×æ`Rÿ³;©¤¬_úI0ÝÅê}õD@êV€Nöè€èg’Ö‡ÑÜ ‚Z_tzF‘tüôH9862<Ôwñó67†œ× "*À1OP[­R¬ºM½}¯O‡ÓØO|íCZÁ7$«åiyĤ2õÒjŒr<(+ð“yŸ^kx«¡×fR—/1u#t=ì:²ÕâQ}j%¶³v“ðUâýK+ÖcÌcûùÑPƒoÌZò›öíN®s€Ê‰òIÍwξ‘Ë—‰ï qu¿·[!“´¤Zv'@0³Äëzb^Ù·ÑH.F>O59T]U65VÐúO[’t& xUBµ%\£¬bíòg #Q¼÷Ì5QCöö³l~ËN«ÙÉJð¢ƒUˆmAÉyjÒ7ÒÇÇÍÑÆh|ÂëU:áñ‹äGÑýiæ·:Ò|ÓJ´ß8c©Tò@`Xx ÔþD•©KB§#…t*&]³²S½À¤y{~Ý.Ó{7Ñ+=g&Ç3îxÄ©I6 ³»šˆË!µgR ƒTä#X*¼J3Êû5нª %É‘÷Q•£,ň;0º3êì¾fC|³%œQ™”îflh`ÒRsšÆ‚w›sÅ‘X§¢uü-Í ÙTÙ ˜ªès´¡ûÌN£Ð2¸iɱ½õx!:Î<”?%x¡yƒMŸ9¼Ñ¸¬#ØÌ4ìÛfÙì¢_"Ì:õ¡ÒE“ Èüñþ“_º¸–rkÕ—<éñ£äQåÜ‹*£:½'&ܳ´H’B“%C–·&`wŽ$a"Q´-@”Ç-?ŸòxccÅÿ“w×wGW™v™4;ÌRC“  ¨Ž\]“.ü\°ß5_Ë*Ù7†·w¡.r.†把zÙf’9p¥¥JÛÕŸ—þLÔ‹1œÐÇ5-ÌÝ€i*¡²Þß=#€–—cþ ¼ JgLú§ooGâC12¢)Œ.ì)0·»b›Ì)7ühøÏ´åÚi{Œ¼ ÒŠnèˆ({ßø^4­nÆ*n–¨s¼-ø÷VkHÛì“äù&Ö{‡–…nªNzË,¯CZ‹ì%ø½EMEÂîy."6¦ˆÜBú<Œq°)ì LD­þçxä ÂÜA¸Ò…¼¶üæ¥Ê×öŸ¾z¦SÁ‘,#¸º!6cc d­cu!2?Ü1=ú뛇‹Wûµ·,ÿô‹§…)ÝÐÌŸ$Ê-Æ6†˜þÙÞ¦ÿDÊ|(ØufË«‰4ú]á4Ê®ò\¸†ÑóÆ°íkÑ$i@–WÏ_ÏíÕµB¿„G5µ2c?L?~pÉ÷’¬Ÿ¸¿áQÂl4^”ê[‘^W¢ ú'iM¼¶ˆ€UxìÑ[Ü1­.yM< üDðWà:Hÿ]³ô^¥ŒnKGCA @@ -6050,7 +6043,7 @@ N £9ªåJdŽ²k¬û¡!î—yOßËHg´¤½ð>pèÓrR¡”|fwÐÜ)‰ß©éËÈíª6ÞÛÀ“Ç*i}J.âÙ¨œE‡ÆöqÿŒ0ÿ|Ñö*–fÕ$% þ¶6É™ÑÖZùQX;]Ÿu¬ïë:«\Ò†¡é±CµÐBkÕÔÊÝTÕ¡Á™•ŠG’ót¾€‘4Þ¨4ìöš¦Á½œ€w?Ìá›Bx[R eßÏA‹üúG4)óÖm½ïËä£ÄW®¡„»{&8V^›v”TxBÓ‹‹"[“¡XÀ¸”Tò€Öiøð;ÅÈçæ=Ú‰]r–R Ô³{6ð¤Ã‘¹„5šöÞæÜ(Fƒu«ú¸ìtÈæõí’ŒÏý­çâ–ý”wKB§:"Ñ‹´øT>+ÈŠ v",Ú¦d] £³\Bù›‰—¢IÑAÚ‡u5:)¶±ç«ei9c;“Ock¤ÒýcT9„»·¹ äøâlˆ‡Ùæ6øй¢ÚÓÌÓ¶ W4ŸÞç†(œ$<ç,èT-Ikñ¬qS\øïˆÁÀÌê™â Tb©¯ £¾¹†¢Eâd¹u’\ hajˆ±èÀöµÕß½ÏK œK§é.à*wã7E]Š½Ú–…:Ê‘«â­ß¥¿áØÒc¸ûŽEýª’|¸$\Š\Š?‚¿µj*ˆM?žãY‰þôÁ„ÖæÖ0EØéòRçl¾¢Øÿ›…r‰od:‰Æçu&Ù¤CÑ*¥Í¯Ý%|У ð‹¥Îtª$]$2Tk!𠟬¨ <|þœýÿÒÿ€ÿ -ÀÜ`êêîä`êj‡ôem÷Ùendstream +ÀÜ`êêîä`êj‡ôìƒ÷Ëendstream endobj 608 0 obj << /Type /Font @@ -6059,14 +6052,14 @@ endobj /FirstChar 2 /LastChar 151 /Widths 1334 0 R -/BaseFont /TUBMEH+URWPalladioL-Roma +/BaseFont /ACPTNA+URWPalladioL-Roma /FontDescriptor 606 0 R >> endobj 606 0 obj << /Ascent 715 /CapHeight 680 /Descent -282 -/FontName /TUBMEH+URWPalladioL-Roma +/FontName /ACPTNA+URWPalladioL-Roma /ItalicAngle 0 /StemV 84 /XHeight 469 @@ -6086,7 +6079,7 @@ endobj /Filter /FlateDecode >> stream -xÚ¬´ct¦[´%VìTŒ76ß bÛ¶mÛ¬ŠmÛ¶SqR±mÛÆWçܾ}{Üî_ýõgŒg/Ì5ךko2"y%:c;CQ;[g:&zFN€Š¢š¼µµ±…4 µ1௙–ŒLÈÑÄÀÙÂÎVØÀÙ„ fb 6103˜888`ÉBvöŽfæÎÊ¿T44´ÿeù'`èñŸž¿™Nf¶ò¿?®&Övö6&¶Î!þ¯•LLÎæ&S k€œ¼†„¬€RLV fbkâh` w1´¶0H[™Ø:™PLíÖÿqÙÙ[üÓšý_,'€ÀÉÞÄÈâoš‰»‘‰ý?.Z€½‰£…“Ó߀…ÀÌÑÀÖùï œí¶FÖ.Æÿøk7µû—½£Ýß›¿¾¿`òvNÎNFŽö΀¿Uå…Eÿƒ§³¹ó?µ,þºv¦#íŒ\þié_ß_˜¿^g ['€³‰»ó?µ MÆNöÖkÿ³w´ø—†‹“…­Ù1 8š˜8[›89ý…ù‹ýÏtþ«OÀÿÒ½½½µÇ¿ÙvÿFýOÎN&Ö¦ô°LÌk9ÿ­mfa ËðϪHØšÚ˜ÿÃnìbÿŸ>WÇDùÏÎPý%a`lgkí061…eµsþ[@ù§2ýÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹ºX[Ëؘü›øÏ7 øç‘ùß‚ l,¬=þOáÿ=RÍä?8þŸP$œ þBÀÖ쯌ôŒÿa´pµp71–·p62˜XÿÒ¿v[cGk [“¿jþ;H#ãó)›[YÙþ3vÖÿp™Øÿwêú—8ƒ¤†´Œ” Íÿþ¢þ'ÿWygeû¿ÔþG'2vÆÿóðŠ  ;À‹Ž‰•@ddú{áþòá²úü*þ Äô_ggG w€Ö߶ÿfþÓüÿøþë¤óß`DlìŒÿÙ%g[ã¿ëõ? ÿ¸\ÿªúïÿÛôžÿ]tw#Ø•E;#®`ËÔŒ4çZÌœ¡qa­¾^&ð¡û’åÂ|ÿj»¿Ô_Ûúï5!ô“œŸm §öû’Ô#½Ö=É&—yx>$T¿óQ6È;ØitKÒÎÔ"½®æ¥· 4ÙUvÆu‹ß¿áOv¡¯ž¨üI\óýÑIí}Rêc¾w"7‚ Öœž‘'?=R Œ öÜ@þÞǥɎ!ãr…@ ðwÈÆåÓT)©l¤¼lˉ0æÞ»oÎ^(jÈÙOx­AñÁ'‰YŸ9ã^$ÄLòº¥YÒªžU+ÖÛãŸê²ñ¦iN^|à=_ S˜'a…´?“5tD'c{…ßðØ×O ð¹€N$ÏÒ)'²TeÓ9ÍSæÕÜÜÌô¿;ò`‚óP~G¥aþFª°£3ëÐnÎôÖ¦tÍÓ‰‹w>þaMg¹Û|™2?h£ØY5º´0< §m«¿•“è0Oƒo'r•z¶Òý´`“~œZ“§V†¡\U[MΤo8À5°±nùaV—½õ&—Éíã#z'&Xü«g&(ÑU¢Àήºœ.Z/¯‘4D˜pRïíåf%5fpt: ݈K@ÉÝ8²XÎŽÿiœ$ó§"‘ò80ã{p¦¬9H7Ê$rKø6Ô9¢»´éÀí¯oRoùÖy5Í|3VÁ=ìM“,d+G÷[’â]\ZZü.‡ GLîG~Ú \fžm"(„¤\éÐœ„†ËcÕX¬"™ZÃ5CåjstÏ[«ZªëujÒÉ~àÆýGµ±ö¬Ë]é¦pùÌ|_ª—õœ^¥Â²úî]໾­@Ko‘§_[,÷1ka´ÙoÝ‘šTô׺"Û›bzte`> +xÚ¬´ct¦[´%VìTŒ76ß bÛ¶mÛ¬ŠmÛ¶SqR±mÛÆWçܾ}{Üî_ýõgŒg/Ì5ךko2"y%:c;CQ;[g:&zFN€Š¢š¼µµ±…4 µ1௙–ŒLÈÑÄÀÙÂÎVØÀÙ„ fb 6103˜888`ÉBvöŽfæÎÊ¿T44´ÿeù'`èñŸž¿™Nf¶ò¿?®&Övö6&¶Î!þ¯•LLÎæ&S k€œ¼†„¬€RLV fbkâh` w1´¶0H[™Ø:™PLíÖÿqÙÙ[üÓšý_,'€ÀÉÞÄÈâoš‰»‘‰ý?.Z€½‰£…“Ó߀…ÀÌÑÀÖùï œí¶FÖ.Æÿøk7µû—½£Ýß›¿¾¿`òvNÎNFŽö΀¿Uå…Eÿƒ§³¹ó?µ,þºv¦#íŒ\þié_ß_˜¿^g ['€³‰»ó?µ MÆNöÖkÿ³w´ø—†‹“…­Ù1 8š˜8[›89ý…ù‹ýÏtþ«OÀÿÒ½½½µÇ¿ÙvÿFýOÎN&Ö¦ô°LÌk9ÿ­mfa ËðϪHØšÚ˜ÿÃnìbÿŸ>WÇDùÏÎPý%a`lgkí061…eµsþ[@ù§2ýÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹ºX[Ëؘü›øÏ7 øç‘ùß‚ l,¬=þOáÿ=RÍä?8þŸP$œ þBÀÖ쯌ôŒÿa´pµp71–·p62˜XÿÒ¿v[cGk [“¿jþ;H#ãó)›[YÙþ3vÖÿp™Øÿwêú—8ƒ°€œªœÍÿþ¢þ'ÿWygeû¿ÔþG'2vÆÿóðŠ  ;À‹Ž‰•@ddú{áþòá²úü*þ Äô_ggG w€Ö߶ÿfþÓüÿøþë¤óß`DlìŒÿÙ%g[ã¿ëõ? ÿ¸\ÿªúïÿÛôžÿ]tw#Ø•E;#®`ËÔŒ4çZÌœ¡qa­¾^&ð¡û’åÂ|ÿj»¿Ô_Ûúï5!ô“œŸm §öû’Ô#½Ö=É&—yx>$T¿óQ6È;ØitKÒÎÔ"½®æ¥· 4ÙUvÆu‹ß¿áOv¡¯ž¨üI\óýÑIí}Rêc¾w"7‚ Öœž‘'?=R Œ öÜ@þÞǥɎ!ãr…@ ðwÈÆåÓT)©l¤¼lˉ0æÞ»oÎ^(jÈÙOx­AñÁ'‰YŸ9ã^$ÄLòº¥YÒªžU+ÖÛãŸê²ñ¦iN^|à=_ S˜'a…´?“5tD'c{…ßðØ×O ð¹€N$ÏÒ)'²TeÓ9ÍSæÕÜÜÌô¿;ò`‚óP~G¥aþFª°£3ëÐnÎôÖ¦tÍÓ‰‹w>þaMg¹Û|™2?h£ØY5º´0< §m«¿•“è0Oƒo'r•z¶Òý´`“~œZ“§V†¡\U[MΤo8À5°±nùaV—½õ&—Éíã#z'&Xü«g&(ÑU¢Àήºœ.Z/¯‘4D˜pRïíåf%5fpt: ݈K@ÉÝ8²XÎŽÿiœ$ó§"‘ò80ã{p¦¬9H7Ê$rKø6Ô9¢»´éÀí¯oRoùÖy5Í|3VÁ=ìM“,d+G÷[’â]\ZZü.‡ GLîG~Ú \fžm"(„¤\éÐœ„†ËcÕX¬"™ZÃ5CåjstÏ[«ZªëujÒÉ~àÆýGµ±ö¬Ë]é¦pùÌ|_ª—õœ^¥Â²úî]໾­@Ko‘§_[,÷1ka´ÙoÝ‘šTô׺"Û›bzte`> :ÿ¦ÐüÈ­?š¼dOQ7ÿVK U ¸¹S=ýˆ»ü Ã^‹ Y¶>Grù‚£d„)Óâ~à|¿¥n¾`Ãc™·)áâ6‡.k¨A«!]Ýõ€=Úa ¦ë;”K–’+M̦ŽöæOloôRŒÃxcב›nÊ÷‰E·yöì¬ä2÷‹2O$2–bPoÑk#OóÐ)ä³%Õ°¹±y?‚E»@y¶žƒtù"ùë÷Q÷«}NC&ýjŸ/Ü3sÑ2?ávƒä­ë“ò $>–S²²ðNùMZ,T±‰p_š·ïI­"h|\9¢3Á†¥ßNÑÎØ›õº.æfL?ˆ’Çú«™ ΞӄŸÃ±‹&Æóý ½/6[Ékëãºv'Û°§le™ó[{6ál»Yžt–Û( å"mѦÛð?ʬJÙÛU8FØÙ•1Ò«˜¢ÿ½O)S-ylвÁ¡tU®dq7{Šgq©SÄtî£"Ñë ü_I=sO6‘v°‰X!Åó>]øÑ*饳šú‡­«‘N~PCfTØ…{ŠdÚ¤,#os?…©¬· Š ¯Uögqlö8Ä k¶Ó&'ë¼gm¿_rƒð ”û 4q&Ï¡pk€?*¸RêÈ[^¼¦»¬5ì(@.{¬…#ÔÌ´¾$Dõù,­MÈЫՈÏ @@ -6181,7 +6174,7 @@ G ­\^Élxχ¾PÙ´[äS®ãEhsŽаÂÜ]5:zÕÐSSœUÌï^F€kv»¥’ ã{'˜áÿ¸´–1¼Mwô‡êýê'‡u-ËÅ1sÜQ& ö¦X£…#!z×è‡_QËsŠÑ•ÜÕ_‚ÜS8^íÞÙLóŪUµwg$T´8ý™Gÿ¥`ïç4ß$.¢ŽüpdÞé5¸á-pÏÎH¦å’àRm…ìÝÒ€”S± Ô¢æ–[¶Ø„K'ÓÉåv;ôs'ˆdž“¯¯uè÷–WhU/RŽ¨ËöÓ¯%ØãkûŸ-ò„Ï däœ|UNò©‡Ñùƒ,Ÿj˶ÙײèËæ‚, Lyªpò9\ åk„9ð/U ow âB+Dž^ÇC…óíò–ý•H½‰½ÍYáˆR]SžÈt¦¢z—Ðݶ”ö¸2¤õ·´ä¦ƒ¡áÉÜ’ë0ëwÄæ>ëøõ€Q)ßUœÆà© ¿¹ßŽ^ƒV=öVlƤ¶š¿)ÒIî«8@+Œ"«Wã@£óíÊ Ñ.œ­’u&—lP1% "ÒïÂ¥Á%„èòñÂátÑ»‰šqȃ¡AÊäÖôè­×“\AbâäÁ´þ²±ü»ŠjkLÆRýˆ™T÷¬óéê›áp2ÙWYöj\Ýl=šqÍ?×Åzx”ICˆèïiNÊ]Ç6„/f“m!9Îqý›á‰Ô9Êbóä××Mö'âï‹4±¤¬\&Â&_ÓPØ&?Ñy©#Þ1Ô¤‘Ñg×K-ò9¬‹³8eÊâÙ‹Wëa¯,c©å„ÓÍ}¢Š'îOªw¦ñË\m#ÆWm桃à03 ´w€)Íû™ÁzÊê[Ê{‘[u¿üᥨ¢,ãq ¦f§1<Þcåεßâi.{Ý¥4z?}†ß *eÄ¿N›ùù1Éb1‰$ÁÄEçB´¥ØÍ5ÑN°…¿öxõè.Pÿ$Ž<|Gê'IÆ{𢋸ÿ´¦õ*~ #(<> endobj 603 0 obj << /Ascent 708 /CapHeight 672 /Descent -266 -/FontName /JYLMKM+URWPalladioL-Bold +/FontName /DAOVOK+URWPalladioL-Bold /ItalicAngle 0 /StemV 123 /XHeight 471 @@ -7388,7 +7381,7 @@ endobj /Count -4 >> endobj 1341 0 obj << -/Names [(Access_Control_Lists) 1153 0 R (Bv9ARM.ch01) 621 0 R (Bv9ARM.ch02) 675 0 R (Bv9ARM.ch03) 690 0 R (Bv9ARM.ch04) 743 0 R (Bv9ARM.ch05) 810 0 R (Bv9ARM.ch06) 832 0 R (Bv9ARM.ch07) 1152 0 R (Bv9ARM.ch08) 1171 0 R (Bv9ARM.ch09) 1186 0 R (Configuration_File_Grammar) 859 0 R (DNSSEC) 791 0 R (Doc-Start) 602 0 R (Setting_TTLs) 1124 0 R (access_control) 957 0 R (acl) 863 0 R (address_match_lists) 837 0 R (admin_tools) 721 0 R (appendix.A) 546 0 R (bibliography) 1207 0 R (boolean_options) 716 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 134 0 R (chapter.5) 234 0 R (chapter.6) 246 0 R (chapter.7) 502 0 R (chapter.8) 526 0 R (cite.RFC1034) 1217 0 R (cite.RFC1035) 1219 0 R (cite.RFC1101) 1275 0 R (cite.RFC1123) 1277 0 R (cite.RFC1183) 1259 0 R (cite.RFC1464) 1299 0 R (cite.RFC1535) 1251 0 R (cite.RFC1536) 1253 0 R (cite.RFC1537) 1285 0 R (cite.RFC1591) 1279 0 R (cite.RFC1706) 1261 0 R (cite.RFC1712) 1313 0 R (cite.RFC1713) 1301 0 R (cite.RFC1794) 1303 0 R (cite.RFC1876) 1263 0 R (cite.RFC1886) 1243 0 R (cite.RFC1912) 1287 0 R (cite.RFC1982) 1255 0 R (cite.RFC1995) 1224 0 R (cite.RFC1996) 1226 0 R (cite.RFC2010) 1289 0 R (cite.RFC2052) 1265 0 R (cite.RFC2065) 1245 0 R (cite.RFC2136) 1228 0 R (cite.RFC2137) 1247 0 R (cite.RFC2163) 1267 0 R (cite.RFC2168) 1269 0 R (cite.RFC2181) 1230 0 R (cite.RFC2219) 1295 0 R (cite.RFC2230) 1271 0 R (cite.RFC2240) 1305 0 R (cite.RFC2308) 1237 0 R (cite.RFC2317) 1281 0 R (cite.RFC2345) 1307 0 R (cite.RFC2352) 1309 0 R (cite.RFC2845) 1239 0 R (cite.RFC974) 1221 0 R (cite.id2490626) 1318 0 R (classes_of_resource_records) 1107 0 R (configuration_file_elements) 833 0 R (controls_statement_definition_and_usage) 731 0 R (diagnostic_tools) 663 0 R (dynamic_update) 744 0 R (dynamic_update_policies) 784 0 R (dynamic_update_security) 1062 0 R (historical_dns_information) 1193 0 R (id2465419) 622 0 R (id2465445) 623 0 R (id2467342) 692 0 R (id2467355) 693 0 R (id2467446) 698 0 R (id2467463) 699 0 R (id2467500) 627 0 R (id2467509) 628 0 R (id2467684) 643 0 R (id2467827) 645 0 R (id2468120) 646 0 R (id2468145) 647 0 R (id2468229) 650 0 R (id2468304) 657 0 R (id2468394) 660 0 R (id2468416) 661 0 R (id2468435) 662 0 R (id2468464) 668 0 R (id2468496) 669 0 R (id2468521) 670 0 R (id2468553) 676 0 R (id2468578) 677 0 R (id2468588) 678 0 R (id2468602) 679 0 R (id2468611) 685 0 R (id2469406) 710 0 R (id2469480) 711 0 R (id2472260) 736 0 R (id2472272) 737 0 R (id2472636) 753 0 R (id2473131) 770 0 R (id2473147) 771 0 R (id2473181) 772 0 R (id2473197) 773 0 R (id2473206) 779 0 R (id2473245) 780 0 R (id2473298) 781 0 R (id2473410) 783 0 R (id2473424) 789 0 R (id2473541) 790 0 R (id2473594) 796 0 R (id2473662) 797 0 R (id2473701) 798 0 R (id2473811) 803 0 R (id2473933) 804 0 R (id2473958) 805 0 R (id2474082) 809 0 R (id2474096) 816 0 R (id2474128) 821 0 R (id2474266) 834 0 R (id2474888) 842 0 R (id2474915) 843 0 R (id2475002) 848 0 R (id2475154) 849 0 R (id2475182) 850 0 R (id2475258) 860 0 R (id2475577) 862 0 R (id2475619) 868 0 R (id2475756) 870 0 R (id2476012) 879 0 R (id2476027) 880 0 R (id2476050) 881 0 R (id2476071) 882 0 R (id2476134) 885 0 R (id2476396) 890 0 R (id2476449) 891 0 R (id2477209) 906 0 R (id2477622) 908 0 R (id2477694) 913 0 R (id2477757) 915 0 R (id2478544) 926 0 R (id2479636) 955 0 R (id2479878) 967 0 R (id2479962) 968 0 R (id2480570) 980 0 R (id2480740) 986 0 R (id2480809) 987 0 R (id2481079) 1006 0 R (id2481740) 1018 0 R (id2482172) 1025 0 R (id2482289) 1026 0 R (id2482312) 1032 0 R (id2482360) 1033 0 R (id2483543) 1047 0 R (id2483549) 1048 0 R (id2483554) 1049 0 R (id2483924) 1055 0 R (id2483955) 1056 0 R (id2484594) 1083 0 R (id2484852) 1089 0 R (id2484870) 1090 0 R (id2484891) 1093 0 R (id2485031) 1095 0 R (id2485670) 1102 0 R (id2485753) 1105 0 R (id2486019) 1112 0 R (id2486040) 1113 0 R (id2486261) 1115 0 R (id2486376) 1117 0 R (id2486394) 1122 0 R (id2486836) 1125 0 R (id2486941) 1127 0 R (id2486955) 1128 0 R (id2487047) 1134 0 R (id2487066) 1135 0 R (id2487122) 1139 0 R (id2487185) 1140 0 R (id2487216) 1145 0 R (id2487268) 1146 0 R (id2487602) 1164 0 R (id2487677) 1165 0 R (id2487803) 1166 0 R (id2487874) 1172 0 R (id2487879) 1173 0 R (id2487891) 1174 0 R (id2487908) 1175 0 R (id2488038) 1187 0 R (id2488043) 1188 0 R (id2488280) 1194 0 R (id2488296) 1195 0 R (id2488311) 1196 0 R (id2488349) 1197 0 R (id2488661) 1199 0 R (id2488887) 1201 0 R (id2489171) 1213 0 R (id2489173) 1215 0 R (id2489181) 1220 0 R (id2489205) 1216 0 R (id2489228) 1218 0 R (id2489266) 1229 0 R (id2489291) 1236 0 R (id2489317) 1223 0 R (id2489341) 1225 0 R (id2489365) 1227 0 R (id2489420) 1238 0 R (id2489481) 1241 0 R (id2489496) 1242 0 R (id2489534) 1244 0 R (id2489574) 1246 0 R (id2489602) 1249 0 R (id2489610) 1250 0 R (id2489636) 1252 0 R (id2489703) 1254 0 R (id2489739) 1257 0 R (id2489745) 1258 0 R (id2489802) 1260 0 R (id2489840) 1268 0 R (id2489875) 1262 0 R (id2489929) 1264 0 R (id2489969) 1266 0 R (id2489995) 1270 0 R (id2490022) 1273 0 R (id2490029) 1274 0 R (id2490055) 1276 0 R (id2490078) 1278 0 R (id2490168) 1280 0 R (id2490215) 1283 0 R (id2490222) 1284 0 R (id2490248) 1286 0 R (id2490275) 1288 0 R (id2490311) 1294 0 R (id2490350) 1297 0 R (id2490371) 1298 0 R (id2490393) 1300 0 R (id2490418) 1302 0 R (id2490442) 1304 0 R (id2490465) 1306 0 R (id2490510) 1308 0 R (id2490535) 1311 0 R (id2490541) 1312 0 R (id2490614) 1315 0 R (id2490624) 1317 0 R (id2490626) 1319 0 R (incremental_zone_transfers) 750 0 R (internet_drafts) 1314 0 R (ipv6addresses) 811 0 R (journal) 745 0 R (lwresd) 822 0 R (notify) 702 0 R (page.1) 601 0 R (page.10) 697 0 R (page.11) 707 0 R (page.12) 720 0 R (page.13) 728 0 R (page.14) 735 0 R (page.15) 742 0 R (page.16) 749 0 R (page.17) 758 0 R (page.18) 763 0 R (page.19) 767 0 R (page.2) 613 0 R (page.20) 778 0 R (page.21) 788 0 R (page.22) 795 0 R (page.23) 802 0 R (page.24) 815 0 R (page.25) 820 0 R (page.26) 827 0 R (page.27) 831 0 R (page.28) 841 0 R (page.29) 847 0 R (page.3) 620 0 R (page.30) 855 0 R (page.31) 867 0 R (page.32) 878 0 R (page.33) 889 0 R (page.34) 895 0 R (page.35) 899 0 R (page.36) 905 0 R (page.37) 912 0 R (page.38) 920 0 R (page.39) 925 0 R (page.4) 639 0 R (page.40) 933 0 R (page.41) 939 0 R (page.42) 944 0 R (page.43) 954 0 R (page.44) 966 0 R (page.45) 975 0 R (page.46) 979 0 R (page.47) 984 0 R (page.48) 991 0 R (page.49) 998 0 R (page.5) 656 0 R (page.50) 1005 0 R (page.51) 1011 0 R (page.52) 1017 0 R (page.53) 1024 0 R (page.54) 1031 0 R (page.55) 1037 0 R (page.56) 1042 0 R (page.57) 1046 0 R (page.58) 1054 0 R (page.59) 1066 0 R (page.6) 667 0 R (page.60) 1076 0 R (page.61) 1088 0 R (page.62) 1101 0 R (page.63) 1111 0 R (page.64) 1121 0 R (page.65) 1133 0 R (page.66) 1144 0 R (page.67) 1151 0 R (page.68) 1160 0 R (page.69) 1170 0 R (page.7) 674 0 R (page.70) 1181 0 R (page.71) 1185 0 R (page.72) 1192 0 R (page.73) 1206 0 R (page.74) 1235 0 R (page.75) 1293 0 R (page.8) 684 0 R (page.9) 689 0 R (proposed_standards) 754 0 R (rfcs) 652 0 R (rndc) 874 0 R (rrset_ordering) 703 0 R (sample_configuration) 691 0 R (section*.1) 1212 0 R (section*.10) 1310 0 R (section*.11) 1316 0 R (section*.2) 1214 0 R (section*.3) 1222 0 R (section*.4) 1240 0 R (section*.5) 1248 0 R (section*.6) 1256 0 R (section*.7) 1272 0 R (section*.8) 1282 0 R (section*.9) 1296 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.3.4) 114 0 R (section.4.1) 138 0 R (section.4.2) 146 0 R (section.4.3) 150 0 R (section.4.4) 154 0 R (section.4.5) 190 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 222 0 R (section.5.1) 238 0 R (section.5.2) 242 0 R (section.6.1) 250 0 R (section.6.2) 278 0 R (section.6.3) 454 0 R (section.7.1) 506 0 R (section.7.2) 510 0 R (section.7.3) 522 0 R (section.8.1) 530 0 R (section.8.2) 538 0 R (section.8.3) 542 0 R (section.A.1) 550 0 R (section.A.2) 558 0 R (section.A.3) 574 0 R (section.A.4) 582 0 R (server_statement_definition_and_usage) 950 0 R (server_statement_grammar) 1020 0 R (statsfile) 935 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.4.1) 118 0 R (subsection.3.4.2) 130 0 R (subsection.4.1.1) 142 0 R (subsection.4.4.1) 158 0 R (subsection.4.4.2) 170 0 R (subsection.4.4.3) 174 0 R (subsection.4.4.4) 178 0 R (subsection.4.4.5) 182 0 R (subsection.4.4.6) 186 0 R (subsection.4.7.1) 202 0 R (subsection.4.7.2) 206 0 R (subsection.4.7.3) 210 0 R (subsection.4.7.4) 214 0 R (subsection.4.7.5) 218 0 R (subsection.4.8.1) 226 0 R (subsection.4.8.2) 230 0 R (subsection.6.1.1) 254 0 R (subsection.6.1.2) 266 0 R (subsection.6.2.1) 282 0 R (subsection.6.2.10) 318 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 406 0 R (subsection.6.2.16) 410 0 R (subsection.6.2.17) 414 0 R (subsection.6.2.18) 418 0 R (subsection.6.2.19) 422 0 R (subsection.6.2.2) 286 0 R (subsection.6.2.20) 426 0 R (subsection.6.2.21) 430 0 R (subsection.6.2.22) 434 0 R (subsection.6.2.3) 290 0 R (subsection.6.2.4) 294 0 R (subsection.6.2.5) 298 0 R (subsection.6.2.6) 302 0 R (subsection.6.2.7) 306 0 R (subsection.6.2.8) 310 0 R (subsection.6.2.9) 314 0 R (subsection.6.3.1) 458 0 R (subsection.6.3.2) 470 0 R (subsection.6.3.3) 474 0 R (subsection.6.3.4) 478 0 R (subsection.6.3.5) 482 0 R (subsection.6.3.6) 498 0 R (subsection.7.2.1) 514 0 R (subsection.7.2.2) 518 0 R (subsection.8.1.1) 534 0 R (subsection.A.1.1) 554 0 R (subsection.A.2.1) 562 0 R (subsection.A.3.1) 578 0 R (subsection.A.4.1) 586 0 R (subsection.A.4.2) 590 0 R (subsection.A.4.3) 594 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.4.1.1) 122 0 R (subsubsection.3.4.1.2) 126 0 R (subsubsection.4.4.1.1) 162 0 R (subsubsection.4.4.1.2) 166 0 R (subsubsection.6.1.1.1) 258 0 R (subsubsection.6.1.1.2) 262 0 R (subsubsection.6.1.2.1) 270 0 R (subsubsection.6.1.2.2) 274 0 R (subsubsection.6.2.10.1) 322 0 R (subsubsection.6.2.10.2) 326 0 R (subsubsection.6.2.14.1) 346 0 R (subsubsection.6.2.14.10) 382 0 R (subsubsection.6.2.14.11) 386 0 R (subsubsection.6.2.14.12) 390 0 R (subsubsection.6.2.14.13) 394 0 R (subsubsection.6.2.14.14) 398 0 R (subsubsection.6.2.14.15) 402 0 R (subsubsection.6.2.14.2) 350 0 R (subsubsection.6.2.14.3) 354 0 R (subsubsection.6.2.14.4) 358 0 R (subsubsection.6.2.14.5) 362 0 R (subsubsection.6.2.14.6) 366 0 R (subsubsection.6.2.14.7) 370 0 R (subsubsection.6.2.14.8) 374 0 R (subsubsection.6.2.14.9) 378 0 R (subsubsection.6.2.22.1) 438 0 R (subsubsection.6.2.22.2) 442 0 R (subsubsection.6.2.22.3) 446 0 R (subsubsection.6.2.22.4) 450 0 R (subsubsection.6.3.1.1) 462 0 R (subsubsection.6.3.1.2) 466 0 R (subsubsection.6.3.5.1) 486 0 R (subsubsection.6.3.5.2) 490 0 R (subsubsection.6.3.5.3) 494 0 R (subsubsection.A.2.1.1) 566 0 R (subsubsection.A.2.1.2) 570 0 R (synthesis) 962 0 R (table.1.1) 629 0 R (table.1.2) 644 0 R (table.3.1) 700 0 R (table.3.2) 738 0 R (table.6.1) 835 0 R (table.6.10) 1096 0 R (table.6.11) 1103 0 R (table.6.12) 1106 0 R (table.6.13) 1114 0 R (table.6.14) 1116 0 R (table.6.15) 1123 0 R (table.6.16) 1126 0 R (table.6.17) 1129 0 R (table.6.18) 1147 0 R (table.6.2) 861 0 R (table.6.3) 869 0 R (table.6.4) 907 0 R (table.6.5) 1007 0 R (table.6.6) 1019 0 R (table.6.7) 1050 0 R (table.6.8) 1084 0 R (table.6.9) 1094 0 R (table.A.1) 1198 0 R (table.A.2) 1200 0 R (table.A.3) 1202 0 R (the_category_phrase) 901 0 R (the_sortlist_statement) 993 0 R (topology) 992 0 R (tsig) 768 0 R (tuning) 1012 0 R (types_of_resource_records_and_when_to_use_them) 651 0 R (zone_statement_grammar) 961 0 R (zone_transfers) 715 0 R] +/Names [(Access_Control_Lists) 1153 0 R (Bv9ARM.ch01) 621 0 R (Bv9ARM.ch02) 675 0 R (Bv9ARM.ch03) 690 0 R (Bv9ARM.ch04) 743 0 R (Bv9ARM.ch05) 810 0 R (Bv9ARM.ch06) 832 0 R (Bv9ARM.ch07) 1152 0 R (Bv9ARM.ch08) 1171 0 R (Bv9ARM.ch09) 1186 0 R (Configuration_File_Grammar) 859 0 R (DNSSEC) 791 0 R (Doc-Start) 602 0 R (Setting_TTLs) 1124 0 R (access_control) 957 0 R (acl) 863 0 R (address_match_lists) 837 0 R (admin_tools) 721 0 R (appendix.A) 546 0 R (bibliography) 1207 0 R (boolean_options) 716 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 134 0 R (chapter.5) 234 0 R (chapter.6) 246 0 R (chapter.7) 502 0 R (chapter.8) 526 0 R (cite.RFC1034) 1217 0 R (cite.RFC1035) 1219 0 R (cite.RFC1101) 1275 0 R (cite.RFC1123) 1277 0 R (cite.RFC1183) 1259 0 R (cite.RFC1464) 1299 0 R (cite.RFC1535) 1251 0 R (cite.RFC1536) 1253 0 R (cite.RFC1537) 1285 0 R (cite.RFC1591) 1279 0 R (cite.RFC1706) 1261 0 R (cite.RFC1712) 1313 0 R (cite.RFC1713) 1301 0 R (cite.RFC1794) 1303 0 R (cite.RFC1876) 1263 0 R (cite.RFC1886) 1243 0 R (cite.RFC1912) 1287 0 R (cite.RFC1982) 1255 0 R (cite.RFC1995) 1224 0 R (cite.RFC1996) 1226 0 R (cite.RFC2010) 1289 0 R (cite.RFC2052) 1265 0 R (cite.RFC2065) 1245 0 R (cite.RFC2136) 1228 0 R (cite.RFC2137) 1247 0 R (cite.RFC2163) 1267 0 R (cite.RFC2168) 1269 0 R (cite.RFC2181) 1230 0 R (cite.RFC2219) 1295 0 R (cite.RFC2230) 1271 0 R (cite.RFC2240) 1305 0 R (cite.RFC2308) 1237 0 R (cite.RFC2317) 1281 0 R (cite.RFC2345) 1307 0 R (cite.RFC2352) 1309 0 R (cite.RFC2845) 1239 0 R (cite.RFC974) 1221 0 R (cite.id2490480) 1318 0 R (classes_of_resource_records) 1107 0 R (configuration_file_elements) 833 0 R (controls_statement_definition_and_usage) 731 0 R (diagnostic_tools) 663 0 R (dynamic_update) 744 0 R (dynamic_update_policies) 784 0 R (dynamic_update_security) 1062 0 R (historical_dns_information) 1193 0 R (id2465147) 622 0 R (id2465173) 623 0 R (id2466396) 627 0 R (id2466405) 628 0 R (id2467058) 692 0 R (id2467070) 693 0 R (id2467093) 698 0 R (id2467110) 699 0 R (id2467399) 643 0 R (id2467542) 645 0 R (id2467562) 646 0 R (id2467860) 647 0 R (id2467944) 650 0 R (id2468019) 657 0 R (id2468041) 660 0 R (id2468062) 661 0 R (id2468082) 662 0 R (id2468110) 668 0 R (id2468211) 669 0 R (id2468236) 670 0 R (id2468337) 676 0 R (id2468361) 677 0 R (id2468372) 678 0 R (id2468454) 679 0 R (id2468462) 685 0 R (id2469122) 710 0 R (id2469127) 711 0 R (id2472043) 736 0 R (id2472055) 737 0 R (id2472420) 753 0 R (id2472915) 770 0 R (id2472931) 771 0 R (id2472965) 772 0 R (id2472981) 773 0 R (id2472989) 779 0 R (id2473029) 780 0 R (id2473081) 781 0 R (id2473125) 783 0 R (id2473139) 789 0 R (id2473256) 790 0 R (id2473309) 796 0 R (id2473378) 797 0 R (id2473416) 798 0 R (id2473594) 803 0 R (id2473717) 804 0 R (id2473741) 805 0 R (id2473865) 809 0 R (id2473879) 816 0 R (id2473911) 821 0 R (id2474118) 834 0 R (id2474672) 842 0 R (id2474698) 843 0 R (id2474786) 848 0 R (id2474801) 849 0 R (id2474829) 850 0 R (id2474973) 860 0 R (id2475292) 862 0 R (id2475334) 868 0 R (id2475472) 870 0 R (id2475728) 879 0 R (id2475742) 880 0 R (id2475833) 881 0 R (id2475854) 882 0 R (id2475917) 885 0 R (id2476112) 890 0 R (id2476164) 891 0 R (id2476994) 906 0 R (id2477406) 908 0 R (id2477479) 913 0 R (id2477610) 915 0 R (id2478328) 926 0 R (id2479352) 955 0 R (id2479731) 967 0 R (id2479815) 968 0 R (id2480286) 980 0 R (id2480456) 986 0 R (id2480525) 987 0 R (id2480864) 1006 0 R (id2481457) 1018 0 R (id2481957) 1025 0 R (id2482005) 1026 0 R (id2482028) 1032 0 R (id2482145) 1033 0 R (id2483328) 1047 0 R (id2483334) 1048 0 R (id2483338) 1049 0 R (id2483708) 1055 0 R (id2483739) 1056 0 R (id2484446) 1083 0 R (id2484636) 1089 0 R (id2484654) 1090 0 R (id2484676) 1093 0 R (id2484816) 1095 0 R (id2485454) 1102 0 R (id2485538) 1105 0 R (id2485735) 1112 0 R (id2485756) 1113 0 R (id2485977) 1115 0 R (id2486092) 1117 0 R (id2486110) 1122 0 R (id2486620) 1125 0 R (id2486726) 1127 0 R (id2486740) 1128 0 R (id2486832) 1134 0 R (id2486851) 1135 0 R (id2486906) 1139 0 R (id2486969) 1140 0 R (id2487000) 1145 0 R (id2487052) 1146 0 R (id2487387) 1164 0 R (id2487463) 1165 0 R (id2487657) 1166 0 R (id2487728) 1172 0 R (id2487733) 1173 0 R (id2487745) 1174 0 R (id2487762) 1175 0 R (id2487824) 1187 0 R (id2487829) 1188 0 R (id2488066) 1194 0 R (id2488082) 1195 0 R (id2488097) 1196 0 R (id2488135) 1197 0 R (id2488446) 1199 0 R (id2488673) 1201 0 R (id2488956) 1213 0 R (id2488958) 1215 0 R (id2488967) 1220 0 R (id2488990) 1216 0 R (id2489014) 1218 0 R (id2489051) 1229 0 R (id2489077) 1236 0 R (id2489102) 1223 0 R (id2489127) 1225 0 R (id2489150) 1227 0 R (id2489206) 1238 0 R (id2489267) 1241 0 R (id2489282) 1242 0 R (id2489320) 1244 0 R (id2489360) 1246 0 R (id2489387) 1249 0 R (id2489396) 1250 0 R (id2489421) 1252 0 R (id2489489) 1254 0 R (id2489525) 1257 0 R (id2489530) 1258 0 R (id2489588) 1260 0 R (id2489625) 1268 0 R (id2489660) 1262 0 R (id2489715) 1264 0 R (id2489754) 1266 0 R (id2489781) 1270 0 R (id2489808) 1273 0 R (id2489815) 1274 0 R (id2489841) 1276 0 R (id2489864) 1278 0 R (id2489885) 1280 0 R (id2490001) 1283 0 R (id2490008) 1284 0 R (id2490034) 1286 0 R (id2490060) 1288 0 R (id2490097) 1294 0 R (id2490136) 1297 0 R (id2490156) 1298 0 R (id2490247) 1300 0 R (id2490272) 1302 0 R (id2490296) 1304 0 R (id2490318) 1306 0 R (id2490364) 1308 0 R (id2490389) 1311 0 R (id2490395) 1312 0 R (id2490468) 1315 0 R (id2490477) 1317 0 R (id2490480) 1319 0 R (incremental_zone_transfers) 750 0 R (internet_drafts) 1314 0 R (ipv6addresses) 811 0 R (journal) 745 0 R (lwresd) 822 0 R (notify) 702 0 R (page.1) 601 0 R (page.10) 697 0 R (page.11) 707 0 R (page.12) 720 0 R (page.13) 728 0 R (page.14) 735 0 R (page.15) 742 0 R (page.16) 749 0 R (page.17) 758 0 R (page.18) 763 0 R (page.19) 767 0 R (page.2) 613 0 R (page.20) 778 0 R (page.21) 788 0 R (page.22) 795 0 R (page.23) 802 0 R (page.24) 815 0 R (page.25) 820 0 R (page.26) 827 0 R (page.27) 831 0 R (page.28) 841 0 R (page.29) 847 0 R (page.3) 620 0 R (page.30) 855 0 R (page.31) 867 0 R (page.32) 878 0 R (page.33) 889 0 R (page.34) 895 0 R (page.35) 899 0 R (page.36) 905 0 R (page.37) 912 0 R (page.38) 920 0 R (page.39) 925 0 R (page.4) 639 0 R (page.40) 933 0 R (page.41) 939 0 R (page.42) 944 0 R (page.43) 954 0 R (page.44) 966 0 R (page.45) 975 0 R (page.46) 979 0 R (page.47) 984 0 R (page.48) 991 0 R (page.49) 998 0 R (page.5) 656 0 R (page.50) 1005 0 R (page.51) 1011 0 R (page.52) 1017 0 R (page.53) 1024 0 R (page.54) 1031 0 R (page.55) 1037 0 R (page.56) 1042 0 R (page.57) 1046 0 R (page.58) 1054 0 R (page.59) 1066 0 R (page.6) 667 0 R (page.60) 1076 0 R (page.61) 1088 0 R (page.62) 1101 0 R (page.63) 1111 0 R (page.64) 1121 0 R (page.65) 1133 0 R (page.66) 1144 0 R (page.67) 1151 0 R (page.68) 1160 0 R (page.69) 1170 0 R (page.7) 674 0 R (page.70) 1181 0 R (page.71) 1185 0 R (page.72) 1192 0 R (page.73) 1206 0 R (page.74) 1235 0 R (page.75) 1293 0 R (page.8) 684 0 R (page.9) 689 0 R (proposed_standards) 754 0 R (rfcs) 652 0 R (rndc) 874 0 R (rrset_ordering) 703 0 R (sample_configuration) 691 0 R (section*.1) 1212 0 R (section*.10) 1310 0 R (section*.11) 1316 0 R (section*.2) 1214 0 R (section*.3) 1222 0 R (section*.4) 1240 0 R (section*.5) 1248 0 R (section*.6) 1256 0 R (section*.7) 1272 0 R (section*.8) 1282 0 R (section*.9) 1296 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.3.4) 114 0 R (section.4.1) 138 0 R (section.4.2) 146 0 R (section.4.3) 150 0 R (section.4.4) 154 0 R (section.4.5) 190 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 222 0 R (section.5.1) 238 0 R (section.5.2) 242 0 R (section.6.1) 250 0 R (section.6.2) 278 0 R (section.6.3) 454 0 R (section.7.1) 506 0 R (section.7.2) 510 0 R (section.7.3) 522 0 R (section.8.1) 530 0 R (section.8.2) 538 0 R (section.8.3) 542 0 R (section.A.1) 550 0 R (section.A.2) 558 0 R (section.A.3) 574 0 R (section.A.4) 582 0 R (server_statement_definition_and_usage) 950 0 R (server_statement_grammar) 1020 0 R (statsfile) 935 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.4.1) 118 0 R (subsection.3.4.2) 130 0 R (subsection.4.1.1) 142 0 R (subsection.4.4.1) 158 0 R (subsection.4.4.2) 170 0 R (subsection.4.4.3) 174 0 R (subsection.4.4.4) 178 0 R (subsection.4.4.5) 182 0 R (subsection.4.4.6) 186 0 R (subsection.4.7.1) 202 0 R (subsection.4.7.2) 206 0 R (subsection.4.7.3) 210 0 R (subsection.4.7.4) 214 0 R (subsection.4.7.5) 218 0 R (subsection.4.8.1) 226 0 R (subsection.4.8.2) 230 0 R (subsection.6.1.1) 254 0 R (subsection.6.1.2) 266 0 R (subsection.6.2.1) 282 0 R (subsection.6.2.10) 318 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 406 0 R (subsection.6.2.16) 410 0 R (subsection.6.2.17) 414 0 R (subsection.6.2.18) 418 0 R (subsection.6.2.19) 422 0 R (subsection.6.2.2) 286 0 R (subsection.6.2.20) 426 0 R (subsection.6.2.21) 430 0 R (subsection.6.2.22) 434 0 R (subsection.6.2.3) 290 0 R (subsection.6.2.4) 294 0 R (subsection.6.2.5) 298 0 R (subsection.6.2.6) 302 0 R (subsection.6.2.7) 306 0 R (subsection.6.2.8) 310 0 R (subsection.6.2.9) 314 0 R (subsection.6.3.1) 458 0 R (subsection.6.3.2) 470 0 R (subsection.6.3.3) 474 0 R (subsection.6.3.4) 478 0 R (subsection.6.3.5) 482 0 R (subsection.6.3.6) 498 0 R (subsection.7.2.1) 514 0 R (subsection.7.2.2) 518 0 R (subsection.8.1.1) 534 0 R (subsection.A.1.1) 554 0 R (subsection.A.2.1) 562 0 R (subsection.A.3.1) 578 0 R (subsection.A.4.1) 586 0 R (subsection.A.4.2) 590 0 R (subsection.A.4.3) 594 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.4.1.1) 122 0 R (subsubsection.3.4.1.2) 126 0 R (subsubsection.4.4.1.1) 162 0 R (subsubsection.4.4.1.2) 166 0 R (subsubsection.6.1.1.1) 258 0 R (subsubsection.6.1.1.2) 262 0 R (subsubsection.6.1.2.1) 270 0 R (subsubsection.6.1.2.2) 274 0 R (subsubsection.6.2.10.1) 322 0 R (subsubsection.6.2.10.2) 326 0 R (subsubsection.6.2.14.1) 346 0 R (subsubsection.6.2.14.10) 382 0 R (subsubsection.6.2.14.11) 386 0 R (subsubsection.6.2.14.12) 390 0 R (subsubsection.6.2.14.13) 394 0 R (subsubsection.6.2.14.14) 398 0 R (subsubsection.6.2.14.15) 402 0 R (subsubsection.6.2.14.2) 350 0 R (subsubsection.6.2.14.3) 354 0 R (subsubsection.6.2.14.4) 358 0 R (subsubsection.6.2.14.5) 362 0 R (subsubsection.6.2.14.6) 366 0 R (subsubsection.6.2.14.7) 370 0 R (subsubsection.6.2.14.8) 374 0 R (subsubsection.6.2.14.9) 378 0 R (subsubsection.6.2.22.1) 438 0 R (subsubsection.6.2.22.2) 442 0 R (subsubsection.6.2.22.3) 446 0 R (subsubsection.6.2.22.4) 450 0 R (subsubsection.6.3.1.1) 462 0 R (subsubsection.6.3.1.2) 466 0 R (subsubsection.6.3.5.1) 486 0 R (subsubsection.6.3.5.2) 490 0 R (subsubsection.6.3.5.3) 494 0 R (subsubsection.A.2.1.1) 566 0 R (subsubsection.A.2.1.2) 570 0 R (synthesis) 962 0 R (table.1.1) 629 0 R (table.1.2) 644 0 R (table.3.1) 700 0 R (table.3.2) 738 0 R (table.6.1) 835 0 R (table.6.10) 1096 0 R (table.6.11) 1103 0 R (table.6.12) 1106 0 R (table.6.13) 1114 0 R (table.6.14) 1116 0 R (table.6.15) 1123 0 R (table.6.16) 1126 0 R (table.6.17) 1129 0 R (table.6.18) 1147 0 R (table.6.2) 861 0 R (table.6.3) 869 0 R (table.6.4) 907 0 R (table.6.5) 1007 0 R (table.6.6) 1019 0 R (table.6.7) 1050 0 R (table.6.8) 1084 0 R (table.6.9) 1094 0 R (table.A.1) 1198 0 R (table.A.2) 1200 0 R (table.A.3) 1202 0 R (the_category_phrase) 901 0 R (the_sortlist_statement) 993 0 R (topology) 992 0 R (tsig) 768 0 R (tuning) 1012 0 R (types_of_resource_records_and_when_to_use_them) 651 0 R (zone_statement_grammar) 961 0 R (zone_transfers) 715 0 R] /Limits [(Access_Control_Lists) (zone_transfers)] >> endobj 1342 0 obj << @@ -7407,7 +7400,7 @@ endobj >> endobj 1345 0 obj << /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords() -/CreationDate (D:20060525180648+10'00') +/CreationDate (D:20060727150631+10'00') /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4) >> endobj xref @@ -7418,878 +7411,878 @@ xref 0000000004 00000 f 0000000000 00000 f 0000000009 00000 n -0000019003 00000 n -0000470190 00000 n +0000019000 00000 n +0000470220 00000 n 0000000054 00000 n 0000000086 00000 n -0000019127 00000 n -0000470118 00000 n +0000019124 00000 n +0000470148 00000 n 0000000133 00000 n 0000000173 00000 n -0000019252 00000 n -0000470032 00000 n +0000019249 00000 n +0000470062 00000 n 0000000221 00000 n 0000000273 00000 n -0000019377 00000 n -0000469946 00000 n +0000019374 00000 n +0000469976 00000 n 0000000321 00000 n 0000000377 00000 n -0000023747 00000 n -0000469836 00000 n +0000023744 00000 n +0000469866 00000 n 0000000425 00000 n 0000000478 00000 n -0000023871 00000 n -0000469762 00000 n +0000023868 00000 n +0000469792 00000 n 0000000531 00000 n 0000000572 00000 n -0000023996 00000 n -0000469675 00000 n +0000023993 00000 n +0000469705 00000 n 0000000625 00000 n 0000000674 00000 n -0000024121 00000 n -0000469588 00000 n +0000024118 00000 n +0000469618 00000 n 0000000727 00000 n 0000000757 00000 n -0000028269 00000 n -0000469464 00000 n +0000028266 00000 n +0000469494 00000 n 0000000810 00000 n 0000000861 00000 n -0000028394 00000 n -0000469390 00000 n +0000028391 00000 n +0000469420 00000 n 0000000919 00000 n 0000000964 00000 n -0000028519 00000 n -0000469303 00000 n +0000028516 00000 n +0000469333 00000 n 0000001022 00000 n 0000001062 00000 n -0000028644 00000 n -0000469229 00000 n +0000028641 00000 n +0000469259 00000 n 0000001120 00000 n 0000001162 00000 n -0000031553 00000 n -0000469105 00000 n +0000031554 00000 n +0000469135 00000 n 0000001215 00000 n 0000001260 00000 n -0000031678 00000 n -0000469044 00000 n +0000031679 00000 n +0000469074 00000 n 0000001318 00000 n 0000001355 00000 n -0000031803 00000 n -0000468970 00000 n +0000031804 00000 n +0000469000 00000 n 0000001408 00000 n 0000001463 00000 n -0000034243 00000 n -0000468845 00000 n +0000034244 00000 n +0000468875 00000 n 0000001509 00000 n 0000001556 00000 n -0000034368 00000 n -0000468771 00000 n +0000034369 00000 n +0000468801 00000 n 0000001604 00000 n 0000001648 00000 n -0000034493 00000 n -0000468684 00000 n +0000034494 00000 n +0000468714 00000 n 0000001696 00000 n 0000001735 00000 n -0000034618 00000 n -0000468597 00000 n +0000034619 00000 n +0000468627 00000 n 0000001783 00000 n 0000001825 00000 n -0000034743 00000 n -0000468510 00000 n +0000034744 00000 n +0000468540 00000 n 0000001873 00000 n 0000001935 00000 n -0000036063 00000 n -0000468436 00000 n +0000036064 00000 n +0000468466 00000 n 0000001983 00000 n 0000002033 00000 n -0000037704 00000 n -0000468308 00000 n +0000037705 00000 n +0000468338 00000 n 0000002079 00000 n 0000002124 00000 n -0000037828 00000 n -0000468195 00000 n +0000037829 00000 n +0000468225 00000 n 0000002172 00000 n 0000002216 00000 n -0000037953 00000 n -0000468119 00000 n +0000037954 00000 n +0000468149 00000 n 0000002269 00000 n 0000002320 00000 n -0000038078 00000 n -0000468042 00000 n +0000038079 00000 n +0000468072 00000 n 0000002374 00000 n 0000002432 00000 n -0000040776 00000 n -0000467951 00000 n +0000040777 00000 n +0000467981 00000 n 0000002481 00000 n 0000002519 00000 n -0000041028 00000 n -0000467859 00000 n +0000041029 00000 n +0000467889 00000 n 0000002568 00000 n 0000002598 00000 n -0000044648 00000 n -0000467742 00000 n +0000044649 00000 n +0000467772 00000 n 0000002647 00000 n 0000002692 00000 n -0000044774 00000 n -0000467624 00000 n +0000044775 00000 n +0000467654 00000 n 0000002746 00000 n 0000002812 00000 n -0000044900 00000 n -0000467545 00000 n +0000044901 00000 n +0000467575 00000 n 0000002871 00000 n 0000002915 00000 n -0000048013 00000 n -0000467466 00000 n +0000048014 00000 n +0000467496 00000 n 0000002974 00000 n 0000003022 00000 n -0000053795 00000 n -0000467387 00000 n +0000053799 00000 n +0000467417 00000 n 0000003076 00000 n 0000003109 00000 n -0000056621 00000 n -0000467255 00000 n +0000056633 00000 n +0000467285 00000 n 0000003156 00000 n 0000003195 00000 n -0000056747 00000 n -0000467137 00000 n +0000056759 00000 n +0000467167 00000 n 0000003244 00000 n 0000003282 00000 n -0000056873 00000 n -0000467072 00000 n +0000056885 00000 n +0000467102 00000 n 0000003336 00000 n 0000003378 00000 n -0000061190 00000 n -0000466979 00000 n +0000061202 00000 n +0000467009 00000 n 0000003427 00000 n 0000003486 00000 n -0000061316 00000 n -0000466886 00000 n +0000061328 00000 n +0000466916 00000 n 0000003535 00000 n 0000003568 00000 n -0000068045 00000 n -0000466754 00000 n +0000068056 00000 n +0000466784 00000 n 0000003617 00000 n 0000003645 00000 n -0000068171 00000 n -0000466636 00000 n +0000068182 00000 n +0000466666 00000 n 0000003699 00000 n 0000003768 00000 n -0000068297 00000 n -0000466557 00000 n +0000068308 00000 n +0000466587 00000 n 0000003827 00000 n 0000003875 00000 n -0000068423 00000 n -0000466478 00000 n +0000068434 00000 n +0000466508 00000 n 0000003934 00000 n 0000003979 00000 n -0000068549 00000 n -0000466385 00000 n +0000068560 00000 n +0000466415 00000 n 0000004033 00000 n 0000004101 00000 n -0000071653 00000 n -0000466292 00000 n +0000071664 00000 n +0000466322 00000 n 0000004155 00000 n 0000004225 00000 n -0000071779 00000 n -0000466199 00000 n +0000071790 00000 n +0000466229 00000 n 0000004279 00000 n 0000004342 00000 n -0000071905 00000 n -0000466106 00000 n +0000071916 00000 n +0000466136 00000 n 0000004396 00000 n 0000004451 00000 n -0000072030 00000 n -0000466027 00000 n +0000072041 00000 n +0000466057 00000 n 0000004505 00000 n 0000004537 00000 n -0000075659 00000 n -0000465934 00000 n +0000075674 00000 n +0000465964 00000 n 0000004586 00000 n 0000004614 00000 n -0000075785 00000 n -0000465841 00000 n +0000075800 00000 n +0000465871 00000 n 0000004663 00000 n 0000004695 00000 n -0000075911 00000 n -0000465709 00000 n +0000075926 00000 n +0000465739 00000 n 0000004744 00000 n 0000004774 00000 n -0000079132 00000 n -0000465630 00000 n +0000079148 00000 n +0000465660 00000 n 0000004828 00000 n 0000004869 00000 n -0000079258 00000 n -0000465537 00000 n +0000079274 00000 n +0000465567 00000 n 0000004923 00000 n 0000004966 00000 n -0000079383 00000 n -0000465444 00000 n +0000079399 00000 n +0000465474 00000 n 0000005020 00000 n 0000005072 00000 n -0000083007 00000 n -0000465351 00000 n +0000083023 00000 n +0000465381 00000 n 0000005126 00000 n 0000005168 00000 n -0000083133 00000 n -0000465272 00000 n +0000083149 00000 n +0000465302 00000 n 0000005222 00000 n 0000005267 00000 n -0000083258 00000 n -0000465154 00000 n +0000083274 00000 n +0000465184 00000 n 0000005316 00000 n 0000005362 00000 n -0000083384 00000 n -0000465075 00000 n +0000083400 00000 n +0000465105 00000 n 0000005416 00000 n 0000005476 00000 n -0000084592 00000 n -0000464996 00000 n +0000084608 00000 n +0000465026 00000 n 0000005530 00000 n 0000005599 00000 n -0000087048 00000 n -0000464863 00000 n +0000087064 00000 n +0000464893 00000 n 0000005646 00000 n 0000005699 00000 n -0000087174 00000 n -0000464784 00000 n +0000087190 00000 n +0000464814 00000 n 0000005748 00000 n 0000005804 00000 n -0000087300 00000 n -0000464705 00000 n +0000087316 00000 n +0000464735 00000 n 0000005853 00000 n 0000005902 00000 n -0000091673 00000 n -0000464572 00000 n +0000091688 00000 n +0000464602 00000 n 0000005949 00000 n 0000006001 00000 n -0000091799 00000 n -0000464454 00000 n +0000091814 00000 n +0000464484 00000 n 0000006050 00000 n 0000006101 00000 n -0000095651 00000 n -0000464336 00000 n +0000095666 00000 n +0000464366 00000 n 0000006155 00000 n 0000006200 00000 n -0000095777 00000 n -0000464257 00000 n +0000095792 00000 n +0000464287 00000 n 0000006259 00000 n 0000006293 00000 n -0000095903 00000 n -0000464178 00000 n +0000095918 00000 n +0000464208 00000 n 0000006352 00000 n 0000006400 00000 n -0000099039 00000 n -0000464060 00000 n +0000099054 00000 n +0000464090 00000 n 0000006454 00000 n 0000006494 00000 n -0000099165 00000 n -0000463981 00000 n +0000099180 00000 n +0000464011 00000 n 0000006553 00000 n 0000006587 00000 n -0000099291 00000 n -0000463902 00000 n +0000099306 00000 n +0000463932 00000 n 0000006646 00000 n 0000006694 00000 n -0000102899 00000 n -0000463769 00000 n +0000102914 00000 n +0000463799 00000 n 0000006743 00000 n 0000006793 00000 n -0000103151 00000 n -0000463690 00000 n +0000103166 00000 n +0000463720 00000 n 0000006847 00000 n 0000006894 00000 n -0000103277 00000 n -0000463597 00000 n +0000103292 00000 n +0000463627 00000 n 0000006948 00000 n 0000007008 00000 n -0000108258 00000 n -0000463504 00000 n +0000108273 00000 n +0000463534 00000 n 0000007062 00000 n 0000007114 00000 n -0000108384 00000 n -0000463411 00000 n +0000108399 00000 n +0000463441 00000 n 0000007168 00000 n 0000007233 00000 n 0000112085 00000 n -0000463318 00000 n +0000463348 00000 n 0000007287 00000 n 0000007338 00000 n 0000112211 00000 n -0000463225 00000 n +0000463255 00000 n 0000007392 00000 n 0000007456 00000 n 0000112337 00000 n -0000463132 00000 n +0000463162 00000 n 0000007510 00000 n 0000007557 00000 n 0000112463 00000 n -0000463039 00000 n +0000463069 00000 n 0000007611 00000 n 0000007671 00000 n 0000112588 00000 n -0000462946 00000 n +0000462976 00000 n 0000007725 00000 n 0000007776 00000 n -0000115804 00000 n -0000462814 00000 n +0000115798 00000 n +0000462844 00000 n 0000007831 00000 n 0000007896 00000 n -0000115930 00000 n -0000462735 00000 n +0000115924 00000 n +0000462765 00000 n 0000007956 00000 n 0000008003 00000 n -0000123068 00000 n -0000462656 00000 n +0000123067 00000 n +0000462686 00000 n 0000008063 00000 n 0000008111 00000 n -0000126335 00000 n -0000462563 00000 n +0000126334 00000 n +0000462593 00000 n 0000008166 00000 n 0000008216 00000 n -0000128977 00000 n -0000462470 00000 n +0000128976 00000 n +0000462500 00000 n 0000008271 00000 n 0000008334 00000 n -0000129103 00000 n -0000462377 00000 n +0000129102 00000 n +0000462407 00000 n 0000008389 00000 n 0000008441 00000 n -0000135857 00000 n -0000462244 00000 n +0000135856 00000 n +0000462274 00000 n 0000008496 00000 n 0000008561 00000 n -0000140073 00000 n -0000462165 00000 n +0000140070 00000 n +0000462195 00000 n 0000008621 00000 n 0000008665 00000 n -0000153503 00000 n -0000462072 00000 n +0000153502 00000 n +0000462102 00000 n 0000008725 00000 n 0000008764 00000 n -0000153629 00000 n -0000461979 00000 n +0000153628 00000 n +0000462009 00000 n 0000008824 00000 n 0000008867 00000 n -0000156495 00000 n -0000461886 00000 n +0000156494 00000 n +0000461916 00000 n 0000008927 00000 n 0000008966 00000 n -0000156621 00000 n -0000461793 00000 n +0000156620 00000 n +0000461823 00000 n 0000009026 00000 n 0000009068 00000 n -0000159839 00000 n -0000461700 00000 n +0000159838 00000 n +0000461730 00000 n 0000009128 00000 n 0000009171 00000 n -0000163908 00000 n -0000461607 00000 n +0000163907 00000 n +0000461637 00000 n 0000009231 00000 n 0000009292 00000 n -0000167785 00000 n -0000461514 00000 n +0000167784 00000 n +0000461544 00000 n 0000009352 00000 n 0000009403 00000 n -0000167911 00000 n -0000461421 00000 n +0000167910 00000 n +0000461451 00000 n 0000009463 00000 n 0000009515 00000 n -0000171063 00000 n -0000461328 00000 n +0000171062 00000 n +0000461358 00000 n 0000009576 00000 n 0000009614 00000 n -0000171189 00000 n -0000461235 00000 n +0000171188 00000 n +0000461265 00000 n 0000009675 00000 n 0000009727 00000 n -0000175146 00000 n -0000461142 00000 n +0000175141 00000 n +0000461172 00000 n 0000009788 00000 n 0000009832 00000 n -0000178795 00000 n -0000461049 00000 n +0000178799 00000 n +0000461079 00000 n 0000009893 00000 n 0000009947 00000 n -0000182353 00000 n -0000460956 00000 n +0000182362 00000 n +0000460986 00000 n 0000010008 00000 n 0000010044 00000 n -0000182482 00000 n -0000460877 00000 n +0000182491 00000 n +0000460907 00000 n 0000010105 00000 n 0000010154 00000 n -0000185549 00000 n -0000460784 00000 n +0000185558 00000 n +0000460814 00000 n 0000010209 00000 n 0000010260 00000 n -0000185678 00000 n -0000460691 00000 n +0000185687 00000 n +0000460721 00000 n 0000010315 00000 n 0000010379 00000 n -0000189860 00000 n -0000460598 00000 n +0000189869 00000 n +0000460628 00000 n 0000010434 00000 n 0000010491 00000 n -0000189989 00000 n -0000460505 00000 n +0000189998 00000 n +0000460535 00000 n 0000010546 00000 n 0000010616 00000 n -0000193335 00000 n -0000460412 00000 n +0000193346 00000 n +0000460442 00000 n 0000010671 00000 n 0000010720 00000 n -0000193464 00000 n -0000460319 00000 n +0000193475 00000 n +0000460349 00000 n 0000010775 00000 n 0000010837 00000 n -0000195060 00000 n -0000460226 00000 n +0000195071 00000 n +0000460256 00000 n 0000010892 00000 n 0000010941 00000 n -0000200321 00000 n -0000460108 00000 n +0000200338 00000 n +0000460138 00000 n 0000010996 00000 n 0000011058 00000 n -0000200450 00000 n -0000460029 00000 n +0000200467 00000 n +0000460059 00000 n 0000011118 00000 n 0000011157 00000 n -0000205261 00000 n -0000459936 00000 n +0000205278 00000 n +0000459966 00000 n 0000011217 00000 n 0000011251 00000 n -0000205390 00000 n -0000459843 00000 n +0000205407 00000 n +0000459873 00000 n 0000011311 00000 n 0000011352 00000 n -0000214536 00000 n -0000459764 00000 n +0000214552 00000 n +0000459794 00000 n 0000011412 00000 n 0000011464 00000 n -0000218610 00000 n -0000459646 00000 n +0000218619 00000 n +0000459676 00000 n 0000011513 00000 n 0000011546 00000 n -0000218739 00000 n -0000459528 00000 n +0000218748 00000 n +0000459558 00000 n 0000011600 00000 n 0000011672 00000 n -0000218867 00000 n -0000459449 00000 n +0000218876 00000 n +0000459479 00000 n 0000011731 00000 n 0000011775 00000 n -0000226631 00000 n -0000459370 00000 n +0000226638 00000 n +0000459400 00000 n 0000011834 00000 n 0000011887 00000 n -0000227020 00000 n -0000459277 00000 n +0000227027 00000 n +0000459307 00000 n 0000011941 00000 n 0000011991 00000 n -0000230554 00000 n -0000459184 00000 n +0000230555 00000 n +0000459214 00000 n 0000012045 00000 n 0000012083 00000 n -0000230813 00000 n -0000459091 00000 n +0000230814 00000 n +0000459121 00000 n 0000012137 00000 n 0000012186 00000 n -0000233795 00000 n -0000458959 00000 n +0000233796 00000 n +0000458989 00000 n 0000012240 00000 n 0000012292 00000 n -0000233924 00000 n -0000458880 00000 n +0000233925 00000 n +0000458910 00000 n 0000012351 00000 n 0000012403 00000 n -0000234053 00000 n -0000458787 00000 n +0000234054 00000 n +0000458817 00000 n 0000012462 00000 n 0000012515 00000 n -0000234181 00000 n -0000458708 00000 n +0000234182 00000 n +0000458738 00000 n 0000012574 00000 n 0000012623 00000 n -0000237343 00000 n -0000458629 00000 n +0000237345 00000 n +0000458659 00000 n 0000012677 00000 n 0000012757 00000 n -0000240006 00000 n -0000458496 00000 n +0000240026 00000 n +0000458526 00000 n 0000012804 00000 n 0000012856 00000 n -0000240135 00000 n -0000458417 00000 n +0000240155 00000 n +0000458447 00000 n 0000012905 00000 n 0000012949 00000 n -0000243859 00000 n -0000458285 00000 n +0000243899 00000 n +0000458315 00000 n 0000012998 00000 n 0000013060 00000 n -0000243988 00000 n -0000458206 00000 n +0000244028 00000 n +0000458236 00000 n 0000013114 00000 n 0000013162 00000 n -0000244117 00000 n -0000458127 00000 n +0000244157 00000 n +0000458157 00000 n 0000013216 00000 n 0000013267 00000 n -0000244246 00000 n -0000458048 00000 n +0000244286 00000 n +0000458078 00000 n 0000013316 00000 n 0000013363 00000 n -0000247177 00000 n -0000457915 00000 n +0000247217 00000 n +0000457945 00000 n 0000013410 00000 n 0000013447 00000 n -0000247306 00000 n -0000457797 00000 n +0000247346 00000 n +0000457827 00000 n 0000013496 00000 n 0000013535 00000 n -0000247435 00000 n -0000457732 00000 n +0000247475 00000 n +0000457762 00000 n 0000013589 00000 n 0000013667 00000 n -0000247564 00000 n -0000457639 00000 n +0000247604 00000 n +0000457669 00000 n 0000013716 00000 n 0000013783 00000 n -0000247693 00000 n -0000457560 00000 n +0000247733 00000 n +0000457590 00000 n 0000013832 00000 n 0000013877 00000 n -0000251178 00000 n -0000457441 00000 n +0000251209 00000 n +0000457471 00000 n 0000013925 00000 n 0000013957 00000 n -0000251307 00000 n -0000457323 00000 n +0000251338 00000 n +0000457353 00000 n 0000014006 00000 n 0000014046 00000 n -0000251436 00000 n -0000457258 00000 n +0000251467 00000 n +0000457288 00000 n 0000014100 00000 n 0000014161 00000 n -0000254602 00000 n -0000457126 00000 n +0000254633 00000 n +0000457156 00000 n 0000014210 00000 n 0000014260 00000 n -0000254731 00000 n -0000457022 00000 n +0000254762 00000 n +0000457052 00000 n 0000014314 00000 n 0000014367 00000 n -0000254860 00000 n -0000456943 00000 n +0000254891 00000 n +0000456973 00000 n 0000014426 00000 n 0000014465 00000 n -0000254989 00000 n -0000456864 00000 n +0000255020 00000 n +0000456894 00000 n 0000014524 00000 n 0000014562 00000 n -0000255118 00000 n -0000456732 00000 n +0000255149 00000 n +0000456762 00000 n 0000014611 00000 n 0000014668 00000 n -0000255247 00000 n -0000456667 00000 n +0000255278 00000 n +0000456697 00000 n 0000014722 00000 n 0000014769 00000 n -0000259761 00000 n -0000456549 00000 n +0000259792 00000 n +0000456579 00000 n 0000014818 00000 n 0000014880 00000 n -0000259890 00000 n -0000456470 00000 n +0000259921 00000 n +0000456500 00000 n 0000014934 00000 n 0000014989 00000 n -0000271542 00000 n -0000456377 00000 n +0000271573 00000 n +0000456407 00000 n 0000015043 00000 n 0000015084 00000 n -0000271671 00000 n -0000456298 00000 n +0000271702 00000 n +0000456328 00000 n 0000015138 00000 n 0000015190 00000 n -0000015543 00000 n -0000015791 00000 n +0000015544 00000 n +0000015792 00000 n 0000015243 00000 n -0000015665 00000 n -0000015728 00000 n -0000453277 00000 n -0000428445 00000 n -0000453103 00000 n -0000427380 00000 n -0000401343 00000 n -0000427206 00000 n -0000454275 00000 n -0000016449 00000 n -0000016264 00000 n -0000015876 00000 n -0000016386 00000 n -0000400658 00000 n -0000398513 00000 n -0000400494 00000 n -0000019628 00000 n -0000018818 00000 n -0000016534 00000 n -0000018940 00000 n -0000019064 00000 n -0000019189 00000 n -0000019314 00000 n -0000397659 00000 n -0000377301 00000 n -0000397485 00000 n -0000019439 00000 n -0000019502 00000 n -0000019565 00000 n -0000376372 00000 n -0000357044 00000 n -0000376199 00000 n -0000356301 00000 n -0000339577 00000 n -0000356128 00000 n -0000024246 00000 n -0000023064 00000 n -0000019752 00000 n -0000023558 00000 n -0000339042 00000 n -0000322125 00000 n -0000338858 00000 n -0000023621 00000 n -0000023684 00000 n -0000023808 00000 n -0000023933 00000 n -0000024058 00000 n -0000023214 00000 n -0000023407 00000 n -0000024183 00000 n -0000218803 00000 n -0000259954 00000 n -0000028769 00000 n -0000027734 00000 n -0000024370 00000 n -0000028206 00000 n -0000028331 00000 n -0000027884 00000 n -0000028046 00000 n -0000028456 00000 n -0000028581 00000 n -0000028706 00000 n -0000044963 00000 n -0000031927 00000 n -0000031368 00000 n -0000028893 00000 n -0000031490 00000 n -0000031615 00000 n -0000031740 00000 n -0000031864 00000 n -0000034868 00000 n -0000034058 00000 n -0000032038 00000 n -0000034180 00000 n -0000034305 00000 n -0000034430 00000 n -0000034555 00000 n -0000034680 00000 n -0000034805 00000 n -0000454393 00000 n -0000036188 00000 n -0000035878 00000 n -0000034953 00000 n -0000036000 00000 n -0000036125 00000 n -0000038204 00000 n -0000037519 00000 n -0000036299 00000 n -0000037641 00000 n -0000037766 00000 n -0000037890 00000 n -0000038015 00000 n -0000038141 00000 n -0000041154 00000 n -0000040411 00000 n -0000038302 00000 n -0000040713 00000 n -0000040839 00000 n -0000040902 00000 n -0000040965 00000 n -0000040553 00000 n -0000041091 00000 n -0000175209 00000 n -0000045026 00000 n -0000044114 00000 n -0000041265 00000 n -0000044585 00000 n -0000044264 00000 n -0000044423 00000 n -0000044711 00000 n -0000044837 00000 n -0000321637 00000 n -0000312687 00000 n -0000321460 00000 n -0000159902 00000 n -0000140136 00000 n -0000048139 00000 n -0000047828 00000 n -0000045150 00000 n -0000047950 00000 n -0000048076 00000 n -0000312339 00000 n -0000304768 00000 n -0000312162 00000 n -0000052183 00000 n -0000051793 00000 n -0000048289 00000 n -0000052120 00000 n -0000051935 00000 n -0000454511 00000 n -0000108447 00000 n -0000054047 00000 n -0000053610 00000 n -0000052307 00000 n -0000053732 00000 n -0000053858 00000 n -0000053921 00000 n -0000053984 00000 n -0000056998 00000 n -0000056436 00000 n -0000054158 00000 n -0000056558 00000 n -0000056684 00000 n -0000056810 00000 n -0000056935 00000 n -0000061442 00000 n -0000060648 00000 n -0000057109 00000 n -0000061127 00000 n -0000061253 00000 n -0000060798 00000 n -0000060963 00000 n -0000061379 00000 n -0000260732 00000 n -0000063942 00000 n -0000063571 00000 n -0000061566 00000 n -0000063879 00000 n -0000063713 00000 n -0000065166 00000 n -0000064981 00000 n -0000064066 00000 n -0000065103 00000 n -0000068674 00000 n -0000067676 00000 n -0000065264 00000 n -0000067982 00000 n -0000068108 00000 n -0000067818 00000 n -0000068234 00000 n -0000068360 00000 n -0000068486 00000 n -0000068612 00000 n -0000454629 00000 n -0000072155 00000 n -0000071278 00000 n -0000068811 00000 n -0000071590 00000 n -0000071716 00000 n -0000071842 00000 n -0000071968 00000 n -0000071420 00000 n -0000072092 00000 n -0000214600 00000 n -0000076037 00000 n -0000075474 00000 n -0000072292 00000 n -0000075596 00000 n -0000075722 00000 n -0000075848 00000 n -0000075974 00000 n -0000079508 00000 n -0000078947 00000 n -0000076161 00000 n -0000079069 00000 n -0000079195 00000 n -0000079321 00000 n -0000079445 00000 n -0000083510 00000 n -0000082313 00000 n -0000079632 00000 n -0000082944 00000 n -0000083070 00000 n -0000083196 00000 n -0000083321 00000 n -0000082471 00000 n -0000082628 00000 n -0000082785 00000 n -0000083447 00000 n -0000087111 00000 n -0000255311 00000 n -0000084718 00000 n -0000084407 00000 n -0000083634 00000 n -0000084529 00000 n -0000084655 00000 n -0000087426 00000 n -0000086863 00000 n -0000084829 00000 n -0000086985 00000 n -0000087237 00000 n -0000087363 00000 n -0000454747 00000 n -0000087858 00000 n -0000087673 00000 n -0000087524 00000 n -0000087795 00000 n -0000092050 00000 n -0000091302 00000 n -0000087899 00000 n -0000091610 00000 n -0000091736 00000 n -0000091861 00000 n -0000091924 00000 n -0000091987 00000 n -0000091444 00000 n -0000095714 00000 n -0000096029 00000 n -0000095466 00000 n -0000092148 00000 n -0000095588 00000 n -0000095840 00000 n -0000095966 00000 n -0000099416 00000 n -0000098854 00000 n -0000096166 00000 n -0000098976 00000 n -0000099102 00000 n -0000099228 00000 n -0000099354 00000 n -0000101911 00000 n -0000103402 00000 n -0000101789 00000 n -0000099527 00000 n -0000102836 00000 n -0000303933 00000 n -0000294836 00000 n -0000303761 00000 n -0000102962 00000 n -0000103025 00000 n -0000103088 00000 n -0000103214 00000 n -0000103340 00000 n -0000108510 00000 n -0000107610 00000 n -0000103554 00000 n -0000108069 00000 n -0000108132 00000 n -0000108195 00000 n -0000108321 00000 n -0000107760 00000 n -0000107911 00000 n -0000454865 00000 n -0000272181 00000 n +0000015666 00000 n +0000015729 00000 n +0000453307 00000 n +0000428475 00000 n +0000453133 00000 n +0000427410 00000 n +0000401373 00000 n +0000427236 00000 n +0000454305 00000 n +0000016450 00000 n +0000016265 00000 n +0000015877 00000 n +0000016387 00000 n +0000400688 00000 n +0000398543 00000 n +0000400524 00000 n +0000019625 00000 n +0000018815 00000 n +0000016535 00000 n +0000018937 00000 n +0000019061 00000 n +0000019186 00000 n +0000019311 00000 n +0000397689 00000 n +0000377331 00000 n +0000397515 00000 n +0000019436 00000 n +0000019499 00000 n +0000019562 00000 n +0000376402 00000 n +0000357074 00000 n +0000376229 00000 n +0000356331 00000 n +0000339607 00000 n +0000356158 00000 n +0000024243 00000 n +0000023061 00000 n +0000019749 00000 n +0000023555 00000 n +0000339072 00000 n +0000322155 00000 n +0000338888 00000 n +0000023618 00000 n +0000023681 00000 n +0000023805 00000 n +0000023930 00000 n +0000024055 00000 n +0000023211 00000 n +0000023404 00000 n +0000024180 00000 n +0000218812 00000 n +0000259985 00000 n +0000028766 00000 n +0000027731 00000 n +0000024367 00000 n +0000028203 00000 n +0000028328 00000 n +0000027881 00000 n +0000028043 00000 n +0000028453 00000 n +0000028578 00000 n +0000028703 00000 n +0000044964 00000 n +0000031928 00000 n +0000031369 00000 n +0000028890 00000 n +0000031491 00000 n +0000031616 00000 n +0000031741 00000 n +0000031865 00000 n +0000034869 00000 n +0000034059 00000 n +0000032039 00000 n +0000034181 00000 n +0000034306 00000 n +0000034431 00000 n +0000034556 00000 n +0000034681 00000 n +0000034806 00000 n +0000454423 00000 n +0000036189 00000 n +0000035879 00000 n +0000034954 00000 n +0000036001 00000 n +0000036126 00000 n +0000038205 00000 n +0000037520 00000 n +0000036300 00000 n +0000037642 00000 n +0000037767 00000 n +0000037891 00000 n +0000038016 00000 n +0000038142 00000 n +0000041155 00000 n +0000040412 00000 n +0000038303 00000 n +0000040714 00000 n +0000040840 00000 n +0000040903 00000 n +0000040966 00000 n +0000040554 00000 n +0000041092 00000 n +0000175204 00000 n +0000045027 00000 n +0000044115 00000 n +0000041266 00000 n +0000044586 00000 n +0000044265 00000 n +0000044424 00000 n +0000044712 00000 n +0000044838 00000 n +0000321667 00000 n +0000312717 00000 n +0000321490 00000 n +0000159901 00000 n +0000140133 00000 n +0000048140 00000 n +0000047829 00000 n +0000045151 00000 n +0000047951 00000 n +0000048077 00000 n +0000312369 00000 n +0000304798 00000 n +0000312192 00000 n +0000052187 00000 n +0000051797 00000 n +0000048290 00000 n +0000052124 00000 n +0000051939 00000 n +0000454541 00000 n +0000108462 00000 n +0000054051 00000 n +0000053614 00000 n +0000052311 00000 n +0000053736 00000 n +0000053862 00000 n +0000053925 00000 n +0000053988 00000 n +0000057010 00000 n +0000056448 00000 n +0000054162 00000 n +0000056570 00000 n +0000056696 00000 n +0000056822 00000 n +0000056947 00000 n +0000061454 00000 n +0000060660 00000 n +0000057121 00000 n +0000061139 00000 n +0000061265 00000 n +0000060810 00000 n +0000060975 00000 n +0000061391 00000 n +0000260763 00000 n +0000063958 00000 n +0000063587 00000 n +0000061578 00000 n +0000063895 00000 n +0000063729 00000 n +0000065182 00000 n +0000064997 00000 n +0000064082 00000 n +0000065119 00000 n +0000068685 00000 n +0000067687 00000 n +0000065280 00000 n +0000067993 00000 n +0000068119 00000 n +0000067829 00000 n +0000068245 00000 n +0000068371 00000 n +0000068497 00000 n +0000068623 00000 n +0000454659 00000 n +0000072166 00000 n +0000071289 00000 n +0000068822 00000 n +0000071601 00000 n +0000071727 00000 n +0000071853 00000 n +0000071979 00000 n +0000071431 00000 n +0000072103 00000 n +0000214616 00000 n +0000076052 00000 n +0000075489 00000 n +0000072303 00000 n +0000075611 00000 n +0000075737 00000 n +0000075863 00000 n +0000075989 00000 n +0000079524 00000 n +0000078963 00000 n +0000076176 00000 n +0000079085 00000 n +0000079211 00000 n +0000079337 00000 n +0000079461 00000 n +0000083526 00000 n +0000082329 00000 n +0000079648 00000 n +0000082960 00000 n +0000083086 00000 n +0000083212 00000 n +0000083337 00000 n +0000082487 00000 n +0000082644 00000 n +0000082801 00000 n +0000083463 00000 n +0000087127 00000 n +0000255342 00000 n +0000084734 00000 n +0000084423 00000 n +0000083650 00000 n +0000084545 00000 n +0000084671 00000 n +0000087442 00000 n +0000086879 00000 n +0000084845 00000 n +0000087001 00000 n +0000087253 00000 n +0000087379 00000 n +0000454777 00000 n +0000087874 00000 n +0000087689 00000 n +0000087540 00000 n +0000087811 00000 n +0000092065 00000 n +0000091317 00000 n +0000087915 00000 n +0000091625 00000 n +0000091751 00000 n +0000091876 00000 n +0000091939 00000 n +0000092002 00000 n +0000091459 00000 n +0000095729 00000 n +0000096044 00000 n +0000095481 00000 n +0000092163 00000 n +0000095603 00000 n +0000095855 00000 n +0000095981 00000 n +0000099431 00000 n +0000098869 00000 n +0000096181 00000 n +0000098991 00000 n +0000099117 00000 n +0000099243 00000 n +0000099369 00000 n +0000101926 00000 n +0000103417 00000 n +0000101804 00000 n +0000099542 00000 n +0000102851 00000 n +0000303963 00000 n +0000294866 00000 n +0000303791 00000 n +0000102977 00000 n +0000103040 00000 n +0000103103 00000 n +0000103229 00000 n +0000103355 00000 n +0000108525 00000 n +0000107625 00000 n +0000103569 00000 n +0000108084 00000 n +0000108147 00000 n +0000108210 00000 n +0000108336 00000 n +0000107775 00000 n +0000107926 00000 n +0000454895 00000 n +0000272212 00000 n 0000112714 00000 n 0000111537 00000 n -0000108634 00000 n +0000108649 00000 n 0000112022 00000 n 0000112148 00000 n 0000112274 00000 n @@ -8298,473 +8291,473 @@ xref 0000111687 00000 n 0000111838 00000 n 0000112651 00000 n -0000116056 00000 n -0000115619 00000 n +0000116050 00000 n +0000115613 00000 n 0000112851 00000 n -0000115741 00000 n -0000115867 00000 n -0000115993 00000 n -0000120344 00000 n -0000120159 00000 n -0000116180 00000 n -0000120281 00000 n -0000123192 00000 n -0000122697 00000 n -0000120455 00000 n -0000123005 00000 n -0000122839 00000 n -0000123130 00000 n -0000126461 00000 n -0000126024 00000 n -0000123303 00000 n -0000126146 00000 n -0000126209 00000 n -0000126272 00000 n -0000126398 00000 n -0000129228 00000 n -0000128621 00000 n -0000126572 00000 n -0000128914 00000 n -0000129040 00000 n -0000128763 00000 n -0000129166 00000 n -0000454983 00000 n -0000130770 00000 n -0000130585 00000 n -0000129339 00000 n -0000130707 00000 n -0000134158 00000 n -0000135983 00000 n -0000134036 00000 n -0000130868 00000 n -0000135794 00000 n -0000135920 00000 n -0000135626 00000 n -0000135683 00000 n -0000135772 00000 n -0000140198 00000 n -0000139712 00000 n -0000136148 00000 n -0000140010 00000 n -0000139854 00000 n -0000182546 00000 n -0000144067 00000 n -0000143709 00000 n -0000140322 00000 n -0000144004 00000 n -0000143851 00000 n -0000149083 00000 n -0000147966 00000 n -0000144191 00000 n -0000149020 00000 n -0000148140 00000 n -0000148296 00000 n -0000148480 00000 n -0000148653 00000 n -0000148836 00000 n -0000185742 00000 n -0000153755 00000 n -0000152796 00000 n -0000149274 00000 n -0000153440 00000 n -0000153566 00000 n -0000152954 00000 n -0000153692 00000 n -0000153122 00000 n -0000153285 00000 n -0000455101 00000 n -0000195124 00000 n -0000178859 00000 n -0000156747 00000 n -0000156310 00000 n -0000153879 00000 n -0000156432 00000 n -0000156558 00000 n -0000156684 00000 n -0000294292 00000 n -0000285989 00000 n -0000294119 00000 n -0000159965 00000 n -0000159654 00000 n -0000156912 00000 n -0000159776 00000 n -0000164033 00000 n -0000163723 00000 n -0000160117 00000 n -0000163845 00000 n -0000163971 00000 n -0000168037 00000 n -0000167406 00000 n -0000164185 00000 n -0000167722 00000 n -0000167548 00000 n -0000167848 00000 n -0000167974 00000 n -0000171315 00000 n -0000170699 00000 n -0000168148 00000 n -0000171000 00000 n -0000171126 00000 n -0000171252 00000 n -0000170841 00000 n -0000175272 00000 n -0000174609 00000 n -0000171480 00000 n -0000175083 00000 n -0000174761 00000 n -0000174916 00000 n -0000455219 00000 n -0000178923 00000 n -0000178474 00000 n -0000175383 00000 n -0000178600 00000 n -0000178665 00000 n -0000178730 00000 n -0000182609 00000 n -0000181980 00000 n -0000179115 00000 n -0000182288 00000 n -0000182417 00000 n -0000182127 00000 n -0000185806 00000 n -0000185228 00000 n -0000182788 00000 n -0000185354 00000 n -0000185419 00000 n -0000185484 00000 n -0000185613 00000 n -0000190117 00000 n -0000189494 00000 n -0000185918 00000 n -0000189795 00000 n -0000189924 00000 n -0000190052 00000 n -0000189641 00000 n -0000193593 00000 n -0000193144 00000 n -0000190229 00000 n -0000193270 00000 n -0000193399 00000 n -0000193528 00000 n -0000195188 00000 n -0000194869 00000 n -0000193705 00000 n -0000194995 00000 n -0000455343 00000 n -0000196469 00000 n -0000196278 00000 n -0000195300 00000 n -0000196404 00000 n -0000200709 00000 n -0000200130 00000 n -0000196568 00000 n -0000200256 00000 n -0000200385 00000 n -0000200514 00000 n -0000200579 00000 n -0000200644 00000 n -0000205519 00000 n -0000204186 00000 n -0000200821 00000 n -0000205196 00000 n -0000205325 00000 n -0000205454 00000 n -0000204369 00000 n -0000204530 00000 n -0000204692 00000 n -0000204854 00000 n -0000205025 00000 n -0000244309 00000 n -0000210216 00000 n -0000208985 00000 n -0000205644 00000 n -0000210151 00000 n -0000209177 00000 n -0000209340 00000 n -0000209502 00000 n -0000209664 00000 n -0000209826 00000 n -0000209988 00000 n -0000214794 00000 n -0000213325 00000 n -0000210341 00000 n -0000214471 00000 n -0000213517 00000 n -0000213670 00000 n -0000213832 00000 n -0000213993 00000 n -0000214155 00000 n -0000214317 00000 n -0000214664 00000 n -0000214729 00000 n -0000219256 00000 n -0000218058 00000 n -0000214906 00000 n -0000218545 00000 n -0000218674 00000 n -0000218931 00000 n -0000218214 00000 n -0000218384 00000 n -0000218996 00000 n -0000219061 00000 n -0000219126 00000 n -0000219191 00000 n -0000455468 00000 n -0000223359 00000 n -0000222714 00000 n -0000219368 00000 n -0000223036 00000 n -0000223101 00000 n -0000223166 00000 n -0000222861 00000 n -0000223231 00000 n -0000223296 00000 n -0000254795 00000 n -0000227149 00000 n -0000226440 00000 n -0000223458 00000 n -0000226566 00000 n -0000226695 00000 n -0000226760 00000 n -0000226825 00000 n -0000226890 00000 n -0000226955 00000 n -0000227084 00000 n -0000231072 00000 n -0000230233 00000 n -0000227261 00000 n -0000230359 00000 n -0000230424 00000 n -0000230489 00000 n -0000230618 00000 n -0000230683 00000 n -0000230748 00000 n -0000230877 00000 n -0000230942 00000 n -0000231007 00000 n -0000234309 00000 n -0000233604 00000 n -0000231197 00000 n -0000233730 00000 n -0000233859 00000 n -0000233988 00000 n -0000285634 00000 n -0000283636 00000 n -0000285469 00000 n -0000234116 00000 n -0000234244 00000 n -0000237602 00000 n -0000237152 00000 n -0000234502 00000 n -0000237278 00000 n -0000237407 00000 n -0000237472 00000 n -0000237537 00000 n -0000240263 00000 n -0000239355 00000 n -0000237740 00000 n -0000239941 00000 n -0000240070 00000 n -0000240199 00000 n -0000239511 00000 n -0000239726 00000 n -0000455593 00000 n -0000244374 00000 n -0000243668 00000 n -0000240389 00000 n -0000243794 00000 n -0000283315 00000 n -0000274102 00000 n -0000283129 00000 n -0000243923 00000 n -0000244052 00000 n -0000244181 00000 n -0000247821 00000 n -0000246595 00000 n -0000244539 00000 n -0000247112 00000 n -0000247241 00000 n -0000247370 00000 n -0000247499 00000 n -0000247628 00000 n -0000247757 00000 n -0000246751 00000 n -0000246923 00000 n -0000248275 00000 n -0000248084 00000 n -0000247934 00000 n -0000248210 00000 n -0000251565 00000 n -0000250987 00000 n -0000248317 00000 n -0000251113 00000 n -0000251242 00000 n -0000251371 00000 n -0000251500 00000 n -0000255763 00000 n -0000254411 00000 n -0000251651 00000 n -0000254537 00000 n -0000254666 00000 n -0000254924 00000 n -0000255053 00000 n -0000255182 00000 n -0000255375 00000 n -0000255440 00000 n -0000255505 00000 n -0000255570 00000 n -0000255635 00000 n -0000255699 00000 n -0000261314 00000 n -0000258815 00000 n -0000255889 00000 n -0000259696 00000 n -0000259825 00000 n -0000258989 00000 n -0000259168 00000 n -0000259345 00000 n -0000259520 00000 n -0000260018 00000 n -0000260083 00000 n -0000260148 00000 n -0000260213 00000 n -0000260278 00000 n -0000260343 00000 n -0000260408 00000 n -0000260472 00000 n -0000260537 00000 n -0000260602 00000 n -0000260667 00000 n -0000260796 00000 n -0000260861 00000 n -0000260926 00000 n -0000260991 00000 n -0000261056 00000 n -0000261121 00000 n -0000261186 00000 n -0000261250 00000 n -0000455718 00000 n -0000267987 00000 n -0000264295 00000 n -0000261466 00000 n -0000264421 00000 n -0000264486 00000 n -0000264551 00000 n -0000264616 00000 n -0000264681 00000 n -0000264746 00000 n -0000264811 00000 n -0000264876 00000 n -0000264941 00000 n -0000265006 00000 n -0000265071 00000 n -0000265136 00000 n -0000265201 00000 n -0000265266 00000 n -0000265331 00000 n -0000265396 00000 n -0000265461 00000 n -0000265526 00000 n -0000265590 00000 n -0000265655 00000 n -0000265720 00000 n -0000265785 00000 n -0000265850 00000 n -0000265915 00000 n -0000265980 00000 n -0000266045 00000 n -0000266110 00000 n -0000266175 00000 n -0000266240 00000 n -0000266305 00000 n -0000266370 00000 n -0000266433 00000 n -0000266498 00000 n -0000266562 00000 n -0000266627 00000 n -0000266692 00000 n -0000266757 00000 n -0000266822 00000 n -0000266887 00000 n -0000266952 00000 n -0000267017 00000 n -0000267081 00000 n -0000267146 00000 n -0000267211 00000 n -0000267276 00000 n -0000267341 00000 n -0000267406 00000 n -0000267471 00000 n -0000267536 00000 n -0000267601 00000 n -0000267666 00000 n -0000267731 00000 n -0000267795 00000 n -0000267859 00000 n -0000267923 00000 n -0000272056 00000 n -0000270052 00000 n -0000268099 00000 n -0000270178 00000 n -0000270243 00000 n -0000270308 00000 n -0000270373 00000 n -0000270438 00000 n -0000270503 00000 n -0000270568 00000 n -0000270633 00000 n -0000270698 00000 n -0000270763 00000 n -0000270828 00000 n -0000270893 00000 n -0000270958 00000 n -0000271022 00000 n -0000271087 00000 n -0000271152 00000 n -0000271217 00000 n -0000271282 00000 n -0000271347 00000 n -0000271412 00000 n -0000271477 00000 n -0000271606 00000 n -0000271735 00000 n -0000271800 00000 n -0000271864 00000 n -0000271928 00000 n -0000271992 00000 n -0000272213 00000 n -0000283557 00000 n -0000285881 00000 n -0000285850 00000 n -0000294577 00000 n -0000304341 00000 n -0000312582 00000 n -0000321900 00000 n -0000339382 00000 n -0000356721 00000 n -0000376926 00000 n -0000398063 00000 n -0000401145 00000 n -0000400915 00000 n -0000427948 00000 n -0000453791 00000 n -0000455816 00000 n -0000455936 00000 n -0000456060 00000 n -0000456140 00000 n -0000456222 00000 n -0000470300 00000 n -0000482325 00000 n -0000482366 00000 n -0000482406 00000 n -0000482540 00000 n +0000115735 00000 n +0000115861 00000 n +0000115987 00000 n +0000120343 00000 n +0000120158 00000 n +0000116174 00000 n +0000120280 00000 n +0000123191 00000 n +0000122696 00000 n +0000120454 00000 n +0000123004 00000 n +0000122838 00000 n +0000123129 00000 n +0000126460 00000 n +0000126023 00000 n +0000123302 00000 n +0000126145 00000 n +0000126208 00000 n +0000126271 00000 n +0000126397 00000 n +0000129227 00000 n +0000128620 00000 n +0000126571 00000 n +0000128913 00000 n +0000129039 00000 n +0000128762 00000 n +0000129165 00000 n +0000455013 00000 n +0000130769 00000 n +0000130584 00000 n +0000129338 00000 n +0000130706 00000 n +0000134157 00000 n +0000135982 00000 n +0000134035 00000 n +0000130867 00000 n +0000135793 00000 n +0000135919 00000 n +0000135625 00000 n +0000135682 00000 n +0000135771 00000 n +0000140195 00000 n +0000139709 00000 n +0000136147 00000 n +0000140007 00000 n +0000139851 00000 n +0000182555 00000 n +0000144064 00000 n +0000143706 00000 n +0000140319 00000 n +0000144001 00000 n +0000143848 00000 n +0000149080 00000 n +0000147963 00000 n +0000144188 00000 n +0000149017 00000 n +0000148137 00000 n +0000148293 00000 n +0000148477 00000 n +0000148650 00000 n +0000148833 00000 n +0000185751 00000 n +0000153754 00000 n +0000152795 00000 n +0000149271 00000 n +0000153439 00000 n +0000153565 00000 n +0000152953 00000 n +0000153691 00000 n +0000153121 00000 n +0000153284 00000 n +0000455131 00000 n +0000195135 00000 n +0000178863 00000 n +0000156746 00000 n +0000156309 00000 n +0000153878 00000 n +0000156431 00000 n +0000156557 00000 n +0000156683 00000 n +0000294322 00000 n +0000286019 00000 n +0000294149 00000 n +0000159964 00000 n +0000159653 00000 n +0000156911 00000 n +0000159775 00000 n +0000164032 00000 n +0000163722 00000 n +0000160116 00000 n +0000163844 00000 n +0000163970 00000 n +0000168036 00000 n +0000167405 00000 n +0000164184 00000 n +0000167721 00000 n +0000167547 00000 n +0000167847 00000 n +0000167973 00000 n +0000171314 00000 n +0000170698 00000 n +0000168147 00000 n +0000170999 00000 n +0000171125 00000 n +0000171251 00000 n +0000170840 00000 n +0000175267 00000 n +0000174604 00000 n +0000171479 00000 n +0000175078 00000 n +0000174756 00000 n +0000174911 00000 n +0000455249 00000 n +0000178927 00000 n +0000178478 00000 n +0000175378 00000 n +0000178604 00000 n +0000178669 00000 n +0000178734 00000 n +0000182618 00000 n +0000181989 00000 n +0000179119 00000 n +0000182297 00000 n +0000182426 00000 n +0000182136 00000 n +0000185815 00000 n +0000185237 00000 n +0000182797 00000 n +0000185363 00000 n +0000185428 00000 n +0000185493 00000 n +0000185622 00000 n +0000190126 00000 n +0000189503 00000 n +0000185927 00000 n +0000189804 00000 n +0000189933 00000 n +0000190061 00000 n +0000189650 00000 n +0000193604 00000 n +0000193155 00000 n +0000190238 00000 n +0000193281 00000 n +0000193410 00000 n +0000193539 00000 n +0000195199 00000 n +0000194880 00000 n +0000193716 00000 n +0000195006 00000 n +0000455373 00000 n +0000196480 00000 n +0000196289 00000 n +0000195311 00000 n +0000196415 00000 n +0000200726 00000 n +0000200147 00000 n +0000196579 00000 n +0000200273 00000 n +0000200402 00000 n +0000200531 00000 n +0000200596 00000 n +0000200661 00000 n +0000205536 00000 n +0000204203 00000 n +0000200838 00000 n +0000205213 00000 n +0000205342 00000 n +0000205471 00000 n +0000204386 00000 n +0000204547 00000 n +0000204709 00000 n +0000204871 00000 n +0000205042 00000 n +0000244349 00000 n +0000210232 00000 n +0000209001 00000 n +0000205661 00000 n +0000210167 00000 n +0000209193 00000 n +0000209356 00000 n +0000209518 00000 n +0000209680 00000 n +0000209842 00000 n +0000210004 00000 n +0000214810 00000 n +0000213341 00000 n +0000210357 00000 n +0000214487 00000 n +0000213533 00000 n +0000213686 00000 n +0000213848 00000 n +0000214009 00000 n +0000214171 00000 n +0000214333 00000 n +0000214680 00000 n +0000214745 00000 n +0000219265 00000 n +0000218067 00000 n +0000214922 00000 n +0000218554 00000 n +0000218683 00000 n +0000218940 00000 n +0000218223 00000 n +0000218393 00000 n +0000219005 00000 n +0000219070 00000 n +0000219135 00000 n +0000219200 00000 n +0000455498 00000 n +0000223365 00000 n +0000222720 00000 n +0000219377 00000 n +0000223042 00000 n +0000223107 00000 n +0000223172 00000 n +0000222867 00000 n +0000223237 00000 n +0000223302 00000 n +0000254826 00000 n +0000227156 00000 n +0000226447 00000 n +0000223464 00000 n +0000226573 00000 n +0000226702 00000 n +0000226767 00000 n +0000226832 00000 n +0000226897 00000 n +0000226962 00000 n +0000227091 00000 n +0000231073 00000 n +0000230234 00000 n +0000227268 00000 n +0000230360 00000 n +0000230425 00000 n +0000230490 00000 n +0000230619 00000 n +0000230684 00000 n +0000230749 00000 n +0000230878 00000 n +0000230943 00000 n +0000231008 00000 n +0000234310 00000 n +0000233605 00000 n +0000231198 00000 n +0000233731 00000 n +0000233860 00000 n +0000233989 00000 n +0000285664 00000 n +0000283667 00000 n +0000285499 00000 n +0000234117 00000 n +0000234245 00000 n +0000237604 00000 n +0000237154 00000 n +0000234503 00000 n +0000237280 00000 n +0000237409 00000 n +0000237474 00000 n +0000237539 00000 n +0000240283 00000 n +0000239375 00000 n +0000237742 00000 n +0000239961 00000 n +0000240090 00000 n +0000240219 00000 n +0000239531 00000 n +0000239746 00000 n +0000455623 00000 n +0000244414 00000 n +0000243708 00000 n +0000240409 00000 n +0000243834 00000 n +0000283346 00000 n +0000274133 00000 n +0000283160 00000 n +0000243963 00000 n +0000244092 00000 n +0000244221 00000 n +0000247861 00000 n +0000246635 00000 n +0000244579 00000 n +0000247152 00000 n +0000247281 00000 n +0000247410 00000 n +0000247539 00000 n +0000247668 00000 n +0000247797 00000 n +0000246791 00000 n +0000246963 00000 n +0000248315 00000 n +0000248124 00000 n +0000247974 00000 n +0000248250 00000 n +0000251596 00000 n +0000251018 00000 n +0000248357 00000 n +0000251144 00000 n +0000251273 00000 n +0000251402 00000 n +0000251531 00000 n +0000255794 00000 n +0000254442 00000 n +0000251682 00000 n +0000254568 00000 n +0000254697 00000 n +0000254955 00000 n +0000255084 00000 n +0000255213 00000 n +0000255406 00000 n +0000255471 00000 n +0000255536 00000 n +0000255601 00000 n +0000255666 00000 n +0000255730 00000 n +0000261345 00000 n +0000258846 00000 n +0000255920 00000 n +0000259727 00000 n +0000259856 00000 n +0000259020 00000 n +0000259199 00000 n +0000259376 00000 n +0000259551 00000 n +0000260049 00000 n +0000260114 00000 n +0000260179 00000 n +0000260244 00000 n +0000260309 00000 n +0000260374 00000 n +0000260439 00000 n +0000260503 00000 n +0000260568 00000 n +0000260633 00000 n +0000260698 00000 n +0000260827 00000 n +0000260892 00000 n +0000260957 00000 n +0000261022 00000 n +0000261087 00000 n +0000261152 00000 n +0000261217 00000 n +0000261281 00000 n +0000455748 00000 n +0000268018 00000 n +0000264326 00000 n +0000261497 00000 n +0000264452 00000 n +0000264517 00000 n +0000264582 00000 n +0000264647 00000 n +0000264712 00000 n +0000264777 00000 n +0000264842 00000 n +0000264907 00000 n +0000264972 00000 n +0000265037 00000 n +0000265102 00000 n +0000265167 00000 n +0000265232 00000 n +0000265297 00000 n +0000265362 00000 n +0000265427 00000 n +0000265492 00000 n +0000265557 00000 n +0000265621 00000 n +0000265686 00000 n +0000265751 00000 n +0000265816 00000 n +0000265881 00000 n +0000265946 00000 n +0000266011 00000 n +0000266076 00000 n +0000266141 00000 n +0000266206 00000 n +0000266271 00000 n +0000266336 00000 n +0000266401 00000 n +0000266464 00000 n +0000266529 00000 n +0000266593 00000 n +0000266658 00000 n +0000266723 00000 n +0000266788 00000 n +0000266853 00000 n +0000266918 00000 n +0000266983 00000 n +0000267048 00000 n +0000267112 00000 n +0000267177 00000 n +0000267242 00000 n +0000267307 00000 n +0000267372 00000 n +0000267437 00000 n +0000267502 00000 n +0000267567 00000 n +0000267632 00000 n +0000267697 00000 n +0000267762 00000 n +0000267826 00000 n +0000267890 00000 n +0000267954 00000 n +0000272087 00000 n +0000270083 00000 n +0000268130 00000 n +0000270209 00000 n +0000270274 00000 n +0000270339 00000 n +0000270404 00000 n +0000270469 00000 n +0000270534 00000 n +0000270599 00000 n +0000270664 00000 n +0000270729 00000 n +0000270794 00000 n +0000270859 00000 n +0000270924 00000 n +0000270989 00000 n +0000271053 00000 n +0000271118 00000 n +0000271183 00000 n +0000271248 00000 n +0000271313 00000 n +0000271378 00000 n +0000271443 00000 n +0000271508 00000 n +0000271637 00000 n +0000271766 00000 n +0000271831 00000 n +0000271895 00000 n +0000271959 00000 n +0000272023 00000 n +0000272244 00000 n +0000283588 00000 n +0000285911 00000 n +0000285880 00000 n +0000294607 00000 n +0000304371 00000 n +0000312612 00000 n +0000321930 00000 n +0000339412 00000 n +0000356751 00000 n +0000376956 00000 n +0000398093 00000 n +0000401175 00000 n +0000400945 00000 n +0000427978 00000 n +0000453821 00000 n +0000455846 00000 n +0000455966 00000 n +0000456090 00000 n +0000456170 00000 n +0000456252 00000 n +0000470330 00000 n +0000482355 00000 n +0000482396 00000 n +0000482436 00000 n +0000482570 00000 n trailer << /Size 1346 /Root 1344 0 R /Info 1345 0 R -/ID [<6E6C549B402781459D6430ACB029FB20> <6E6C549B402781459D6430ACB029FB20>] +/ID [<67EC8DB4DA54B78233C7FF2983DF6C55> <67EC8DB4DA54B78233C7FF2983DF6C55>] >> startxref -482804 +482834 %%EOF diff --git a/version b/version index 4e84990d04..a9a3d68dae 100644 --- a/version +++ b/version @@ -1,4 +1,4 @@ -# $Id: version,v 1.26.2.43 2006/05/25 06:17:08 marka Exp $ +# $Id: version,v 1.26.2.44 2006/07/27 05:05:51 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -6,5 +6,5 @@ MAJORVER=9 MINORVER=2 PATCHVER=7 -RELEASETYPE=b +RELEASETYPE=rc RELEASEVER=1 From e03997e88c4e8cfed55f52572039303e882fb85b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 27 Jul 2006 23:17:03 +0000 Subject: [PATCH 372/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index c93192d68f..d17d6efdba 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -54,6 +54,7 @@ rt16218a new rt16219 new rt16220 new rt16220a new +rt16244 new rt16290 new rt16292 new rt16300 new From f8e0fc7c737cde8e3c45bf9b6aab014b5455a417 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 28 Jul 2006 04:51:18 +0000 Subject: [PATCH 373/465] 1941. [bug] ncache_adderesult() should set eresult even if no rdataset is passed to it. [RT #15642] --- CHANGES | 5 ++--- lib/dns/resolver.c | 30 ++++++++++++++++-------------- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/CHANGES b/CHANGES index 3c628a6839..5f35aeaffe 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,3 @@ - - --- 9.2.7rc1 released --- - 2057. [bug] Make setting "ra" dependent on both allow-query and allow-recursion. [RT #16290] @@ -30,6 +27,8 @@ 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124] +1941. [bug] ncache_adderesult() should set eresult even if no + rdataset is passed to it. [RT #15642] --- 9.2.7b1 released --- diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index ca0205bd56..421375b9ff 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.218.2.45 2006/01/06 00:48:37 marka Exp $ */ +/* $Id: resolver.c,v 1.218.2.46 2006/07/28 04:51:18 marka Exp $ */ #include @@ -3222,23 +3222,28 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, isc_result_t *eresultp) { isc_result_t result; + dns_rdataset_t rdataset; + + if (ardataset == NULL) { + dns_rdataset_init(&rdataset); + ardataset = &rdataset; + } result = dns_ncache_add(message, cache, node, covers, now, maxttl, ardataset); - if (result == DNS_R_UNCHANGED) { + if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) { /* - * The data in the cache is better than the negative cache - * entry we're trying to add. + * If the cache now contains a negative entry and we + * care about whether it is DNS_R_NCACHENXDOMAIN or + * DNS_R_NCACHENXRRSET then extract it. */ - if (ardataset != NULL && ardataset->type == 0) { + if (ardataset->type == 0) { /* - * The cache data is also a negative cache - * entry. + * The cache data is a negative cache entry. */ if (NXDOMAIN(ardataset)) *eresultp = DNS_R_NCACHENXDOMAIN; else *eresultp = DNS_R_NCACHENXRRSET; - result = ISC_R_SUCCESS; } else { /* * Either we don't care about the nature of the @@ -3250,14 +3255,11 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, * XXXRTH There's a CNAME/DNAME problem here. */ *eresultp = ISC_R_SUCCESS; - result = ISC_R_SUCCESS; } - } else if (result == ISC_R_SUCCESS) { - if (NXDOMAIN(ardataset)) - *eresultp = DNS_R_NCACHENXDOMAIN; - else - *eresultp = DNS_R_NCACHENXRRSET; + result = ISC_R_SUCCESS; } + if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset)) + dns_rdataset_disassociate(ardataset); return (result); } From f06be527aedb6c173dac5b0cce1507a61e4eb8d0 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 28 Jul 2006 23:16:55 +0000 Subject: [PATCH 374/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index d17d6efdba..66d3dd9db4 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -58,6 +58,7 @@ rt16244 new rt16290 new rt16292 new rt16300 new +rt16307 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From a4eea089841b6c8370855b02a71425254dfd9136 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 31 Jul 2006 02:04:03 +0000 Subject: [PATCH 375/465] update comment --- lib/dns/rbtdb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 133b834364..210026bd9a 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.237 2006/07/24 01:12:45 marka Exp $ */ +/* $Id: rbtdb.c,v 1.238 2006/07/31 02:04:03 marka Exp $ */ /*! \file */ @@ -3006,7 +3006,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { isc_mem_t *mctx; /* - * header->down can be NULL if the + * header->down can be non-NULL if the * refcount has just decremented to 0 * but no_references() has not * performed clean_cache_node(), in From 431fd1b0b5c3c049f9397ed4be8915715ead9cdb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 00:49:02 +0000 Subject: [PATCH 376/465] 2061. [bug] 'dig +nssearch' was reusing a buffer before it had been returned by the socket code. [RT #16307] --- CHANGES | 3 +++ bin/dig/dighost.c | 37 +++++++++++++++++++++---------------- 2 files changed, 24 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index e6f39f3fba..8c7dcc1f8c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2061. [bug] 'dig +nssearch' was reusing a buffer before it had + been returned by the socket code. [RT #16307] + 2061. [bug] Accept expired wildcard message reversed. [RT #16296] 2060. [bug] Enabling DLZ support could leave views partially diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index fa51b66554..5bcff8ca34 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dighost.c,v 1.293 2006/06/06 00:53:36 marka Exp $ */ +/* $Id: dighost.c,v 1.294 2006/08/01 00:49:02 marka Exp $ */ /*! \file * \note @@ -344,6 +344,9 @@ cancel_lookup(dig_lookup_t *lookup); static void recv_done(isc_task_t *task, isc_event_t *event); +static void +send_udp(dig_query_t *query); + static void connect_timeout(isc_task_t *task, isc_event_t *event); @@ -2028,6 +2031,8 @@ static void send_done(isc_task_t *_task, isc_event_t *event) { isc_socketevent_t *sevent = (isc_socketevent_t *)event; isc_buffer_t *b = NULL; + dig_query_t *query, *next; + dig_lookup_t *l; REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE); @@ -2035,17 +2040,28 @@ send_done(isc_task_t *_task, isc_event_t *event) { LOCK_LOOKUP; + debug("send_done()"); + sendcount--; + debug("sendcount=%d", sendcount); + INSIST(sendcount >= 0); + for (b = ISC_LIST_HEAD(sevent->bufferlist); b != NULL; b = ISC_LIST_HEAD(sevent->bufferlist)) ISC_LIST_DEQUEUE(sevent->bufferlist, b, link); + query = event->ev_arg; + l = query->lookup; + + if (l->ns_search_only && !l->trace_root) { + debug("sending next, since searching"); + next = ISC_LIST_NEXT(query, link); + if (next != NULL) + send_udp(next); + } + isc_event_free(&event); - debug("send_done()"); - sendcount--; - debug("sendcount=%d", sendcount); - INSIST(sendcount >= 0); check_if_done(); UNLOCK_LOOKUP; } @@ -2189,7 +2205,6 @@ send_tcp_connect(dig_query_t *query) { static void send_udp(dig_query_t *query) { dig_lookup_t *l = NULL; - dig_query_t *next; isc_result_t result; debug("send_udp(%p)", query); @@ -2242,16 +2257,6 @@ send_udp(dig_query_t *query) { &query->sockaddr, NULL); check_result(result, "isc_socket_sendtov"); sendcount++; - /* - * If we're at the endgame of a nameserver search, we need to - * immediately bring up all the queries. Do it here. - */ - if (l->ns_search_only && !l->trace_root) { - debug("sending next, since searching"); - next = ISC_LIST_NEXT(query, link); - if (next != NULL) - send_udp(next); - } } /*% From 67b1eee9dfde5ad86b54b2b768ff4d6b1354b651 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 00:53:22 +0000 Subject: [PATCH 377/465] change number --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 8c7dcc1f8c..c5247c9da4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,4 @@ -2061. [bug] 'dig +nssearch' was reusing a buffer before it had +2062. [bug] 'dig +nssearch' was reusing a buffer before it had been returned by the socket code. [RT #16307] 2061. [bug] Accept expired wildcard message reversed. [RT #16296] From ba2d48cd7adacfe42ea5132caf9d6349ec8ec933 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 00:54:08 +0000 Subject: [PATCH 378/465] 2062. [bug] 'dig +nssearch' was reusing a buffer before it had been returned by the socket code. [RT #16307] --- CHANGES | 3 +++ bin/dig/dighost.c | 37 +++++++++++++++++++++---------------- 2 files changed, 24 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index 5f35aeaffe..7b6c6df712 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2062. [bug] 'dig +nssearch' was reusing a buffer before it had + been returned by the socket code. [RT #16307] + 2057. [bug] Make setting "ra" dependent on both allow-query and allow-recursion. [RT #16290] diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 8e11e538b1..9964f30c0e 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dighost.c,v 1.221.2.31 2006/06/07 00:29:43 marka Exp $ */ +/* $Id: dighost.c,v 1.221.2.32 2006/08/01 00:54:08 marka Exp $ */ /* * Notice to programmers: Do not use this code as an example of how to @@ -154,6 +154,9 @@ cancel_lookup(dig_lookup_t *lookup); static void recv_done(isc_task_t *task, isc_event_t *event); +static void +send_udp(dig_query_t *query); + static void connect_timeout(isc_task_t *task, isc_event_t *event); @@ -1519,6 +1522,8 @@ static void send_done(isc_task_t *_task, isc_event_t *event) { isc_socketevent_t *sevent = (isc_socketevent_t *)event; isc_buffer_t *b = NULL; + dig_query_t *query, *next; + dig_lookup_t *l; REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE); @@ -1526,17 +1531,28 @@ send_done(isc_task_t *_task, isc_event_t *event) { LOCK_LOOKUP; + debug("send_done()"); + sendcount--; + debug("sendcount=%d", sendcount); + INSIST(sendcount >= 0); + for (b = ISC_LIST_HEAD(sevent->bufferlist); b != NULL; b = ISC_LIST_HEAD(sevent->bufferlist)) ISC_LIST_DEQUEUE(sevent->bufferlist, b, link); + query = event->ev_arg; + l = query->lookup; + + if (l->ns_search_only && !l->trace_root) { + debug("sending next, since searching"); + next = ISC_LIST_NEXT(query, link); + if (next != NULL) + send_udp(next); + } + isc_event_free(&event); - debug("send_done()"); - sendcount--; - debug("sendcount=%d", sendcount); - INSIST(sendcount >= 0); check_if_done(); UNLOCK_LOOKUP; } @@ -1684,7 +1700,6 @@ send_tcp_connect(dig_query_t *query) { static void send_udp(dig_query_t *query) { dig_lookup_t *l = NULL; - dig_query_t *next; isc_result_t result; debug("send_udp(%p)", query); @@ -1742,16 +1757,6 @@ send_udp(dig_query_t *query) { &query->sockaddr, NULL); check_result(result, "isc_socket_sendtov"); sendcount++; - /* - * If we're at the endgame of a nameserver search, we need to - * immediately bring up all the queries. Do it here. - */ - if (l->ns_search_only && !l->trace_root) { - debug("sending next, since searching"); - next = ISC_LIST_NEXT(query, link); - if (next != NULL) - send_udp(next); - } } /* From 854dac0f186e5b491d65f6d73dd6e440e7a2c227 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 01:03:27 +0000 Subject: [PATCH 379/465] 2063. [bug] Change #1955 introduced a bug which caused the first 'rndc flush' call to not free memory. [RT #16244] --- CHANGES | 3 +++ lib/dns/cache.c | 30 +++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index c5247c9da4..b5ede0e132 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2063. [bug] Change #1955 introduced a bug which caused the first + 'rndc flush' call to not free memory. [RT #16244] + 2062. [bug] 'dig +nssearch' was reusing a buffer before it had been returned by the socket code. [RT #16307] diff --git a/lib/dns/cache.c b/lib/dns/cache.c index 78d98c54e6..83f58e8e32 100644 --- a/lib/dns/cache.c +++ b/lib/dns/cache.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: cache.c,v 1.72 2006/07/19 00:24:17 marka Exp $ */ +/* $Id: cache.c,v 1.73 2006/08/01 01:03:27 marka Exp $ */ /*! \file */ @@ -108,6 +108,7 @@ struct cache_cleaner { clean in one increment */ cleaner_state_t state; /*% Idle/Busy. */ isc_boolean_t overmem; /*% The cache is in an overmem state. */ + isc_boolean_t replaceiterator; }; /*% @@ -566,6 +567,7 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr, cleaner->cache = cache; cleaner->iterator = NULL; cleaner->overmem = ISC_FALSE; + cleaner->replaceiterator = ISC_FALSE; cleaner->task = NULL; cleaner->cleaning_timer = NULL; @@ -815,6 +817,17 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) { if (cleaner->state == cleaner_s_done) { cleaner->state = cleaner_s_busy; end_cleaning(cleaner, event); + LOCK(&cleaner->cache->lock); + LOCK(&cleaner->lock); + if (cleaner->replaceiterator) { + dns_dbiterator_destroy(&cleaner->iterator); + (void) dns_db_createiterator(cleaner->cache->db, + ISC_FALSE, + &cleaner->iterator); + cleaner->replaceiterator = ISC_FALSE; + } + UNLOCK(&cleaner->lock); + UNLOCK(&cleaner->cache->lock); return; } @@ -1067,8 +1080,23 @@ dns_cache_flush(dns_cache_t *cache) { if (result != ISC_R_SUCCESS) return (result); + LOCK(&cache->lock); + LOCK(&cache->cleaner.lock); + if (cache->cleaner.state == cleaner_s_idle) { + if (cache->cleaner.iterator != NULL) + dns_dbiterator_destroy(&cache->cleaner.iterator); + (void) dns_db_createiterator(db, ISC_FALSE, + &cache->cleaner.iterator); + } else { + if (cache->cleaner.state == cleaner_s_busy) + cache->cleaner.state = cleaner_s_done; + cache->cleaner.replaceiterator = ISC_TRUE; + } dns_db_detach(&cache->db); cache->db = db; + UNLOCK(&cache->cleaner.lock); + UNLOCK(&cache->lock); + return (ISC_R_SUCCESS); } From 97bf73d2783d4de3d394e3391cef98184026d307 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 01:07:32 +0000 Subject: [PATCH 380/465] 2063. [bug] Change #1955 introduced a bug which caused the first 'rndc flush' call to not free memory. [RT #16244] --- CHANGES | 3 +++ lib/dns/cache.c | 30 +++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 7b6c6df712..4e4353b040 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2063. [bug] Change #1955 introduced a bug which caused the first + 'rndc flush' call to not free memory. [RT #16244] + 2062. [bug] 'dig +nssearch' was reusing a buffer before it had been returned by the socket code. [RT #16307] diff --git a/lib/dns/cache.c b/lib/dns/cache.c index cd78a8e3d8..99253d3394 100644 --- a/lib/dns/cache.c +++ b/lib/dns/cache.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: cache.c,v 1.45.2.12 2006/05/04 02:22:15 marka Exp $ */ +/* $Id: cache.c,v 1.45.2.13 2006/08/01 01:07:32 marka Exp $ */ #include @@ -97,6 +97,7 @@ struct cache_cleaner { clean in one increment */ cleaner_state_t state; /* Idle/Busy. */ isc_boolean_t overmem; /* The cache is in an overmem state. */ + isc_boolean_t replaceiterator; }; /* @@ -484,6 +485,7 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr, cleaner->cache = cache; cleaner->iterator = NULL; cleaner->overmem = ISC_FALSE; + cleaner->replaceiterator = ISC_FALSE; cleaner->task = NULL; cleaner->cleaning_timer = NULL; @@ -723,6 +725,17 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) { if (cleaner->state == cleaner_s_done) { cleaner->state = cleaner_s_busy; end_cleaning(cleaner, event); + LOCK(&cleaner->cache->lock); + LOCK(&cleaner->lock); + if (cleaner->replaceiterator) { + dns_dbiterator_destroy(&cleaner->iterator); + (void) dns_db_createiterator(cleaner->cache->db, + ISC_FALSE, + &cleaner->iterator); + cleaner->replaceiterator = ISC_FALSE; + } + UNLOCK(&cleaner->lock); + UNLOCK(&cleaner->cache->lock); return; } @@ -970,7 +983,22 @@ dns_cache_flush(dns_cache_t *cache) { if (result != ISC_R_SUCCESS) return (result); + LOCK(&cache->lock); + LOCK(&cache->cleaner.lock); + if (cache->cleaner.state == cleaner_s_idle) { + if (cache->cleaner.iterator != NULL) + dns_dbiterator_destroy(&cache->cleaner.iterator); + (void) dns_db_createiterator(db, ISC_FALSE, + &cache->cleaner.iterator); + } else { + if (cache->cleaner.state == cleaner_s_busy) + cache->cleaner.state = cleaner_s_done; + cache->cleaner.replaceiterator = ISC_TRUE; + } dns_db_detach(&cache->db); cache->db = db; + UNLOCK(&cache->cleaner.lock); + UNLOCK(&cache->lock); + return (ISC_R_SUCCESS); } From 393e4679cf4dd8bafb031d8a61ece95af61fbedc Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 01:15:03 +0000 Subject: [PATCH 381/465] 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218] --- CHANGES | 2 + lib/bind/configure | 495 ++++++++++++++++++++++++++++++++++- lib/bind/configure.in | 162 +++++++++++- lib/bind/include/netdb.h | 41 ++- lib/bind/irs/getprotoent_r.c | 8 +- lib/bind/irs/getservent_r.c | 16 +- lib/bind/port_before.h.in | 4 + 7 files changed, 710 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index b5ede0e132..0986633dfb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2064. [bug] libbind: silence AIX compiler warnings. [RT #16218] + 2063. [bug] Change #1955 introduced a bug which caused the first 'rndc flush' call to not free memory. [RT #16244] diff --git a/lib/bind/configure b/lib/bind/configure index af71152b68..652206d00f 100644 --- a/lib/bind/configure +++ b/lib/bind/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.in Revision: 1.119 . +# From configure.in Revision: 1.120 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -464,7 +464,7 @@ ac_includes_default="\ # include #endif" -ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_NEEDSYSSELECTH WANT_IRS_GR WANT_IRS_GR_OBJS WANT_IRS_PW WANT_IRS_PW_OBJS WANT_IRS_NIS WANT_IRS_NIS_OBJS WANT_IRS_NISGR_OBJS WANT_IRS_NISPW_OBJS WANT_IRS_DBPW_OBJS ALWAYS_DEFINES DO_PTHREADS WANT_IRS_THREADSGR_OBJS WANT_IRS_THREADSPW_OBJS WANT_IRS_THREADS_OBJS WANT_THREADS_OBJS USE_IFNAMELINKID ISC_THREAD_DIR DAEMON_OBJS NEED_DAEMON STRSEP_OBJS NEED_STRSEP NEED_STRERROR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK HAS_INET6_STRUCTS ISC_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H HAS_IN_ADDR6 NEED_IN6ADDR_ANY ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C HAVE_SIN6_SCOPE_ID HAVE_SOCKADDR_STORAGE ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON HAVE_SA_LEN HAVE_MINIMUM_IFREQ BSD_COMP SOLARIS_BITTYPES USE_FIONBIO_IOCTL PORT_NONBLOCK PORT_DIR USE_POLL HAVE_MD5 SOLARIS2 PORT_INCLUDE ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO NEED_PSELECT NEED_GETTIMEOFDAY HAVE_STRNDUP ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS USE_SYSERROR_LIST ISC_PLATFORM_QUADFORMAT ISC_SOCKLEN_T GETGROUPLIST_ARGS NET_R_ARGS NET_R_BAD NET_R_COPY NET_R_COPY_ARGS NET_R_OK NET_R_SETANSWER NET_R_RETURN GETNETBYADDR_ADDR_T NETENT_DATA NET_R_ENT_ARGS NET_R_SET_RESULT NET_R_SET_RETURN NET_R_END_RESULT NET_R_END_RETURN GROUP_R_ARGS GROUP_R_BAD GROUP_R_OK GROUP_R_RETURN GROUP_R_END_RESULT GROUP_R_END_RETURN GROUP_R_ENT_ARGS GROUP_R_SET_RESULT GROUP_R_SET_RETURN HOST_R_ARGS HOST_R_BAD HOST_R_COPY HOST_R_COPY_ARGS HOST_R_ERRNO HOST_R_OK HOST_R_RETURN HOST_R_SETANSWER HOSTENT_DATA HOST_R_END_RESULT HOST_R_END_RETURN HOST_R_ENT_ARGS HOST_R_SET_RESULT HOST_R_SET_RETURN SETPWENT_VOID SETGRENT_VOID NGR_R_ARGS NGR_R_BAD NGR_R_COPY NGR_R_COPY_ARGS NGR_R_OK NGR_R_RETURN NGR_R_PRIVATE NGR_R_END_RESULT NGR_R_END_RETURN NGR_R_ENT_ARGS NGR_R_SET_RESULT NGR_R_SET_RETURN PROTO_R_ARGS PROTO_R_BAD PROTO_R_COPY PROTO_R_COPY_ARGS PROTO_R_OK PROTO_R_SETANSWER PROTO_R_RETURN PROTO_R_END_RESULT PROTO_R_END_RETURN PROTO_R_ENT_ARGS PROTO_R_SET_RESULT PROTO_R_SET_RETURN PASS_R_ARGS PASS_R_BAD PASS_R_COPY PASS_R_COPY_ARGS PASS_R_OK PASS_R_RETURN PASS_R_END_RESULT PASS_R_END_RETURN PASS_R_ENT_ARGS PASS_R_SET_RESULT PASS_R_SET_RETURN SERV_R_ARGS SERV_R_BAD SERV_R_COPY SERV_R_COPY_ARGS SERV_R_OK SERV_R_SETANSWER SERV_R_RETURN SERV_R_END_RESULT SERV_R_END_RETURN SERV_R_ENT_ARGS SERV_R_SET_RESULT SERV_R_SET_RETURN SETNETGRENT_ARGS INNETGR_ARGS BIND9_TOP_BUILDDIR BIND9_VERSION LIBOBJS LTLIBOBJS' +ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_NEEDSYSSELECTH WANT_IRS_GR WANT_IRS_GR_OBJS WANT_IRS_PW WANT_IRS_PW_OBJS WANT_IRS_NIS WANT_IRS_NIS_OBJS WANT_IRS_NISGR_OBJS WANT_IRS_NISPW_OBJS WANT_IRS_DBPW_OBJS ALWAYS_DEFINES DO_PTHREADS WANT_IRS_THREADSGR_OBJS WANT_IRS_THREADSPW_OBJS WANT_IRS_THREADS_OBJS WANT_THREADS_OBJS USE_IFNAMELINKID ISC_THREAD_DIR DAEMON_OBJS NEED_DAEMON STRSEP_OBJS NEED_STRSEP NEED_STRERROR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK HAS_INET6_STRUCTS ISC_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H HAS_IN_ADDR6 NEED_IN6ADDR_ANY ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C HAVE_SIN6_SCOPE_ID HAVE_SOCKADDR_STORAGE ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON HAVE_SA_LEN HAVE_MINIMUM_IFREQ BSD_COMP SOLARIS_BITTYPES USE_FIONBIO_IOCTL PORT_NONBLOCK PORT_DIR USE_POLL HAVE_MD5 SOLARIS2 PORT_INCLUDE ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO NEED_PSELECT NEED_GETTIMEOFDAY HAVE_STRNDUP ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS USE_SYSERROR_LIST ISC_PLATFORM_QUADFORMAT ISC_SOCKLEN_T GETGROUPLIST_ARGS NET_R_ARGS NET_R_BAD NET_R_COPY NET_R_COPY_ARGS NET_R_OK NET_R_SETANSWER NET_R_RETURN GETNETBYADDR_ADDR_T NETENT_DATA NET_R_ENT_ARGS NET_R_SET_RESULT NET_R_SET_RETURN NET_R_END_RESULT NET_R_END_RETURN GROUP_R_ARGS GROUP_R_BAD GROUP_R_OK GROUP_R_RETURN GROUP_R_END_RESULT GROUP_R_END_RETURN GROUP_R_ENT_ARGS GROUP_R_SET_RESULT GROUP_R_SET_RETURN HOST_R_ARGS HOST_R_BAD HOST_R_COPY HOST_R_COPY_ARGS HOST_R_ERRNO HOST_R_OK HOST_R_RETURN HOST_R_SETANSWER HOSTENT_DATA HOST_R_END_RESULT HOST_R_END_RETURN HOST_R_ENT_ARGS HOST_R_SET_RESULT HOST_R_SET_RETURN SETPWENT_VOID SETGRENT_VOID NGR_R_ARGS NGR_R_BAD NGR_R_COPY NGR_R_COPY_ARGS NGR_R_OK NGR_R_RETURN NGR_R_PRIVATE NGR_R_END_RESULT NGR_R_END_RETURN NGR_R_ENT_ARGS NGR_R_SET_RESULT NGR_R_SET_RETURN PROTO_R_ARGS PROTO_R_BAD PROTO_R_COPY PROTO_R_COPY_ARGS PROTO_R_OK PROTO_R_SETANSWER PROTO_R_RETURN PROTOENT_DATA PROTO_R_END_RESULT PROTO_R_END_RETURN PROTO_R_ENT_ARGS PROTO_R_ENT_UNUSED PROTO_R_SET_RESULT PROTO_R_SET_RETURN PASS_R_ARGS PASS_R_BAD PASS_R_COPY PASS_R_COPY_ARGS PASS_R_OK PASS_R_RETURN PASS_R_END_RESULT PASS_R_END_RETURN PASS_R_ENT_ARGS PASS_R_SET_RESULT PASS_R_SET_RETURN SERV_R_ARGS SERV_R_BAD SERV_R_COPY SERV_R_COPY_ARGS SERV_R_OK SERV_R_SETANSWER SERV_R_RETURN SERVENT_DATA SERV_R_END_RESULT SERV_R_END_RETURN SERV_R_ENT_ARGS SERV_R_ENT_UNUSED SERV_R_SET_RESULT SERV_R_SET_RETURN SETNETGRENT_ARGS INNETGR_ARGS BIND9_TOP_BUILDDIR BIND9_VERSION LIBOBJS LTLIBOBJS' ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBBIND_API' # Initialize some variables set by options. @@ -26260,6 +26260,62 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#undef __USE_MISC +#define __USE_MISC +#include +int getnetbyaddr_r (in_addr_t, int, struct netent *, struct netent_data *); + +int +main () +{ +return (0) + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr" +NET_R_BAD="#define NET_R_BAD (-1)" +NET_R_COPY="#define NET_R_COPY ndptr" +NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr" +NET_R_OK="#define NET_R_OK 0" +NET_R_SETANSWER="#undef NET_R_SETANSWER" +NET_R_RETURN="#define NET_R_RETURN int" +GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long" +NETENT_DATA="#define NETENT_DATA 1" + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -26388,6 +26444,9 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + else NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen" NET_R_BAD="#define NET_R_BAD NULL" @@ -28863,10 +28922,69 @@ fi echo "$as_me:$LINENO: result: $ac_cv_func_endnetgrent_r" >&5 echo "${ECHO_T}$ac_cv_func_endnetgrent_r" >&6 if test $ac_cv_func_endnetgrent_r = yes; then - NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef __USE_MISC +#define __USE_MISC +#include +void endnetgrent_r(void **ptr); + + +int +main () +{ +return (0); + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /* empty */" +NGR_R_END_RETURN="#define NGR_R_END_RETURN void" +NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)" NGR_R_END_RETURN="#define NGR_R_END_RETURN int" NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS" + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + else NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /*empty*/" NGR_R_END_RETURN="#define NGR_R_END_RETURN void" @@ -29243,6 +29361,7 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS" PROTO_R_OK="#define PROTO_R_OK pptr" PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *" +PROTOENT_DATA="#undef PROTOENT_DATA" else @@ -29302,12 +29421,76 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen" PROTO_R_OK="#define PROTO_R_OK 0" PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1" PROTO_R_RETURN="#define PROTO_R_RETURN int" +PROTOENT_DATA="#undef PROTOENT_DATA" else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef __USE_MISC +#define __USE_MISC +#include +int getprotoent_r (struct protoent *, struct protoent_data *prot_data); + + + +int +main () +{ +return (0); + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +PROTO_R_ARGS="#define PROTO_R_ARGS struct protoent_data *prot_data" +PROTO_R_BAD="#define PROTO_R_BAD (-1)" +PROTO_R_COPY="#define PROTO_R_COPY prot_data" +PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS struct protoent_data *pdptr" +PROTO_R_OK="#define PROTO_R_OK 0" +PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" +PROTO_R_RETURN="#define PROTO_R_RETURN int" +PROTOENT_DATA="#define PROTOENT_DATA 1" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -29322,9 +29505,11 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS" PROTO_R_OK="#define PROTO_R_OK pptr" PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *" +PROTOENT_DATA="#undef PROTOENT_DATA" fi +;; esac @@ -29334,6 +29519,7 @@ esac + case $host in ia64-hp-hpux11.*) ;; @@ -29478,6 +29664,63 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS" +PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +void endprotoent_r(struct protoent_data *); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" +PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" +PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" +PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" else @@ -29487,10 +29730,14 @@ sed 's/^/| /' conftest.$ac_ext >&5 fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + else PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/" +PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED" fi @@ -29499,6 +29746,7 @@ esac + case $host in ia64-hp-hpux11.*) ;; @@ -29645,6 +29893,60 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int setprotoent_r (int, struct protoent_data *); + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + PROTO_R_SET_RESULT="#define PROTO_R_SET_RESULT (0)" +PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN int" + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -30795,6 +31097,67 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef __USE_MISC +#define __USE_MISC +#include +int +getservent_r (struct servent *, struct servent_data *serv_data); + +int +main () +{ +return (0); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +SERV_R_ARGS="#define SERV_R_ARGS struct servent_data *serv_data" +SERV_R_BAD="#define SERV_R_BAD (-1)" +SERV_R_COPY="#define SERV_R_COPY serv_data" +SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS struct servent_data *sdptr" +SERV_R_OK="#define SERV_R_OK (0)" +SERV_R_SETANSWER="#undef SERV_R_SETANSWER" +SERV_R_RETURN="#define SERV_R_RETURN int" +SERVENT_DATA="#define SERVENT_DATA 1" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -30821,6 +31184,7 @@ esac + case $host in ia64-hp-hpux11.*) ;; @@ -30965,6 +31329,63 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" SERV_R_END_RETURN="#define SERV_R_END_RETURN void " SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/" +SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +void endservent_r(struct servent_data *serv_data); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" +SERV_R_END_RETURN="#define SERV_R_END_RETURN void " +SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" +SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" else @@ -30974,10 +31395,14 @@ sed 's/^/| /' conftest.$ac_ext >&5 fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + else SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" SERV_R_END_RETURN="#define SERV_R_END_RETURN void " SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/" +SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/" fi @@ -30986,6 +31411,7 @@ esac + case $host in ia64-hp-hpux11.*) ;; @@ -31093,7 +31519,7 @@ cat >>conftest.$ac_ext <<_ACEOF #undef __USE_MISC #define __USE_MISC #include -void setservent_r(int); +void setservent_r(int); int @@ -31135,6 +31561,63 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int setservent_r(int, struct servent_data *); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +SERV_R_SET_RESULT="#define SERV_R_SET_RESULT (0)" +SERV_R_SET_RETURN="#define SERV_R_SET_RETURN int" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -32308,9 +32791,11 @@ s,@PROTO_R_COPY_ARGS@,$PROTO_R_COPY_ARGS,;t t s,@PROTO_R_OK@,$PROTO_R_OK,;t t s,@PROTO_R_SETANSWER@,$PROTO_R_SETANSWER,;t t s,@PROTO_R_RETURN@,$PROTO_R_RETURN,;t t +s,@PROTOENT_DATA@,$PROTOENT_DATA,;t t s,@PROTO_R_END_RESULT@,$PROTO_R_END_RESULT,;t t s,@PROTO_R_END_RETURN@,$PROTO_R_END_RETURN,;t t s,@PROTO_R_ENT_ARGS@,$PROTO_R_ENT_ARGS,;t t +s,@PROTO_R_ENT_UNUSED@,$PROTO_R_ENT_UNUSED,;t t s,@PROTO_R_SET_RESULT@,$PROTO_R_SET_RESULT,;t t s,@PROTO_R_SET_RETURN@,$PROTO_R_SET_RETURN,;t t s,@PASS_R_ARGS@,$PASS_R_ARGS,;t t @@ -32331,9 +32816,11 @@ s,@SERV_R_COPY_ARGS@,$SERV_R_COPY_ARGS,;t t s,@SERV_R_OK@,$SERV_R_OK,;t t s,@SERV_R_SETANSWER@,$SERV_R_SETANSWER,;t t s,@SERV_R_RETURN@,$SERV_R_RETURN,;t t +s,@SERVENT_DATA@,$SERVENT_DATA,;t t s,@SERV_R_END_RESULT@,$SERV_R_END_RESULT,;t t s,@SERV_R_END_RETURN@,$SERV_R_END_RETURN,;t t s,@SERV_R_ENT_ARGS@,$SERV_R_ENT_ARGS,;t t +s,@SERV_R_ENT_UNUSED@,$SERV_R_ENT_UNUSED,;t t s,@SERV_R_SET_RESULT@,$SERV_R_SET_RESULT,;t t s,@SERV_R_SET_RETURN@,$SERV_R_SET_RETURN,;t t s,@SETNETGRENT_ARGS@,$SETNETGRENT_ARGS,;t t diff --git a/lib/bind/configure.in b/lib/bind/configure.in index 2e974be4a2..348d51309d 100644 --- a/lib/bind/configure.in +++ b/lib/bind/configure.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.119 $) +AC_REVISION($Revision: 1.120 $) AC_INIT(resolv/herror.c) AC_PREREQ(2.13) @@ -1399,6 +1399,24 @@ AC_TRY_COMPILE( #undef __USE_MISC #define __USE_MISC [#include +int getnetbyaddr_r (in_addr_t, int, struct netent *, struct netent_data *); +], +[return (0)], +[ +NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr" +NET_R_BAD="#define NET_R_BAD (-1)" +NET_R_COPY="#define NET_R_COPY ndptr" +NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr" +NET_R_OK="#define NET_R_OK 0" +NET_R_SETANSWER="#undef NET_R_SETANSWER" +NET_R_RETURN="#define NET_R_RETURN int" +GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long" +NETENT_DATA="#define NETENT_DATA 1" +], +AC_TRY_COMPILE( +#undef __USE_MISC +#define __USE_MISC +[#include int getnetbyaddr_r (long, int, struct netent *, struct netent_data *); ], [return (0)], @@ -1437,6 +1455,7 @@ NETENT_DATA="#undef NETENT_DATA" ) ) ) +) , NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen" NET_R_BAD="#define NET_R_BAD NULL" @@ -1903,9 +1922,28 @@ AC_SUBST(NGR_R_RETURN) AC_SUBST(NGR_R_PRIVATE) AC_CHECK_FUNC(endnetgrent_r, +AC_TRY_COMPILE( +[ +#undef __USE_MISC +#define __USE_MISC +#include +void endnetgrent_r(void **ptr); +] +, +[return (0);] +, +[ +NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /* empty */" +NGR_R_END_RETURN="#define NGR_R_END_RETURN void" +NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS" +] +, +[ NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)" NGR_R_END_RETURN="#define NGR_R_END_RETURN int" NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS" +] +) , NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /*empty*/" NGR_R_END_RETURN="#define NGR_R_END_RETURN void" @@ -1962,6 +2000,7 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS" PROTO_R_OK="#define PROTO_R_OK pptr" PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *" +PROTOENT_DATA="#undef PROTOENT_DATA" ] , AC_TRY_COMPILE( @@ -1983,8 +2022,32 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen" PROTO_R_OK="#define PROTO_R_OK 0" PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1" PROTO_R_RETURN="#define PROTO_R_RETURN int" +PROTOENT_DATA="#undef PROTOENT_DATA" ] , +AC_TRY_COMPILE( +[ +#undef __USE_MISC +#define __USE_MISC +#include +int getprotoent_r (struct protoent *, struct protoent_data *prot_data); + +] +, +[return (0);] +, +[ +PROTO_R_ARGS="#define PROTO_R_ARGS struct protoent_data *prot_data" +PROTO_R_BAD="#define PROTO_R_BAD (-1)" +PROTO_R_COPY="#define PROTO_R_COPY prot_data" +PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS struct protoent_data *pdptr" +PROTO_R_OK="#define PROTO_R_OK 0" +PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" +PROTO_R_RETURN="#define PROTO_R_RETURN int" +PROTOENT_DATA="#define PROTOENT_DATA 1" +] +, +) ) ) , @@ -1995,7 +2058,9 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS" PROTO_R_OK="#define PROTO_R_OK pptr" PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *" +PROTOENT_DATA="#undef PROTOENT_DATA" ) +;; esac AC_SUBST(PROTO_R_ARGS) AC_SUBST(PROTO_R_BAD) @@ -2004,6 +2069,7 @@ AC_SUBST(PROTO_R_COPY_ARGS) AC_SUBST(PROTO_R_OK) AC_SUBST(PROTO_R_SETANSWER) AC_SUBST(PROTO_R_RETURN) +AC_SUBST(PROTOENT_DATA) case $host in ia64-hp-hpux11.*) @@ -2024,18 +2090,39 @@ void endprotoent_r(void); PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS" +PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +void endprotoent_r(struct protoent_data *); +] +,, +[ +PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" +PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" +PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" +PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" +] +, +) ) , PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/" +PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED" ) esac AC_SUBST(PROTO_R_END_RESULT) AC_SUBST(PROTO_R_END_RETURN) AC_SUBST(PROTO_R_ENT_ARGS) +AC_SUBST(PROTO_R_ENT_UNUSED) case $host in ia64-hp-hpux11.*) @@ -2054,6 +2141,19 @@ void setprotoent_r __P((int)); PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT" PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void" , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int setprotoent_r (int, struct protoent_data *); +],[], +PROTO_R_SET_RESULT="#define PROTO_R_SET_RESULT (0)" +PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN int" +, +) ) , PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT" @@ -2188,6 +2288,25 @@ SERV_R_SETANSWER="#define SERV_R_SETANSWER 1" SERV_R_RETURN="#define SERV_R_RETURN int" ] , +AC_TRY_COMPILE([ +#undef __USE_MISC +#define __USE_MISC +#include +int +getservent_r (struct servent *, struct servent_data *serv_data); +],[return (0);], +[ +SERV_R_ARGS="#define SERV_R_ARGS struct servent_data *serv_data" +SERV_R_BAD="#define SERV_R_BAD (-1)" +SERV_R_COPY="#define SERV_R_COPY serv_data" +SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS struct servent_data *sdptr" +SERV_R_OK="#define SERV_R_OK (0)" +SERV_R_SETANSWER="#undef SERV_R_SETANSWER" +SERV_R_RETURN="#define SERV_R_RETURN int" +SERVENT_DATA="#define SERVENT_DATA 1" +] +, +) ) ) , @@ -2207,6 +2326,7 @@ AC_SUBST(SERV_R_COPY_ARGS) AC_SUBST(SERV_R_OK) AC_SUBST(SERV_R_SETANSWER) AC_SUBST(SERV_R_RETURN) +AC_SUBST(SERVENT_DATA) case $host in ia64-hp-hpux11.*) @@ -2228,18 +2348,40 @@ void endservent_r(void); SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" SERV_R_END_RETURN="#define SERV_R_END_RETURN void " SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/" +SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +void endservent_r(struct servent_data *serv_data); +] +, +, +[ +SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" +SERV_R_END_RETURN="#define SERV_R_END_RETURN void " +SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" +SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" +] +, +) ) , SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" SERV_R_END_RETURN="#define SERV_R_END_RETURN void " SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/" +SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/" ) esac AC_SUBST(SERV_R_END_RESULT) AC_SUBST(SERV_R_END_RETURN) AC_SUBST(SERV_R_ENT_ARGS) +AC_SUBST(SERV_R_ENT_UNUSED) case $host in ia64-hp-hpux11.*) @@ -2253,7 +2395,7 @@ AC_TRY_COMPILE( #undef __USE_MISC #define __USE_MISC #include -void setservent_r(int); +void setservent_r(int); ] ,, [ @@ -2261,6 +2403,22 @@ SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT" SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int setservent_r(int, struct servent_data *); +] +,, +[ +SERV_R_SET_RESULT="#define SERV_R_SET_RESULT (0)" +SERV_R_SET_RETURN="#define SERV_R_SET_RETURN int" +] +, +) ) , SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT" diff --git a/lib/bind/include/netdb.h b/lib/bind/include/netdb.h index baef1002db..27c12ab10a 100644 --- a/lib/bind/include/netdb.h +++ b/lib/bind/include/netdb.h @@ -86,7 +86,7 @@ /* * @(#)netdb.h 8.1 (Berkeley) 6/2/93 - * $Id: netdb.h,v 1.18 2006/03/06 02:22:36 marka Exp $ + * $Id: netdb.h,v 1.19 2006/08/01 01:14:16 marka Exp $ */ #ifndef _NETDB_H_ @@ -290,7 +290,7 @@ struct hostent_data { struct netent_data { FILE *net_fp; -#ifdef __osf__ +#if defined(__osf__) || defined(_AIX) char line[_MAXLINELEN]; #endif #ifdef __hpux @@ -307,10 +307,21 @@ struct netent_data { char *current; int currentlen; #endif +#ifdef _AIX + int _net_stayopen; + char *current; + int currentlen; + void *_net_reserv1; /* reserved for future use */ + void *_net_reserv2; /* reserved for future use */ +#endif }; struct protoent_data { FILE *proto_fp; +#ifdef _AIX + int _proto_stayopen; + char line[_MAXLINELEN]; +#endif #ifdef __osf__ char line[1024]; #endif @@ -328,11 +339,17 @@ struct protoent_data { char *current; int currentlen; #endif +#ifdef _AIX + int currentlen; + char *current; + void *_proto_reserv1; /* reserved for future use */ + void *_proto_reserv2; /* reserved for future use */ +#endif }; struct servent_data { FILE *serv_fp; -#ifdef __osf__ +#if defined(__osf__) || defined(_AIX) char line[_MAXLINELEN]; #endif #ifdef __hpux @@ -349,6 +366,13 @@ struct servent_data { char *current; int currentlen; #endif +#ifdef _AIX + int _serv_stayopen; + char *current; + int currentlen; + void *_serv_reserv1; /* reserved for future use */ + void *_serv_reserv2; /* reserved for future use */ +#endif }; #endif #endif @@ -456,6 +480,15 @@ int endservent_r __P((struct servent_data *)); #else void endservent_r __P((struct servent_data *)); #endif +#ifdef _AIX +int setnetgrent_r __P((const char *, void **)); +void endnetgrent_r __P((void **)); +/* + * Note: AIX's netdb.h declares innetgr_r() as: + * int innetgr_r(char *, char *, char *, char *, struct innetgr_data *); + */ +int innetgr_r __P((const char *, const char *, const char *, + const char *)); #else /* defined(sun) || defined(bsdi) */ #ifdef __GLIBC__ @@ -526,8 +559,6 @@ void endservent_r __P((void)); #ifdef __GLIBC__ int getnetgrent_r __P((char **, char **, char **, char *, size_t)); #endif -#ifdef _AIX -int setnetgrent_r __P((char *, void **)); #endif #endif diff --git a/lib/bind/irs/getprotoent_r.c b/lib/bind/irs/getprotoent_r.c index 648bfef450..d5d9ae53b6 100644 --- a/lib/bind/irs/getprotoent_r.c +++ b/lib/bind/irs/getprotoent_r.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: getprotoent_r.c,v 1.5 2005/04/27 04:56:26 sra Exp $"; +static const char rcsid[] = "$Id: getprotoent_r.c,v 1.6 2006/08/01 01:14:16 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include @@ -109,6 +109,9 @@ setprotoent_r(int stay_open, PROTO_R_ENT_ARGS) setprotoent_r(int stay_open) #endif { +#ifdef PROTO_R_ENT_UNUSED + PROTO_R_ENT_UNUSED; +#endif setprotoent(stay_open); #ifdef PROTO_R_SET_RESULT return (PROTO_R_SET_RESULT); @@ -122,6 +125,9 @@ endprotoent_r(PROTO_R_ENT_ARGS) endprotoent_r() #endif { +#ifdef PROTO_R_ENT_UNUSED + PROTO_R_ENT_UNUSED; +#endif endprotoent(); PROTO_R_END_RESULT(PROTO_R_OK); } diff --git a/lib/bind/irs/getservent_r.c b/lib/bind/irs/getservent_r.c index aa12d5dbab..42d1e46163 100644 --- a/lib/bind/irs/getservent_r.c +++ b/lib/bind/irs/getservent_r.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: getservent_r.c,v 1.5 2005/04/27 04:56:27 sra Exp $"; +static const char rcsid[] = "$Id: getservent_r.c,v 1.6 2006/08/01 01:14:16 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include @@ -112,7 +112,9 @@ setservent_r(int stay_open, SERV_R_ENT_ARGS) setservent_r(int stay_open) #endif { - +#ifdef SERV_R_ENT_UNUSED + SERV_R_ENT_UNUSED; +#endif setservent(stay_open); #ifdef SERV_R_SET_RESULT return (SERV_R_SET_RESULT); @@ -126,7 +128,9 @@ endservent_r(SERV_R_ENT_ARGS) endservent_r() #endif { - +#ifdef SERV_R_ENT_UNUSED + SERV_R_ENT_UNUSED; +#endif endservent(); SERV_R_END_RESULT(SERV_R_OK); } @@ -194,8 +198,8 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) { sptr->s_port = se->s_port; /* copy official name */ - cp = ndptr->line; - eob = ndptr->line + sizeof(ndptr->line); + cp = sdptr->line; + eob = sdptr->line + sizeof(sdptr->line); if ((n = strlen(se->s_name) + 1) < (eob - cp)) { strcpy(cp, se->s_name); sptr->s_name = cp; @@ -206,7 +210,7 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) { /* copy aliases */ i = 0; - sptr->s_aliases = ndptr->serv_aliases; + sptr->s_aliases = sdptr->serv_aliases; while (se->s_aliases[i] && i < (_MAXALIASES-1)) { if ((n = strlen(se->s_aliases[i]) + 1) < (eob - cp)) { strcpy(cp, se->s_aliases[i]); diff --git a/lib/bind/port_before.h.in b/lib/bind/port_before.h.in index c0de216a1a..79cf27776b 100644 --- a/lib/bind/port_before.h.in +++ b/lib/bind/port_before.h.in @@ -87,11 +87,13 @@ struct timezone; /* silence warning */ @PROTO_R_END_RESULT@ @PROTO_R_END_RETURN@ @PROTO_R_ENT_ARGS@ +@PROTO_R_ENT_UNUSED@ @PROTO_R_OK@ @PROTO_R_SETANSWER@ @PROTO_R_RETURN@ @PROTO_R_SET_RESULT@ @PROTO_R_SET_RETURN@ +@PROTOENT_DATA@ @PASS_R_ARGS@ @PASS_R_BAD@ @@ -112,11 +114,13 @@ struct timezone; /* silence warning */ @SERV_R_END_RESULT@ @SERV_R_END_RETURN@ @SERV_R_ENT_ARGS@ +@SERV_R_ENT_UNUSED@ @SERV_R_OK@ @SERV_R_SETANSWER@ @SERV_R_RETURN@ @SERV_R_SET_RESULT@ @SERV_R_SET_RETURN@ +@SERVENT_DATA@ #define DE_CONST(konst, var) \ From 86712809bff0635527095f4d82c20e5affdd1c5e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 01:21:20 +0000 Subject: [PATCH 382/465] 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218] --- CHANGES | 2 + lib/bind/configure | 495 ++++++++++++++++++++++++++++++++++- lib/bind/configure.in | 162 +++++++++++- lib/bind/include/netdb.h | 41 ++- lib/bind/irs/getprotoent_r.c | 8 +- lib/bind/irs/getservent_r.c | 16 +- lib/bind/port_before.h.in | 4 + 7 files changed, 710 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index 4e4353b040..5e4c48a651 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2064. [bug] libbind: silence AIX compiler warnings. [RT #16218] + 2063. [bug] Change #1955 introduced a bug which caused the first 'rndc flush' call to not free memory. [RT #16244] diff --git a/lib/bind/configure b/lib/bind/configure index 0cce9be05f..db70b610df 100644 --- a/lib/bind/configure +++ b/lib/bind/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.in Revision: 1.83.2.32 . +# From configure.in Revision: 1.83.2.33 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -464,7 +464,7 @@ ac_includes_default="\ # include #endif" -ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_NEEDSYSSELECTH WANT_IRS_GR WANT_IRS_GR_OBJS WANT_IRS_PW WANT_IRS_PW_OBJS WANT_IRS_NIS WANT_IRS_NIS_OBJS WANT_IRS_NISGR_OBJS WANT_IRS_NISPW_OBJS WANT_IRS_DBPW_OBJS ALWAYS_DEFINES DO_PTHREADS WANT_IRS_THREADSGR_OBJS WANT_IRS_THREADSPW_OBJS WANT_IRS_THREADS_OBJS WANT_THREADS_OBJS USE_IFNAMELINKID ISC_THREAD_DIR DAEMON_OBJS NEED_DAEMON STRSEP_OBJS NEED_STRSEP NEED_STRERROR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK HAS_INET6_STRUCTS ISC_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H HAS_IN_ADDR6 NEED_IN6ADDR_ANY ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C HAVE_SIN6_SCOPE_ID HAVE_SOCKADDR_STORAGE ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON HAVE_SA_LEN HAVE_MINIMUM_IFREQ BSD_COMP SOLARIS_BITTYPES USE_FIONBIO_IOCTL PORT_NONBLOCK PORT_DIR USE_POLL HAVE_MD5 SOLARIS2 PORT_INCLUDE ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO NEED_PSELECT NEED_GETTIMEOFDAY HAVE_STRNDUP ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS USE_SYSERROR_LIST ISC_PLATFORM_QUADFORMAT ISC_SOCKLEN_T GETGROUPLIST_ARGS NET_R_ARGS NET_R_BAD NET_R_COPY NET_R_COPY_ARGS NET_R_OK NET_R_SETANSWER NET_R_RETURN GETNETBYADDR_ADDR_T NETENT_DATA NET_R_ENT_ARGS NET_R_SET_RESULT NET_R_SET_RETURN NET_R_END_RESULT NET_R_END_RETURN GROUP_R_ARGS GROUP_R_BAD GROUP_R_OK GROUP_R_RETURN GROUP_R_END_RESULT GROUP_R_END_RETURN GROUP_R_ENT_ARGS GROUP_R_SET_RESULT GROUP_R_SET_RETURN HOST_R_ARGS HOST_R_BAD HOST_R_COPY HOST_R_COPY_ARGS HOST_R_ERRNO HOST_R_OK HOST_R_RETURN HOST_R_SETANSWER HOSTENT_DATA HOST_R_END_RESULT HOST_R_END_RETURN HOST_R_ENT_ARGS HOST_R_SET_RESULT HOST_R_SET_RETURN SETPWENT_VOID SETGRENT_VOID NGR_R_ARGS NGR_R_BAD NGR_R_COPY NGR_R_COPY_ARGS NGR_R_OK NGR_R_RETURN NGR_R_PRIVATE NGR_R_END_RESULT NGR_R_END_RETURN NGR_R_ENT_ARGS NGR_R_SET_RESULT NGR_R_SET_RETURN PROTO_R_ARGS PROTO_R_BAD PROTO_R_COPY PROTO_R_COPY_ARGS PROTO_R_OK PROTO_R_SETANSWER PROTO_R_RETURN PROTO_R_END_RESULT PROTO_R_END_RETURN PROTO_R_ENT_ARGS PROTO_R_SET_RESULT PROTO_R_SET_RETURN PASS_R_ARGS PASS_R_BAD PASS_R_COPY PASS_R_COPY_ARGS PASS_R_OK PASS_R_RETURN PASS_R_END_RESULT PASS_R_END_RETURN PASS_R_ENT_ARGS PASS_R_SET_RESULT PASS_R_SET_RETURN SERV_R_ARGS SERV_R_BAD SERV_R_COPY SERV_R_COPY_ARGS SERV_R_OK SERV_R_SETANSWER SERV_R_RETURN SERV_R_END_RESULT SERV_R_END_RETURN SERV_R_ENT_ARGS SERV_R_SET_RESULT SERV_R_SET_RETURN SETNETGRENT_ARGS INNETGR_ARGS BIND9_TOP_BUILDDIR BIND9_VERSION LIBOBJS LTLIBOBJS' +ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_NEEDSYSSELECTH WANT_IRS_GR WANT_IRS_GR_OBJS WANT_IRS_PW WANT_IRS_PW_OBJS WANT_IRS_NIS WANT_IRS_NIS_OBJS WANT_IRS_NISGR_OBJS WANT_IRS_NISPW_OBJS WANT_IRS_DBPW_OBJS ALWAYS_DEFINES DO_PTHREADS WANT_IRS_THREADSGR_OBJS WANT_IRS_THREADSPW_OBJS WANT_IRS_THREADS_OBJS WANT_THREADS_OBJS USE_IFNAMELINKID ISC_THREAD_DIR DAEMON_OBJS NEED_DAEMON STRSEP_OBJS NEED_STRSEP NEED_STRERROR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK HAS_INET6_STRUCTS ISC_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H HAS_IN_ADDR6 NEED_IN6ADDR_ANY ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C HAVE_SIN6_SCOPE_ID HAVE_SOCKADDR_STORAGE ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON HAVE_SA_LEN HAVE_MINIMUM_IFREQ BSD_COMP SOLARIS_BITTYPES USE_FIONBIO_IOCTL PORT_NONBLOCK PORT_DIR USE_POLL HAVE_MD5 SOLARIS2 PORT_INCLUDE ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO NEED_PSELECT NEED_GETTIMEOFDAY HAVE_STRNDUP ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS USE_SYSERROR_LIST ISC_PLATFORM_QUADFORMAT ISC_SOCKLEN_T GETGROUPLIST_ARGS NET_R_ARGS NET_R_BAD NET_R_COPY NET_R_COPY_ARGS NET_R_OK NET_R_SETANSWER NET_R_RETURN GETNETBYADDR_ADDR_T NETENT_DATA NET_R_ENT_ARGS NET_R_SET_RESULT NET_R_SET_RETURN NET_R_END_RESULT NET_R_END_RETURN GROUP_R_ARGS GROUP_R_BAD GROUP_R_OK GROUP_R_RETURN GROUP_R_END_RESULT GROUP_R_END_RETURN GROUP_R_ENT_ARGS GROUP_R_SET_RESULT GROUP_R_SET_RETURN HOST_R_ARGS HOST_R_BAD HOST_R_COPY HOST_R_COPY_ARGS HOST_R_ERRNO HOST_R_OK HOST_R_RETURN HOST_R_SETANSWER HOSTENT_DATA HOST_R_END_RESULT HOST_R_END_RETURN HOST_R_ENT_ARGS HOST_R_SET_RESULT HOST_R_SET_RETURN SETPWENT_VOID SETGRENT_VOID NGR_R_ARGS NGR_R_BAD NGR_R_COPY NGR_R_COPY_ARGS NGR_R_OK NGR_R_RETURN NGR_R_PRIVATE NGR_R_END_RESULT NGR_R_END_RETURN NGR_R_ENT_ARGS NGR_R_SET_RESULT NGR_R_SET_RETURN PROTO_R_ARGS PROTO_R_BAD PROTO_R_COPY PROTO_R_COPY_ARGS PROTO_R_OK PROTO_R_SETANSWER PROTO_R_RETURN PROTOENT_DATA PROTO_R_END_RESULT PROTO_R_END_RETURN PROTO_R_ENT_ARGS PROTO_R_ENT_UNUSED PROTO_R_SET_RESULT PROTO_R_SET_RETURN PASS_R_ARGS PASS_R_BAD PASS_R_COPY PASS_R_COPY_ARGS PASS_R_OK PASS_R_RETURN PASS_R_END_RESULT PASS_R_END_RETURN PASS_R_ENT_ARGS PASS_R_SET_RESULT PASS_R_SET_RETURN SERV_R_ARGS SERV_R_BAD SERV_R_COPY SERV_R_COPY_ARGS SERV_R_OK SERV_R_SETANSWER SERV_R_RETURN SERVENT_DATA SERV_R_END_RESULT SERV_R_END_RETURN SERV_R_ENT_ARGS SERV_R_ENT_UNUSED SERV_R_SET_RESULT SERV_R_SET_RETURN SETNETGRENT_ARGS INNETGR_ARGS BIND9_TOP_BUILDDIR BIND9_VERSION LIBOBJS LTLIBOBJS' ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBBIND_API' # Initialize some variables set by options. @@ -26260,6 +26260,62 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#undef __USE_MISC +#define __USE_MISC +#include +int getnetbyaddr_r (in_addr_t, int, struct netent *, struct netent_data *); + +int +main () +{ +return (0) + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr" +NET_R_BAD="#define NET_R_BAD (-1)" +NET_R_COPY="#define NET_R_COPY ndptr" +NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr" +NET_R_OK="#define NET_R_OK 0" +NET_R_SETANSWER="#undef NET_R_SETANSWER" +NET_R_RETURN="#define NET_R_RETURN int" +GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long" +NETENT_DATA="#define NETENT_DATA 1" + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@ -26388,6 +26444,9 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + else NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen" NET_R_BAD="#define NET_R_BAD NULL" @@ -28863,10 +28922,69 @@ fi echo "$as_me:$LINENO: result: $ac_cv_func_endnetgrent_r" >&5 echo "${ECHO_T}$ac_cv_func_endnetgrent_r" >&6 if test $ac_cv_func_endnetgrent_r = yes; then - NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef __USE_MISC +#define __USE_MISC +#include +void endnetgrent_r(void **ptr); + + +int +main () +{ +return (0); + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /* empty */" +NGR_R_END_RETURN="#define NGR_R_END_RETURN void" +NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)" NGR_R_END_RETURN="#define NGR_R_END_RETURN int" NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS" + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + else NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /*empty*/" NGR_R_END_RETURN="#define NGR_R_END_RETURN void" @@ -29243,6 +29361,7 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS" PROTO_R_OK="#define PROTO_R_OK pptr" PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *" +PROTOENT_DATA="#undef PROTOENT_DATA" else @@ -29302,12 +29421,76 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen" PROTO_R_OK="#define PROTO_R_OK 0" PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1" PROTO_R_RETURN="#define PROTO_R_RETURN int" +PROTOENT_DATA="#undef PROTOENT_DATA" else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef __USE_MISC +#define __USE_MISC +#include +int getprotoent_r (struct protoent *, struct protoent_data *prot_data); + + + +int +main () +{ +return (0); + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +PROTO_R_ARGS="#define PROTO_R_ARGS struct protoent_data *prot_data" +PROTO_R_BAD="#define PROTO_R_BAD (-1)" +PROTO_R_COPY="#define PROTO_R_COPY prot_data" +PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS struct protoent_data *pdptr" +PROTO_R_OK="#define PROTO_R_OK 0" +PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" +PROTO_R_RETURN="#define PROTO_R_RETURN int" +PROTOENT_DATA="#define PROTOENT_DATA 1" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -29322,9 +29505,11 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS" PROTO_R_OK="#define PROTO_R_OK pptr" PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *" +PROTOENT_DATA="#undef PROTOENT_DATA" fi +;; esac @@ -29334,6 +29519,7 @@ esac + case $host in ia64-hp-hpux11.*) ;; @@ -29478,6 +29664,63 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS" +PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +void endprotoent_r(struct protoent_data *); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" +PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" +PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" +PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" else @@ -29487,10 +29730,14 @@ sed 's/^/| /' conftest.$ac_ext >&5 fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + else PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/" +PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED" fi @@ -29499,6 +29746,7 @@ esac + case $host in ia64-hp-hpux11.*) ;; @@ -29645,6 +29893,60 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int setprotoent_r (int, struct protoent_data *); + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + PROTO_R_SET_RESULT="#define PROTO_R_SET_RESULT (0)" +PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN int" + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -30795,6 +31097,67 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef __USE_MISC +#define __USE_MISC +#include +int +getservent_r (struct servent *, struct servent_data *serv_data); + +int +main () +{ +return (0); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +SERV_R_ARGS="#define SERV_R_ARGS struct servent_data *serv_data" +SERV_R_BAD="#define SERV_R_BAD (-1)" +SERV_R_COPY="#define SERV_R_COPY serv_data" +SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS struct servent_data *sdptr" +SERV_R_OK="#define SERV_R_OK (0)" +SERV_R_SETANSWER="#undef SERV_R_SETANSWER" +SERV_R_RETURN="#define SERV_R_RETURN int" +SERVENT_DATA="#define SERVENT_DATA 1" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -30821,6 +31184,7 @@ esac + case $host in ia64-hp-hpux11.*) ;; @@ -30965,6 +31329,63 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" SERV_R_END_RETURN="#define SERV_R_END_RETURN void " SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/" +SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +void endservent_r(struct servent_data *serv_data); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" +SERV_R_END_RETURN="#define SERV_R_END_RETURN void " +SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" +SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" else @@ -30974,10 +31395,14 @@ sed 's/^/| /' conftest.$ac_ext >&5 fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + else SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" SERV_R_END_RETURN="#define SERV_R_END_RETURN void " SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/" +SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/" fi @@ -30986,6 +31411,7 @@ esac + case $host in ia64-hp-hpux11.*) ;; @@ -31093,7 +31519,7 @@ cat >>conftest.$ac_ext <<_ACEOF #undef __USE_MISC #define __USE_MISC #include -void setservent_r(int); +void setservent_r(int); int @@ -31135,6 +31561,63 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int setservent_r(int, struct servent_data *); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +SERV_R_SET_RESULT="#define SERV_R_SET_RESULT (0)" +SERV_R_SET_RETURN="#define SERV_R_SET_RETURN int" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -32308,9 +32791,11 @@ s,@PROTO_R_COPY_ARGS@,$PROTO_R_COPY_ARGS,;t t s,@PROTO_R_OK@,$PROTO_R_OK,;t t s,@PROTO_R_SETANSWER@,$PROTO_R_SETANSWER,;t t s,@PROTO_R_RETURN@,$PROTO_R_RETURN,;t t +s,@PROTOENT_DATA@,$PROTOENT_DATA,;t t s,@PROTO_R_END_RESULT@,$PROTO_R_END_RESULT,;t t s,@PROTO_R_END_RETURN@,$PROTO_R_END_RETURN,;t t s,@PROTO_R_ENT_ARGS@,$PROTO_R_ENT_ARGS,;t t +s,@PROTO_R_ENT_UNUSED@,$PROTO_R_ENT_UNUSED,;t t s,@PROTO_R_SET_RESULT@,$PROTO_R_SET_RESULT,;t t s,@PROTO_R_SET_RETURN@,$PROTO_R_SET_RETURN,;t t s,@PASS_R_ARGS@,$PASS_R_ARGS,;t t @@ -32331,9 +32816,11 @@ s,@SERV_R_COPY_ARGS@,$SERV_R_COPY_ARGS,;t t s,@SERV_R_OK@,$SERV_R_OK,;t t s,@SERV_R_SETANSWER@,$SERV_R_SETANSWER,;t t s,@SERV_R_RETURN@,$SERV_R_RETURN,;t t +s,@SERVENT_DATA@,$SERVENT_DATA,;t t s,@SERV_R_END_RESULT@,$SERV_R_END_RESULT,;t t s,@SERV_R_END_RETURN@,$SERV_R_END_RETURN,;t t s,@SERV_R_ENT_ARGS@,$SERV_R_ENT_ARGS,;t t +s,@SERV_R_ENT_UNUSED@,$SERV_R_ENT_UNUSED,;t t s,@SERV_R_SET_RESULT@,$SERV_R_SET_RESULT,;t t s,@SERV_R_SET_RETURN@,$SERV_R_SET_RETURN,;t t s,@SETNETGRENT_ARGS@,$SETNETGRENT_ARGS,;t t diff --git a/lib/bind/configure.in b/lib/bind/configure.in index ad52d16ae9..314d54b851 100644 --- a/lib/bind/configure.in +++ b/lib/bind/configure.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.83.2.32 $) +AC_REVISION($Revision: 1.83.2.33 $) AC_INIT(resolv/herror.c) AC_PREREQ(2.13) @@ -1399,6 +1399,24 @@ AC_TRY_COMPILE( #undef __USE_MISC #define __USE_MISC [#include +int getnetbyaddr_r (in_addr_t, int, struct netent *, struct netent_data *); +], +[return (0)], +[ +NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr" +NET_R_BAD="#define NET_R_BAD (-1)" +NET_R_COPY="#define NET_R_COPY ndptr" +NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr" +NET_R_OK="#define NET_R_OK 0" +NET_R_SETANSWER="#undef NET_R_SETANSWER" +NET_R_RETURN="#define NET_R_RETURN int" +GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long" +NETENT_DATA="#define NETENT_DATA 1" +], +AC_TRY_COMPILE( +#undef __USE_MISC +#define __USE_MISC +[#include int getnetbyaddr_r (long, int, struct netent *, struct netent_data *); ], [return (0)], @@ -1437,6 +1455,7 @@ NETENT_DATA="#undef NETENT_DATA" ) ) ) +) , NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen" NET_R_BAD="#define NET_R_BAD NULL" @@ -1903,9 +1922,28 @@ AC_SUBST(NGR_R_RETURN) AC_SUBST(NGR_R_PRIVATE) AC_CHECK_FUNC(endnetgrent_r, +AC_TRY_COMPILE( +[ +#undef __USE_MISC +#define __USE_MISC +#include +void endnetgrent_r(void **ptr); +] +, +[return (0);] +, +[ +NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /* empty */" +NGR_R_END_RETURN="#define NGR_R_END_RETURN void" +NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS" +] +, +[ NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)" NGR_R_END_RETURN="#define NGR_R_END_RETURN int" NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS" +] +) , NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /*empty*/" NGR_R_END_RETURN="#define NGR_R_END_RETURN void" @@ -1962,6 +2000,7 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS" PROTO_R_OK="#define PROTO_R_OK pptr" PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *" +PROTOENT_DATA="#undef PROTOENT_DATA" ] , AC_TRY_COMPILE( @@ -1983,8 +2022,32 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen" PROTO_R_OK="#define PROTO_R_OK 0" PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1" PROTO_R_RETURN="#define PROTO_R_RETURN int" +PROTOENT_DATA="#undef PROTOENT_DATA" ] , +AC_TRY_COMPILE( +[ +#undef __USE_MISC +#define __USE_MISC +#include +int getprotoent_r (struct protoent *, struct protoent_data *prot_data); + +] +, +[return (0);] +, +[ +PROTO_R_ARGS="#define PROTO_R_ARGS struct protoent_data *prot_data" +PROTO_R_BAD="#define PROTO_R_BAD (-1)" +PROTO_R_COPY="#define PROTO_R_COPY prot_data" +PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS struct protoent_data *pdptr" +PROTO_R_OK="#define PROTO_R_OK 0" +PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" +PROTO_R_RETURN="#define PROTO_R_RETURN int" +PROTOENT_DATA="#define PROTOENT_DATA 1" +] +, +) ) ) , @@ -1995,7 +2058,9 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS" PROTO_R_OK="#define PROTO_R_OK pptr" PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER" PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *" +PROTOENT_DATA="#undef PROTOENT_DATA" ) +;; esac AC_SUBST(PROTO_R_ARGS) AC_SUBST(PROTO_R_BAD) @@ -2004,6 +2069,7 @@ AC_SUBST(PROTO_R_COPY_ARGS) AC_SUBST(PROTO_R_OK) AC_SUBST(PROTO_R_SETANSWER) AC_SUBST(PROTO_R_RETURN) +AC_SUBST(PROTOENT_DATA) case $host in ia64-hp-hpux11.*) @@ -2024,18 +2090,39 @@ void endprotoent_r(void); PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS" +PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +void endprotoent_r(struct protoent_data *); +] +,, +[ +PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" +PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" +PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" +PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" +] +, +) ) , PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/" PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void" PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/" +PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED" ) esac AC_SUBST(PROTO_R_END_RESULT) AC_SUBST(PROTO_R_END_RETURN) AC_SUBST(PROTO_R_ENT_ARGS) +AC_SUBST(PROTO_R_ENT_UNUSED) case $host in ia64-hp-hpux11.*) @@ -2054,6 +2141,19 @@ void setprotoent_r __P((int)); PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT" PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void" , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int setprotoent_r (int, struct protoent_data *); +],[], +PROTO_R_SET_RESULT="#define PROTO_R_SET_RESULT (0)" +PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN int" +, +) ) , PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT" @@ -2188,6 +2288,25 @@ SERV_R_SETANSWER="#define SERV_R_SETANSWER 1" SERV_R_RETURN="#define SERV_R_RETURN int" ] , +AC_TRY_COMPILE([ +#undef __USE_MISC +#define __USE_MISC +#include +int +getservent_r (struct servent *, struct servent_data *serv_data); +],[return (0);], +[ +SERV_R_ARGS="#define SERV_R_ARGS struct servent_data *serv_data" +SERV_R_BAD="#define SERV_R_BAD (-1)" +SERV_R_COPY="#define SERV_R_COPY serv_data" +SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS struct servent_data *sdptr" +SERV_R_OK="#define SERV_R_OK (0)" +SERV_R_SETANSWER="#undef SERV_R_SETANSWER" +SERV_R_RETURN="#define SERV_R_RETURN int" +SERVENT_DATA="#define SERVENT_DATA 1" +] +, +) ) ) , @@ -2207,6 +2326,7 @@ AC_SUBST(SERV_R_COPY_ARGS) AC_SUBST(SERV_R_OK) AC_SUBST(SERV_R_SETANSWER) AC_SUBST(SERV_R_RETURN) +AC_SUBST(SERVENT_DATA) case $host in ia64-hp-hpux11.*) @@ -2228,18 +2348,40 @@ void endservent_r(void); SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" SERV_R_END_RETURN="#define SERV_R_END_RETURN void " SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/" +SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +void endservent_r(struct servent_data *serv_data); +] +, +, +[ +SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" +SERV_R_END_RETURN="#define SERV_R_END_RETURN void " +SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" +SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" +] +, +) ) , SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/" SERV_R_END_RETURN="#define SERV_R_END_RETURN void " SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/" +SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/" ) esac AC_SUBST(SERV_R_END_RESULT) AC_SUBST(SERV_R_END_RETURN) AC_SUBST(SERV_R_ENT_ARGS) +AC_SUBST(SERV_R_ENT_UNUSED) case $host in ia64-hp-hpux11.*) @@ -2253,7 +2395,7 @@ AC_TRY_COMPILE( #undef __USE_MISC #define __USE_MISC #include -void setservent_r(int); +void setservent_r(int); ] ,, [ @@ -2261,6 +2403,22 @@ SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT" SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int setservent_r(int, struct servent_data *); +] +,, +[ +SERV_R_SET_RESULT="#define SERV_R_SET_RESULT (0)" +SERV_R_SET_RETURN="#define SERV_R_SET_RETURN int" +] +, +) ) , SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT" diff --git a/lib/bind/include/netdb.h b/lib/bind/include/netdb.h index ad8156a70a..6ed339c1d3 100644 --- a/lib/bind/include/netdb.h +++ b/lib/bind/include/netdb.h @@ -86,7 +86,7 @@ /* * @(#)netdb.h 8.1 (Berkeley) 6/2/93 - * $Id: netdb.h,v 1.12.2.7 2006/03/06 02:26:19 marka Exp $ + * $Id: netdb.h,v 1.12.2.8 2006/08/01 01:19:33 marka Exp $ */ #ifndef _NETDB_H_ @@ -291,7 +291,7 @@ struct hostent_data { struct netent_data { FILE *net_fp; -#ifdef __osf__ +#if defined(__osf__) || defined(_AIX) char line[_MAXLINELEN]; #endif #ifdef __hpux @@ -308,10 +308,21 @@ struct netent_data { char *current; int currentlen; #endif +#ifdef _AIX + int _net_stayopen; + char *current; + int currentlen; + void *_net_reserv1; /* reserved for future use */ + void *_net_reserv2; /* reserved for future use */ +#endif }; struct protoent_data { FILE *proto_fp; +#ifdef _AIX + int _proto_stayopen; + char line[_MAXLINELEN]; +#endif #ifdef __osf__ char line[1024]; #endif @@ -329,11 +340,17 @@ struct protoent_data { char *current; int currentlen; #endif +#ifdef _AIX + int currentlen; + char *current; + void *_proto_reserv1; /* reserved for future use */ + void *_proto_reserv2; /* reserved for future use */ +#endif }; struct servent_data { FILE *serv_fp; -#ifdef __osf__ +#if defined(__osf__) || defined(_AIX) char line[_MAXLINELEN]; #endif #ifdef __hpux @@ -350,6 +367,13 @@ struct servent_data { char *current; int currentlen; #endif +#ifdef _AIX + int _serv_stayopen; + char *current; + int currentlen; + void *_serv_reserv1; /* reserved for future use */ + void *_serv_reserv2; /* reserved for future use */ +#endif }; #endif #endif @@ -457,6 +481,15 @@ int endservent_r __P((struct servent_data *)); #else void endservent_r __P((struct servent_data *)); #endif +#ifdef _AIX +int setnetgrent_r __P((const char *, void **)); +void endnetgrent_r __P((void **)); +/* + * Note: AIX's netdb.h declares innetgr_r() as: + * int innetgr_r(char *, char *, char *, char *, struct innetgr_data *); + */ +int innetgr_r __P((const char *, const char *, const char *, + const char *)); #else /* defined(sun) || defined(bsdi) */ #ifdef __GLIBC__ @@ -527,8 +560,6 @@ void endservent_r __P((void)); #ifdef __GLIBC__ int getnetgrent_r __P((char **, char **, char **, char *, size_t)); #endif -#ifdef _AIX -int setnetgrent_r __P((char *, void **)); #endif #endif diff --git a/lib/bind/irs/getprotoent_r.c b/lib/bind/irs/getprotoent_r.c index e74e3cbad5..897587c1a1 100644 --- a/lib/bind/irs/getprotoent_r.c +++ b/lib/bind/irs/getprotoent_r.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: getprotoent_r.c,v 1.3.2.1 2004/03/09 09:17:30 marka Exp $"; +static const char rcsid[] = "$Id: getprotoent_r.c,v 1.3.2.2 2006/08/01 01:19:33 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include @@ -109,6 +109,9 @@ setprotoent_r(int stay_open, PROTO_R_ENT_ARGS) setprotoent_r(int stay_open) #endif { +#ifdef PROTO_R_ENT_UNUSED + PROTO_R_ENT_UNUSED; +#endif setprotoent(stay_open); #ifdef PROTO_R_SET_RESULT return (PROTO_R_SET_RESULT); @@ -122,6 +125,9 @@ endprotoent_r(PROTO_R_ENT_ARGS) endprotoent_r() #endif { +#ifdef PROTO_R_ENT_UNUSED + PROTO_R_ENT_UNUSED; +#endif endprotoent(); PROTO_R_END_RESULT(PROTO_R_OK); } diff --git a/lib/bind/irs/getservent_r.c b/lib/bind/irs/getservent_r.c index 87078b0ec7..a53707cb2f 100644 --- a/lib/bind/irs/getservent_r.c +++ b/lib/bind/irs/getservent_r.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: getservent_r.c,v 1.3.2.1 2004/03/09 09:17:31 marka Exp $"; +static const char rcsid[] = "$Id: getservent_r.c,v 1.3.2.2 2006/08/01 01:19:33 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include @@ -112,7 +112,9 @@ setservent_r(int stay_open, SERV_R_ENT_ARGS) setservent_r(int stay_open) #endif { - +#ifdef SERV_R_ENT_UNUSED + SERV_R_ENT_UNUSED; +#endif setservent(stay_open); #ifdef SERV_R_SET_RESULT return (SERV_R_SET_RESULT); @@ -126,7 +128,9 @@ endservent_r(SERV_R_ENT_ARGS) endservent_r() #endif { - +#ifdef SERV_R_ENT_UNUSED + SERV_R_ENT_UNUSED; +#endif endservent(); SERV_R_END_RESULT(SERV_R_OK); } @@ -194,8 +198,8 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) { sptr->s_port = se->s_port; /* copy official name */ - cp = ndptr->line; - eob = ndptr->line + sizeof(ndptr->line); + cp = sdptr->line; + eob = sdptr->line + sizeof(sdptr->line); if ((n = strlen(se->s_name) + 1) < (eob - cp)) { strcpy(cp, se->s_name); sptr->s_name = cp; @@ -206,7 +210,7 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) { /* copy aliases */ i = 0; - sptr->s_aliases = ndptr->serv_aliases; + sptr->s_aliases = sdptr->serv_aliases; while (se->s_aliases[i] && i < (_MAXALIASES-1)) { if ((n = strlen(se->s_aliases[i]) + 1) < (eob - cp)) { strcpy(cp, se->s_aliases[i]); diff --git a/lib/bind/port_before.h.in b/lib/bind/port_before.h.in index c754efd2b0..320fff1905 100644 --- a/lib/bind/port_before.h.in +++ b/lib/bind/port_before.h.in @@ -87,11 +87,13 @@ struct timezone; /* silence warning */ @PROTO_R_END_RESULT@ @PROTO_R_END_RETURN@ @PROTO_R_ENT_ARGS@ +@PROTO_R_ENT_UNUSED@ @PROTO_R_OK@ @PROTO_R_SETANSWER@ @PROTO_R_RETURN@ @PROTO_R_SET_RESULT@ @PROTO_R_SET_RETURN@ +@PROTOENT_DATA@ @PASS_R_ARGS@ @PASS_R_BAD@ @@ -112,11 +114,13 @@ struct timezone; /* silence warning */ @SERV_R_END_RESULT@ @SERV_R_END_RETURN@ @SERV_R_ENT_ARGS@ +@SERV_R_ENT_UNUSED@ @SERV_R_OK@ @SERV_R_SETANSWER@ @SERV_R_RETURN@ @SERV_R_SET_RESULT@ @SERV_R_SET_RETURN@ +@SERVENT_DATA@ #define DE_CONST(konst, var) \ From 8c1fa9afb5d6941b6ff1c62b7e8bb4e403e6f89f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 01:44:13 +0000 Subject: [PATCH 383/465] #endif in wrong place --- lib/bind/include/netdb.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/bind/include/netdb.h b/lib/bind/include/netdb.h index 27c12ab10a..c2d8c7515b 100644 --- a/lib/bind/include/netdb.h +++ b/lib/bind/include/netdb.h @@ -86,7 +86,7 @@ /* * @(#)netdb.h 8.1 (Berkeley) 6/2/93 - * $Id: netdb.h,v 1.19 2006/08/01 01:14:16 marka Exp $ + * $Id: netdb.h,v 1.20 2006/08/01 01:44:13 marka Exp $ */ #ifndef _NETDB_H_ @@ -489,6 +489,7 @@ void endnetgrent_r __P((void **)); */ int innetgr_r __P((const char *, const char *, const char *, const char *)); +#endif #else /* defined(sun) || defined(bsdi) */ #ifdef __GLIBC__ @@ -559,7 +560,6 @@ void endservent_r __P((void)); #ifdef __GLIBC__ int getnetgrent_r __P((char **, char **, char **, char *, size_t)); #endif -#endif #endif #endif From 9cf99fbe5e5e59195782cfd9e2db1c9ee9a253fc Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 01:45:10 +0000 Subject: [PATCH 384/465] #endif in wrong place --- lib/bind/include/netdb.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/bind/include/netdb.h b/lib/bind/include/netdb.h index 6ed339c1d3..0a9bc1df7f 100644 --- a/lib/bind/include/netdb.h +++ b/lib/bind/include/netdb.h @@ -86,7 +86,7 @@ /* * @(#)netdb.h 8.1 (Berkeley) 6/2/93 - * $Id: netdb.h,v 1.12.2.8 2006/08/01 01:19:33 marka Exp $ + * $Id: netdb.h,v 1.12.2.9 2006/08/01 01:45:10 marka Exp $ */ #ifndef _NETDB_H_ @@ -490,6 +490,7 @@ void endnetgrent_r __P((void **)); */ int innetgr_r __P((const char *, const char *, const char *, const char *)); +#endif #else /* defined(sun) || defined(bsdi) */ #ifdef __GLIBC__ @@ -560,7 +561,6 @@ void endservent_r __P((void)); #ifdef __GLIBC__ int getnetgrent_r __P((char **, char **, char **, char *, size_t)); #endif -#endif #endif #endif From 3d28d32c760be180b8fb58c48d8f35807d4a855c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 03:11:26 +0000 Subject: [PATCH 385/465] newcopyrights --- util/copyrights | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/util/copyrights b/util/copyrights index c9b1fee71f..8ccf5ec4ed 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1255,11 +1255,11 @@ ./lib/bind/irs/getnetgrent.c X 2001 ./lib/bind/irs/getnetgrent_r.c X 2001,2005 ./lib/bind/irs/getprotoent.c X 2001 -./lib/bind/irs/getprotoent_r.c X 2001 +./lib/bind/irs/getprotoent_r.c X 2001,2006 ./lib/bind/irs/getpwent.c X 2001 ./lib/bind/irs/getpwent_r.c X 2001 ./lib/bind/irs/getservent.c X 2001 -./lib/bind/irs/getservent_r.c X 2001 +./lib/bind/irs/getservent_r.c X 2001,2006 ./lib/bind/irs/hesiod.c X 2001,2005 ./lib/bind/irs/hesiod_p.h X 2001 ./lib/bind/irs/irp.c X 2001,2006 @@ -1547,7 +1547,7 @@ ./lib/bind/port/unknown/include/.cvsignore X 2001 ./lib/bind/port/unknown/include/Makefile.in MAKE 2001,2004,2005 ./lib/bind/port_after.h.in X 2001,2005,2006 -./lib/bind/port_before.h.in X 2001,2005 +./lib/bind/port_before.h.in X 2001,2005,2006 ./lib/bind/resolv/.cvsignore X 2001 ./lib/bind/resolv/Makefile.in MAKE 2001,2004,2005 ./lib/bind/resolv/herror.c X 2001 From 9d45619a1e2b6dbb97ebb19a7bfafb2adf611c6b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 03:12:09 +0000 Subject: [PATCH 386/465] newcopyrights --- util/copyrights | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/util/copyrights b/util/copyrights index eac79b6fbd..8f910be421 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1377,11 +1377,11 @@ ./lib/bind/irs/getnetgrent.c X 2001,2005 ./lib/bind/irs/getnetgrent_r.c X 2001,2005 ./lib/bind/irs/getprotoent.c X 2001,2005 -./lib/bind/irs/getprotoent_r.c X 2001,2005 +./lib/bind/irs/getprotoent_r.c X 2001,2005,2006 ./lib/bind/irs/getpwent.c X 2001,2005 ./lib/bind/irs/getpwent_r.c X 2001,2005 ./lib/bind/irs/getservent.c X 2001,2005 -./lib/bind/irs/getservent_r.c X 2001,2005 +./lib/bind/irs/getservent_r.c X 2001,2005,2006 ./lib/bind/irs/hesiod.c X 2001,2005 ./lib/bind/irs/hesiod_p.h X 2001,2005 ./lib/bind/irs/irp.c X 2001,2005,2006 @@ -1670,7 +1670,7 @@ ./lib/bind/port/unknown/include/.cvsignore X 2001 ./lib/bind/port/unknown/include/Makefile.in MAKE 2001,2004,2005 ./lib/bind/port_after.h.in X 2001,2005,2006 -./lib/bind/port_before.h.in X 2001,2005 +./lib/bind/port_before.h.in X 2001,2005,2006 ./lib/bind/resolv/.cvsignore X 2001 ./lib/bind/resolv/Makefile.in MAKE 2001,2004,2005 ./lib/bind/resolv/herror.c X 2001,2005 From 8db2f89e23bf4c236da4e6b1401de3c447edee0e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 03:42:56 +0000 Subject: [PATCH 387/465] spelling --- lib/dns/include/dns/zone.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 6e98c9996e..8076b3057e 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.h,v 1.145 2006/06/04 23:17:07 marka Exp $ */ +/* $Id: zone.h,v 1.146 2006/08/01 03:42:56 marka Exp $ */ #ifndef DNS_ZONE_H #define DNS_ZONE_H 1 @@ -1327,7 +1327,7 @@ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone); void dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value); /*%< - * Set the maximum number of simultanious transfers in allowed by + * Set the maximum number of simultaneous transfers in allowed by * the zone manager. * * Requires: @@ -1337,7 +1337,7 @@ dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value); isc_uint32_t dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr); /*%< - * Return the the maximum number of simultanious transfers in allowed. + * Return the the maximum number of simultaneous transfers in allowed. * * Requires: *\li 'zmgr' to be a valid zone manager. From ce350735d8efa1d41d7efdd26783d069aa363eba Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 03:44:38 +0000 Subject: [PATCH 388/465] spelling --- lib/dns/include/dns/zone.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 2826fa0276..9e8551fe9a 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.h,v 1.106.2.11 2006/03/02 00:37:17 marka Exp $ */ +/* $Id: zone.h,v 1.106.2.12 2006/08/01 03:44:38 marka Exp $ */ #ifndef DNS_ZONE_H #define DNS_ZONE_H 1 @@ -1185,7 +1185,7 @@ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone); void dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value); /* - * Set the maximum number of simultanious transfers in allowed by + * Set the maximum number of simultaneous transfers in allowed by * the zone manager. * * Requires: @@ -1195,7 +1195,7 @@ dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value); isc_uint32_t dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr); /* - * Return the the maximum number of simultanious transfers in allowed. + * Return the the maximum number of simultaneous transfers in allowed. * * Requires: * 'zmgr' to be a valid zone manager. From f975557d21bb8797b8806483b969fa4e4c98a48d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 04:00:55 +0000 Subject: [PATCH 389/465] 9.2.7rc1 --- .../patch/bind9/bind-9.2.7-patch | 260 +++++++++--------- 1 file changed, 123 insertions(+), 137 deletions(-) diff --git a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch index 98c060729e..82b6a49838 100644 --- a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch +++ b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch @@ -17,8 +17,8 @@ and install. Index: README.idnkit ---- /dev/null Fri May 26 13:45:50 2006 -+++ README.idnkit Fri May 26 12:50:53 2006 +--- /dev/null Tue Aug 1 13:55:49 2006 ++++ README.idnkit Tue Aug 1 13:48:21 2006 @@ -0,0 +1,113 @@ + + BIND-9 IDN patch @@ -136,10 +136,10 @@ Index: README.idnkit Index: configure =================================================================== RCS file: /proj/cvs/prod/bind9/configure,v -retrieving revision 1.284.2.56 -diff -U2 -r1.284.2.56 configure ---- configure 3 Mar 2006 03:32:29 -0000 1.284.2.56 -+++ configure 26 May 2006 03:50:50 -0000 +retrieving revision 1.284.2.59 +diff -U2 -r1.284.2.59 configure +--- configure 20 Jul 2006 06:08:28 -0000 1.284.2.59 ++++ configure 1 Aug 2006 03:58:10 -0000 @@ -466,5 +466,5 @@ #endif" @@ -156,183 +156,183 @@ diff -U2 -r1.284.2.56 configure + --with-idnlib=ARG specify libidnkit Some influential environment variables: -@@ -8268,5 +8272,5 @@ +@@ -8733,5 +8737,5 @@ *-*-irix6*) # Find out which ABI we are using. -- echo '#line 8270 "configure"' > conftest.$ac_ext -+ echo '#line 8274 "configure"' > conftest.$ac_ext +- echo '#line 8735 "configure"' > conftest.$ac_ext ++ echo '#line 8739 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 -@@ -9265,5 +9269,5 @@ +@@ -9730,5 +9734,5 @@ # Provide some information about the compiler. --echo "$as_me:9267:" \ -+echo "$as_me:9271:" \ +-echo "$as_me:9732:" \ ++echo "$as_me:9736:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` -@@ -10326,9 +10330,9 @@ +@@ -10791,9 +10795,9 @@ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` -- (eval echo "\"\$as_me:10328: $lt_compile\"" >&5) -+ (eval echo "\"\$as_me:10332: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:10793: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:10797: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 -- echo "$as_me:10332: \$? = $ac_status" >&5 -+ echo "$as_me:10336: \$? = $ac_status" >&5 +- echo "$as_me:10797: \$? = $ac_status" >&5 ++ echo "$as_me:10801: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized -@@ -10569,9 +10573,9 @@ +@@ -11034,9 +11038,9 @@ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` -- (eval echo "\"\$as_me:10571: $lt_compile\"" >&5) -+ (eval echo "\"\$as_me:10575: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:11036: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:11040: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 -- echo "$as_me:10575: \$? = $ac_status" >&5 -+ echo "$as_me:10579: \$? = $ac_status" >&5 +- echo "$as_me:11040: \$? = $ac_status" >&5 ++ echo "$as_me:11044: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized -@@ -10629,9 +10633,9 @@ +@@ -11094,9 +11098,9 @@ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` -- (eval echo "\"\$as_me:10631: $lt_compile\"" >&5) -+ (eval echo "\"\$as_me:10635: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:11096: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:11100: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 -- echo "$as_me:10635: \$? = $ac_status" >&5 -+ echo "$as_me:10639: \$? = $ac_status" >&5 +- echo "$as_me:11100: \$? = $ac_status" >&5 ++ echo "$as_me:11104: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then -@@ -12814,5 +12818,5 @@ +@@ -13279,5 +13283,5 @@ lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) -+ (eval echo "\"\$as_me:15115: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:15576: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:15580: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 -- echo "$as_me:15115: \$? = $ac_status" >&5 -+ echo "$as_me:15119: \$? = $ac_status" >&5 +- echo "$as_me:15580: \$? = $ac_status" >&5 ++ echo "$as_me:15584: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized -@@ -15169,9 +15173,9 @@ +@@ -15634,9 +15638,9 @@ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` -- (eval echo "\"\$as_me:15171: $lt_compile\"" >&5) -+ (eval echo "\"\$as_me:15175: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:15636: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:15640: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 -- echo "$as_me:15175: \$? = $ac_status" >&5 -+ echo "$as_me:15179: \$? = $ac_status" >&5 +- echo "$as_me:15640: \$? = $ac_status" >&5 ++ echo "$as_me:15644: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then -@@ -16530,5 +16534,5 @@ +@@ -16995,5 +16999,5 @@ lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) -+ (eval echo "\"\$as_me:17471: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:17932: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:17936: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 -- echo "$as_me:17471: \$? = $ac_status" >&5 -+ echo "$as_me:17475: \$? = $ac_status" >&5 +- echo "$as_me:17936: \$? = $ac_status" >&5 ++ echo "$as_me:17940: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized -@@ -17525,9 +17529,9 @@ +@@ -17990,9 +17994,9 @@ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` -- (eval echo "\"\$as_me:17527: $lt_compile\"" >&5) -+ (eval echo "\"\$as_me:17531: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:17992: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:17996: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 -- echo "$as_me:17531: \$? = $ac_status" >&5 -+ echo "$as_me:17535: \$? = $ac_status" >&5 +- echo "$as_me:17996: \$? = $ac_status" >&5 ++ echo "$as_me:18000: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then -@@ -19564,9 +19568,9 @@ +@@ -20029,9 +20033,9 @@ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` -- (eval echo "\"\$as_me:19566: $lt_compile\"" >&5) -+ (eval echo "\"\$as_me:19570: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:20031: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:20035: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 -- echo "$as_me:19570: \$? = $ac_status" >&5 -+ echo "$as_me:19574: \$? = $ac_status" >&5 +- echo "$as_me:20035: \$? = $ac_status" >&5 ++ echo "$as_me:20039: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized -@@ -19807,9 +19811,9 @@ +@@ -20272,9 +20276,9 @@ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` -- (eval echo "\"\$as_me:19809: $lt_compile\"" >&5) -+ (eval echo "\"\$as_me:19813: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:20274: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:20278: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 -- echo "$as_me:19813: \$? = $ac_status" >&5 -+ echo "$as_me:19817: \$? = $ac_status" >&5 +- echo "$as_me:20278: \$? = $ac_status" >&5 ++ echo "$as_me:20282: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized -@@ -19867,9 +19871,9 @@ +@@ -20332,9 +20336,9 @@ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` -- (eval echo "\"\$as_me:19869: $lt_compile\"" >&5) -+ (eval echo "\"\$as_me:19873: $lt_compile\"" >&5) +- (eval echo "\"\$as_me:20334: $lt_compile\"" >&5) ++ (eval echo "\"\$as_me:20338: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 -- echo "$as_me:19873: \$? = $ac_status" >&5 -+ echo "$as_me:19877: \$? = $ac_status" >&5 +- echo "$as_me:20338: \$? = $ac_status" >&5 ++ echo "$as_me:20342: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then -@@ -22052,5 +22056,5 @@ +@@ -22517,5 +22521,5 @@ lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext < header file. */ @@ -803,7 +803,7 @@ diff -U2 -r1.47.2.21 config.h.in + /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H -@@ -187,4 +190,7 @@ +@@ -190,4 +193,7 @@ #undef HAVE_RSA_GENERATE_KEY +/* Define to 1 if you have the `setlocale' function. */ @@ -811,7 +811,7 @@ diff -U2 -r1.47.2.21 config.h.in + /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H -@@ -255,4 +261,7 @@ +@@ -258,4 +264,7 @@ #undef USE_FIONBIO_IOCTL +/* define if idnkit support is to be included. */ @@ -825,7 +825,7 @@ RCS file: /proj/cvs/prod/bind9/bin/dig/Makefile.in,v retrieving revision 1.25.2.4 diff -U2 -r1.25.2.4 Makefile.in --- bin/dig/Makefile.in 18 Aug 2004 23:22:52 -0000 1.25.2.4 -+++ bin/dig/Makefile.in 26 May 2006 03:50:53 -0000 ++++ bin/dig/Makefile.in 1 Aug 2006 03:58:13 -0000 @@ -37,5 +37,5 @@ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} @@ -836,18 +836,11 @@ diff -U2 -r1.25.2.4 Makefile.in Index: bin/dig/dig.1 =================================================================== RCS file: /proj/cvs/prod/bind9/bin/dig/dig.1,v -retrieving revision 1.14.2.9 -diff -U2 -r1.14.2.9 dig.1 ---- bin/dig/dig.1 13 Oct 2005 02:23:26 -0000 1.14.2.9 -+++ bin/dig/dig.1 26 May 2006 03:50:54 -0000 -@@ -14,5 +14,5 @@ - .\" PERFORMANCE OF THIS SOFTWARE. - .\" --.\" $Id: dig.1,v 1.14.2.9 2005/10/13 02:23:26 marka Exp $ -+.\" $Id$ - .\" - .hy 0 -@@ -364,4 +364,15 @@ +retrieving revision 1.14.2.10 +diff -U2 -r1.14.2.10 dig.1 +--- bin/dig/dig.1 29 Jun 2006 13:02:05 -0000 1.14.2.10 ++++ bin/dig/dig.1 1 Aug 2006 03:58:13 -0000 +@@ -371,4 +371,15 @@ will not print the initial query when it looks up the NS records for isc.org. +.SH "IDN SUPPORT" @@ -869,7 +862,7 @@ RCS file: /proj/cvs/prod/bind9/bin/dig/dig.docbook,v retrieving revision 1.4.2.11 diff -U2 -r1.4.2.11 dig.docbook --- bin/dig/dig.docbook 12 May 2005 21:35:06 -0000 1.4.2.11 -+++ bin/dig/dig.docbook 26 May 2006 03:50:55 -0000 ++++ bin/dig/dig.docbook 1 Aug 2006 03:58:14 -0000 @@ -547,4 +547,19 @@ @@ -882,7 +875,7 @@ diff -U2 -r1.4.2.11 dig.docbook +reply from the server. +If you'd like to turn off the IDN support for some reason, defines +the IDN_DISABLE environment variable. -+The IDN support is disabled if the the variable is set when ++The IDN support is disabled if the the variable is set when +dig runs. + + @@ -893,10 +886,10 @@ diff -U2 -r1.4.2.11 dig.docbook Index: bin/dig/dighost.c =================================================================== RCS file: /proj/cvs/prod/bind9/bin/dig/dighost.c,v -retrieving revision 1.221.2.29 -diff -U2 -r1.221.2.29 dighost.c ---- bin/dig/dighost.c 14 Oct 2005 01:37:48 -0000 1.221.2.29 -+++ bin/dig/dighost.c 26 May 2006 03:50:59 -0000 +retrieving revision 1.221.2.32 +diff -U2 -r1.221.2.32 dighost.c +--- bin/dig/dighost.c 1 Aug 2006 00:54:08 -0000 1.221.2.32 ++++ bin/dig/dighost.c 1 Aug 2006 03:58:17 -0000 @@ -33,4 +33,15 @@ #include @@ -930,7 +923,7 @@ diff -U2 -r1.221.2.29 dighost.c + /* * Apply and clear locks at the event level in global task. -@@ -732,4 +755,8 @@ +@@ -735,4 +758,8 @@ } +#ifdef WITH_IDN @@ -939,7 +932,7 @@ diff -U2 -r1.221.2.29 dighost.c + if (keyfile[0] != 0) setup_file_key(); -@@ -1255,4 +1282,12 @@ +@@ -1258,4 +1285,12 @@ dns_compress_t cctx; char store[MXNAME]; +#ifdef WITH_IDN @@ -952,7 +945,7 @@ diff -U2 -r1.221.2.29 dighost.c +#endif REQUIRE(lookup != NULL); -@@ -1283,4 +1318,15 @@ +@@ -1286,4 +1321,15 @@ sizeof(lookup->onamespace)); +#ifdef WITH_IDN @@ -968,7 +961,7 @@ diff -U2 -r1.221.2.29 dighost.c + /* * If the name has too many dots, force the origin to be NULL -@@ -1291,4 +1337,11 @@ +@@ -1294,4 +1340,11 @@ */ /* XXX New search here? */ +#ifdef WITH_IDN @@ -980,7 +973,7 @@ diff -U2 -r1.221.2.29 dighost.c +#else if ((count_dots(lookup->textname) >= ndots) || !usesearch) lookup->origin = NULL; /* Force abs lookup */ -@@ -1296,5 +1349,27 @@ +@@ -1299,5 +1352,27 @@ lookup->origin = ISC_LIST_HEAD(search_list); } +#endif @@ -1008,7 +1001,7 @@ diff -U2 -r1.221.2.29 dighost.c +#endif debug("trying origin %s", lookup->origin->origin); result = dns_message_gettempname(lookup->sendmsg, -@@ -1341,4 +1416,13 @@ +@@ -1344,4 +1419,13 @@ dns_name_clone(dns_rootname, lookup->name); else { +#ifdef WITH_IDN @@ -1022,13 +1015,13 @@ diff -U2 -r1.221.2.29 dighost.c +#else len = strlen(lookup->textname); isc_buffer_init(&b, lookup->textname, len); -@@ -1348,4 +1432,5 @@ +@@ -1351,4 +1435,5 @@ ISC_FALSE, &lookup->namebuf); +#endif } if (result != ISC_R_SUCCESS) { -@@ -2863,2 +2948,100 @@ +@@ -2879,2 +2964,100 @@ isc_mem_destroy(&mctx); } + @@ -1132,18 +1125,11 @@ diff -U2 -r1.221.2.29 dighost.c Index: bin/dig/host.1 =================================================================== RCS file: /proj/cvs/prod/bind9/bin/dig/host.1,v -retrieving revision 1.11.2.5 -diff -U2 -r1.11.2.5 host.1 ---- bin/dig/host.1 13 Oct 2005 02:23:26 -0000 1.11.2.5 -+++ bin/dig/host.1 26 May 2006 03:51:00 -0000 -@@ -14,5 +14,5 @@ - .\" PERFORMANCE OF THIS SOFTWARE. - .\" --.\" $Id: host.1,v 1.11.2.5 2005/10/13 02:23:26 marka Exp $ -+.\" $Id$ - .\" - .hy 0 -@@ -165,4 +165,15 @@ +retrieving revision 1.11.2.6 +diff -U2 -r1.11.2.6 host.1 +--- bin/dig/host.1 29 Jun 2006 13:02:05 -0000 1.11.2.6 ++++ bin/dig/host.1 1 Aug 2006 03:58:17 -0000 +@@ -168,4 +168,15 @@ \fBhost\fR will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity. +.SH "IDN SUPPORT" @@ -1165,7 +1151,7 @@ RCS file: /proj/cvs/prod/bind9/bin/dig/host.docbook,v retrieving revision 1.2.2.5 diff -U2 -r1.2.2.5 host.docbook --- bin/dig/host.docbook 12 May 2005 21:35:06 -0000 1.2.2.5 -+++ bin/dig/host.docbook 26 May 2006 03:51:00 -0000 ++++ bin/dig/host.docbook 1 Aug 2006 03:58:17 -0000 @@ -199,4 +199,19 @@ @@ -1192,7 +1178,7 @@ RCS file: /proj/cvs/prod/bind9/lib/dns/name.c,v retrieving revision 1.127.2.14 diff -U2 -r1.127.2.14 name.c --- lib/dns/name.c 2 Mar 2006 00:37:17 -0000 1.127.2.14 -+++ lib/dns/name.c 26 May 2006 03:51:04 -0000 ++++ lib/dns/name.c 1 Aug 2006 03:58:20 -0000 @@ -199,4 +199,11 @@ dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive); @@ -1237,7 +1223,7 @@ RCS file: /proj/cvs/prod/bind9/lib/dns/include/dns/name.h,v retrieving revision 1.95.2.11 diff -U2 -r1.95.2.11 name.h --- lib/dns/include/dns/name.h 2 Mar 2006 00:37:17 -0000 1.95.2.11 -+++ lib/dns/include/dns/name.h 26 May 2006 03:51:06 -0000 ++++ lib/dns/include/dns/name.h 1 Aug 2006 03:58:21 -0000 @@ -220,4 +220,15 @@ #define DNS_NAME_MAXWIRE 255 From 3e9631ceaa30bd896f1c432bfe390466a3cfb8a5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 04:06:03 +0000 Subject: [PATCH 390/465] 9.2.7rc1 --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 5e4c48a651..d42f97955f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ + + --- 9.2.7rc1 released --- + 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218] 2063. [bug] Change #1955 introduced a bug which caused the first From 635af0704dbb97899afc20f082151130d1023ffc Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Aug 2006 23:16:55 +0000 Subject: [PATCH 391/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 66d3dd9db4..6db9312e2c 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -59,6 +59,7 @@ rt16290 new rt16292 new rt16300 new rt16307 new +rt16313 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From 2ca8eb30b7804c722a014142fa48db16adbd4140 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 2 Aug 2006 00:38:00 +0000 Subject: [PATCH 392/465] new draft --- doc/draft/draft-ietf-dnsop-respsize-02.txt | 480 ---------------- doc/draft/draft-ietf-dnsop-respsize-04.txt | 640 +++++++++++++++++++++ 2 files changed, 640 insertions(+), 480 deletions(-) delete mode 100644 doc/draft/draft-ietf-dnsop-respsize-02.txt create mode 100644 doc/draft/draft-ietf-dnsop-respsize-04.txt diff --git a/doc/draft/draft-ietf-dnsop-respsize-02.txt b/doc/draft/draft-ietf-dnsop-respsize-02.txt deleted file mode 100644 index 63fe2de521..0000000000 --- a/doc/draft/draft-ietf-dnsop-respsize-02.txt +++ /dev/null @@ -1,480 +0,0 @@ - - - - - - - DNSOP Working Group Paul Vixie, ISC - INTERNET-DRAFT Akira Kato, WIDE - July 2005 - - DNS Response Size Issues - - Status of this Memo - By submitting this Internet-Draft, each author represents that any - applicable patent or other IPR claims of which he or she is aware - have been or will be disclosed, and any of which he or she becomes - aware will be disclosed, in accordance with Section 6 of BCP 79. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Copyright Notice - - Copyright (C) The Internet Society (2005). All Rights Reserved. - - - - - Abstract - - With a mandated default minimum maximum message size of 512 octets, - the DNS protocol presents some special problems for zones wishing to - expose a moderate or high number of authority servers (NS RRs). This - document explains the operational issues caused by, or related to - this response size limit. - - - - - - - Expires December 2005 [Page 1] - - INTERNET-DRAFT July 2005 RESPSIZE - - - 1 - Introduction and Overview - - 1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512 - octets. Even though this limitation was due to the required minimum UDP - reassembly limit for IPv4, it is a hard DNS protocol limit and is not - implicitly relaxed by changes in transport, for example to IPv6. - - 1.2. The EDNS0 standard (see [RFC2671 2.3, 4.5]) permits larger - responses by mutual agreement of the requestor and responder. However, - deployment of EDNS0 cannot be expected to reach every Internet resolver - in the short or medium term. The 512 octet message size limit remains - in practical effect at this time. - - 1.3. Since DNS responses include a copy of the request, the space - available for response data is somewhat less than the full 512 octets. - For negative responses, there is rarely a space constraint. For - positive and delegation responses, though, every octet must be carefully - and sparingly allocated. This document specifically addresses - delegation response sizes. - - 2 - Delegation Details - - 2.1. A delegation response will include the following elements: - - Header Section: fixed length (12 octets) - Question Section: original query (name, class, type) - Answer Section: (empty) - Authority Section: NS RRset (nameserver names) - Additional Section: A and AAAA RRsets (nameserver addresses) - - 2.2. If the total response size would exceed 512 octets, and if the data - that would not fit belonged in the question, answer, or authority - section, then the TC bit will be set (indicating truncation) which may - cause the requestor to retry using TCP, depending on what information - was desired and what information was omitted. If a retry using TCP is - needed, the total cost of the transaction is much higher. (See [RFC1123 - 6.1.3.2] for details on the protocol requirement that UDP be attempted - before falling back to TCP.) - - 2.3. RRsets are never sent partially unless truncation occurs, in which - case the final apparent RRset in the final nonempty section must be - considered "possibly damaged". With or without truncation, the glue - present in the additional data section should be considered "possibly - incomplete", and requestors should be prepared to re-query for any - damaged or missing RRsets. For multi-transport name or mail services, - - - - Expires December 2005 [Page 2] - - INTERNET-DRAFT July 2005 RESPSIZE - - - this can mean querying for an IPv6 (AAAA) RRset even when an IPv4 (A) - RRset is present. - - 2.4. DNS label compression allows a domain name to be instantiated only - once per DNS message, and then referenced with a two-octet "pointer" - from other locations in that same DNS message. If all nameserver names - in a message are similar (for example, all ending in ".ROOT- - SERVERS.NET"), then more space will be available for uncompressable data - (such as nameserver addresses). - - 2.5. The query name can be as long as 255 characters of presentation - data, which can be up to 256 octets of network data. In this worst case - scenario, the question section will be 260 octets in size, which would - leave only 240 octets for the authority and additional sections (after - deducting 12 octets for the fixed length header.) - - 2.6. Average and maximum question section sizes can be predicted by the - zone owner, since they will know what names actually exist, and can - measure which ones are queried for most often. For cost and performance - reasons, the majority of requests should be satisfied without truncation - or TCP retry. - - 2.7. Requestors who deliberately send large queries to force truncation - are only increasing their own costs, and cannot effectively attack the - resources of an authority server since the requestor would have to retry - using TCP to complete the attack. An attack that always used TCP would - have a lower cost. - - 2.8. The minimum useful number of address records is two, since with - only one address, the probability that it would refer to an unreachable - server is too high. Truncation which occurs after two address records - have been added to the additional data section is therefore less - operationally significant than truncation which occurs earlier. - - 2.9. The best case is no truncation. This is because many requestors - will retry using TCP by reflex, or will automatically re-query for - RRsets that are "possibly truncated", without considering whether the - omitted data was actually necessary. - - 2.10. Each added NS RR for a zone will add a minimum of between 16 and - 44 octets to every untruncated referral or negative response from the - zone's authority servers (16 octets for an NS RR, 16 octets for an A RR, - and 28 octets for an AAAA RR), in addition to whatever space is taken by - the nameserver name (NS NSDNAME and A/AAAA owner name). - - - - - Expires December 2005 [Page 3] - - INTERNET-DRAFT July 2005 RESPSIZE - - - 3 - Analysis - - 3.1. An instrumented protocol trace of a best case delegation response - follows. Note that 13 servers are named, and 13 addresses are given. - This query was artificially designed to exactly reach the 512 octet - limit. - - ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13 - ;; QUERY SECTION: - ;; [23456789.123456789.123456789.\ - 123456789.123456789.123456789.com A IN] ;; @80 - - ;; AUTHORITY SECTION: - com. 86400 NS E.GTLD-SERVERS.NET. ;; @112 - com. 86400 NS F.GTLD-SERVERS.NET. ;; @128 - com. 86400 NS G.GTLD-SERVERS.NET. ;; @144 - com. 86400 NS H.GTLD-SERVERS.NET. ;; @160 - com. 86400 NS I.GTLD-SERVERS.NET. ;; @176 - com. 86400 NS J.GTLD-SERVERS.NET. ;; @192 - com. 86400 NS K.GTLD-SERVERS.NET. ;; @208 - com. 86400 NS L.GTLD-SERVERS.NET. ;; @224 - com. 86400 NS M.GTLD-SERVERS.NET. ;; @240 - com. 86400 NS A.GTLD-SERVERS.NET. ;; @256 - com. 86400 NS B.GTLD-SERVERS.NET. ;; @272 - com. 86400 NS C.GTLD-SERVERS.NET. ;; @288 - com. 86400 NS D.GTLD-SERVERS.NET. ;; @304 - - ;; ADDITIONAL SECTION: - A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320 - B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336 - C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352 - D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368 - E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384 - F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400 - G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416 - H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432 - I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448 - J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464 - K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480 - L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496 - M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512 - - ;; MSG SIZE sent: 80 rcvd: 512 - - - - - - Expires December 2005 [Page 4] - - INTERNET-DRAFT July 2005 RESPSIZE - - - 3.2. For longer query names, the number of address records supplied will - be lower. Furthermore, it is only by using a common parent name (which - is GTLD-SERVERS.NET in this example) that all 13 addresses are able to - fit. The following output from a response simulator demonstrates these - properties: - - % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br - a.dns.br requires 10 bytes - b.dns.br requires 4 bytes - c.dns.br requires 4 bytes - d.dns.br requires 4 bytes - # of NS: 4 - For maximum size query (255 byte): - if only A is considered: # of A is 4 (green) - if A and AAAA are condered: # of A+AAAA is 3 (yellow) - if prefer_glue A is assumed: # of A is 4, # of AAAA is 3 (yellow) - For average size query (64 byte): - if only A is considered: # of A is 4 (green) - if A and AAAA are condered: # of A+AAAA is 4 (green) - if prefer_glue A is assumed: # of A is 4, # of AAAA is 4 (green) - - % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int - ns-ext.isc.org requires 16 bytes - ns.psg.com requires 12 bytes - ns.ripe.net requires 13 bytes - ns.eu.int requires 11 bytes - # of NS: 4 - For maximum size query (255 byte): - if only A is considered: # of A is 4 (green) - if A and AAAA are condered: # of A+AAAA is 3 (yellow) - if prefer_glue A is assumed: # of A is 4, # of AAAA is 2 (yellow) - For average size query (64 byte): - if only A is considered: # of A is 4 (green) - if A and AAAA are condered: # of A+AAAA is 4 (green) - if prefer_glue A is assumed: # of A is 4, # of AAAA is 4 (green) - - (Note: The response simulator program is shown in Section 5.) - - Here we use the term "green" if all address records could fit, or - "orange" if two or more could fit, or "red" if fewer than two could fit. - It's clear that without a common parent for nameserver names, much space - would be lost. For these examples we use an average/common name size of - 15 octets, befitting our assumption of GTLD-SERVERS.NET as our common - parent name. - - - - - Expires December 2005 [Page 5] - - INTERNET-DRAFT July 2005 RESPSIZE - - - We're assuming an average query name size of 64 since that is the - typical average maximum size seen in trace data at the time of this - writing. If Internationalized Domain Name (IDN) or any other technology - which results in larger query names be deployed significantly in advance - of EDNS, then new measurements and new estimates will have to be made. - - 4 - Conclusions - - 4.1. The current practice of giving all nameserver names a common parent - (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS - responses and allows for more nameservers to be enumerated than would - otherwise be possible. (Note that in this case it is wise to serve the - common parent domain's zone from the same servers that are named within - it, in order to limit external dependencies when all your eggs are in a - single basket.) - - 4.2. Thirteen (13) seems to be the effective maximum number of - nameserver names usable traditional (non-extended) DNS, assuming a - common parent domain name, and given that response truncation is - undesirable as an average case, and assuming mostly IPv4-only - reachability (only A RRs exist, not AAAA RRs). - - 4.3. Adding two to five IPv6 nameserver address records (AAAA RRs) to a - prototypical delegation that currently contains thirteen (13) IPv4 - nameserver addresses (A RRs) for thirteen (13) nameserver names under a - common parent, would not have a significant negative operational impact - on the domain name system. - - 5 - Source Code - - #!/usr/bin/perl - # - # SYNOPSIS - # repsize.pl [ -z zone ] fqdn_ns1 fqdn_ns2 ... - # if all queries are assumed to have zone suffux, such as "jp" in - # JP TLD servers, specify it in -z option - # - use strict; - use Getopt::Std; - my ($sz_msg) = (512); - my ($sz_header, $sz_ptr, $sz_rr_a, $sz_rr_aaaa) = (12, 2, 16, 28); - my ($sz_type, $sz_class, $sz_ttl, $sz_rdlen) = (2, 2, 4, 2); - my (%namedb, $name, $nssect, %opts, $optz); - my $n_ns = 0; - - - - - Expires December 2005 [Page 6] - - INTERNET-DRAFT July 2005 RESPSIZE - - - getopt('z', opts); - if (defined($opts{'z'})) { - server_name_len($opts{'z'}); # just register it - } - - foreach $name (@ARGV) { - my $len; - $n_ns++; - $len = server_name_len($name); - print "$name requires $len bytes\n"; - $nssect += $sz_ptr + $sz_type + $sz_class + $sz_ttl + $sz_rdlen + $len; - } - print "# of NS: $n_ns\n"; - arsect(255, $nssect, $n_ns, "maximum"); - arsect(64, $nssect, $n_ns, "average"); - - sub server_name_len { - my ($name) = @_; - my (@labels, $len, $n, $suffix); - - $name =~ tr/A-Z/a-z/; - @labels = split(/./, $name); - $len = length(join('.', @labels)) + 2; - for ($n = 0; $#labels >= 0; $n++, shift @labels) { - $suffix = join('.', @labels); - return length($name) - length($suffix) + $sz_ptr - if (defined($namedb{$suffix})); - $namedb{$suffix} = 1; - } - return $len; - } - - sub arsect { - my ($sz_query, $nssect, $n_ns, $cond) = @_; - my ($space, $n_a, $n_a_aaaa, $n_p_aaaa, $ansect); - $ansect = $sz_query + 1 + $sz_type + $sz_class; - $space = $sz_msg - $sz_header - $ansect - $nssect; - $n_a = atmost(int($space / $sz_rr_a), $n_ns); - $n_a_aaaa = atmost(int($space / ($sz_rr_a + $sz_rr_aaaa)), $n_ns); - $n_p_aaaa = atmost(int(($space - $sz_rr_a * $n_ns) / $sz_rr_aaaa), $n_ns); - printf "For %s size query (%d byte):\n", $cond, $sz_query; - printf "if only A is considered: "; - printf "# of A is %d (%s)\n", $n_a, &judge($n_a, $n_ns); - printf "if A and AAAA are condered: "; - printf "# of A+AAAA is %d (%s)\n", $n_a_aaaa, &judge($n_a_aaaa, $n_ns); - - - - Expires December 2005 [Page 7] - - INTERNET-DRAFT July 2005 RESPSIZE - - - printf "if prefer_glue A is assumed: "; - printf "# of A is %d, # of AAAA is %d (%s)\n", - $n_a, $n_p_aaaa, &judge($n_p_aaaa, $n_ns); - } - - sub judge { - my ($n, $n_ns) = @_; - return "green" if ($n >= $n_ns); - return "yellow" if ($n >= 2); - return "orange" if ($n == 1); - return "red"; - } - - sub atmost { - my ($a, $b) = @_; - return 0 if ($a < 0); - return $b if ($a > $b); - return $a; - } - - Security Considerations - - The recommendations contained in this document have no known security - implications. - - IANA Considerations - - This document does not call for changes or additions to any IANA - registry. - - IPR Statement - - Copyright (C) The Internet Society (2005). This document is subject to - the rights, licenses and restrictions contained in BCP 78, and except as - set forth therein, the authors retain all their rights. - - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR - IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, - INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE - INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - - - - - Expires December 2005 [Page 8] - - INTERNET-DRAFT July 2005 RESPSIZE - - - Authors' Addresses - - Paul Vixie - 950 Charter Street - Redwood City, CA 94063 - +1 650 423 1301 - vixie@isc.org - - Akira Kato - University of Tokyo, Information Technology Center - 2-11-16 Yayoi Bunkyo - Tokyo 113-8658, JAPAN - +81 3 5841 2750 - kato@wide.ad.jp - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Expires December 2005 [Page 9] - \ No newline at end of file diff --git a/doc/draft/draft-ietf-dnsop-respsize-04.txt b/doc/draft/draft-ietf-dnsop-respsize-04.txt new file mode 100644 index 0000000000..7abfc6f2e8 --- /dev/null +++ b/doc/draft/draft-ietf-dnsop-respsize-04.txt @@ -0,0 +1,640 @@ + + + + + + + DNSOP Working Group Paul Vixie, ISC + INTERNET-DRAFT Akira Kato, WIDE + July 2006 + + DNS Response Size Issues + + Status of this Memo + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + Copyright Notice + + Copyright (C) The Internet Society (2006). All Rights Reserved. + + + + + Abstract + + With a mandated default minimum maximum message size of 512 octets, + the DNS protocol presents some special problems for zones wishing to + expose a moderate or high number of authority servers (NS RRs). This + document explains the operational issues caused by, or related to + this response size limit. + + + + + + + Expires December 2006 [Page 1] + + INTERNET-DRAFT July 2006 RESPSIZE + + + 1 - Introduction and Overview + + 1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512 + octets. Even though this limitation was due to the required minimum IP + reassembly limit for IPv4, it became a hard DNS protocol limit and is + not implicitly relaxed by changes in transport, for example to IPv6. + + 1.2. The EDNS0 protocol extension (see [RFC2671 2.3, 4.5]) permits + larger responses by mutual agreement of the requestor and responder. + However, deployment of EDNS0 cannot be expected to reach every Internet + resolver in the short or medium term. The 512 octet message size limit + remains in practical effect at this time. + + 1.3. Since DNS responses include a copy of the request, the space + available for response data is somewhat less than the full 512 octets. + Negative responses are quite small, but for positive and delegation + responses, every octet must be carefully and sparingly allocated. This + document specifically addresses delegation response sizes. + + 2 - Delegation Details + + 2.1. A delegation response will include the following elements: + + Header Section: fixed length (12 octets) + Question Section: original query (name, class, type) + Answer Section: (empty) + Authority Section: NS RRset (nameserver names) + Additional Section: A and AAAA RRsets (nameserver addresses) + + 2.2. If the total response size would exceed 512 octets, and if the data + that would not fit was "required", then the TC bit will be set + (indicating truncation). This will usually cause the requestor to retry + using TCP, depending on what information was desired and what + information was omitted. (For example, truncation in the authority + section is of no interest to a stub resolver who only plans to consume + the answer section.) If a retry using TCP is needed, the total cost of + the transaction is much higher. See [RFC1123 6.1.3.2] for details on + the requirement that UDP be attempted before falling back to TCP. + + 2.3. RRsets are never sent partially unless TC bit set to indicate + truncation. When TC bit is set, the final apparent RRset in the final + nonempty section must be considered "possibly damaged" (see [RFC1035 + 6.2], [RFC2181 9]). + + + + + + Expires December 2006 [Page 2] + + INTERNET-DRAFT July 2006 RESPSIZE + + + 2.4. With or without truncation, the glue present in the additional data + section should be considered "possibly incomplete", and requestors + should be prepared to re-query for any damaged or missing RRsets. Note + that truncation of the additional data section might not be signalled + via the TC bit since additional data is often optional. + + 2.5. DNS label compression allows a domain name to be instantiated only + once per DNS message, and then referenced with a two-octet "pointer" + from other locations in that same DNS message. If all nameserver names + in a message are similar (for example, all ending in ".ROOT- + SERVERS.NET"), then more space will be available for uncompressable data + (such as nameserver addresses). + + 2.6. The query name can be as long as 255 characters of presentation + data, which can be up to 256 octets of network data. In this worst case + scenario, the question section will be 260 octets in size, which would + leave only 240 octets for the authority and additional sections (after + deducting 12 octets for the fixed length header.) + + 2.7. Average and maximum question section sizes can be predicted by the + zone owner, since they will know what names actually exist, and can + measure which ones are queried for most often. For cost and performance + reasons, the majority of requests should be satisfied without truncation + or TCP retry. + + 2.8. Some queries to non-existing names can be large, but this is not a + problem because negative responses need not contain any answer, + authority or additional records. (See [RFC2308 2.1] for more + information about the format of negative responses.) + + 2.9. The minimum useful number of name servers is two, for redundancy + (see [RFC1034 4.1]). In case of multihomed name servers, it is + advantageous to include an address record from each of several name + servers before including several address records for any one name + server. If address records for more than one transport (for example, A + and AAAA) are available, then it is advantageous to include records of + both types early on, before the message is full. + + 2.10. The best case is no truncation at all. This is because many + requestors will retry using TCP by reflex, or will automatically re- + query for RRsets that are "possibly truncated", without considering + whether the omitted data was actually necessary. + + 2.11. Each added NS RR for a zone will add a minimum of between 16 and + 44 octets to every untruncated referral or negative response from the + + + + Expires December 2006 [Page 3] + + INTERNET-DRAFT July 2006 RESPSIZE + + + zone's authority servers (16 octets for an NS RR, 16 octets for an A RR, + and 28 octets for an AAAA RR), in addition to whatever space is taken by + the nameserver name (NS NSDNAME as well as A or AAAA owner name). + + 2.12. While DNS distinguishes between necessary and optional resource + records, this distinction is according to protocol elements necessary to + signify facts, and takes no official notice of protocol content + necessary to ensure correct operation. For example, a nameserver name + that is in or below the zone cut being described by a delegation is + "necessary content," since there is no way to reach that zone unless the + parent zone's delegation includes "glue records" describing that name + server's addresses. + + 2.13. It is also necessary to distinguish between "explicit truncation" + where a message could not contain enough records to convey its intended + meaning, and so the TC bit has been set, and "silent truncation", where + the message was not large enough to contain some records which were "not + required", and so the TC bit was not set. + + 2.14. An delegation response should prioritize glue records as follows. + + first + All glue RRsets for one name server whose name is in or below the + zone being delegated, or which has multiple address RRsets (currently + A and AAAA), or preferrably both; + + second + Alternate between adding all glue RRsets for any name servers whose + names are in or below the zone being delegated, and all glue RRsets + for any name servers who have multiple address RRsets (currently A + and AAAA); + + thence + All other glue RRsets, in any order. + + The goal of this priority scheme is to offer "necessary" glue first, + avoiding silent truncation for this glue if possible. + + 2.15. If any "necessary content" is silently truncated, then it is + advisable that the TC bit be set in order to force a TCP retry, rather + than have the zone be unreachable. Note that a parent server's proper + response to a query for in-child glue or below-child glue is a referral + rather than an answer, and that this referral MUST be able to contain + the in-child or below-child glue, and that in outlying cases, only EDNS + or TCP will be large enough to contain that data. + + + + Expires December 2006 [Page 4] + + INTERNET-DRAFT July 2006 RESPSIZE + + + 3 - Analysis + + 3.1. An instrumented protocol trace of a best case delegation response + follows. Note that 13 servers are named, and 13 addresses are given. + This query was artificially designed to exactly reach the 512 octet + limit. + + ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13 + ;; QUERY SECTION: + ;; [23456789.123456789.123456789.\ + 123456789.123456789.123456789.com A IN] ;; @80 + + ;; AUTHORITY SECTION: + com. 86400 NS E.GTLD-SERVERS.NET. ;; @112 + com. 86400 NS F.GTLD-SERVERS.NET. ;; @128 + com. 86400 NS G.GTLD-SERVERS.NET. ;; @144 + com. 86400 NS H.GTLD-SERVERS.NET. ;; @160 + com. 86400 NS I.GTLD-SERVERS.NET. ;; @176 + com. 86400 NS J.GTLD-SERVERS.NET. ;; @192 + com. 86400 NS K.GTLD-SERVERS.NET. ;; @208 + com. 86400 NS L.GTLD-SERVERS.NET. ;; @224 + com. 86400 NS M.GTLD-SERVERS.NET. ;; @240 + com. 86400 NS A.GTLD-SERVERS.NET. ;; @256 + com. 86400 NS B.GTLD-SERVERS.NET. ;; @272 + com. 86400 NS C.GTLD-SERVERS.NET. ;; @288 + com. 86400 NS D.GTLD-SERVERS.NET. ;; @304 + + + ;; ADDITIONAL SECTION: + A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320 + B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336 + C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352 + D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368 + E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384 + F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400 + G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416 + H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432 + I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448 + J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464 + K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480 + L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496 + M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512 + + ;; MSG SIZE sent: 80 rcvd: 512 + + + + + Expires December 2006 [Page 5] + + INTERNET-DRAFT July 2006 RESPSIZE + + + 3.2. For longer query names, the number of address records supplied will + be lower. Furthermore, it is only by using a common parent name (which + is GTLD-SERVERS.NET in this example) that all 13 addresses are able to + fit. The following output from a response simulator demonstrates these + properties: + + % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br + a.dns.br requires 10 bytes + b.dns.br requires 4 bytes + c.dns.br requires 4 bytes + d.dns.br requires 4 bytes + # of NS: 4 + For maximum size query (255 byte): + only A is considered: # of A is 4 (green) + A and AAAA are considered: # of A+AAAA is 3 (yellow) + preferred-glue A is assumed: # of A is 4, # of AAAA is 3 (yellow) + For average size query (64 byte): + only A is considered: # of A is 4 (green) + A and AAAA are considered: # of A+AAAA is 4 (green) + preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green) + + + % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int + ns-ext.isc.org requires 16 bytes + ns.psg.com requires 12 bytes + ns.ripe.net requires 13 bytes + ns.eu.int requires 11 bytes + # of NS: 4 + For maximum size query (255 byte): + only A is considered: # of A is 4 (green) + A and AAAA are considered: # of A+AAAA is 3 (yellow) + preferred-glue A is assumed: # of A is 4, # of AAAA is 2 (yellow) + For average size query (64 byte): + only A is considered: # of A is 4 (green) + A and AAAA are considered: # of A+AAAA is 4 (green) + preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green) + + (Note: The response simulator program is shown in Section 5.) + + Here we use the term "green" if all address records could fit, or + "yellow" if two or more could fit, or "orange" if only one could fit, or + "red" if no address record could fit. It's clear that without a common + parent for nameserver names, much space would be lost. For these + examples we use an average/common name size of 15 octets, befitting our + assumption of GTLD-SERVERS.NET as our common parent name. + + + + Expires December 2006 [Page 6] + + INTERNET-DRAFT July 2006 RESPSIZE + + + We're assuming an average query name size of 64 since that is the + typical average maximum size seen in trace data at the time of this + writing. If Internationalized Domain Name (IDN) or any other technology + which results in larger query names be deployed significantly in advance + of EDNS, then new measurements and new estimates will have to be made. + + 4 - Conclusions + + 4.1. The current practice of giving all nameserver names a common parent + (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS + responses and allows for more nameservers to be enumerated than would + otherwise be possible, since the common parent domain name only appears + once in a DNS message and is referred to via "compression pointers" + thereafter. + + 4.2. If all nameserver names for a zone share a common parent, then it + is operationally advisable to make all servers for the zone so served + also be authoritative for the zone of that common parent. For example, + the root name servers (?.ROOT-SERVERS.NET) can answer authoritatively + for the ROOT-SERVERS.NET. This is to ensure that the zone's servers + always have the zone's nameservers' glue available when delegating. + + 4.3. Thirteen (13) seems to be the effective maximum number of + nameserver names usable traditional (non-extended) DNS, assuming a + common parent domain name, and given that response truncation is + undesirable as an average case, and assuming mostly IPv4-only + reachability (only A RRs exist, not AAAA RRs). + + XXX 4.4. Adding up to five IPv6 nameserver address records (AAAA RRs) to + a prototypical delegation that currently contains thirteen (13) IPv4 + nameserver addresses (A RRs) for thirteen (13) nameserver names under a + common parent, would not have a significant negative operational impact + on the domain name system. + + 5 - Source Code + + #!/usr/bin/perl + # + # SYNOPSIS + # repsize.pl [ -z zone ] fqdn_ns1 fqdn_ns2 ... + # if all queries are assumed to have a same zone suffix, + # such as "jp" in JP TLD servers, specify it in -z option + # + use strict; + use Getopt::Std; + + + + Expires December 2006 [Page 7] + + INTERNET-DRAFT July 2006 RESPSIZE + + + my ($sz_msg) = (512); + my ($sz_header, $sz_ptr, $sz_rr_a, $sz_rr_aaaa) = (12, 2, 16, 28); + my ($sz_type, $sz_class, $sz_ttl, $sz_rdlen) = (2, 2, 4, 2); + my (%namedb, $name, $nssect, %opts, $optz); + my $n_ns = 0; + + getopt('z', %opts); + if (defined($opts{'z'})) { + server_name_len($opts{'z'}); # just register it + } + + foreach $name (@ARGV) { + my $len; + $n_ns++; + $len = server_name_len($name); + print "$name requires $len bytes\n"; + $nssect += $sz_ptr + $sz_type + $sz_class + $sz_ttl + + $sz_rdlen + $len; + } + print "# of NS: $n_ns\n"; + arsect(255, $nssect, $n_ns, "maximum"); + arsect(64, $nssect, $n_ns, "average"); + + sub server_name_len { + my ($name) = @_; + my (@labels, $len, $n, $suffix); + + $name =~ tr/A-Z/a-z/; + @labels = split(/\./, $name); + $len = length(join('.', @labels)) + 2; + for ($n = 0; $#labels >= 0; $n++, shift @labels) { + $suffix = join('.', @labels); + return length($name) - length($suffix) + $sz_ptr + if (defined($namedb{$suffix})); + $namedb{$suffix} = 1; + } + return $len; + } + + sub arsect { + my ($sz_query, $nssect, $n_ns, $cond) = @_; + my ($space, $n_a, $n_a_aaaa, $n_p_aaaa, $ansect); + $ansect = $sz_query + 1 + $sz_type + $sz_class; + $space = $sz_msg - $sz_header - $ansect - $nssect; + $n_a = atmost(int($space / $sz_rr_a), $n_ns); + + + + Expires December 2006 [Page 8] + + INTERNET-DRAFT July 2006 RESPSIZE + + + $n_a_aaaa = atmost(int($space + / ($sz_rr_a + $sz_rr_aaaa)), $n_ns); + $n_p_aaaa = atmost(int(($space - $sz_rr_a * $n_ns) + / $sz_rr_aaaa), $n_ns); + printf "For %s size query (%d byte):\n", $cond, $sz_query; + printf " only A is considered: "; + printf "# of A is %d (%s)\n", $n_a, &judge($n_a, $n_ns); + printf " A and AAAA are considered: "; + printf "# of A+AAAA is %d (%s)\n", + $n_a_aaaa, &judge($n_a_aaaa, $n_ns); + printf " preferred-glue A is assumed: "; + printf "# of A is %d, # of AAAA is %d (%s)\n", + $n_a, $n_p_aaaa, &judge($n_p_aaaa, $n_ns); + } + + sub judge { + my ($n, $n_ns) = @_; + return "green" if ($n >= $n_ns); + return "yellow" if ($n >= 2); + return "orange" if ($n == 1); + return "red"; + } + + sub atmost { + my ($a, $b) = @_; + return 0 if ($a < 0); + return $b if ($a > $b); + return $a; + } + + 6 - Security Considerations + + The recommendations contained in this document have no known security + implications. + + 7 - IANA Considerations + + This document does not call for changes or additions to any IANA + registry. + + 8 - Acknowledgement The authors thank Peter Koch and Rob Austein for + their valuable comments and suggestions. + + + + + + + Expires December 2006 [Page 9] + + INTERNET-DRAFT July 2006 RESPSIZE + + + 9 - Refrenaces + + [RFC1034] Mockapetris, P.V., "Domain names - Concepts and Facilities", + RFC1034, November 1987. + + [RFC1035] Mockapetris, P.V., "Domain names - Implementation and + Specification", RFC1035, November 1987. + + [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - + Application and Support", RFC1123, October 1989. + + [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", + RFC2308, March 1998. + + [RFC2181] Elz, R., Bush, R., "Clarifications to the DNS Specification", + RFC2181, July 1997. + + [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC2671, + August 1999. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Expires December 2006 [Page 10] + + INTERNET-DRAFT July 2006 RESPSIZE + + + 10 - Authors' Addresses + + Paul Vixie + 950 Charter Street + Redwood City, CA 94063 + +1 650 423 1301 + vixie@isc.org + + Akira Kato + University of Tokyo, Information Technology Center + 2-11-16 Yayoi Bunkyo + Tokyo 113-8658, JAPAN + +81 3 5841 2750 + kato@wide.ad.jp + + Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors retain + all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR + IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in this + document or the extent to which any license under such rights might or + might not be available; nor does it represent that it has made any + independent effort to identify any such rights. Information on the + procedures with respect to rights in RFC documents can be found in BCP + 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an attempt + made to obtain a general license or permission for the use of such + + + + Expires December 2006 [Page 11] + + INTERNET-DRAFT July 2006 RESPSIZE + + + proprietary rights by implementers or users of this specification can be + obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary rights + that may cover technology that may be required to implement this + standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Expires December 2006 [Page 12] + + From a6c97839cf15b88ee2c441f3b21422c31711220b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 2 Aug 2006 23:18:10 +0000 Subject: [PATCH 393/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 6db9312e2c..8d6cb31d66 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -60,6 +60,7 @@ rt16292 new rt16300 new rt16307 new rt16313 new +rt16315 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From ce8cd4a3efd27ef145847216d513bb341bfe208c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 3 Aug 2006 01:16:08 +0000 Subject: [PATCH 394/465] 2065. [bug] libbind: probe for HPUX prototypes for endprotoent_r() and endservent_r(). [RT 16313] --- CHANGES | 3 ++ lib/bind/configure | 120 +++++++++++++++++++++++++++++++++++++++++- lib/bind/configure.in | 39 +++++++++++++- 3 files changed, 160 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 0986633dfb..76b9f64a92 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2065. [bug] libbind: probe for HPUX prototypes for + endprotoent_r() and endservent_r(). [RT 16313] + 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218] 2063. [bug] Change #1955 introduced a bug which caused the first diff --git a/lib/bind/configure b/lib/bind/configure index 652206d00f..68679ded55 100644 --- a/lib/bind/configure +++ b/lib/bind/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.in Revision: 1.120 . +# From configure.in Revision: 1.121 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -29727,6 +29727,65 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int endprotoent_r(struct protoent_data *); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) return(0)" +PROTO_R_END_RETURN="#define PROTO_R_END_RETURN int" +PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" +PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -31392,6 +31451,65 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int endservent_r(struct servent_data *serv_data); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) return(x)" +SERV_R_END_RETURN="#define SERV_R_END_RETURN int " +SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" +SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext diff --git a/lib/bind/configure.in b/lib/bind/configure.in index 348d51309d..d12a5efb3e 100644 --- a/lib/bind/configure.in +++ b/lib/bind/configure.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.120 $) +AC_REVISION($Revision: 1.121 $) AC_INIT(resolv/herror.c) AC_PREREQ(2.13) @@ -2110,6 +2110,24 @@ PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int endprotoent_r(struct protoent_data *); +] +,, +[ +PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) return(0)" +PROTO_R_END_RETURN="#define PROTO_R_END_RETURN int" +PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" +PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" +] +, +) ) ) , @@ -2369,6 +2387,25 @@ SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int endservent_r(struct servent_data *serv_data); +] +, +, +[ +SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) return(x)" +SERV_R_END_RETURN="#define SERV_R_END_RETURN int " +SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" +SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" +] +, +) ) ) , From 48fe2b45c088e455737c772742a51a7b1c973cd2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 3 Aug 2006 01:20:56 +0000 Subject: [PATCH 395/465] 2065. [bug] libbind: probe for HPUX prototypes for endprotoent_r() and endservent_r(). [RT 16313] --- CHANGES | 3 ++ lib/bind/configure | 120 +++++++++++++++++++++++++++++++++++++++++- lib/bind/configure.in | 39 +++++++++++++- 3 files changed, 160 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index d42f97955f..3983b8017c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ --- 9.2.7rc1 released --- +2065. [bug] libbind: probe for HPUX prototypes for + endprotoent_r() and endservent_r(). [RT 16313] + 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218] 2063. [bug] Change #1955 introduced a bug which caused the first diff --git a/lib/bind/configure b/lib/bind/configure index db70b610df..4837a60ddb 100644 --- a/lib/bind/configure +++ b/lib/bind/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.in Revision: 1.83.2.33 . +# From configure.in Revision: 1.83.2.34 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -29727,6 +29727,65 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int endprotoent_r(struct protoent_data *); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) return(0)" +PROTO_R_END_RETURN="#define PROTO_R_END_RETURN int" +PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" +PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext @@ -31392,6 +31451,65 @@ else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int endservent_r(struct servent_data *serv_data); + + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + +SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) return(x)" +SERV_R_END_RETURN="#define SERV_R_END_RETURN int " +SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" +SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + fi rm -f conftest.err conftest.$ac_objext conftest.$ac_ext diff --git a/lib/bind/configure.in b/lib/bind/configure.in index 314d54b851..461f8d8430 100644 --- a/lib/bind/configure.in +++ b/lib/bind/configure.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.83.2.33 $) +AC_REVISION($Revision: 1.83.2.34 $) AC_INIT(resolv/herror.c) AC_PREREQ(2.13) @@ -2110,6 +2110,24 @@ PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int endprotoent_r(struct protoent_data *); +] +,, +[ +PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) return(0)" +PROTO_R_END_RETURN="#define PROTO_R_END_RETURN int" +PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data" +PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)" +] +, +) ) ) , @@ -2369,6 +2387,25 @@ SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" ] , +AC_TRY_COMPILE( +[ +#undef _REENTRANT +#define _REENTRANT +#undef __USE_MISC +#define __USE_MISC +#include +int endservent_r(struct servent_data *serv_data); +] +, +, +[ +SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) return(x)" +SERV_R_END_RETURN="#define SERV_R_END_RETURN int " +SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data" +SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)" +] +, +) ) ) , From dbfc2232ef5b6e5572480070ab87a4d67c18aa39 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 3 Aug 2006 23:02:02 +0000 Subject: [PATCH 396/465] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 76b9f64a92..1bb8367c42 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2066. [placeholder] rt16300 + 2065. [bug] libbind: probe for HPUX prototypes for endprotoent_r() and endservent_r(). [RT 16313] From 0ee4d2c42b97f0ea020788a082b2dae81ca6e4e2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 3 Aug 2006 23:17:51 +0000 Subject: [PATCH 397/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 8d6cb31d66..01d036f172 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -61,6 +61,7 @@ rt16300 new rt16307 new rt16313 new rt16315 new +rt16317 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From cdd28dc017ce03d208cdfbe7d55fb76377c85acc Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Aug 2006 02:48:14 +0000 Subject: [PATCH 398/465] 4634: US Secure Hash Algorithms (SHA and HMAC-SHA) --- doc/rfc/fetch | 5 + doc/rfc/index | 1 + doc/rfc/rfc4634.txt | 6051 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 6057 insertions(+) create mode 100755 doc/rfc/fetch create mode 100644 doc/rfc/rfc4634.txt diff --git a/doc/rfc/fetch b/doc/rfc/fetch new file mode 100755 index 0000000000..634ce2af4f --- /dev/null +++ b/doc/rfc/fetch @@ -0,0 +1,5 @@ +#!/bin/sh -f +for i in $* +do + fetch "http://www.ietf.org/rfc/rfc${i}.txt" +done diff --git a/doc/rfc/index b/doc/rfc/index index 2a7ebaf04d..036e664323 100644 --- a/doc/rfc/index +++ b/doc/rfc/index @@ -109,3 +109,4 @@ 4431: The DNSSEC Lookaside Validation (DLV) DNS Resource Record 4408: Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1 +4634: US Secure Hash Algorithms (SHA and HMAC-SHA) diff --git a/doc/rfc/rfc4634.txt b/doc/rfc/rfc4634.txt new file mode 100644 index 0000000000..b672df8a44 --- /dev/null +++ b/doc/rfc/rfc4634.txt @@ -0,0 +1,6051 @@ + + + + + + +Network Working Group D. Eastlake 3rd +Request for Comments: 4634 Motorola Labs +Updates: 3174 T. Hansen +Category: Informational AT&T Labs + July 2006 + + + US Secure Hash Algorithms (SHA and HMAC-SHA) + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + The United States of America has adopted a suite of Secure Hash + Algorithms (SHAs), including four beyond SHA-1, as part of a Federal + Information Processing Standard (FIPS), specifically SHA-224 (RFC + 3874), SHA-256, SHA-384, and SHA-512. The purpose of this document + is to make source code performing these hash functions conveniently + available to the Internet community. The sample code supports input + strings of arbitrary bit length. SHA-1's sample code from RFC 3174 + has also been updated to handle input strings of arbitrary bit + length. Most of the text herein was adapted by the authors from FIPS + 180-2. + + Code to perform SHA-based HMACs, with arbitrary bit length text, is + also included. + + + + + + + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 1] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +Table of Contents + + 1. Overview of Contents ............................................3 + 1.1. License ....................................................4 + 2. Notation for Bit Strings and Integers ...........................4 + 3. Operations on Words .............................................5 + 4. Message Padding and Parsing .....................................6 + 4.1. SHA-224 and SHA-256 ........................................7 + 4.2. SHA-384 and SHA-512 ........................................8 + 5. Functions and Constants Used ....................................9 + 5.1. SHA-224 and SHA-256 ........................................9 + 5.2. SHA-384 and SHA-512 .......................................10 + 6. Computing the Message Digest ...................................11 + 6.1. SHA-224 and SHA-256 Initialization ........................11 + 6.2. SHA-224 and SHA-256 Processing ............................11 + 6.3. SHA-384 and SHA-512 Initialization ........................13 + 6.4. SHA-384 and SHA-512 Processing ............................14 + 7. SHA-Based HMACs ................................................15 + 8. C Code for SHAs ................................................15 + 8.1. The .h File ...............................................18 + 8.2. The SHA Code ..............................................24 + 8.2.1. sha1.c .............................................24 + 8.2.2. sha224-256.c .......................................33 + 8.2.3. sha384-512.c .......................................45 + 8.2.4. usha.c .............................................67 + 8.2.5. sha-private.h ......................................72 + 8.3. The HMAC Code .............................................73 + 8.4. The Test Driver ...........................................78 + 9. Security Considerations .......................................106 + 10. Normative References .........................................106 + 11. Informative References .......................................106 + + + + + + + + + + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 2] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +1. Overview of Contents + + NOTE: Much of the text below is taken from [FIPS180-2] and assertions + therein of the security of the algorithms described are made by the + US Government, the author of [FIPS180-2], and not by the authors of + this document. + + The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], + SHA-256, SHA-384, and SHA-512, for computing a condensed + representation of a message or a data file. (SHA-1 is specified in + [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 + and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to + one of these algorithms, the result is an output called a message + digest. The message digests range in length from 224 to 512 bits, + depending on the algorithm. Secure hash algorithms are typically + used with other cryptographic algorithms, such as digital signature + algorithms and keyed hash authentication codes, or in the generation + of random numbers [RFC4086]. + + The four algorithms specified in this document are called secure + because it is computationally infeasible to (1) find a message that + corresponds to a given message digest, or (2) find two different + messages that produce the same message digest. Any change to a + message in transit will, with very high probability, result in a + different message digest. This will result in a verification failure + when the secure hash algorithm is used with a digital signature + algorithm or a keyed-hash message authentication algorithm. + + The code provided herein supports input strings of arbitrary bit + length. SHA-1's sample code from [RFC3174] has also been updated to + handle input strings of arbitrary bit length. See Section 1.1 for + license information for this code. + + Section 2 below defines the terminology and functions used as + building blocks to form these algorithms. Section 3 describes the + fundamental operations on words from which these algorithms are + built. Section 4 describes how messages are padded up to an integral + multiple of the required block size and then parsed into blocks. + Section 5 defines the constants and the composite functions used to + specify these algorithms. Section 6 gives the actual specification + for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 + provides pointers to the specification of HMAC keyed message + authentication codes based on the SHA algorithms. Section 8 gives + sample code for the SHA algorithms and Section 9 code for SHA-based + HMACs. The SHA-based HMACs will accept arbitrary bit length text. + + + + + + +Eastlake 3rd & Hansen Informational [Page 3] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +1.1. License + + Permission is granted for all uses, commercial and non-commercial, of + the sample code found in Section 8. Royalty free license to use, + copy, modify and distribute the software found in Section 8 is + granted, provided that this document is identified in all material + mentioning or referencing this software, and provided that + redistributed derivative works do not contain misleading author or + version information. + + The authors make no representations concerning either the + merchantability of this software or the suitability of this software + for any particular purpose. It is provided "as is" without express + or implied warranty of any kind. + +2. Notation for Bit Strings and Integers + + The following terminology related to bit strings and integers will be + used: + + a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , + F}. A hex digit is the representation of a 4-bit string. + Examples: 7 = 0111, A = 1010. + + b. A word equals a 32-bit or 64-bit string, which may be + represented as a sequence of 8 or 16 hex digits, respectively. + To convert a word to hex digits, each 4-bit string is converted + to its hex equivalent as described in (a) above. Example: + + 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. + + Throughout this document, the "big-endian" convention is used + when expressing both 32-bit and 64-bit words, so that within + each word the most significant bit is shown in the left-most bit + position. + + c. An integer may be represented as a word or pair of words. + + An integer between 0 and 2^32 - 1 inclusive may be represented + as a 32-bit word. The least significant four bits of the + integer are represented by the right-most hex digit of the word + representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = + 256+32+2+1 is represented by the hex word 00000123. + + The same holds true for an integer between 0 and 2^64-1 + inclusive, which may be represented as a 64-bit word. + + + + + +Eastlake 3rd & Hansen Informational [Page 4] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 + <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented + as words X and Y, respectively, z can be represented as the pair + of words (X,Y). + + d. block = 512-bit or 1024-bit string. A block (e.g., B) may be + represented as a sequence of 32-bit or 64-bit words. + +3. Operations on Words + + The following logical operators will be applied to words in all four + hash operations specified herein. SHA-224 and SHA-256 operate on + 32-bit words, while SHA-384 and SHA-512 operate on 64-bit words. + + In the operations below, x<>n + + d. The rotate right (circular right shift) operation ROTR^n(x), + where x is a w-bit word and n is an integer with 0 <= n < w, is + defined by + + ROTR^n(x) = (x>>n) OR (x<<(w-n)) + + e. The rotate left (circular left shift) operation ROTL^n(x), where + x is a w-bit word and n is an integer with 0 <= n < w, is + defined by + + ROTL^n(X) = (x<>w-n) + + Note the following equivalence relationships, where w is fixed + in each relationship: + + ROTL^n(x) = ROTR^(w-x)(x) + + ROTR^n(x) = ROTL^(w-n)(x) + +4. Message Padding and Parsing + + The hash functions specified herein are used to compute a message + digest for a message or data file that is provided as input. The + message or data file should be considered to be a bit string. The + length of the message is the number of bits in the message (the empty + message has length 0). If the number of bits in a message is a + multiple of 8, for compactness we can represent the message in hex. + The purpose of message padding is to make the total length of a + padded message a multiple of 512 for SHA-224 and SHA-256 or a + multiple of 1024 for SHA-384 and SHA-512. + + The following specifies how this padding shall be performed. As a + summary, a "1" followed by a number of "0"s followed by a 64-bit or + 128-bit integer are appended to the end of the message to produce a + padded message of length 512*n or 1024*n. The minimum number of "0"s + necessary to meet this criterion is used. The appended integer is + the length of the original message. The padded message is then + processed by the hash function as n 512-bit or 1024-bit blocks. + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 6] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +4.1. SHA-224 and SHA-256 + + Suppose a message has length L < 2^64. Before it is input to the + hash function, the message is padded on the right as follows: + + a. "1" is appended. Example: if the original message is + "01010000", this is padded to "010100001". + + b. K "0"s are appended where K is the smallest, non-negative + solution to the equation + + L + 1 + K = 448 (mod 512) + + c. Then append the 64-bit block that is L in binary representation. + After appending this block, the length of the message will be a + multiple of 512 bits. + + Example: Suppose the original message is the bit string + + 01100001 01100010 01100011 01100100 01100101 + + After step (a), this gives + + 01100001 01100010 01100011 01100100 01100101 1 + + Since L = 40, the number of bits in the above is 41 and K = 407 + "0"s are appended, making the total now 448. This gives the + following in hex: + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 + + The 64-bit representation of L = 40 is hex 00000000 00000028. + Hence the final padded message is the following hex: + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000028 + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 7] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +4.2. SHA-384 and SHA-512 + + Suppose a message has length L < 2^128. Before it is input to the + hash function, the message is padded on the right as follows: + + a. "1" is appended. Example: if the original message is + "01010000", this is padded to "010100001". + + b. K "0"s are appended where K is the smallest, non-negative + solution to the equation + + L + 1 + K = 896 (mod 1024) + + c. Then append the 128-bit block that is L in binary + representation. After appending this block, the length of the + message will be a multiple of 1024 bits. + + Example: Suppose the original message is the bit string + + 01100001 01100010 01100011 01100100 01100101 + + After step (a) this gives + + 01100001 01100010 01100011 01100100 01100101 1 + + Since L = 40, the number of bits in the above is 41 and K = 855 + "0"s are appended, making the total now 896. This gives the + following in hex: + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + + The 128-bit representation of L = 40 is hex 00000000 00000000 + 00000000 00000028. Hence the final padded message is the + following hex: + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + + + + + +Eastlake 3rd & Hansen Informational [Page 8] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000028 + +5. Functions and Constants Used + + The following subsections give the six logical functions and the + table of constants used in each of the hash functions. + +5.1. SHA-224 and SHA-256 + + SHA-224 and SHA-256 use six logical functions, where each function + operates on 32-bit words, which are represented as x, y, and z. The + result of each function is a new 32-bit word. + + CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) + + MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) + + BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) + + BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) + + SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) + + SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x) + + SHA-224 and SHA-256 use the same sequence of sixty-four constant + 32-bit words, K0, K1, ..., K63. These words represent the first + thirty-two bits of the fractional parts of the cube roots of the + first sixty-four prime numbers. In hex, these constant words are as + follows (from left to right): + + 428a2f98 71374491 b5c0fbcf e9b5dba5 + 3956c25b 59f111f1 923f82a4 ab1c5ed5 + d807aa98 12835b01 243185be 550c7dc3 + 72be5d74 80deb1fe 9bdc06a7 c19bf174 + e49b69c1 efbe4786 0fc19dc6 240ca1cc + 2de92c6f 4a7484aa 5cb0a9dc 76f988da + 983e5152 a831c66d b00327c8 bf597fc7 + c6e00bf3 d5a79147 06ca6351 14292967 + 27b70a85 2e1b2138 4d2c6dfc 53380d13 + 650a7354 766a0abb 81c2c92e 92722c85 + a2bfe8a1 a81a664b c24b8b70 c76c51a3 + d192e819 d6990624 f40e3585 106aa070 + 19a4c116 1e376c08 2748774c 34b0bcb5 + + + + + +Eastlake 3rd & Hansen Informational [Page 9] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 + 748f82ee 78a5636f 84c87814 8cc70208 + 90befffa a4506ceb bef9a3f7 c67178f2 + +5.2. SHA-384 and SHA-512 + + SHA-384 and SHA-512 each use six logical functions, where each + function operates on 64-bit words, which are represented as x, y, and + z. The result of each function is a new 64-bit word. + + CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) + + MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) + + BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) + + BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) + + SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) + + SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) + + SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit + words, K0, K1, ... K79. These words represent the first sixty-four + bits of the fractional parts of the cube roots of the first eighty + prime numbers. In hex, these constant words are as follows (from + left to right): + + 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc + 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118 + d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2 + 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694 + e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65 + 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5 + 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4 + c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70 + 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df + 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b + a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30 + d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8 + 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8 + 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3 + 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec + 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b + ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178 + 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b + 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c + 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817 + + + +Eastlake 3rd & Hansen Informational [Page 10] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +6. Computing the Message Digest + + The output of each of the secure hash functions, after being applied + to a message of N blocks, is the hash quantity H(N). For SHA-224 and + SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0, + H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to + be eight 64-bit words, H(i)0, H(i)1, ..., H(i)7. + + As described below, the hash words are initialized, modified as each + message block is processed, and finally concatenated after processing + the last block to yield the output. For SHA-256 and SHA-512, all of + the H(N) variables are concatenated while the SHA-224 and SHA-384 + hashes are produced by omitting some from the final concatenation. + +6.1. SHA-224 and SHA-256 Initialization + + For SHA-224, the initial hash value, H(0), consists of the following + 32-bit words in hex: + + H(0)0 = c1059ed8 + H(0)1 = 367cd507 + H(0)2 = 3070dd17 + H(0)3 = f70e5939 + H(0)4 = ffc00b31 + H(0)5 = 68581511 + H(0)6 = 64f98fa7 + H(0)7 = befa4fa4 + + For SHA-256, the initial hash value, H(0), consists of the following + eight 32-bit words, in hex. These words were obtained by taking the + first thirty-two bits of the fractional parts of the square roots of + the first eight prime numbers. + + H(0)0 = 6a09e667 + H(0)1 = bb67ae85 + H(0)2 = 3c6ef372 + H(0)3 = a54ff53a + H(0)4 = 510e527f + H(0)5 = 9b05688c + H(0)6 = 1f83d9ab + H(0)7 = 5be0cd19 + +6.2. SHA-224 and SHA-256 Processing + + SHA-224 and SHA-256 perform identical processing on messages blocks + and differ only in how H(0) is initialized and how they produce their + final output. They may be used to hash a message, M, having a length + of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message + + + +Eastlake 3rd & Hansen Informational [Page 11] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + schedule of sixty-four 32-bit words, (2) eight working variables of + 32 bits each, and (3) a hash value of eight 32-bit words. + + The words of the message schedule are labeled W0, W1, ..., W63. The + eight working variables are labeled a, b, c, d, e, f, g, and h. The + words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which + will hold the initial hash value, H(0), replaced by each successive + intermediate hash value (after each message block is processed), + H(i), and ending with the final hash value, H(N), after all N blocks + are processed. They also use two temporary words, T1 and T2. + + The input message is padded as described in Section 4.1 above then + parsed into 512-bit blocks, which are considered to be composed of 16 + 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations + are then performed for each of the N message blocks. All addition is + performed modulo 2^32. + + For i = 1 to N + + 1. Prepare the message schedule W: + For t = 0 to 15 + Wt = M(i)t + For t = 16 to 63 + Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16) + + 2. Initialize the working variables: + a = H(i-1)0 + b = H(i-1)1 + c = H(i-1)2 + d = H(i-1)3 + e = H(i-1)4 + f = H(i-1)5 + g = H(i-1)6 + h = H(i-1)7 + + 3. Perform the main hash computation: + For t = 0 to 63 + T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt + T2 = BSIG0(a) + MAJ(a,b,c) + h = g + g = f + f = e + e = d + T1 + d = c + c = b + b = a + a = T1 + T2 + + + + +Eastlake 3rd & Hansen Informational [Page 12] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 4. Compute the intermediate hash value H(i): + H(i)0 = a + H(i-1)0 + H(i)1 = b + H(i-1)1 + H(i)2 = c + H(i-1)2 + H(i)3 = d + H(i-1)3 + H(i)4 = e + H(i-1)4 + H(i)5 = f + H(i-1)5 + H(i)6 = g + H(i-1)6 + H(i)7 = h + H(i-1)7 + + After the above computations have been sequentially performed for all + of the blocks in the message, the final output is calculated. For + SHA-256, this is the concatenation of all of H(N)0, H(N)1, through + H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1, + through H(N)6. + +6.3. SHA-384 and SHA-512 Initialization + + For SHA-384, the initial hash value, H(0), consists of the following + eight 64-bit words, in hex. These words were obtained by taking the + first sixty-four bits of the fractional parts of the square roots of + the ninth through sixteenth prime numbers. + + H(0)0 = cbbb9d5dc1059ed8 + H(0)1 = 629a292a367cd507 + H(0)2 = 9159015a3070dd17 + H(0)3 = 152fecd8f70e5939 + H(0)4 = 67332667ffc00b31 + H(0)5 = 8eb44a8768581511 + H(0)6 = db0c2e0d64f98fa7 + H(0)7 = 47b5481dbefa4fa4 + + For SHA-512, the initial hash value, H(0), consists of the following + eight 64-bit words, in hex. These words were obtained by taking the + first sixty-four bits of the fractional parts of the square roots of + the first eight prime numbers. + + H(0)0 = 6a09e667f3bcc908 + H(0)1 = bb67ae8584caa73b + H(0)2 = 3c6ef372fe94f82b + H(0)3 = a54ff53a5f1d36f1 + H(0)4 = 510e527fade682d1 + H(0)5 = 9b05688c2b3e6c1f + H(0)6 = 1f83d9abfb41bd6b + H(0)7 = 5be0cd19137e2179 + + + + + + +Eastlake 3rd & Hansen Informational [Page 13] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +6.4. SHA-384 and SHA-512 Processing + + SHA-384 and SHA-512 perform identical processing on message blocks + and differ only in how H(0) is initialized and how they produce their + final output. They may be used to hash a message, M, having a length + of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message + schedule of eighty 64-bit words, (2) eight working variables of 64 + bits each, and (3) a hash value of eight 64-bit words. + + The words of the message schedule are labeled W0, W1, ..., W79. The + eight working variables are labeled a, b, c, d, e, f, g, and h. The + words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which + will hold the initial hash value, H(0), replaced by each successive + intermediate hash value (after each message block is processed), + H(i), and ending with the final hash value, H(N) after all N blocks + are processed. + + The input message is padded as described in Section 4.2 above, then + parsed into 1024-bit blocks, which are considered to be composed of + 16 64-bit words M(i)0, M(i)1, ..., M(i)15. The following + computations are then performed for each of the N message blocks. + All addition is performed modulo 2^64. + + For i = 1 to N + + 1. Prepare the message schedule W: + For t = 0 to 15 + Wt = M(i)t + For t = 16 to 79 + Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16) + + 2. Initialize the working variables: + a = H(i-1)0 + b = H(i-1)1 + c = H(i-1)2 + d = H(i-1)3 + e = H(i-1)4 + f = H(i-1)5 + g = H(i-1)6 + h = H(i-1)7 + + 3. Perform the main hash computation: + For t = 0 to 79 + T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt + T2 = BSIG0(a) + MAJ(a,b,c) + h = g + g = f + f = e + + + +Eastlake 3rd & Hansen Informational [Page 14] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + e = d + T1 + d = c + c = b + b = a + a = T1 + T2 + + 4. Compute the intermediate hash value H(i): + H(i)0 = a + H(i-1)0 + H(i)1 = b + H(i-1)1 + H(i)2 = c + H(i-1)2 + H(i)3 = d + H(i-1)3 + H(i)4 = e + H(i-1)4 + H(i)5 = f + H(i-1)5 + H(i)6 = g + H(i-1)6 + H(i)7 = h + H(i-1)7 + + After the above computations have been sequentially performed for all + of the blocks in the message, the final output is calculated. For + SHA-512, this is the concatenation of all of H(N)0, H(N)1, through + H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1, + through H(N)5. + +7. SHA-Based HMACs + + HMAC is a method for computing a keyed MAC (message authentication + code) using a hash function as described in [RFC2104]. It uses a key + to mix in with the input text to produce the final hash. + + Sample code is also provided, in Section 8.3 below, to perform HMAC + based on any of the SHA algorithms described herein. The sample code + found in [RFC2104] was written in terms of a specified text size. + Since SHA is defined in terms of an arbitrary number of bits, the + sample HMAC code has been written to allow the text input to HMAC to + have an arbitrary number of octets and bits. A fixed-length + interface is also provided. + +8. C Code for SHAs + + Below is a demonstration implementation of these secure hash + functions in C. Section 8.1 contains the header file sha.h, which + declares all constants, structures, and functions used by the sha and + hmac functions. Section 8.2 contains the C code for sha1.c, + sha224-256.c, sha384-512.c, and usha.c along with sha-private.h, + which provides some declarations common to all the sha functions. + Section 8.3 contains the C code for the hmac functions. Section 8.4 + contains a test driver to exercise the code. + + + + + +Eastlake 3rd & Hansen Informational [Page 15] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + For each of the digest length $$$, there is the following set of + constants, a structure, and functions: + + Constants: + SHA$$$HashSize number of octets in the hash + SHA$$$HashSizeBits number of bits in the hash + SHA$$$_Message_Block_Size + number of octets used in the intermediate + message blocks + shaSuccess = 0 constant returned by each function on success + shaNull = 1 constant returned by each function when + presented with a null pointer parameter + shaInputTooLong = 2 constant returned by each function when the + input data is too long + shaStateError constant returned by each function when + SHA$$$Input is called after SHA$$$FinalBits or + SHA$$$Result. + + Structure: + typedef SHA$$$Context + an opaque structure holding the complete state + for producing the hash + + Functions: + int SHA$$$Reset(SHA$$$Context *); + Reset the hash context state + int SHA$$$Input(SHA$$$Context *, const uint8_t *octets, + unsigned int bytecount); + Incorporate bytecount octets into the hash. + int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet, + unsigned int bitcount); + Incorporate bitcount bits into the hash. The bits are in + the upper portion of the octet. SHA$$$Input() cannot be + called after this. + int SHA$$$Result(SHA$$$Context *, + uint8_t Message_Digest[SHA$$$HashSize]); + Do the final calculations on the hash and copy the value + into Message_Digest. + + In addition, functions with the prefix USHA are provided that take a + SHAversion value (SHA$$$) to select the SHA function suite. They add + the following constants, structure, and functions: + + Constants: + shaBadParam constant returned by USHA functions when + presented with a bad SHAversion (SHA$$$) + parameter + + + + +Eastlake 3rd & Hansen Informational [Page 16] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + SHA$$$ SHAversion enumeration values, used by usha + and hmac functions to select the SHA function + suite + + Structure: + typedef USHAContext + an opaque structure holding the complete state + for producing the hash + + Functions: + int USHAReset(USHAContext *, SHAversion whichSha); + Reset the hash context state. + int USHAInput(USHAContext *, + const uint8_t *bytes, unsigned int bytecount); + Incorporate bytecount octets into the hash. + int USHAFinalBits(USHAContext *, + const uint8_t bits, unsigned int bitcount); + Incorporate bitcount bits into the hash. + int USHAResult(USHAContext *, + uint8_t Message_Digest[USHAMaxHashSize]); + Do the final calculations on the hash and copy the value + into Message_Digest. Octets in Message_Digest beyond + USHAHashSize(whichSha) are left untouched. + int USHAHashSize(enum SHAversion whichSha); + The number of octets in the given hash. + int USHAHashSizeBits(enum SHAversion whichSha); + The number of bits in the given hash. + int USHABlockSize(enum SHAversion whichSha); + The internal block size for the given hash. + + The hmac functions follow the same pattern to allow any length of + text input to be used. + + Structure: + typedef HMACContext an opaque structure holding the complete state + for producing the hash + + Functions: + int hmacReset(HMACContext *ctx, enum SHAversion whichSha, + const unsigned char *key, int key_len); + Reset the hash context state. + int hmacInput(HMACContext *ctx, const unsigned char *text, + int text_len); + Incorporate text_len octets into the hash. + int hmacFinalBits(HMACContext *ctx, const uint8_t bits, + unsigned int bitcount); + Incorporate bitcount bits into the hash. + + + + +Eastlake 3rd & Hansen Informational [Page 17] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + int hmacResult(HMACContext *ctx, + uint8_t Message_Digest[USHAMaxHashSize]); + Do the final calculations on the hash and copy the value + into Message_Digest. Octets in Message_Digest beyond + USHAHashSize(whichSha) are left untouched. + + In addition, a combined interface is provided, similar to that shown + in RFC 2104, that allows a fixed-length text input to be used. + + int hmac(SHAversion whichSha, + const unsigned char *text, int text_len, + const unsigned char *key, int key_len, + uint8_t Message_Digest[USHAMaxHashSize]); + Calculate the given digest for the given text and key, and + return the resulting hash. Octets in Message_Digest beyond + USHAHashSize(whichSha) are left untouched. + +8.1. The .h File + +/**************************** sha.h ****************************/ +/******************* See RFC 4634 for details ******************/ +#ifndef _SHA_H_ +#define _SHA_H_ + +/* + * Description: + * This file implements the Secure Hash Signature Standard + * algorithms as defined in the National Institute of Standards + * and Technology Federal Information Processing Standards + * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 + * published on August 1, 2002, and the FIPS PUB 180-2 Change + * Notice published on February 28, 2004. + * + * A combined document showing all algorithms is available at + * http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf + * + * The five hashes are defined in these sizes: + * SHA-1 20 byte / 160 bit + * SHA-224 28 byte / 224 bit + * SHA-256 32 byte / 256 bit + * SHA-384 48 byte / 384 bit + * SHA-512 64 byte / 512 bit + */ + +#include +/* + * If you do not have the ISO standard stdint.h header file, then you + + + +Eastlake 3rd & Hansen Informational [Page 18] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * must typedef the following: + * name meaning + * uint64_t unsigned 64 bit integer + * uint32_t unsigned 32 bit integer + * uint8_t unsigned 8 bit integer (i.e., unsigned char) + * int_least16_t integer of >= 16 bits + * + */ + +#ifndef _SHA_enum_ +#define _SHA_enum_ +/* + * All SHA functions return one of these values. + */ +enum { + shaSuccess = 0, + shaNull, /* Null pointer parameter */ + shaInputTooLong, /* input data too long */ + shaStateError, /* called Input after FinalBits or Result */ + shaBadParam /* passed a bad parameter */ +}; +#endif /* _SHA_enum_ */ + +/* + * These constants hold size information for each of the SHA + * hashing operations + */ +enum { + SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, + SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, + SHA512_Message_Block_Size = 128, + USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, + + SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, + SHA384HashSize = 48, SHA512HashSize = 64, + USHAMaxHashSize = SHA512HashSize, + + SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, + SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, + SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits +}; + +/* + * These constants are used in the USHA (unified sha) functions. + */ +typedef enum SHAversion { + SHA1, SHA224, SHA256, SHA384, SHA512 +} SHAversion; + + + +Eastlake 3rd & Hansen Informational [Page 19] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * This structure will hold context information for the SHA-1 + * hashing operation. + */ +typedef struct SHA1Context { + uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ + + uint32_t Length_Low; /* Message length in bits */ + uint32_t Length_High; /* Message length in bits */ + + int_least16_t Message_Block_Index; /* Message_Block array index */ + /* 512-bit message blocks */ + uint8_t Message_Block[SHA1_Message_Block_Size]; + + int Computed; /* Is the digest computed? */ + int Corrupted; /* Is the digest corrupted? */ +} SHA1Context; + +/* + * This structure will hold context information for the SHA-256 + * hashing operation. + */ +typedef struct SHA256Context { + uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ + + uint32_t Length_Low; /* Message length in bits */ + uint32_t Length_High; /* Message length in bits */ + + int_least16_t Message_Block_Index; /* Message_Block array index */ + /* 512-bit message blocks */ + uint8_t Message_Block[SHA256_Message_Block_Size]; + + int Computed; /* Is the digest computed? */ + int Corrupted; /* Is the digest corrupted? */ +} SHA256Context; + +/* + * This structure will hold context information for the SHA-512 + * hashing operation. + */ +typedef struct SHA512Context { +#ifdef USE_32BIT_ONLY + uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ + uint32_t Length[4]; /* Message length in bits */ +#else /* !USE_32BIT_ONLY */ + uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ + uint64_t Length_Low, Length_High; /* Message length in bits */ +#endif /* USE_32BIT_ONLY */ + + + +Eastlake 3rd & Hansen Informational [Page 20] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + int_least16_t Message_Block_Index; /* Message_Block array index */ + /* 1024-bit message blocks */ + uint8_t Message_Block[SHA512_Message_Block_Size]; + + int Computed; /* Is the digest computed?*/ + int Corrupted; /* Is the digest corrupted? */ +} SHA512Context; + +/* + * This structure will hold context information for the SHA-224 + * hashing operation. It uses the SHA-256 structure for computation. + */ +typedef struct SHA256Context SHA224Context; + +/* + * This structure will hold context information for the SHA-384 + * hashing operation. It uses the SHA-512 structure for computation. + */ +typedef struct SHA512Context SHA384Context; + +/* + * This structure holds context information for all SHA + * hashing operations. + */ +typedef struct USHAContext { + int whichSha; /* which SHA is being used */ + union { + SHA1Context sha1Context; + SHA224Context sha224Context; SHA256Context sha256Context; + SHA384Context sha384Context; SHA512Context sha512Context; + } ctx; +} USHAContext; + +/* + * This structure will hold context information for the HMAC + * keyed hashing operation. + */ +typedef struct HMACContext { + int whichSha; /* which SHA is being used */ + int hashSize; /* hash size of SHA being used */ + int blockSize; /* block size of SHA being used */ + USHAContext shaContext; /* SHA context */ + unsigned char k_opad[USHA_Max_Message_Block_Size]; + /* outer padding - key XORd with opad */ +} HMACContext; + + + + + + +Eastlake 3rd & Hansen Informational [Page 21] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * Function Prototypes + */ + +/* SHA-1 */ +extern int SHA1Reset(SHA1Context *); +extern int SHA1Input(SHA1Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA1FinalBits(SHA1Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA1Result(SHA1Context *, + uint8_t Message_Digest[SHA1HashSize]); + +/* SHA-224 */ +extern int SHA224Reset(SHA224Context *); +extern int SHA224Input(SHA224Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA224FinalBits(SHA224Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA224Result(SHA224Context *, + uint8_t Message_Digest[SHA224HashSize]); + +/* SHA-256 */ +extern int SHA256Reset(SHA256Context *); +extern int SHA256Input(SHA256Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA256FinalBits(SHA256Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA256Result(SHA256Context *, + uint8_t Message_Digest[SHA256HashSize]); + +/* SHA-384 */ +extern int SHA384Reset(SHA384Context *); +extern int SHA384Input(SHA384Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA384FinalBits(SHA384Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA384Result(SHA384Context *, + uint8_t Message_Digest[SHA384HashSize]); + +/* SHA-512 */ +extern int SHA512Reset(SHA512Context *); +extern int SHA512Input(SHA512Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA512FinalBits(SHA512Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA512Result(SHA512Context *, + uint8_t Message_Digest[SHA512HashSize]); + + + +Eastlake 3rd & Hansen Informational [Page 22] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* Unified SHA functions, chosen by whichSha */ +extern int USHAReset(USHAContext *, SHAversion whichSha); +extern int USHAInput(USHAContext *, + const uint8_t *bytes, unsigned int bytecount); +extern int USHAFinalBits(USHAContext *, + const uint8_t bits, unsigned int bitcount); +extern int USHAResult(USHAContext *, + uint8_t Message_Digest[USHAMaxHashSize]); +extern int USHABlockSize(enum SHAversion whichSha); +extern int USHAHashSize(enum SHAversion whichSha); +extern int USHAHashSizeBits(enum SHAversion whichSha); + +/* + * HMAC Keyed-Hashing for Message Authentication, RFC2104, + * for all SHAs. + * This interface allows a fixed-length text input to be used. + */ +extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ + const unsigned char *text, /* pointer to data stream */ + int text_len, /* length of data stream */ + const unsigned char *key, /* pointer to authentication key */ + int key_len, /* length of authentication key */ + uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ + +/* + * HMAC Keyed-Hashing for Message Authentication, RFC2104, + * for all SHAs. + * This interface allows any length of text input to be used. + */ +extern int hmacReset(HMACContext *ctx, enum SHAversion whichSha, + const unsigned char *key, int key_len); +extern int hmacInput(HMACContext *ctx, const unsigned char *text, + int text_len); + +extern int hmacFinalBits(HMACContext *ctx, const uint8_t bits, + unsigned int bitcount); +extern int hmacResult(HMACContext *ctx, + uint8_t digest[USHAMaxHashSize]); + +#endif /* _SHA_H_ */ + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 23] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +8.2. The SHA Code + + This code is primarily intended as expository and could be optimized + further. For example, the assignment rotations through the variables + a, b, ..., h could be treated as a cycle and the loop unrolled, + rather than doing the explicit copying. + + Note that there are alternative representations of the Ch() and Maj() + functions controlled by an ifdef. + +8.2.1. sha1.c + +/**************************** sha1.c ****************************/ +/******************** See RFC 4634 for details ******************/ +/* + * Description: + * This file implements the Secure Hash Signature Standard + * algorithms as defined in the National Institute of Standards + * and Technology Federal Information Processing Standards + * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 + * published on August 1, 2002, and the FIPS PUB 180-2 Change + * Notice published on February 28, 2004. + * + * A combined document showing all algorithms is available at + * http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf + * + * The SHA-1 algorithm produces a 160-bit message digest for a + * given data stream. It should take about 2**n steps to find a + * message with the same digest as a given message and + * 2**(n/2) to find any two messages with the same digest, + * when n is the digest size in bits. Therefore, this + * algorithm can serve as a means of providing a + * "fingerprint" for a message. + * + * Portability Issues: + * SHA-1 is defined in terms of 32-bit "words". This code + * uses (included via "sha.h") to define 32 and 8 + * bit unsigned integer types. If your C compiler does not + * support 32 bit unsigned integers, this code is not + * appropriate. + * + * Caveats: + * SHA-1 is designed to work with messages less than 2^64 bits + * long. This implementation uses SHA1Input() to hash the bits + * that are a multiple of the size of an 8-bit character, and then + * uses SHA1FinalBits() to hash the final few bits of the input. + */ + + + +Eastlake 3rd & Hansen Informational [Page 24] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +#include "sha.h" +#include "sha-private.h" + +/* + * Define the SHA1 circular left shift macro + */ +#define SHA1_ROTL(bits,word) \ + (((word) << (bits)) | ((word) >> (32-(bits)))) + +/* + * add "length" to the length + */ +static uint32_t addTemp; +#define SHA1AddLength(context, length) \ + (addTemp = (context)->Length_Low, \ + (context)->Corrupted = \ + (((context)->Length_Low += (length)) < addTemp) && \ + (++(context)->Length_High == 0) ? 1 : 0) + +/* Local Function Prototypes */ +static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); +static void SHA1PadMessage(SHA1Context *, uint8_t Pad_Byte); +static void SHA1ProcessMessageBlock(SHA1Context *); + +/* + * SHA1Reset + * + * Description: + * This function will initialize the SHA1Context in preparation + * for computing a new SHA1 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + * + */ +int SHA1Reset(SHA1Context *context) +{ + if (!context) + return shaNull; + + context->Length_Low = 0; + context->Length_High = 0; + context->Message_Block_Index = 0; + + + + +Eastlake 3rd & Hansen Informational [Page 25] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + /* Initial Hash Values: FIPS-180-2 section 5.3.1 */ + context->Intermediate_Hash[0] = 0x67452301; + context->Intermediate_Hash[1] = 0xEFCDAB89; + context->Intermediate_Hash[2] = 0x98BADCFE; + context->Intermediate_Hash[3] = 0x10325476; + context->Intermediate_Hash[4] = 0xC3D2E1F0; + + context->Computed = 0; + context->Corrupted = 0; + + return shaSuccess; +} + +/* + * SHA1Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int SHA1Input(SHA1Context *context, + const uint8_t *message_array, unsigned length) +{ + if (!length) + return shaSuccess; + + if (!context || !message_array) + return shaNull; + + if (context->Computed) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + + + +Eastlake 3rd & Hansen Informational [Page 26] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + return context->Corrupted; + + while (length-- && !context->Corrupted) { + context->Message_Block[context->Message_Block_Index++] = + (*message_array & 0xFF); + + if (!SHA1AddLength(context, 8) && + (context->Message_Block_Index == SHA1_Message_Block_Size)) + SHA1ProcessMessageBlock(context); + + message_array++; + } + + return shaSuccess; +} + +/* + * SHA1FinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int SHA1FinalBits(SHA1Context *context, const uint8_t message_bits, + unsigned int length) +{ + uint8_t masks[8] = { + /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, + /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, + /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, + /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE + }; + uint8_t markbit[8] = { + /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, + /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, + /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, + + + +Eastlake 3rd & Hansen Informational [Page 27] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 + }; + + if (!length) + return shaSuccess; + + if (!context) + return shaNull; + + if (context->Computed || (length >= 8) || (length == 0)) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + return context->Corrupted; + + SHA1AddLength(context, length); + SHA1Finalize(context, + (uint8_t) ((message_bits & masks[length]) | markbit[length])); + + return shaSuccess; +} + +/* + * SHA1Result + * + * Description: + * This function will return the 160-bit message digest into the + * Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 19th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA-1 hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + * + */ +int SHA1Result(SHA1Context *context, + uint8_t Message_Digest[SHA1HashSize]) +{ + int i; + + + + +Eastlake 3rd & Hansen Informational [Page 28] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + if (!context || !Message_Digest) + return shaNull; + + if (context->Corrupted) + return context->Corrupted; + + if (!context->Computed) + SHA1Finalize(context, 0x80); + + for (i = 0; i < SHA1HashSize; ++i) + Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2] + >> 8 * ( 3 - ( i & 0x03 ) )); + + return shaSuccess; +} + +/* + * SHA1Finalize + * + * Description: + * This helper function finishes off the digest calculations. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * sha Error Code. + * + */ +static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) +{ + int i; + SHA1PadMessage(context, Pad_Byte); + /* message may be sensitive, clear it out */ + for (i = 0; i < SHA1_Message_Block_Size; ++i) + context->Message_Block[i] = 0; + context->Length_Low = 0; /* and clear length */ + context->Length_High = 0; + context->Computed = 1; +} + +/* + + + +Eastlake 3rd & Hansen Informational [Page 29] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * SHA1PadMessage + * + * Description: + * According to the standard, the message must be padded to an + * even 512 bits. The first padding bit must be a '1'. The last + * 64 bits represent the length of the original message. All bits + * in between should be 0. This helper function will pad the + * message according to those rules by filling the Message_Block + * array accordingly. When it returns, it can be assumed that the + * message digest has been computed. + * + * Parameters: + * context: [in/out] + * The context to pad + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * Nothing. + */ +static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) +{ + /* + * Check to see if the current message block is too small to hold + * the initial padding bits and length. If so, we will pad the + * block, process it, and then continue padding into a second + * block. + */ + if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + while (context->Message_Block_Index < SHA1_Message_Block_Size) + context->Message_Block[context->Message_Block_Index++] = 0; + + SHA1ProcessMessageBlock(context); + } else + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + + while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8)) + context->Message_Block[context->Message_Block_Index++] = 0; + + /* + * Store the message length as the last 8 octets + */ + context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); + context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); + + + +Eastlake 3rd & Hansen Informational [Page 30] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); + context->Message_Block[59] = (uint8_t) (context->Length_High); + context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); + context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); + context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); + context->Message_Block[63] = (uint8_t) (context->Length_Low); + + SHA1ProcessMessageBlock(context); +} + +/* + * SHA1ProcessMessageBlock + * + * Description: + * This helper function will process the next 512 bits of the + * message stored in the Message_Block array. + * + * Parameters: + * None. + * + * Returns: + * Nothing. + * + * Comments: + * Many of the variable names in this code, especially the + * single character names, were used because those were the + * names used in the publication. + */ +static void SHA1ProcessMessageBlock(SHA1Context *context) +{ + /* Constants defined in FIPS-180-2, section 4.2.1 */ + const uint32_t K[4] = { + 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 + }; + int t; /* Loop counter */ + uint32_t temp; /* Temporary word value */ + uint32_t W[80]; /* Word sequence */ + uint32_t A, B, C, D, E; /* Word buffers */ + + /* + * Initialize the first 16 words in the array W + */ + for (t = 0; t < 16; t++) { + W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24; + W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16; + W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8; + W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]); + } + + + +Eastlake 3rd & Hansen Informational [Page 31] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + for (t = 16; t < 80; t++) + W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); + + A = context->Intermediate_Hash[0]; + B = context->Intermediate_Hash[1]; + C = context->Intermediate_Hash[2]; + D = context->Intermediate_Hash[3]; + E = context->Intermediate_Hash[4]; + + for (t = 0; t < 20; t++) { + temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0]; + E = D; + D = C; + C = SHA1_ROTL(30,B); + B = A; + A = temp; + } + + for (t = 20; t < 40; t++) { + temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1]; + E = D; + D = C; + C = SHA1_ROTL(30,B); + B = A; + A = temp; + } + + for (t = 40; t < 60; t++) { + temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2]; + E = D; + D = C; + C = SHA1_ROTL(30,B); + B = A; + A = temp; + } + + for (t = 60; t < 80; t++) { + temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; + E = D; + D = C; + C = SHA1_ROTL(30,B); + B = A; + A = temp; + } + + context->Intermediate_Hash[0] += A; + context->Intermediate_Hash[1] += B; + context->Intermediate_Hash[2] += C; + + + +Eastlake 3rd & Hansen Informational [Page 32] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + context->Intermediate_Hash[3] += D; + context->Intermediate_Hash[4] += E; + + context->Message_Block_Index = 0; +} + +8.2.2. sha224-256.c + +/*************************** sha224-256.c ***************************/ +/********************* See RFC 4634 for details *********************/ +/* + * Description: + * This file implements the Secure Hash Signature Standard + * algorithms as defined in the National Institute of Standards + * and Technology Federal Information Processing Standards + * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 + * published on August 1, 2002, and the FIPS PUB 180-2 Change + * Notice published on February 28, 2004. + * + * A combined document showing all algorithms is available at + * http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf + * + * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit + * message digests for a given data stream. It should take about + * 2**n steps to find a message with the same digest as a given + * message and 2**(n/2) to find any two messages with the same + * digest, when n is the digest size in bits. Therefore, this + * algorithm can serve as a means of providing a + * "fingerprint" for a message. + * + * Portability Issues: + * SHA-224 and SHA-256 are defined in terms of 32-bit "words". + * This code uses (included via "sha.h") to define 32 + * and 8 bit unsigned integer types. If your C compiler does not + * support 32 bit unsigned integers, this code is not + * appropriate. + * + * Caveats: + * SHA-224 and SHA-256 are designed to work with messages less + * than 2^64 bits long. This implementation uses SHA224/256Input() + * to hash the bits that are a multiple of the size of an 8-bit + * character, and then uses SHA224/256FinalBits() to hash the + * final few bits of the input. + */ + +#include "sha.h" +#include "sha-private.h" + + + +Eastlake 3rd & Hansen Informational [Page 33] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* Define the SHA shift, rotate left and rotate right macro */ +#define SHA256_SHR(bits,word) ((word) >> (bits)) +#define SHA256_ROTL(bits,word) \ + (((word) << (bits)) | ((word) >> (32-(bits)))) +#define SHA256_ROTR(bits,word) \ + (((word) >> (bits)) | ((word) << (32-(bits)))) + +/* Define the SHA SIGMA and sigma macros */ +#define SHA256_SIGMA0(word) \ + (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word)) +#define SHA256_SIGMA1(word) \ + (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word)) +#define SHA256_sigma0(word) \ + (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word)) +#define SHA256_sigma1(word) \ + (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word)) + +/* + * add "length" to the length + */ +static uint32_t addTemp; +#define SHA224_256AddLength(context, length) \ + (addTemp = (context)->Length_Low, (context)->Corrupted = \ + (((context)->Length_Low += (length)) < addTemp) && \ + (++(context)->Length_High == 0) ? 1 : 0) + +/* Local Function Prototypes */ +static void SHA224_256Finalize(SHA256Context *context, + uint8_t Pad_Byte); +static void SHA224_256PadMessage(SHA256Context *context, + uint8_t Pad_Byte); +static void SHA224_256ProcessMessageBlock(SHA256Context *context); +static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); +static int SHA224_256ResultN(SHA256Context *context, + uint8_t Message_Digest[], int HashSize); + +/* Initial Hash Values: FIPS-180-2 Change Notice 1 */ +static uint32_t SHA224_H0[SHA256HashSize/4] = { + 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, + 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 +}; + +/* Initial Hash Values: FIPS-180-2 section 5.3.2 */ +static uint32_t SHA256_H0[SHA256HashSize/4] = { + 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, + 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 +}; + + + + +Eastlake 3rd & Hansen Informational [Page 34] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * SHA224Reset + * + * Description: + * This function will initialize the SHA384Context in preparation + * for computing a new SHA224 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + */ +int SHA224Reset(SHA224Context *context) +{ + return SHA224_256Reset(context, SHA224_H0); +} + +/* + * SHA224Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int SHA224Input(SHA224Context *context, const uint8_t *message_array, + unsigned int length) +{ + return SHA256Input(context, message_array, length); +} + +/* + * SHA224FinalBits + * + + + +Eastlake 3rd & Hansen Informational [Page 35] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int SHA224FinalBits( SHA224Context *context, + const uint8_t message_bits, unsigned int length) +{ + return SHA256FinalBits(context, message_bits, length); +} + +/* + * SHA224Result + * + * Description: + * This function will return the 224-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 28th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + */ +int SHA224Result(SHA224Context *context, + uint8_t Message_Digest[SHA224HashSize]) +{ + return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); +} + +/* + * SHA256Reset + + + +Eastlake 3rd & Hansen Informational [Page 36] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Description: + * This function will initialize the SHA256Context in preparation + * for computing a new SHA256 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + */ +int SHA256Reset(SHA256Context *context) +{ + return SHA224_256Reset(context, SHA256_H0); +} + +/* + * SHA256Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + */ +int SHA256Input(SHA256Context *context, const uint8_t *message_array, + unsigned int length) +{ + if (!length) + return shaSuccess; + + if (!context || !message_array) + return shaNull; + + if (context->Computed) { + context->Corrupted = shaStateError; + return shaStateError; + + + +Eastlake 3rd & Hansen Informational [Page 37] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + } + + if (context->Corrupted) + return context->Corrupted; + + while (length-- && !context->Corrupted) { + context->Message_Block[context->Message_Block_Index++] = + (*message_array & 0xFF); + + if (!SHA224_256AddLength(context, 8) && + (context->Message_Block_Index == SHA256_Message_Block_Size)) + SHA224_256ProcessMessageBlock(context); + + message_array++; + } + + return shaSuccess; + +} + +/* + * SHA256FinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int SHA256FinalBits(SHA256Context *context, + const uint8_t message_bits, unsigned int length) +{ + uint8_t masks[8] = { + /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, + /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, + /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, + /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE + }; + + + +Eastlake 3rd & Hansen Informational [Page 38] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + uint8_t markbit[8] = { + /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, + /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, + /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, + /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 + }; + + if (!length) + return shaSuccess; + + if (!context) + return shaNull; + + if ((context->Computed) || (length >= 8) || (length == 0)) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + return context->Corrupted; + + SHA224_256AddLength(context, length); + SHA224_256Finalize(context, (uint8_t) + ((message_bits & masks[length]) | markbit[length])); + + return shaSuccess; +} + +/* + * SHA256Result + * + * Description: + * This function will return the 256-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 32nd element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + */ +int SHA256Result(SHA256Context *context, uint8_t Message_Digest[]) +{ + + + +Eastlake 3rd & Hansen Informational [Page 39] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); +} + +/* + * SHA224_256Finalize + * + * Description: + * This helper function finishes off the digest calculations. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * sha Error Code. + */ +static void SHA224_256Finalize(SHA256Context *context, + uint8_t Pad_Byte) +{ + int i; + SHA224_256PadMessage(context, Pad_Byte); + /* message may be sensitive, so clear it out */ + for (i = 0; i < SHA256_Message_Block_Size; ++i) + context->Message_Block[i] = 0; + context->Length_Low = 0; /* and clear length */ + context->Length_High = 0; + context->Computed = 1; +} + +/* + * SHA224_256PadMessage + * + * Description: + * According to the standard, the message must be padded to an + * even 512 bits. The first padding bit must be a '1'. The + * last 64 bits represent the length of the original message. + * All bits in between should be 0. This helper function will pad + * the message according to those rules by filling the + * Message_Block array accordingly. When it returns, it can be + * assumed that the message digest has been computed. + * + * Parameters: + * context: [in/out] + + + +Eastlake 3rd & Hansen Informational [Page 40] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * The context to pad + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * Nothing. + */ +static void SHA224_256PadMessage(SHA256Context *context, + uint8_t Pad_Byte) +{ + /* + * Check to see if the current message block is too small to hold + * the initial padding bits and length. If so, we will pad the + * block, process it, and then continue padding into a second + * block. + */ + if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + while (context->Message_Block_Index < SHA256_Message_Block_Size) + context->Message_Block[context->Message_Block_Index++] = 0; + SHA224_256ProcessMessageBlock(context); + } else + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + + while (context->Message_Block_Index < (SHA256_Message_Block_Size-8)) + context->Message_Block[context->Message_Block_Index++] = 0; + + /* + * Store the message length as the last 8 octets + */ + context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); + context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); + context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); + context->Message_Block[59] = (uint8_t)(context->Length_High); + context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); + context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); + context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); + context->Message_Block[63] = (uint8_t)(context->Length_Low); + + SHA224_256ProcessMessageBlock(context); +} + +/* + * SHA224_256ProcessMessageBlock + * + + + +Eastlake 3rd & Hansen Informational [Page 41] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Description: + * This function will process the next 512 bits of the message + * stored in the Message_Block array. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * + * Returns: + * Nothing. + * + * Comments: + * Many of the variable names in this code, especially the + * single character names, were used because those were the + * names used in the publication. + */ +static void SHA224_256ProcessMessageBlock(SHA256Context *context) +{ + /* Constants defined in FIPS-180-2, section 4.2.2 */ + static const uint32_t K[64] = { + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, + 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, + 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, + 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, + 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, + 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, + 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, + 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, + 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, + 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, + 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, + 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, + 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 + }; + int t, t4; /* Loop counter */ + uint32_t temp1, temp2; /* Temporary word value */ + uint32_t W[64]; /* Word sequence */ + uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ + + /* + * Initialize the first 16 words in the array W + */ + for (t = t4 = 0; t < 16; t++, t4 += 4) + W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | + (((uint32_t)context->Message_Block[t4 + 1]) << 16) | + (((uint32_t)context->Message_Block[t4 + 2]) << 8) | + (((uint32_t)context->Message_Block[t4 + 3])); + + + + +Eastlake 3rd & Hansen Informational [Page 42] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + for (t = 16; t < 64; t++) + W[t] = SHA256_sigma1(W[t-2]) + W[t-7] + + SHA256_sigma0(W[t-15]) + W[t-16]; + + A = context->Intermediate_Hash[0]; + B = context->Intermediate_Hash[1]; + C = context->Intermediate_Hash[2]; + D = context->Intermediate_Hash[3]; + E = context->Intermediate_Hash[4]; + F = context->Intermediate_Hash[5]; + G = context->Intermediate_Hash[6]; + H = context->Intermediate_Hash[7]; + + for (t = 0; t < 64; t++) { + temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; + temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C); + H = G; + G = F; + F = E; + E = D + temp1; + D = C; + C = B; + B = A; + A = temp1 + temp2; + } + + context->Intermediate_Hash[0] += A; + context->Intermediate_Hash[1] += B; + context->Intermediate_Hash[2] += C; + context->Intermediate_Hash[3] += D; + context->Intermediate_Hash[4] += E; + context->Intermediate_Hash[5] += F; + context->Intermediate_Hash[6] += G; + context->Intermediate_Hash[7] += H; + + context->Message_Block_Index = 0; +} + +/* + * SHA224_256Reset + * + * Description: + * This helper function will initialize the SHA256Context in + * preparation for computing a new SHA256 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + + + +Eastlake 3rd & Hansen Informational [Page 43] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * H0 + * The initial hash value to use. + * + * Returns: + * sha Error Code. + */ +static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) +{ + if (!context) + return shaNull; + + context->Length_Low = 0; + context->Length_High = 0; + context->Message_Block_Index = 0; + + context->Intermediate_Hash[0] = H0[0]; + context->Intermediate_Hash[1] = H0[1]; + context->Intermediate_Hash[2] = H0[2]; + context->Intermediate_Hash[3] = H0[3]; + context->Intermediate_Hash[4] = H0[4]; + context->Intermediate_Hash[5] = H0[5]; + context->Intermediate_Hash[6] = H0[6]; + context->Intermediate_Hash[7] = H0[7]; + + context->Computed = 0; + context->Corrupted = 0; + + return shaSuccess; +} + +/* + * SHA224_256ResultN + * + * Description: + * This helper function will return the 224-bit or 256-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 28th/32nd element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * HashSize: [in] + * The size of the hash, either 28 or 32. + * + * Returns: + + + +Eastlake 3rd & Hansen Informational [Page 44] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * sha Error Code. + */ +static int SHA224_256ResultN(SHA256Context *context, + uint8_t Message_Digest[], int HashSize) +{ + int i; + + if (!context || !Message_Digest) + return shaNull; + + if (context->Corrupted) + return context->Corrupted; + + if (!context->Computed) + SHA224_256Finalize(context, 0x80); + + for (i = 0; i < HashSize; ++i) + Message_Digest[i] = (uint8_t) + (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); + + return shaSuccess; +} + +8.2.3. sha384-512.c + +/*************************** sha384-512.c ***************************/ +/********************* See RFC 4634 for details *********************/ +/* + * Description: + * This file implements the Secure Hash Signature Standard + * algorithms as defined in the National Institute of Standards + * and Technology Federal Information Processing Standards + * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 + * published on August 1, 2002, and the FIPS PUB 180-2 Change + * Notice published on February 28, 2004. + * + * A combined document showing all algorithms is available at + * http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf + * + * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit + * message digests for a given data stream. It should take about + * 2**n steps to find a message with the same digest as a given + * message and 2**(n/2) to find any two messages with the same + * digest, when n is the digest size in bits. Therefore, this + * algorithm can serve as a means of providing a + * "fingerprint" for a message. + * + + + +Eastlake 3rd & Hansen Informational [Page 45] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Portability Issues: + * SHA-384 and SHA-512 are defined in terms of 64-bit "words", + * but if USE_32BIT_ONLY is #defined, this code is implemented in + * terms of 32-bit "words". This code uses (included + * via "sha.h") to define the 64, 32 and 8 bit unsigned integer + * types. If your C compiler does not support 64 bit unsigned + * integers, and you do not #define USE_32BIT_ONLY, this code is + * not appropriate. + * + * Caveats: + * SHA-384 and SHA-512 are designed to work with messages less + * than 2^128 bits long. This implementation uses + * SHA384/512Input() to hash the bits that are a multiple of the + * size of an 8-bit character, and then uses SHA384/256FinalBits() + * to hash the final few bits of the input. + * + */ + +#include "sha.h" +#include "sha-private.h" + +#ifdef USE_32BIT_ONLY +/* + * Define 64-bit arithmetic in terms of 32-bit arithmetic. + * Each 64-bit number is represented in a 2-word array. + * All macros are defined such that the result is the last parameter. + */ + +/* + * Define shift, rotate left and rotate right functions + */ +#define SHA512_SHR(bits, word, ret) ( \ + /* (((uint64_t)((word))) >> (bits)) */ \ + (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \ + ((word)[0] >> (bits)) : 0, \ + (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ + ((bits) == 32) ? (word)[0] : \ + ((bits) >= 0) ? \ + (((word)[0] << (32 - (bits))) | \ + ((word)[1] >> (bits))) : 0 ) + +#define SHA512_SHL(bits, word, ret) ( \ + /* (((uint64_t)(word)) << (bits)) */ \ + (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \ + ((bits) == 32) ? (word)[1] : \ + ((bits) >= 0) ? \ + (((word)[0] << (bits)) | \ + ((word)[1] >> (32 - (bits)))) : \ + + + +Eastlake 3rd & Hansen Informational [Page 46] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 0, \ + (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \ + ((word)[1] << (bits)) : 0 ) + +/* + * Define 64-bit OR + */ +#define SHA512_OR(word1, word2, ret) ( \ + (ret)[0] = (word1)[0] | (word2)[0], \ + (ret)[1] = (word1)[1] | (word2)[1] ) + +/* + * Define 64-bit XOR + */ +#define SHA512_XOR(word1, word2, ret) ( \ + (ret)[0] = (word1)[0] ^ (word2)[0], \ + (ret)[1] = (word1)[1] ^ (word2)[1] ) + +/* + * Define 64-bit AND + */ +#define SHA512_AND(word1, word2, ret) ( \ + (ret)[0] = (word1)[0] & (word2)[0], \ + (ret)[1] = (word1)[1] & (word2)[1] ) + +/* + * Define 64-bit TILDA + */ +#define SHA512_TILDA(word, ret) \ + ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] ) + +/* + * Define 64-bit ADD + */ +#define SHA512_ADD(word1, word2, ret) ( \ + (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \ + (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) ) + +/* + * Add the 4word value in word2 to word1. + */ +static uint32_t ADDTO4_temp, ADDTO4_temp2; +#define SHA512_ADDTO4(word1, word2) ( \ + ADDTO4_temp = (word1)[3], \ + (word1)[3] += (word2)[3], \ + ADDTO4_temp2 = (word1)[2], \ + (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \ + ADDTO4_temp = (word1)[1], \ + + + +Eastlake 3rd & Hansen Informational [Page 47] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \ + (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) ) + +/* + * Add the 2word value in word2 to word1. + */ +static uint32_t ADDTO2_temp; +#define SHA512_ADDTO2(word1, word2) ( \ + ADDTO2_temp = (word1)[1], \ + (word1)[1] += (word2)[1], \ + (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) ) + +/* + * SHA rotate ((word >> bits) | (word << (64-bits))) + */ +static uint32_t ROTR_temp1[2], ROTR_temp2[2]; +#define SHA512_ROTR(bits, word, ret) ( \ + SHA512_SHR((bits), (word), ROTR_temp1), \ + SHA512_SHL(64-(bits), (word), ROTR_temp2), \ + SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) ) + +/* + * Define the SHA SIGMA and sigma macros + * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) + */ +static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2], + SIGMA0_temp3[2], SIGMA0_temp4[2]; +#define SHA512_SIGMA0(word, ret) ( \ + SHA512_ROTR(28, (word), SIGMA0_temp1), \ + SHA512_ROTR(34, (word), SIGMA0_temp2), \ + SHA512_ROTR(39, (word), SIGMA0_temp3), \ + SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \ + SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) ) + +/* + * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word) + */ +static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2], + SIGMA1_temp3[2], SIGMA1_temp4[2]; +#define SHA512_SIGMA1(word, ret) ( \ + SHA512_ROTR(14, (word), SIGMA1_temp1), \ + SHA512_ROTR(18, (word), SIGMA1_temp2), \ + SHA512_ROTR(41, (word), SIGMA1_temp3), \ + SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \ + SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) ) + +/* + * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) + + + +Eastlake 3rd & Hansen Informational [Page 48] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + */ +static uint32_t sigma0_temp1[2], sigma0_temp2[2], + sigma0_temp3[2], sigma0_temp4[2]; +#define SHA512_sigma0(word, ret) ( \ + SHA512_ROTR( 1, (word), sigma0_temp1), \ + SHA512_ROTR( 8, (word), sigma0_temp2), \ + SHA512_SHR( 7, (word), sigma0_temp3), \ + SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \ + SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) ) + +/* + * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) + */ +static uint32_t sigma1_temp1[2], sigma1_temp2[2], + sigma1_temp3[2], sigma1_temp4[2]; +#define SHA512_sigma1(word, ret) ( \ + SHA512_ROTR(19, (word), sigma1_temp1), \ + SHA512_ROTR(61, (word), sigma1_temp2), \ + SHA512_SHR( 6, (word), sigma1_temp3), \ + SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \ + SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) ) + +#undef SHA_Ch +#undef SHA_Maj + +#ifndef USE_MODIFIED_MACROS +/* + * These definitions are the ones used in FIPS-180-2, section 4.1.3 + * Ch(x,y,z) ((x & y) ^ (~x & z)) + */ +static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; +#define SHA_Ch(x, y, z, ret) ( \ + SHA512_AND(x, y, Ch_temp1), \ + SHA512_TILDA(x, Ch_temp2), \ + SHA512_AND(Ch_temp2, z, Ch_temp3), \ + SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) ) +/* + * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z))) + */ +static uint32_t Maj_temp1[2], Maj_temp2[2], + Maj_temp3[2], Maj_temp4[2]; +#define SHA_Maj(x, y, z, ret) ( \ + SHA512_AND(x, y, Maj_temp1), \ + SHA512_AND(x, z, Maj_temp2), \ + SHA512_AND(y, z, Maj_temp3), \ + SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \ + SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) ) + + + + +Eastlake 3rd & Hansen Informational [Page 49] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +#else /* !USE_32BIT_ONLY */ +/* + * These definitions are potentially faster equivalents for the ones + * used in FIPS-180-2, section 4.1.3. + * ((x & y) ^ (~x & z)) becomes + * ((x & (y ^ z)) ^ z) + */ +#define SHA_Ch(x, y, z, ret) ( \ + (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ + (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) + +/* + * ((x & y) ^ (x & z) ^ (y & z)) becomes + * ((x & (y | z)) | (y & z)) + */ +#define SHA_Maj(x, y, z, ret) ( \ + ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ + ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) +#endif /* USE_MODIFIED_MACROS */ + +/* + * add "length" to the length + */ +static uint32_t addTemp[4] = { 0, 0, 0, 0 }; +#define SHA384_512AddLength(context, length) ( \ + addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ + (context)->Corrupted = (((context)->Length[3] == 0) && \ + ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ + ((context)->Length[0] < 8)) ? 1 : 0 ) + +/* Local Function Prototypes */ +static void SHA384_512Finalize(SHA512Context *context, + uint8_t Pad_Byte); +static void SHA384_512PadMessage(SHA512Context *context, + uint8_t Pad_Byte); +static void SHA384_512ProcessMessageBlock(SHA512Context *context); +static int SHA384_512Reset(SHA512Context *context, uint32_t H0[]); +static int SHA384_512ResultN( SHA512Context *context, + uint8_t Message_Digest[], int HashSize); + +/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ +static uint32_t SHA384_H0[SHA512HashSize/4] = { + 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, + 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31, + 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D, + 0xBEFA4FA4 +}; + + + + +Eastlake 3rd & Hansen Informational [Page 50] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +static uint32_t SHA512_H0[SHA512HashSize/4] = { + 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372, + 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1, + 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19, + 0x137E2179 +}; + +#else /* !USE_32BIT_ONLY */ + +/* Define the SHA shift, rotate left and rotate right macro */ +#define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits)) +#define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ + (((uint64_t)(word)) << (64-(bits)))) + +/* Define the SHA SIGMA and sigma macros */ +#define SHA512_SIGMA0(word) \ + (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)) +#define SHA512_SIGMA1(word) \ + (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)) +#define SHA512_sigma0(word) \ + (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) +#define SHA512_sigma1(word) \ + (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) + +/* + * add "length" to the length + */ +static uint64_t addTemp; +#define SHA384_512AddLength(context, length) \ + (addTemp = context->Length_Low, context->Corrupted = \ + ((context->Length_Low += length) < addTemp) && \ + (++context->Length_High == 0) ? 1 : 0) + +/* Local Function Prototypes */ +static void SHA384_512Finalize(SHA512Context *context, + uint8_t Pad_Byte); +static void SHA384_512PadMessage(SHA512Context *context, + uint8_t Pad_Byte); +static void SHA384_512ProcessMessageBlock(SHA512Context *context); +static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]); +static int SHA384_512ResultN(SHA512Context *context, + uint8_t Message_Digest[], int HashSize); + +/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ +static uint64_t SHA384_H0[] = { + 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, + 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, + 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll + + + +Eastlake 3rd & Hansen Informational [Page 51] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +}; +static uint64_t SHA512_H0[] = { + 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, + 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, + 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll +}; + +#endif /* USE_32BIT_ONLY */ + +/* + * SHA384Reset + * + * Description: + * This function will initialize the SHA384Context in preparation + * for computing a new SHA384 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + * + */ +int SHA384Reset(SHA384Context *context) +{ + return SHA384_512Reset(context, SHA384_H0); +} + +/* + * SHA384Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + + + +Eastlake 3rd & Hansen Informational [Page 52] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + */ +int SHA384Input(SHA384Context *context, + const uint8_t *message_array, unsigned int length) +{ + return SHA512Input(context, message_array, length); +} + +/* + * SHA384FinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + * + */ +int SHA384FinalBits(SHA384Context *context, + const uint8_t message_bits, unsigned int length) +{ + return SHA512FinalBits(context, message_bits, length); +} + +/* + * SHA384Result + * + * Description: + * This function will return the 384-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 48th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * + + + +Eastlake 3rd & Hansen Informational [Page 53] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Returns: + * sha Error Code. + * + */ +int SHA384Result(SHA384Context *context, + uint8_t Message_Digest[SHA384HashSize]) +{ + return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); +} + +/* + * SHA512Reset + * + * Description: + * This function will initialize the SHA512Context in preparation + * for computing a new SHA512 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + * + */ +int SHA512Reset(SHA512Context *context) +{ + return SHA384_512Reset(context, SHA512_H0); +} + +/* + * SHA512Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + + + +Eastlake 3rd & Hansen Informational [Page 54] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + */ +int SHA512Input(SHA512Context *context, + const uint8_t *message_array, + unsigned int length) +{ + if (!length) + return shaSuccess; + + if (!context || !message_array) + return shaNull; + + if (context->Computed) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + return context->Corrupted; + + while (length-- && !context->Corrupted) { + context->Message_Block[context->Message_Block_Index++] = + (*message_array & 0xFF); + + if (!SHA384_512AddLength(context, 8) && + (context->Message_Block_Index == SHA512_Message_Block_Size)) + SHA384_512ProcessMessageBlock(context); + + message_array++; + } + + return shaSuccess; +} + +/* + * SHA512FinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + + + +Eastlake 3rd & Hansen Informational [Page 55] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + * + */ +int SHA512FinalBits(SHA512Context *context, + const uint8_t message_bits, unsigned int length) +{ + uint8_t masks[8] = { + /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, + /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, + /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, + /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE + }; + uint8_t markbit[8] = { + /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, + /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, + /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, + /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 + }; + + if (!length) + return shaSuccess; + + if (!context) + return shaNull; + + if ((context->Computed) || (length >= 8) || (length == 0)) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + return context->Corrupted; + + SHA384_512AddLength(context, length); + SHA384_512Finalize(context, (uint8_t) + ((message_bits & masks[length]) | markbit[length])); + + return shaSuccess; +} + +/* + * SHA384_512Finalize + * + * Description: + * This helper function finishes off the digest calculations. + + + +Eastlake 3rd & Hansen Informational [Page 56] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Parameters: + * context: [in/out] + * The SHA context to update + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * sha Error Code. + * + */ +static void SHA384_512Finalize(SHA512Context *context, + uint8_t Pad_Byte) +{ + int_least16_t i; + SHA384_512PadMessage(context, Pad_Byte); + /* message may be sensitive, clear it out */ + for (i = 0; i < SHA512_Message_Block_Size; ++i) + context->Message_Block[i] = 0; +#ifdef USE_32BIT_ONLY /* and clear length */ + context->Length[0] = context->Length[1] = 0; + context->Length[2] = context->Length[3] = 0; +#else /* !USE_32BIT_ONLY */ + context->Length_Low = 0; + context->Length_High = 0; +#endif /* USE_32BIT_ONLY */ + context->Computed = 1; +} + +/* + * SHA512Result + * + * Description: + * This function will return the 512-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 64th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + + + +Eastlake 3rd & Hansen Informational [Page 57] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * sha Error Code. + * + */ +int SHA512Result(SHA512Context *context, + uint8_t Message_Digest[SHA512HashSize]) +{ + return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); +} + +/* + * SHA384_512PadMessage + * + * Description: + * According to the standard, the message must be padded to an + * even 1024 bits. The first padding bit must be a '1'. The + * last 128 bits represent the length of the original message. + * All bits in between should be 0. This helper function will + * pad the message according to those rules by filling the + * Message_Block array accordingly. When it returns, it can be + * assumed that the message digest has been computed. + * + * Parameters: + * context: [in/out] + * The context to pad + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * Nothing. + * + */ +static void SHA384_512PadMessage(SHA512Context *context, + uint8_t Pad_Byte) +{ + /* + * Check to see if the current message block is too small to hold + * the initial padding bits and length. If so, we will pad the + * block, process it, and then continue padding into a second + * block. + */ + if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + while (context->Message_Block_Index < SHA512_Message_Block_Size) + context->Message_Block[context->Message_Block_Index++] = 0; + + + + +Eastlake 3rd & Hansen Informational [Page 58] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + SHA384_512ProcessMessageBlock(context); + } else + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + + while (context->Message_Block_Index < (SHA512_Message_Block_Size-16)) + context->Message_Block[context->Message_Block_Index++] = 0; + + /* + * Store the message length as the last 16 octets + */ +#ifdef USE_32BIT_ONLY + context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); + context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); + context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); + context->Message_Block[115] = (uint8_t)(context->Length[0]); + context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); + context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); + context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); + context->Message_Block[119] = (uint8_t)(context->Length[1]); + + context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); + context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); + context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); + context->Message_Block[123] = (uint8_t)(context->Length[2]); + context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); + context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); + context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); + context->Message_Block[127] = (uint8_t)(context->Length[3]); +#else /* !USE_32BIT_ONLY */ + context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); + context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); + context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); + context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); + context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); + context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); + context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); + context->Message_Block[119] = (uint8_t)(context->Length_High); + + context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); + context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); + context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); + context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); + context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); + context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); + context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); + context->Message_Block[127] = (uint8_t)(context->Length_Low); +#endif /* USE_32BIT_ONLY */ + + + + +Eastlake 3rd & Hansen Informational [Page 59] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + SHA384_512ProcessMessageBlock(context); +} + +/* + * SHA384_512ProcessMessageBlock + * + * Description: + * This helper function will process the next 1024 bits of the + * message stored in the Message_Block array. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * + * Returns: + * Nothing. + * + * Comments: + * Many of the variable names in this code, especially the + * single character names, were used because those were the + * names used in the publication. + * + * + */ +static void SHA384_512ProcessMessageBlock(SHA512Context *context) +{ + /* Constants defined in FIPS-180-2, section 4.2.3 */ +#ifdef USE_32BIT_ONLY + static const uint32_t K[80*2] = { + 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, + 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, + 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, + 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, + 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, + 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, + 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, + 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, + 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, + 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, + 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, + 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, + 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, + 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, + 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, + 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, + 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, + 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, + 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, + + + +Eastlake 3rd & Hansen Informational [Page 60] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, + 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, + 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, + 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, + 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, + 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, + 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, + 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, + 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, + 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, + 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, + 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, + 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 + }; + int t, t2, t8; /* Loop counter */ + uint32_t temp1[2], temp2[2], /* Temporary word values */ + temp3[2], temp4[2], temp5[2]; + uint32_t W[2*80]; /* Word sequence */ + uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ + E[2], F[2], G[2], H[2]; + + /* Initialize the first 16 words in the array W */ + for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) { + W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) | + ((((uint32_t)context->Message_Block[t8 + 1])) << 16) | + ((((uint32_t)context->Message_Block[t8 + 2])) << 8) | + ((((uint32_t)context->Message_Block[t8 + 3]))); + W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) | + ((((uint32_t)context->Message_Block[t8 + 5])) << 16) | + ((((uint32_t)context->Message_Block[t8 + 6])) << 8) | + ((((uint32_t)context->Message_Block[t8 + 7]))); + } + + for (t = 16; t < 80; t++, t2 += 2) { + /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + + SHA512_sigma0(W[t-15]) + W[t-16]; */ + uint32_t *Wt2 = &W[t2-2*2]; + uint32_t *Wt7 = &W[t2-7*2]; + uint32_t *Wt15 = &W[t2-15*2]; + uint32_t *Wt16 = &W[t2-16*2]; + SHA512_sigma1(Wt2, temp1); + SHA512_ADD(temp1, Wt7, temp2); + SHA512_sigma0(Wt15, temp1); + SHA512_ADD(temp1, Wt16, temp3); + SHA512_ADD(temp2, temp3, &W[t2]); + } + + A[0] = context->Intermediate_Hash[0]; + + + +Eastlake 3rd & Hansen Informational [Page 61] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + A[1] = context->Intermediate_Hash[1]; + B[0] = context->Intermediate_Hash[2]; + B[1] = context->Intermediate_Hash[3]; + C[0] = context->Intermediate_Hash[4]; + C[1] = context->Intermediate_Hash[5]; + D[0] = context->Intermediate_Hash[6]; + D[1] = context->Intermediate_Hash[7]; + E[0] = context->Intermediate_Hash[8]; + E[1] = context->Intermediate_Hash[9]; + F[0] = context->Intermediate_Hash[10]; + F[1] = context->Intermediate_Hash[11]; + G[0] = context->Intermediate_Hash[12]; + G[1] = context->Intermediate_Hash[13]; + H[0] = context->Intermediate_Hash[14]; + H[1] = context->Intermediate_Hash[15]; + + for (t = t2 = 0; t < 80; t++, t2 += 2) { + /* + * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; + */ + SHA512_SIGMA1(E,temp1); + SHA512_ADD(H, temp1, temp2); + SHA_Ch(E,F,G,temp3); + SHA512_ADD(temp2, temp3, temp4); + SHA512_ADD(&K[t2], &W[t2], temp5); + SHA512_ADD(temp4, temp5, temp1); + /* + * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); + */ + SHA512_SIGMA0(A,temp3); + SHA_Maj(A,B,C,temp4); + SHA512_ADD(temp3, temp4, temp2); + H[0] = G[0]; H[1] = G[1]; + G[0] = F[0]; G[1] = F[1]; + F[0] = E[0]; F[1] = E[1]; + SHA512_ADD(D, temp1, E); + D[0] = C[0]; D[1] = C[1]; + C[0] = B[0]; C[1] = B[1]; + B[0] = A[0]; B[1] = A[1]; + SHA512_ADD(temp1, temp2, A); + } + + SHA512_ADDTO2(&context->Intermediate_Hash[0], A); + SHA512_ADDTO2(&context->Intermediate_Hash[2], B); + SHA512_ADDTO2(&context->Intermediate_Hash[4], C); + SHA512_ADDTO2(&context->Intermediate_Hash[6], D); + SHA512_ADDTO2(&context->Intermediate_Hash[8], E); + SHA512_ADDTO2(&context->Intermediate_Hash[10], F); + + + +Eastlake 3rd & Hansen Informational [Page 62] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + SHA512_ADDTO2(&context->Intermediate_Hash[12], G); + SHA512_ADDTO2(&context->Intermediate_Hash[14], H); + +#else /* !USE_32BIT_ONLY */ + static const uint64_t K[80] = { + 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, + 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, + 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, + 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, + 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, + 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, + 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, + 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, + 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, + 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, + 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, + 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, + 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, + 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, + 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, + 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, + 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, + 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, + 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, + 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, + 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, + 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, + 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, + 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, + 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, + 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, + 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll + }; + int t, t8; /* Loop counter */ + uint64_t temp1, temp2; /* Temporary word value */ + uint64_t W[80]; /* Word sequence */ + uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ + + /* + * Initialize the first 16 words in the array W + */ + for (t = t8 = 0; t < 16; t++, t8 += 8) + W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) | + ((uint64_t)(context->Message_Block[t8 + 1]) << 48) | + ((uint64_t)(context->Message_Block[t8 + 2]) << 40) | + ((uint64_t)(context->Message_Block[t8 + 3]) << 32) | + ((uint64_t)(context->Message_Block[t8 + 4]) << 24) | + ((uint64_t)(context->Message_Block[t8 + 5]) << 16) | + + + +Eastlake 3rd & Hansen Informational [Page 63] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + ((uint64_t)(context->Message_Block[t8 + 6]) << 8) | + ((uint64_t)(context->Message_Block[t8 + 7])); + + for (t = 16; t < 80; t++) + W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + + SHA512_sigma0(W[t-15]) + W[t-16]; + + A = context->Intermediate_Hash[0]; + B = context->Intermediate_Hash[1]; + C = context->Intermediate_Hash[2]; + D = context->Intermediate_Hash[3]; + E = context->Intermediate_Hash[4]; + F = context->Intermediate_Hash[5]; + G = context->Intermediate_Hash[6]; + H = context->Intermediate_Hash[7]; + + for (t = 0; t < 80; t++) { + temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; + temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); + H = G; + G = F; + F = E; + E = D + temp1; + D = C; + C = B; + B = A; + A = temp1 + temp2; + } + + context->Intermediate_Hash[0] += A; + context->Intermediate_Hash[1] += B; + context->Intermediate_Hash[2] += C; + context->Intermediate_Hash[3] += D; + context->Intermediate_Hash[4] += E; + context->Intermediate_Hash[5] += F; + context->Intermediate_Hash[6] += G; + context->Intermediate_Hash[7] += H; +#endif /* USE_32BIT_ONLY */ + + context->Message_Block_Index = 0; +} + +/* + * SHA384_512Reset + * + * Description: + * This helper function will initialize the SHA512Context in + * preparation for computing a new SHA384 or SHA512 message + + + +Eastlake 3rd & Hansen Informational [Page 64] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * H0 + * The initial hash value to use. + * + * Returns: + * sha Error Code. + * + */ +#ifdef USE_32BIT_ONLY +static int SHA384_512Reset(SHA512Context *context, uint32_t H0[]) +#else /* !USE_32BIT_ONLY */ +static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]) +#endif /* USE_32BIT_ONLY */ +{ + int i; + if (!context) + return shaNull; + + context->Message_Block_Index = 0; + +#ifdef USE_32BIT_ONLY + context->Length[0] = context->Length[1] = 0; + context->Length[2] = context->Length[3] = 0; + + for (i = 0; i < SHA512HashSize/4; i++) + context->Intermediate_Hash[i] = H0[i]; +#else /* !USE_32BIT_ONLY */ + context->Length_High = context->Length_Low = 0; + + for (i = 0; i < SHA512HashSize/8; i++) + context->Intermediate_Hash[i] = H0[i]; +#endif /* USE_32BIT_ONLY */ + + context->Computed = 0; + context->Corrupted = 0; + + return shaSuccess; +} + +/* + * SHA384_512ResultN + * + * Description: + * This helper function will return the 384-bit or 512-bit message + + + +Eastlake 3rd & Hansen Informational [Page 65] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 48th/64th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * HashSize: [in] + * The size of the hash, either 48 or 64. + * + * Returns: + * sha Error Code. + * + */ +static int SHA384_512ResultN(SHA512Context *context, + uint8_t Message_Digest[], int HashSize) +{ + int i; + +#ifdef USE_32BIT_ONLY + int i2; +#endif /* USE_32BIT_ONLY */ + + if (!context || !Message_Digest) + return shaNull; + + if (context->Corrupted) + return context->Corrupted; + + if (!context->Computed) + SHA384_512Finalize(context, 0x80); + +#ifdef USE_32BIT_ONLY + for (i = i2 = 0; i < HashSize; ) { + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); + } +#else /* !USE_32BIT_ONLY */ + for (i = 0; i < HashSize; ++i) + Message_Digest[i] = (uint8_t) + + + +Eastlake 3rd & Hansen Informational [Page 66] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); +#endif /* USE_32BIT_ONLY */ + + return shaSuccess; +} + +8.2.4. usha.c + +/**************************** usha.c ****************************/ +/******************** See RFC 4634 for details ******************/ +/* + * Description: + * This file implements a unified interface to the SHA algorithms. + */ + +#include "sha.h" + +/* + * USHAReset + * + * Description: + * This function will initialize the SHA Context in preparation + * for computing a new SHA message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * whichSha: [in] + * Selects which SHA reset to call + * + * Returns: + * sha Error Code. + * + */ +int USHAReset(USHAContext *ctx, enum SHAversion whichSha) +{ + if (ctx) { + ctx->whichSha = whichSha; + switch (whichSha) { + case SHA1: return SHA1Reset((SHA1Context*)&ctx->ctx); + case SHA224: return SHA224Reset((SHA224Context*)&ctx->ctx); + case SHA256: return SHA256Reset((SHA256Context*)&ctx->ctx); + case SHA384: return SHA384Reset((SHA384Context*)&ctx->ctx); + case SHA512: return SHA512Reset((SHA512Context*)&ctx->ctx); + default: return shaBadParam; + } + } else { + return shaNull; + + + +Eastlake 3rd & Hansen Informational [Page 67] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + } +} + +/* + * USHAInput + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int USHAInput(USHAContext *ctx, + const uint8_t *bytes, unsigned int bytecount) +{ + if (ctx) { + switch (ctx->whichSha) { + case SHA1: + return SHA1Input((SHA1Context*)&ctx->ctx, bytes, bytecount); + case SHA224: + return SHA224Input((SHA224Context*)&ctx->ctx, bytes, + bytecount); + case SHA256: + return SHA256Input((SHA256Context*)&ctx->ctx, bytes, + bytecount); + case SHA384: + return SHA384Input((SHA384Context*)&ctx->ctx, bytes, + bytecount); + case SHA512: + return SHA512Input((SHA512Context*)&ctx->ctx, bytes, + bytecount); + default: return shaBadParam; + } + } else { + return shaNull; + } +} + + + +Eastlake 3rd & Hansen Informational [Page 68] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * USHAFinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int USHAFinalBits(USHAContext *ctx, + const uint8_t bits, unsigned int bitcount) +{ + if (ctx) { + switch (ctx->whichSha) { + case SHA1: + return SHA1FinalBits((SHA1Context*)&ctx->ctx, bits, bitcount); + case SHA224: + return SHA224FinalBits((SHA224Context*)&ctx->ctx, bits, + bitcount); + case SHA256: + return SHA256FinalBits((SHA256Context*)&ctx->ctx, bits, + bitcount); + case SHA384: + return SHA384FinalBits((SHA384Context*)&ctx->ctx, bits, + bitcount); + case SHA512: + return SHA512FinalBits((SHA512Context*)&ctx->ctx, bits, + bitcount); + default: return shaBadParam; + } + } else { + return shaNull; + } +} + +/* + * USHAResult + * + + + +Eastlake 3rd & Hansen Informational [Page 69] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Description: + * This function will return the 160-bit message digest into the + * Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 19th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA-1 hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + * + */ +int USHAResult(USHAContext *ctx, + uint8_t Message_Digest[USHAMaxHashSize]) +{ + if (ctx) { + switch (ctx->whichSha) { + case SHA1: + return SHA1Result((SHA1Context*)&ctx->ctx, Message_Digest); + case SHA224: + return SHA224Result((SHA224Context*)&ctx->ctx, Message_Digest); + case SHA256: + return SHA256Result((SHA256Context*)&ctx->ctx, Message_Digest); + case SHA384: + return SHA384Result((SHA384Context*)&ctx->ctx, Message_Digest); + case SHA512: + return SHA512Result((SHA512Context*)&ctx->ctx, Message_Digest); + default: return shaBadParam; + } + } else { + return shaNull; + } +} + +/* + * USHABlockSize + * + * Description: + * This function will return the blocksize for the given SHA + * algorithm. + * + * Parameters: + * whichSha: + * which SHA algorithm to query + + + +Eastlake 3rd & Hansen Informational [Page 70] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Returns: + * block size + * + */ +int USHABlockSize(enum SHAversion whichSha) +{ + switch (whichSha) { + case SHA1: return SHA1_Message_Block_Size; + case SHA224: return SHA224_Message_Block_Size; + case SHA256: return SHA256_Message_Block_Size; + case SHA384: return SHA384_Message_Block_Size; + default: + case SHA512: return SHA512_Message_Block_Size; + } +} + +/* + * USHAHashSize + * + * Description: + * This function will return the hashsize for the given SHA + * algorithm. + * + * Parameters: + * whichSha: + * which SHA algorithm to query + * + * Returns: + * hash size + * + */ +int USHAHashSize(enum SHAversion whichSha) +{ + switch (whichSha) { + case SHA1: return SHA1HashSize; + case SHA224: return SHA224HashSize; + case SHA256: return SHA256HashSize; + case SHA384: return SHA384HashSize; + default: + case SHA512: return SHA512HashSize; + } +} + +/* + * USHAHashSizeBits + * + * Description: + + + +Eastlake 3rd & Hansen Informational [Page 71] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * This function will return the hashsize for the given SHA + * algorithm, expressed in bits. + * + * Parameters: + * whichSha: + * which SHA algorithm to query + * + * Returns: + * hash size in bits + * + */ +int USHAHashSizeBits(enum SHAversion whichSha) +{ + switch (whichSha) { + case SHA1: return SHA1HashSizeBits; + case SHA224: return SHA224HashSizeBits; + case SHA256: return SHA256HashSizeBits; + case SHA384: return SHA384HashSizeBits; + default: + case SHA512: return SHA512HashSizeBits; + } +} + +8.2.5. sha-private.h + +/*************************** sha-private.h ***************************/ +/********************** See RFC 4634 for details *********************/ +#ifndef _SHA_PRIVATE__H +#define _SHA_PRIVATE__H +/* + * These definitions are defined in FIPS-180-2, section 4.1. + * Ch() and Maj() are defined identically in sections 4.1.1, + * 4.1.2 and 4.1.3. + * + * The definitions used in FIPS-180-2 are as follows: + */ + +#ifndef USE_MODIFIED_MACROS +#define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +#define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) + +#else /* USE_MODIFIED_MACROS */ +/* + * The following definitions are equivalent and potentially faster. + */ + +#define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) +#define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) + + + +Eastlake 3rd & Hansen Informational [Page 72] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +#endif /* USE_MODIFIED_MACROS */ + +#define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) + +#endif /* _SHA_PRIVATE__H */ + +8.3 The HMAC Code + +/**************************** hmac.c ****************************/ +/******************** See RFC 4634 for details ******************/ +/* + * Description: + * This file implements the HMAC algorithm (Keyed-Hashing for + * Message Authentication, RFC2104), expressed in terms of the + * various SHA algorithms. + */ + +#include "sha.h" + +/* + * hmac + * + * Description: + * This function will compute an HMAC message digest. + * + * Parameters: + * whichSha: [in] + * One of SHA1, SHA224, SHA256, SHA384, SHA512 + * key: [in] + * The secret shared key. + * key_len: [in] + * The length of the secret shared key. + * message_array: [in] + * An array of characters representing the message. + * length: [in] + * The length of the message in message_array + * digest: [out] + * Where the digest is returned. + * NOTE: The length of the digest is determined by + * the value of whichSha. + * + * Returns: + * sha Error Code. + * + */ +int hmac(SHAversion whichSha, const unsigned char *text, int text_len, + const unsigned char *key, int key_len, + uint8_t digest[USHAMaxHashSize]) + + + +Eastlake 3rd & Hansen Informational [Page 73] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +{ + HMACContext ctx; + return hmacReset(&ctx, whichSha, key, key_len) || + hmacInput(&ctx, text, text_len) || + hmacResult(&ctx, digest); +} + +/* + * hmacReset + * + * Description: + * This function will initialize the hmacContext in preparation + * for computing a new HMAC message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * whichSha: [in] + * One of SHA1, SHA224, SHA256, SHA384, SHA512 + * key: [in] + * The secret shared key. + * key_len: [in] + * The length of the secret shared key. + * + * Returns: + * sha Error Code. + * + */ +int hmacReset(HMACContext *ctx, enum SHAversion whichSha, + const unsigned char *key, int key_len) +{ + int i, blocksize, hashsize; + + /* inner padding - key XORd with ipad */ + unsigned char k_ipad[USHA_Max_Message_Block_Size]; + + /* temporary buffer when keylen > blocksize */ + unsigned char tempkey[USHAMaxHashSize]; + + if (!ctx) return shaNull; + + blocksize = ctx->blockSize = USHABlockSize(whichSha); + hashsize = ctx->hashSize = USHAHashSize(whichSha); + + ctx->whichSha = whichSha; + + /* + * If key is longer than the hash blocksize, + + + +Eastlake 3rd & Hansen Informational [Page 74] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * reset it to key = HASH(key). + */ + if (key_len > blocksize) { + USHAContext tctx; + int err = USHAReset(&tctx, whichSha) || + USHAInput(&tctx, key, key_len) || + USHAResult(&tctx, tempkey); + if (err != shaSuccess) return err; + + key = tempkey; + key_len = hashsize; + } + + /* + * The HMAC transform looks like: + * + * SHA(K XOR opad, SHA(K XOR ipad, text)) + * + * where K is an n byte key. + * ipad is the byte 0x36 repeated blocksize times + * opad is the byte 0x5c repeated blocksize times + * and text is the data being protected. + */ + + /* store key into the pads, XOR'd with ipad and opad values */ + for (i = 0; i < key_len; i++) { + k_ipad[i] = key[i] ^ 0x36; + ctx->k_opad[i] = key[i] ^ 0x5c; + } + /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ + for ( ; i < blocksize; i++) { + k_ipad[i] = 0x36; + ctx->k_opad[i] = 0x5c; + } + + /* perform inner hash */ + /* init context for 1st pass */ + return USHAReset(&ctx->shaContext, whichSha) || + /* and start with inner pad */ + USHAInput(&ctx->shaContext, k_ipad, blocksize); +} + +/* + * hmacInput + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + + + +Eastlake 3rd & Hansen Informational [Page 75] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Parameters: + * context: [in/out] + * The HMAC context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int hmacInput(HMACContext *ctx, const unsigned char *text, + int text_len) +{ + if (!ctx) return shaNull; + /* then text of datagram */ + return USHAInput(&ctx->shaContext, text, text_len); +} + +/* + * HMACFinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The HMAC context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int hmacFinalBits(HMACContext *ctx, + const uint8_t bits, + unsigned int bitcount) +{ + if (!ctx) return shaNull; + /* then final bits of datagram */ + return USHAFinalBits(&ctx->shaContext, bits, bitcount); + + + +Eastlake 3rd & Hansen Informational [Page 76] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +} + +/* + * HMACResult + * + * Description: + * This function will return the N-byte message digest into the + * Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the Nth element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the HMAC hash. + * digest: [out] + * Where the digest is returned. + * NOTE 2: The length of the hash is determined by the value of + * whichSha that was passed to hmacReset(). + * + * Returns: + * sha Error Code. + * + */ +int hmacResult(HMACContext *ctx, uint8_t *digest) +{ + if (!ctx) return shaNull; + + /* finish up 1st pass */ + /* (Use digest here as a temporary buffer.) */ + return USHAResult(&ctx->shaContext, digest) || + + /* perform outer SHA */ + /* init context for 2nd pass */ + USHAReset(&ctx->shaContext, ctx->whichSha) || + + /* start with outer pad */ + USHAInput(&ctx->shaContext, ctx->k_opad, ctx->blockSize) || + + /* then results of 1st hash */ + USHAInput(&ctx->shaContext, digest, ctx->hashSize) || + + /* finish up 2nd pass */ + USHAResult(&ctx->shaContext, digest); +} + + + + + + + +Eastlake 3rd & Hansen Informational [Page 77] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +8.4. The Test Driver + + The following code is a main program test driver to exercise the code + in sha1.c, sha224-256.c, and sha384-512.c. The test driver can also + be used as a stand-alone program for generating the hashes. + + See also [RFC2202], [RFC4231], and [SHAVS]. + +/**************************** shatest.c ****************************/ +/********************* See RFC 4634 for details ********************/ +/* + * Description: + * This file will exercise the SHA code performing + * the three tests documented in FIPS PUB 180-2 + * (http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf) + * one that calls SHAInput with an exact multiple of 512 bits + * the seven tests documented for each algorithm in + * "The Secure Hash Algorithm Validation System (SHAVS)", + * three of which are bit-level tests + * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf) + * + * This file will exercise the HMAC SHA1 code performing + * the seven tests documented in RFCs 2202 and 4231. + * + * To run the tests and just see PASSED/FAILED, use the -p option. + * + * Other options exercise: + * hashing an arbitrary string + * hashing a file's contents + * a few error test checks + * printing the results in raw format + * + * Portability Issues: + * None. + * + */ + +#include +#include +#include +#include +#include +#include "sha.h" + +static int xgetopt(int argc, char **argv, const char *optstring); +extern char *xoptarg; +static int scasecmp(const char *s1, const char *s2); + + + +Eastlake 3rd & Hansen Informational [Page 78] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * Define patterns for testing + */ +#define TEST1 "abc" +#define TEST2_1 \ + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +#define TEST2_2a \ + "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" +#define TEST2_2b \ + "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +#define TEST2_2 TEST2_2a TEST2_2b +#define TEST3 "a" /* times 1000000 */ +#define TEST4a "01234567012345670123456701234567" +#define TEST4b "01234567012345670123456701234567" + /* an exact multiple of 512 bits */ +#define TEST4 TEST4a TEST4b /* times 10 */ + +#define TEST7_1 \ + "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" +#define TEST8_1 \ + "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" +#define TEST9_1 \ + "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ + "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ + "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ + "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ + "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" +#define TEST10_1 \ + "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ + "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ + "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ + "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ + "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ + "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ + "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ + "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ + "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ + "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ + "\xcd\xbb\xfb" +#define TEST7_224 \ + "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" +#define TEST8_224 \ + "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" +#define TEST9_224 \ + "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ + "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ + "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ + "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ + + + +Eastlake 3rd & Hansen Informational [Page 79] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" +#define TEST10_224 \ + "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ + "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ + "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ + "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ + "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ + "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ + "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ + "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ + "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ + "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ + "\x87\x82\x73" +#define TEST7_256 \ + "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" +#define TEST8_256 \ + "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" +#define TEST9_256 \ + "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ + "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ + "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ + "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ + "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" +#define TEST10_256 \ + "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ + "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ + "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ + "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ + "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ + "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ + "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ + "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ + "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ + "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ + "\x3d\x54\xd6" +#define TEST7_384 \ + "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" +#define TEST8_384 \ + "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" +#define TEST9_384 \ + "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ + "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ + "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ + "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ + "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ + "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ + "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ + "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ + + + +Eastlake 3rd & Hansen Informational [Page 80] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" +#define TEST10_384 \ + "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ + "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ + "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ + "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ + "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ + "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ + "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ + "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ + "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ + "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ + "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ + "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ + "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ + "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ + "\x7e\xd0\x96" +#define TEST7_512 \ + "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" +#define TEST8_512 \ + "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" +#define TEST9_512 \ + "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ + "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ + "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ + "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ + "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ + "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ + "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ + "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ + "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" +#define TEST10_512 \ + "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ + "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ + "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ + "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ + "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ + "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ + "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ + "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ + "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ + "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ + "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ + "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ + "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ + "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ + "\xfb\x40\xd2" +#define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ + + + +Eastlake 3rd & Hansen Informational [Page 81] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" +#define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ + "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ + "\x27" +#define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ + "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ + "\x27\x9c\x1c\xb0\xa7" +#define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ + "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ + "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ + "\xa4\x84\xbe\x74\x53" +#define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ + "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ + "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ + "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ + "\x4b\x12\x27\x20\x39" + +#define TESTCOUNT 10 +#define HASHCOUNT 5 +#define RANDOMCOUNT 4 +#define HMACTESTCOUNT 7 + +#define PRINTNONE 0 +#define PRINTTEXT 1 +#define PRINTRAW 2 +#define PRINTHEX 3 +#define PRINTBASE64 4 + +#define PRINTPASSFAIL 1 +#define PRINTFAIL 2 + +#define length(x) (sizeof(x)-1) + +/* Test arrays for hashes. */ +struct hash { + const char *name; + SHAversion whichSha; + int hashsize; + struct { + const char *testarray; + int length; + long repeatcount; + int extrabits; + int numberExtrabits; + const char *resultarray; + } tests[TESTCOUNT]; + const char *randomtest; + const char *randomresults[RANDOMCOUNT]; + + + +Eastlake 3rd & Hansen Informational [Page 82] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +} hashes[HASHCOUNT] = { + { "SHA1", SHA1, SHA1HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, + "A9993E364706816ABA3E25717850C26C9CD0D89D" }, + /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, + "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, + "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, + "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, + /* 5 */ { "", 0, 0, 0x98, 5, + "29826B003B906E660EFF4027CE98AF3531AC75BA" }, + /* 6 */ { "\x5e", 1, 1, 0, 0, + "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, + /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, + "6239781E03729919C01955B3FFA8ACB60B988340" }, + /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, + "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, + /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, + "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, + /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, + "CB0082C8F197D260991BA6A460E76E202BAD27B3" } + }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", + "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", + "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", + "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" + } }, + { "SHA224", SHA224, SHA224HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, + "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, + /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, + "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, + "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, + "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, + /* 5 */ { "", 0, 0, 0x68, 5, + "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, + /* 6 */ { "\x07", 1, 1, 0, 0, + "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, + /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, + "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, + /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, + "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, + /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, + "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, + + + +Eastlake 3rd & Hansen Informational [Page 83] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, + "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } + }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" + "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" + "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" + "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" + "709563FB916227FED598EB621F" + } }, + { "SHA256", SHA256, SHA256HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" + "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, + /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" + "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" + "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" + "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, + /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" + "09DB45E7823EB5079CE7A573A3760F95" }, + /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" + "6A4E17F75F9518D843709C0C9BC3E3D4" }, + /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" + "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, + /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" + "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, + /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" + "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, + /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" + "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, + }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" + "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" + "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" + "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" + "E31536B70FF906EC51B00447CA97D7DD97C12411F4" + } }, + { "SHA384", SHA384, SHA384HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, + "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" + "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, + /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, + "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" + "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, + "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" + "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, + + + +Eastlake 3rd & Hansen Informational [Page 84] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" + "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, + /* 5 */ { "", 0, 0, 0x10, 5, + "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" + "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, + /* 6 */ { "\xb9", 1, 1, 0, 0, + "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" + "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, + /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, + "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" + "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, + /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, + "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" + "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, + /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, + "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" + "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, + /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, + "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" + "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } + }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" + "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" + "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" + "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" + "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" + "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" + "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" + } }, + { "SHA512", SHA512, SHA512HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, + "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" + "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" + "454D4423643CE80E2A9AC94FA54CA49F" }, + /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, + "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" + "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" + "C7D329EEB6DD26545E96E55B874BE909" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, + "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" + "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" + "EB009C5C2C49AA2E4EADB217AD8CC09B" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, + "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" + "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" + "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, + /* 5 */ { "", 0, 0, 0xB0, 5, + "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" + + + +Eastlake 3rd & Hansen Informational [Page 85] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" + "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, + /* 6 */ { "\xD0", 1, 1, 0, 0, + "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" + "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" + "D6E74CECE9631BFA8A549B4AB3FBBA15" }, + /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, + "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" + "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" + "7359B43E64F8BEC3C1F237119986BBB6" }, + /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, + "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" + "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" + "8213EB1B16F517AD0DE4B2F0C95C90F8" }, + /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, + "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" + "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" + "526F8A0A510E5E53CAFED4355FE7C2F1" }, + /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, + "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" + "C1A16A270D48719377966B957A878E720584779A62825C18" + "DA26415E49A7176A894E7510FD1451F5" } + }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" + "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" + "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" + "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" + "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" + "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" + "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" + "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" + "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" + } + } +}; + +/* Test arrays for HMAC. */ +struct hmachash { + const char *keyarray[5]; + int keylength[5]; + const char *dataarray[5]; + int datalength[5]; + const char *resultarray[5]; + int resultlength[5]; +} hmachashes[HMACTESTCOUNT] = { + { /* 1 */ { + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + "\x0b\x0b\x0b\x0b\x0b" + }, { 20 }, { + + + +Eastlake 3rd & Hansen Informational [Page 86] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ + }, { 8 }, { + /* HMAC-SHA-1 */ + "B617318655057264E28BC0B6FB378C8EF146BE00", + /* HMAC-SHA-224 */ + "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", + /* HMAC-SHA-256 */ + "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" + "CFF7", + /* HMAC-SHA-384 */ + "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" + "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", + /* HMAC-SHA-512 */ + "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" + "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" + "3A126854" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + { /* 2 */ { + "\x4a\x65\x66\x65" /* "Jefe" */ + }, { 4 }, { + "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" + "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" + /* "what do ya want for nothing?" */ + }, { 28 }, { + /* HMAC-SHA-1 */ + "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", + /* HMAC-SHA-224 */ + "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", + /* HMAC-SHA-256 */ + "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" + "3843", + /* HMAC-SHA-384 */ + "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" + "445E8E2240CA5E69E2C78B3239ECFAB21649", + /* HMAC-SHA-512 */ + "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" + "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" + "38BCE737" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + { /* 3 */ + { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa" + }, { 20 }, { + + + +Eastlake 3rd & Hansen Informational [Page 87] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" + "\xdd\xdd\xdd\xdd\xdd" + }, { 50 }, { + /* HMAC-SHA-1 */ + "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", + /* HMAC-SHA-224 */ + "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", + /* HMAC-SHA-256 */ + "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" + "65FE", + /* HMAC-SHA-384 */ + "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" + "144B2A5AB39DC13814B94E3AB6E101A34F27", + /* HMAC-SHA-512 */ + "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" + "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" + "E13292FB" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + { /* 4 */ { + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" + }, { 25 }, { + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" + "\xcd\xcd\xcd\xcd\xcd" + }, { 50 }, { + /* HMAC-SHA-1 */ + "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", + /* HMAC-SHA-224 */ + "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", + /* HMAC-SHA-256 */ + "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" + "665B", + /* HMAC-SHA-384 */ + "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" + "3B4E6801DD23C4A7D679CCF8A386C674CFFB", + /* HMAC-SHA-512 */ + "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" + "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" + "10A298DD" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + + + +Eastlake 3rd & Hansen Informational [Page 88] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + { /* 5 */ { + "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" + "\x0c\x0c\x0c\x0c\x0c" + }, { 20 }, { + "Test With Truncation" + }, { 20 }, { + /* HMAC-SHA-1 */ + "4C1A03424B55E07FE7F27BE1", + /* HMAC-SHA-224 */ + "0E2AEA68A90C8D37C988BCDB9FCA6FA8", + /* HMAC-SHA-256 */ + "A3B6167473100EE06E0C796C2955552B", + /* HMAC-SHA-384 */ + "3ABF34C3503B2A23A46EFC619BAEF897", + /* HMAC-SHA-512 */ + "415FAD6271580A531D4179BC891D87A6" + }, { 12, 16, 16, 16, 16 } + }, + { /* 6 */ { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + }, { 80, 131 }, { + "Test Using Larger Than Block-Size Key - Hash Key First" + }, { 54 }, { + /* HMAC-SHA-1 */ + "AA4AE5E15272D00E95705637CE8A3B55ED402112", + /* HMAC-SHA-224 */ + "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", + /* HMAC-SHA-256 */ + "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" + "7F54", + /* HMAC-SHA-384 */ + "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" + "C4C60C2EF6AB4030FE8296248DF163F44952", + /* HMAC-SHA-512 */ + "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" + "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" + "5D786598" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + + + +Eastlake 3rd & Hansen Informational [Page 89] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + { /* 7 */ { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + }, { 80, 131 }, { + "Test Using Larger Than Block-Size Key and " + "Larger Than One Block-Size Data", + "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" + "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" + "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" + "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" + "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" + "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" + "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" + "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" + "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" + "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" + "\x6d\x2e" + /* "This is a test using a larger than block-size key and a " + "larger than block-size data. The key needs to be hashed " + "before being used by the HMAC algorithm." */ + }, { 73, 152 }, { + /* HMAC-SHA-1 */ + "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", + /* HMAC-SHA-224 */ + "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", + /* HMAC-SHA-256 */ + "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" + "35E2", + /* HMAC-SHA-384 */ + "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" + "99C5A678CC31E799176D3860E6110C46523E", + /* HMAC-SHA-512 */ + "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" + "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" + "FA8C6A58" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + } +}; + +/* + + + +Eastlake 3rd & Hansen Informational [Page 90] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Check the hash value against the expected string, expressed in hex + */ +static const char hexdigits[] = "0123456789ABCDEF"; +int checkmatch(const unsigned char *hashvalue, + const char *hexstr, int hashsize) +{ + int i; + for (i = 0; i < hashsize; ++i) { + if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) + return 0; + if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; + } + return 1; +} + +/* + * Print the string, converting non-printable characters to "." + */ +void printstr(const char *str, int len) +{ + for ( ; len-- > 0; str++) + putchar(isprint((unsigned char)*str) ? *str : '.'); +} + +/* + * Print the string, converting non-printable characters to hex "## ". + */ +void printxstr(const char *str, int len) +{ + for ( ; len-- > 0; str++) + printf("%c%c ", hexdigits[(*str >> 4) & 0xF], + hexdigits[*str & 0xF]); +} + +/* + * Print a usage message. + */ +void usage(const char *argv0) +{ + fprintf(stderr, + "Usage:\n" + "Common options: [-h hash] [-w|-x] [-H]\n" + "Standard tests:\n" + "\t%s [-m] [-l loopcount] [-t test#] [-e]\n" + "\t\t[-r randomseed] [-R randomloop-count] " + "[-p] [-P|-X]\n" + "Hash a string:\n" + "\t%s [-S expectedresult] -s hashstr [-k key]\n" + + + +Eastlake 3rd & Hansen Informational [Page 91] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "Hash a file:\n" + "\t%s [-S expectedresult] -f file [-k key]\n" + "Hash a file, ignoring whitespace:\n" + "\t%s [-S expectedresult] -F file [-k key]\n" + "Additional bits to add in: [-B bitcount -b bits]\n" + "-h\thash to test: " + "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" + "-m\tperform hmac test\n" + "-k\tkey for hmac test\n" + "-t\ttest case to run, 1-10\n" + "-l\thow many times to run the test\n" + "-e\ttest error returns\n" + "-p\tdo not print results\n" + "-P\tdo not print PASSED/FAILED\n" + "-X\tprint FAILED, but not PASSED\n" + "-r\tseed for random test\n" + "-R\thow many times to run random test\n" + "-s\tstring to hash\n" + "-S\texpected result of hashed string, in hex\n" + "-w\toutput hash in raw format\n" + "-x\toutput hash in hex format\n" + "-B\t# extra bits to add in after string or file input\n" + "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" + "-H\tinput hashstr or randomseed is in hex\n" + , argv0, argv0, argv0, argv0); + exit(1); +} + +/* + * Print the results and PASS/FAIL. + */ +void printResult(uint8_t *Message_Digest, int hashsize, + const char *hashname, const char *testtype, const char *testname, + const char *resultarray, int printResults, int printPassFail) +{ + int i, k; + if (printResults == PRINTTEXT) { + putchar('\t'); + for (i = 0; i < hashsize ; ++i) { + putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); + putchar(hexdigits[Message_Digest[i] & 0xF]); + putchar(' '); + } + putchar('\n'); + } else if (printResults == PRINTRAW) { + fwrite(Message_Digest, 1, hashsize, stdout); + } else if (printResults == PRINTHEX) { + for (i = 0; i < hashsize ; ++i) { + + + +Eastlake 3rd & Hansen Informational [Page 92] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); + putchar(hexdigits[Message_Digest[i] & 0xF]); + } + putchar('\n'); + } + + if (printResults && resultarray) { + printf(" Should match:\n\t"); + for (i = 0, k = 0; i < hashsize; i++, k += 2) { + putchar(resultarray[k]); + putchar(resultarray[k+1]); + putchar(' '); + } + putchar('\n'); + } + + if (printPassFail && resultarray) { + int ret = checkmatch(Message_Digest, resultarray, hashsize); + if ((printPassFail == PRINTPASSFAIL) || !ret) + printf("%s %s %s: %s\n", hashname, testtype, testname, + ret ? "PASSED" : "FAILED"); + } +} + +/* + * Exercise a hash series of functions. The input is the testarray, + * repeated repeatcount times, followed by the extrabits. If the + * result is known, it is in resultarray in uppercase hex. + */ +int hash(int testno, int loopno, int hashno, + const char *testarray, int length, long repeatcount, + int numberExtrabits, int extrabits, const unsigned char *keyarray, + int keylen, const char *resultarray, int hashsize, int printResults, + int printPassFail) +{ + USHAContext sha; + HMACContext hmac; + int err, i; + uint8_t Message_Digest[USHAMaxHashSize]; + char buf[20]; + + if (printResults == PRINTTEXT) { + printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1, + loopno, repeatcount); + printstr(testarray, length); + printf("'\n\t'"); + printxstr(testarray, length); + printf("'\n"); + + + +Eastlake 3rd & Hansen Informational [Page 93] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + printf(" Length=%d bytes (%d bits), ", length, length * 8); + printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits); + } + + memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ + memset(&hmac, '\343', sizeof(hmac)); + err = keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, + keyarray, keylen) : + USHAReset(&sha, hashes[hashno].whichSha); + if (err != shaSuccess) { + fprintf(stderr, "hash(): %sReset Error %d.\n", + keyarray ? "hmac" : "sha", err); + return err; + } + + for (i = 0; i < repeatcount; ++i) { + err = keyarray ? hmacInput(&hmac, (const uint8_t *) testarray, + length) : + USHAInput(&sha, (const uint8_t *) testarray, + length); + if (err != shaSuccess) { + fprintf(stderr, "hash(): %sInput Error %d.\n", + keyarray ? "hmac" : "sha", err); + return err; + } + } + + if (numberExtrabits > 0) { + err = keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, + numberExtrabits) : + USHAFinalBits(&sha, (uint8_t) extrabits, + numberExtrabits); + if (err != shaSuccess) { + fprintf(stderr, "hash(): %sFinalBits Error %d.\n", + keyarray ? "hmac" : "sha", err); + return err; + } + } + + err = keyarray ? hmacResult(&hmac, Message_Digest) : + USHAResult(&sha, Message_Digest); + if (err != shaSuccess) { + fprintf(stderr, "hash(): %s Result Error %d, could not " + "compute message digest.\n", keyarray ? "hmac" : "sha", err); + return err; + } + + sprintf(buf, "%d", testno+1); + + + +Eastlake 3rd & Hansen Informational [Page 94] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + printResult(Message_Digest, hashsize, hashes[hashno].name, + keyarray ? "hmac standard test" : "sha standard test", buf, + resultarray, printResults, printPassFail); + + return err; +} + +/* + * Exercise a hash series of functions. The input is a filename. + * If the result is known, it is in resultarray in uppercase hex. + */ +int hashfile(int hashno, const char *hashfilename, int bits, + int bitcount, int skipSpaces, const unsigned char *keyarray, + int keylen, const char *resultarray, int hashsize, + int printResults, int printPassFail) +{ + USHAContext sha; + HMACContext hmac; + int err, nread, c; + unsigned char buf[4096]; + uint8_t Message_Digest[USHAMaxHashSize]; + unsigned char cc; + FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : + fopen(hashfilename, "r"); + + if (!hashfp) { + fprintf(stderr, "cannot open file '%s'\n", hashfilename); + return shaStateError; + } + + memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ + memset(&hmac, '\343', sizeof(hmac)); + err = keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, + keyarray, keylen) : + USHAReset(&sha, hashes[hashno].whichSha); + + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %sReset Error %d.\n", + keyarray ? "hmac" : "sha", err); + return err; + } + + if (skipSpaces) + while ((c = getc(hashfp)) != EOF) { + if (!isspace(c)) { + cc = (unsigned char)c; + err = keyarray ? hmacInput(&hmac, &cc, 1) : + USHAInput(&sha, &cc, 1); + + + +Eastlake 3rd & Hansen Informational [Page 95] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %sInput Error %d.\n", + keyarray ? "hmac" : "sha", err); + if (hashfp != stdin) fclose(hashfp); + return err; + } + } + } + else + while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { + err = keyarray ? hmacInput(&hmac, buf, nread) : + USHAInput(&sha, buf, nread); + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %s Error %d.\n", + keyarray ? "hmacInput" : "shaInput", err); + if (hashfp != stdin) fclose(hashfp); + return err; + } + } + + if (bitcount > 0) + err = keyarray ? hmacFinalBits(&hmac, bits, bitcount) : + USHAFinalBits(&sha, bits, bitcount); + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %s Error %d.\n", + keyarray ? "hmacResult" : "shaResult", err); + if (hashfp != stdin) fclose(hashfp); + return err; + } + + err = keyarray ? hmacResult(&hmac, Message_Digest) : + USHAResult(&sha, Message_Digest); + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %s Error %d.\n", + keyarray ? "hmacResult" : "shaResult", err); + if (hashfp != stdin) fclose(hashfp); + return err; + } + + printResult(Message_Digest, hashsize, hashes[hashno].name, "file", + hashfilename, resultarray, printResults, printPassFail); + + if (hashfp != stdin) fclose(hashfp); + return err; +} + +/* + * Exercise a hash series of functions through multiple permutations. + + + +Eastlake 3rd & Hansen Informational [Page 96] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * The input is an initial seed. That seed is replicated 3 times. + * For 1000 rounds, the previous three results are used as the input. + * This result is then checked, and used to seed the next cycle. + * If the result is known, it is in resultarrays in uppercase hex. + */ +void randomtest(int hashno, const char *seed, int hashsize, + const char **resultarrays, int randomcount, + int printResults, int printPassFail) +{ + int i, j; char buf[20]; + unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; + + /* INPUT: Seed - A random seed n bits long */ + memcpy(SEED, seed, hashsize); + if (printResults == PRINTTEXT) { + printf("%s random test seed= '", hashes[hashno].name); + printxstr(seed, hashsize); + printf("'\n"); + } + + for (j = 0; j < randomcount; j++) { + /* MD0 = MD1 = MD2 = Seed; */ + memcpy(MD[0], SEED, hashsize); + memcpy(MD[1], SEED, hashsize); + memcpy(MD[2], SEED, hashsize); + for (i=3; i<1003; i++) { + /* Mi = MDi-3 || MDi-2 || MDi-1; */ + USHAContext Mi; + memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */ + USHAReset(&Mi, hashes[hashno].whichSha); + USHAInput(&Mi, MD[i-3], hashsize); + USHAInput(&Mi, MD[i-2], hashsize); + USHAInput(&Mi, MD[i-1], hashsize); + /* MDi = SHA(Mi); */ + USHAResult(&Mi, MD[i]); + } + + /* MDj = Seed = MDi; */ + memcpy(SEED, MD[i-1], hashsize); + + /* OUTPUT: MDj */ + sprintf(buf, "%d", j); + printResult(SEED, hashsize, hashes[hashno].name, "random test", + buf, resultarrays ? resultarrays[j] : 0, printResults, + (j < RANDOMCOUNT) ? printPassFail : 0); + } +} + + + + +Eastlake 3rd & Hansen Informational [Page 97] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * Look up a hash name. + */ +int findhash(const char *argv0, const char *opt) +{ + int i; + const char *names[HASHCOUNT][2] = { + { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" }, + { "3", "sha384" }, { "4", "sha512" } + }; + + for (i = 0; i < HASHCOUNT; i++) + if ((strcmp(opt, names[i][0]) == 0) || + (scasecmp(opt, names[i][1]) == 0)) + return i; + + fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt); + usage(argv0); + return 0; +} + +/* + * Run some tests that should invoke errors. + */ +void testErrors(int hashnolow, int hashnohigh, int printResults, + int printPassFail) +{ + USHAContext usha; + uint8_t Message_Digest[USHAMaxHashSize]; + int hashno, err; + + for (hashno = hashnolow; hashno <= hashnohigh; hashno++) { + memset(&usha, '\343', sizeof(usha)); /* force bad data */ + USHAReset(&usha, hashno); + USHAResult(&usha, Message_Digest); + err = USHAInput(&usha, (const unsigned char *)"foo", 3); + if (printResults == PRINTTEXT) + printf ("\nError %d. Should be %d.\n", err, shaStateError); + if ((printPassFail == PRINTPASSFAIL) || + ((printPassFail == PRINTFAIL) && (err != shaStateError))) + printf("%s se: %s\n", hashes[hashno].name, + (err == shaStateError) ? "PASSED" : "FAILED"); + + err = USHAFinalBits(&usha, 0x80, 3); + if (printResults == PRINTTEXT) + printf ("\nError %d. Should be %d.\n", err, shaStateError); + if ((printPassFail == PRINTPASSFAIL) || + ((printPassFail == PRINTFAIL) && (err != shaStateError))) + + + +Eastlake 3rd & Hansen Informational [Page 98] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + printf("%s se: %s\n", hashes[hashno].name, + (err == shaStateError) ? "PASSED" : "FAILED"); + + err = USHAReset(0, hashes[hashno].whichSha); + if (printResults == PRINTTEXT) + printf("\nError %d. Should be %d.\n", err, shaNull); + if ((printPassFail == PRINTPASSFAIL) || + ((printPassFail == PRINTFAIL) && (err != shaNull))) + printf("%s usha null: %s\n", hashes[hashno].name, + (err == shaNull) ? "PASSED" : "FAILED"); + + switch (hashno) { + case SHA1: err = SHA1Reset(0); break; + case SHA224: err = SHA224Reset(0); break; + case SHA256: err = SHA256Reset(0); break; + case SHA384: err = SHA384Reset(0); break; + case SHA512: err = SHA512Reset(0); break; + } + if (printResults == PRINTTEXT) + printf("\nError %d. Should be %d.\n", err, shaNull); + if ((printPassFail == PRINTPASSFAIL) || + ((printPassFail == PRINTFAIL) && (err != shaNull))) + printf("%s sha null: %s\n", hashes[hashno].name, + (err == shaNull) ? "PASSED" : "FAILED"); + } +} + +/* replace a hex string in place with its value */ +int unhexStr(char *hexstr) +{ + char *o = hexstr; + int len = 0, nibble1 = 0, nibble2 = 0; + if (!hexstr) return 0; + for ( ; *hexstr; hexstr++) { + if (isalpha((int)(unsigned char)(*hexstr))) { + nibble1 = tolower(*hexstr) - 'a' + 10; + } else if (isdigit((int)(unsigned char)(*hexstr))) { + nibble1 = *hexstr - '0'; + } else { + printf("\nError: bad hex character '%c'\n", *hexstr); + } + if (!*++hexstr) break; + if (isalpha((int)(unsigned char)(*hexstr))) { + nibble2 = tolower(*hexstr) - 'a' + 10; + } else if (isdigit((int)(unsigned char)(*hexstr))) { + nibble2 = *hexstr - '0'; + } else { + printf("\nError: bad hex character '%c'\n", *hexstr); + + + +Eastlake 3rd & Hansen Informational [Page 99] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + } + *o++ = (char)((nibble1 << 4) | nibble2); + len++; + } + return len; +} + +int main(int argc, char **argv) +{ + int i, err; + int loopno, loopnohigh = 1; + int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; + int testno, testnolow = 0, testnohigh; + int ntestnohigh = 0; + int printResults = PRINTTEXT; + int printPassFail = 1; + int checkErrors = 0; + char *hashstr = 0; + int hashlen = 0; + const char *resultstr = 0; + char *randomseedstr = 0; + int runHmacTests = 0; + char *hmacKey = 0; + int hmaclen = 0; + int randomcount = RANDOMCOUNT; + const char *hashfilename = 0; + const char *hashFilename = 0; + int extrabits = 0, numberExtrabits = 0; + int strIsHex = 0; + + while ((i = xgetopt(argc, argv, "b:B:ef:F:h:Hk:l:mpPr:R:s:S:t:wxX")) + != -1) + switch (i) { + case 'b': extrabits = strtol(xoptarg, 0, 0); break; + case 'B': numberExtrabits = atoi(xoptarg); break; + case 'e': checkErrors = 1; break; + case 'f': hashfilename = xoptarg; break; + case 'F': hashFilename = xoptarg; break; + case 'h': hashnolow = hashnohigh = findhash(argv[0], xoptarg); + break; + case 'H': strIsHex = 1; break; + case 'k': hmacKey = xoptarg; hmaclen = strlen(xoptarg); break; + case 'l': loopnohigh = atoi(xoptarg); break; + case 'm': runHmacTests = 1; break; + case 'P': printPassFail = 0; break; + case 'p': printResults = PRINTNONE; break; + case 'R': randomcount = atoi(xoptarg); break; + case 'r': randomseedstr = xoptarg; break; + + + +Eastlake 3rd & Hansen Informational [Page 100] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + case 's': hashstr = xoptarg; hashlen = strlen(hashstr); break; + case 'S': resultstr = xoptarg; break; + case 't': testnolow = ntestnohigh = atoi(xoptarg) - 1; break; + case 'w': printResults = PRINTRAW; break; + case 'x': printResults = PRINTHEX; break; + case 'X': printPassFail = 2; break; + default: usage(argv[0]); + } + + if (strIsHex) { + hashlen = unhexStr(hashstr); + unhexStr(randomseedstr); + hmaclen = unhexStr(hmacKey); + } + testnohigh = (ntestnohigh != 0) ? ntestnohigh: + runHmacTests ? (HMACTESTCOUNT-1) : (TESTCOUNT-1); + if ((testnolow < 0) || + (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || + (hashnolow < 0) || (hashnohigh >= HASHCOUNT) || + (hashstr && (testnolow == testnohigh)) || + (randomcount < 0) || + (resultstr && (!hashstr && !hashfilename && !hashFilename)) || + ((runHmacTests || hmacKey) && randomseedstr) || + (hashfilename && hashFilename)) + usage(argv[0]); + + /* + * Perform SHA/HMAC tests + */ + for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) { + if (printResults == PRINTTEXT) + printf("Hash %s\n", hashes[hashno].name); + err = shaSuccess; + + for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess); + ++loopno) { + if (hashstr) + err = hash(0, loopno, hashno, hashstr, hashlen, 1, + numberExtrabits, extrabits, (const unsigned char *)hmacKey, + hmaclen, resultstr, hashes[hashno].hashsize, printResults, + printPassFail); + + else if (randomseedstr) + randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0, + randomcount, printResults, printPassFail); + + else if (hashfilename) + err = hashfile(hashno, hashfilename, extrabits, + + + +Eastlake 3rd & Hansen Informational [Page 101] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + numberExtrabits, 0, + (const unsigned char *)hmacKey, hmaclen, + resultstr, hashes[hashno].hashsize, + printResults, printPassFail); + + else if (hashFilename) + err = hashfile(hashno, hashFilename, extrabits, + numberExtrabits, 1, + (const unsigned char *)hmacKey, hmaclen, + resultstr, hashes[hashno].hashsize, + printResults, printPassFail); + + else /* standard tests */ { + for (testno = testnolow; + (testno <= testnohigh) && (err == shaSuccess); ++testno) { + if (runHmacTests) { + err = hash(testno, loopno, hashno, + hmachashes[testno].dataarray[hashno] ? + hmachashes[testno].dataarray[hashno] : + hmachashes[testno].dataarray[1] ? + hmachashes[testno].dataarray[1] : + hmachashes[testno].dataarray[0], + hmachashes[testno].datalength[hashno] ? + hmachashes[testno].datalength[hashno] : + hmachashes[testno].datalength[1] ? + hmachashes[testno].datalength[1] : + hmachashes[testno].datalength[0], + 1, 0, 0, + (const unsigned char *)( + hmachashes[testno].keyarray[hashno] ? + hmachashes[testno].keyarray[hashno] : + hmachashes[testno].keyarray[1] ? + hmachashes[testno].keyarray[1] : + hmachashes[testno].keyarray[0]), + hmachashes[testno].keylength[hashno] ? + hmachashes[testno].keylength[hashno] : + hmachashes[testno].keylength[1] ? + hmachashes[testno].keylength[1] : + hmachashes[testno].keylength[0], + hmachashes[testno].resultarray[hashno], + hmachashes[testno].resultlength[hashno], + printResults, printPassFail); + } else { + err = hash(testno, loopno, hashno, + hashes[hashno].tests[testno].testarray, + hashes[hashno].tests[testno].length, + hashes[hashno].tests[testno].repeatcount, + hashes[hashno].tests[testno].numberExtrabits, + + + +Eastlake 3rd & Hansen Informational [Page 102] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + hashes[hashno].tests[testno].extrabits, 0, 0, + hashes[hashno].tests[testno].resultarray, + hashes[hashno].hashsize, + printResults, printPassFail); + } + } + + if (!runHmacTests) { + randomtest(hashno, hashes[hashno].randomtest, + hashes[hashno].hashsize, hashes[hashno].randomresults, + RANDOMCOUNT, printResults, printPassFail); + } + } + } + } + + /* Test some error returns */ + if (checkErrors) { + testErrors(hashnolow, hashnohigh, printResults, printPassFail); + } + + return 0; +} + +/* + * Compare two strings, case independently. + * Equivalent to strcasecmp() found on some systems. + */ +int scasecmp(const char *s1, const char *s2) +{ + for (;;) { + char u1 = tolower(*s1++); + char u2 = tolower(*s2++); + if (u1 != u2) + return u1 - u2; + if (u1 == '\0') + return 0; + } +} + +/* + * This is a copy of getopt provided for those systems that do not + * have it. The name was changed to xgetopt to not conflict on those + * systems that do have it. Similarly, optarg, optind and opterr + * were renamed to xoptarg, xoptind and xopterr. + * + * Copyright 1990, 1991, 1992 by the Massachusetts Institute of + * Technology and UniSoft Group Limited. + + + +Eastlake 3rd & Hansen Informational [Page 103] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without fee, + * provided that the above copyright notice appear in all copies and + * that both that copyright notice and this permission notice appear in + * supporting documentation, and that the names of MIT and UniSoft not + * be used in advertising or publicity pertaining to distribution of + * the software without specific, written prior permission. MIT and + * UniSoft make no representations about the suitability of this + * software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * $XConsortium: getopt.c,v 1.2 92/07/01 11:59:04 rws Exp $ + * NB: Reformatted to match above style. + */ + +char *xoptarg; +int xoptind = 1; +int xopterr = 1; + +static int xgetopt(int argc, char **argv, const char *optstring) +{ + static int avplace; + char *ap; + char *cp; + int c; + + if (xoptind >= argc) + return EOF; + + ap = argv[xoptind] + avplace; + + /* At beginning of arg but not an option */ + if (avplace == 0) { + if (ap[0] != '-') + return EOF; + else if (ap[1] == '-') { + /* Special end of options option */ + xoptind++; + return EOF; + } else if (ap[1] == '\0') + return EOF; /* single '-' is not allowed */ + } + + /* Get next letter */ + avplace++; + c = *++ap; + + + + +Eastlake 3rd & Hansen Informational [Page 104] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + cp = strchr(optstring, c); + if (cp == NULL || c == ':') { + if (xopterr) + fprintf(stderr, "Unrecognised option -- %c\n", c); + return '?'; + } + + if (cp[1] == ':') { + /* There should be an option arg */ + avplace = 0; + if (ap[1] == '\0') { + /* It is a separate arg */ + if (++xoptind >= argc) { + if (xopterr) + fprintf(stderr, "Option requires an argument\n"); + return '?'; + } + xoptarg = argv[xoptind++]; + } else { + /* is attached to option letter */ + xoptarg = ap + 1; + ++xoptind; + } + } else { + /* If we are out of letters then go to next arg */ + if (ap[1] == '\0') { + ++xoptind; + avplace = 0; + } + + xoptarg = NULL; + } + return c; +} + + + + + + + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 105] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +9. Security Considerations + + This document is intended to provides the Internet community + convenient access to source code that implements the United States of + America Federal Information Processing Standard Secure Hash + Algorithms (SHAs) [FIPS180-2] and HMACs based upon these one-way hash + functions. See license in Section 1.1. No independent assertion of + the security of this hash function by the authors for any particular + use is intended. + +10. Normative References + + [FIPS180-2] "Secure Hash Standard", United States of America, + National Institute of Standards and Technology, Federal + Information Processing Standard (FIPS) 180-2, + http://csrc.nist.gov/publications/fips/fips180-2/ + fips180-2withchangenotice.pdf. + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- + Hashing for Message Authentication", RFC 2104, February + 1997. + +11. Informative References + + [RFC2202] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and + HMAC-SHA-1", RFC 2202, September 1997. + + [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm + 1 (SHA1)", RFC 3174, September 2001. + + [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224", + RFC 3874, September 2004. + + [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, RFC + 4086, June 2005. + + [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- + 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC + 4231, December 2005. + + [SHAVS] "The Secure Hash Algorithm Validation System (SHAVS)", + http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 106] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +Authors' Addresses + + Donald E. Eastlake, 3rd + Motorola Laboratories + 155 Beaver Street + Milford, MA 01757 USA + + Phone: +1-508-786-7554 (w) + EMail: donald.eastlake@motorola.com + + + Tony Hansen + AT&T Laboratories + 200 Laurel Ave. + Middletown, NJ 07748 USA + + Phone: +1-732-420-8934 (w) + EMail: tony+shs@maillennium.att.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 107] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Eastlake 3rd & Hansen Informational [Page 108] + From f07fe5a1ac9d1345eb7a36a0bc38716a03e25f61 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Aug 2006 02:55:37 +0000 Subject: [PATCH 399/465] 2067. [bug] 'rndc' could close the socket too early triggering a INSIST under Windows. [RT #16317] --- CHANGES | 3 +++ bin/rndc/rndc.c | 15 +++++++++++---- lib/isc/win32/socket.c | 9 +++++---- 3 files changed, 19 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 1bb8367c42..f6eb40b402 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2067. [bug] 'rndc' could close the socket too early triggering + a INSIST under Windows. [RT #16317] + 2066. [placeholder] rt16300 2065. [bug] libbind: probe for HPUX prototypes for diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index 5456de314b..819d8737e8 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rndc.c,v 1.112 2006/07/20 03:41:57 marka Exp $ */ +/* $Id: rndc.c,v 1.113 2006/08/04 02:55:37 marka Exp $ */ /*! \file */ @@ -176,6 +176,11 @@ rndc_senddone(isc_task_t *task, isc_event_t *event) { if (sevent->result != ISC_R_SUCCESS) fatal("send failed: %s", isc_result_totext(sevent->result)); isc_event_free(&event); + if (sends == 0 && recvs == 0) { + isc_socket_detach(&sock); + isc_task_shutdown(task); + RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS); + } } static void @@ -228,9 +233,11 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); isccc_sexpr_free(&response); - isc_socket_detach(&sock); - isc_task_shutdown(task); - RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS); + if (sends == 0 && recvs == 0) { + isc_socket_detach(&sock); + isc_task_shutdown(task); + RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS); + } } static void diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c index f7f27d2c5e..15ae247cbc 100644 --- a/lib/isc/win32/socket.c +++ b/lib/isc/win32/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.44 2006/06/06 00:53:36 marka Exp $ */ +/* $Id: socket.c,v 1.45 2006/08/04 02:55:37 marka Exp $ */ /* This code has been rewritten to take advantage of Windows Sockets * I/O Completion Ports and Events. I/O Completion Ports is ONLY @@ -1711,14 +1711,15 @@ destroy_socket(isc_socket_t **sockp) { socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_DESTROYING, "destroying socket %d", sock->fd); + LOCK(&manager->lock); + + LOCK(&sock->lock); + INSIST(ISC_LIST_EMPTY(sock->accept_list)); INSIST(ISC_LIST_EMPTY(sock->recv_list)); INSIST(ISC_LIST_EMPTY(sock->send_list)); INSIST(sock->connect_ev == NULL); - LOCK(&manager->lock); - - LOCK(&sock->lock); socket_close(sock); if (sock->pending_recv != 0 || sock->pending_send != 0 || sock->pending_close != 0) { From 9ab29a657bce530265a820ff21af46322e311e21 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Aug 2006 03:03:19 +0000 Subject: [PATCH 400/465] 2067. [bug] 'rndc' could close the socket too early triggering a INSIST under Windows. [RT #16317] --- CHANGES | 3 +++ bin/rndc/rndc.c | 15 +++++++++++---- lib/isc/win32/socket.c | 9 +++++---- 3 files changed, 19 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 3983b8017c..7e193d4274 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ --- 9.2.7rc1 released --- +2067. [bug] 'rndc' could close the socket too early triggering + a INSIST under Windows. [RT #16317] + 2065. [bug] libbind: probe for HPUX prototypes for endprotoent_r() and endservent_r(). [RT 16313] diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index e9c6f07705..0e80ac2e3a 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rndc.c,v 1.77.2.8 2006/03/02 00:37:17 marka Exp $ */ +/* $Id: rndc.c,v 1.77.2.9 2006/08/04 03:03:19 marka Exp $ */ /* * Principal Author: DCL @@ -203,6 +203,11 @@ rndc_senddone(isc_task_t *task, isc_event_t *event) { if (sevent->result != ISC_R_SUCCESS) fatal("send failed: %s", isc_result_totext(sevent->result)); isc_event_free(&event); + if (sends == 0 && recvs == 0) { + isc_socket_detach(&sock); + isc_task_shutdown(task); + RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS); + } } static void @@ -253,9 +258,11 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); isccc_sexpr_free(&response); - isc_socket_detach(&sock); - isc_task_shutdown(task); - isc_app_shutdown(); + if (sends == 0 && recvs == 0) { + isc_socket_detach(&sock); + isc_task_shutdown(task); + RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS); + } } static void diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c index 00258b36c5..b6fae8b358 100644 --- a/lib/isc/win32/socket.c +++ b/lib/isc/win32/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.5.2.29 2006/01/07 00:23:32 marka Exp $ */ +/* $Id: socket.c,v 1.5.2.30 2006/08/04 03:03:19 marka Exp $ */ /* This code has been rewritten to take advantage of Windows Sockets * I/O Completion Ports and Events. I/O Completion Ports is ONLY @@ -1695,14 +1695,15 @@ destroy_socket(isc_socket_t **sockp) { socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_DESTROYING, "destroying socket %d", sock->fd); + LOCK(&manager->lock); + + LOCK(&sock->lock); + INSIST(ISC_LIST_EMPTY(sock->accept_list)); INSIST(ISC_LIST_EMPTY(sock->recv_list)); INSIST(ISC_LIST_EMPTY(sock->send_list)); INSIST(sock->connect_ev == NULL); - LOCK(&manager->lock); - - LOCK(&sock->lock); socket_close(sock); if (sock->pending_recv != 0 || sock->pending_send != 0 || sock->pending_close != 0) { From 50450bc11e9d6d240c88d7206a274e163e82d93d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Aug 2006 23:18:23 +0000 Subject: [PATCH 401/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 01d036f172..223e144cff 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -62,6 +62,7 @@ rt16307 new rt16313 new rt16315 new rt16317 new +rt16320 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From 7de21302865b286c59fad1231ee405b6c0236a10 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 8 Aug 2006 00:51:54 +0000 Subject: [PATCH 402/465] new draft --- ...4.txt => draft-ietf-dnsop-respsize-05.txt} | 370 +++++++++--------- 1 file changed, 185 insertions(+), 185 deletions(-) rename doc/draft/{draft-ietf-dnsop-respsize-04.txt => draft-ietf-dnsop-respsize-05.txt} (66%) diff --git a/doc/draft/draft-ietf-dnsop-respsize-04.txt b/doc/draft/draft-ietf-dnsop-respsize-05.txt similarity index 66% rename from doc/draft/draft-ietf-dnsop-respsize-04.txt rename to doc/draft/draft-ietf-dnsop-respsize-05.txt index 7abfc6f2e8..b9615be6f8 100644 --- a/doc/draft/draft-ietf-dnsop-respsize-04.txt +++ b/doc/draft/draft-ietf-dnsop-respsize-05.txt @@ -6,9 +6,9 @@ DNSOP Working Group Paul Vixie, ISC INTERNET-DRAFT Akira Kato, WIDE - July 2006 + August 2006 - DNS Response Size Issues + DNS Referral Response Size Issues Status of this Memo By submitting this Internet-Draft, each author represents that any @@ -45,16 +45,16 @@ the DNS protocol presents some special problems for zones wishing to expose a moderate or high number of authority servers (NS RRs). This document explains the operational issues caused by, or related to - this response size limit. + this response size limit, and suggests ways to optimize the use of + this limited space. Guidance is offered to DNS server implementors + and to DNS zone operators. - - - Expires December 2006 [Page 1] + Expires January 2007 [Page 1] - INTERNET-DRAFT July 2006 RESPSIZE + INTERNET-DRAFT August 2006 RESPSIZE 1 - Introduction and Overview @@ -65,10 +65,10 @@ not implicitly relaxed by changes in transport, for example to IPv6. 1.2. The EDNS0 protocol extension (see [RFC2671 2.3, 4.5]) permits - larger responses by mutual agreement of the requestor and responder. - However, deployment of EDNS0 cannot be expected to reach every Internet - resolver in the short or medium term. The 512 octet message size limit - remains in practical effect at this time. + larger responses by mutual agreement of the requester and responder. + The 512 octet message size limit will remain in practical effect until + there is widespread deployment of EDNS0 in DNS resolvers on the + Internet. 1.3. Since DNS responses include a copy of the request, the space available for response data is somewhat less than the full 512 octets. @@ -78,7 +78,9 @@ 2 - Delegation Details - 2.1. A delegation response will include the following elements: + 2.1. RELEVANT PROTOCOL ELEMENTS + + 2.1.1. A delegation response will include the following elements: Header Section: fixed length (12 octets) Question Section: original query (name, class, type) @@ -86,88 +88,97 @@ Authority Section: NS RRset (nameserver names) Additional Section: A and AAAA RRsets (nameserver addresses) - 2.2. If the total response size would exceed 512 octets, and if the data - that would not fit was "required", then the TC bit will be set - (indicating truncation). This will usually cause the requestor to retry + 2.1.2. If the total response size exceeds 512 octets, and if the data + that does not fit was "required", then the TC bit will be set + (indicating truncation). This will usually cause the requester to retry using TCP, depending on what information was desired and what - information was omitted. (For example, truncation in the authority + information was omitted. For example, truncation in the authority section is of no interest to a stub resolver who only plans to consume - the answer section.) If a retry using TCP is needed, the total cost of + the answer section. If a retry using TCP is needed, the total cost of the transaction is much higher. See [RFC1123 6.1.3.2] for details on the requirement that UDP be attempted before falling back to TCP. - 2.3. RRsets are never sent partially unless TC bit set to indicate + 2.1.3. RRsets are never sent partially unless TC bit set to indicate truncation. When TC bit is set, the final apparent RRset in the final - nonempty section must be considered "possibly damaged" (see [RFC1035 + non-empty section must be considered "possibly damaged" (see [RFC1035 6.2], [RFC2181 9]). - - - Expires December 2006 [Page 2] + Expires January 2007 [Page 2] - INTERNET-DRAFT July 2006 RESPSIZE + INTERNET-DRAFT August 2006 RESPSIZE - 2.4. With or without truncation, the glue present in the additional data - section should be considered "possibly incomplete", and requestors + 2.1.4. With or without truncation, the glue present in the additional + data section should be considered "possibly incomplete", and requesters should be prepared to re-query for any damaged or missing RRsets. Note that truncation of the additional data section might not be signalled via the TC bit since additional data is often optional. - 2.5. DNS label compression allows a domain name to be instantiated only - once per DNS message, and then referenced with a two-octet "pointer" - from other locations in that same DNS message. If all nameserver names - in a message are similar (for example, all ending in ".ROOT- - SERVERS.NET"), then more space will be available for uncompressable data - (such as nameserver addresses). + 2.1.5. DNS label compression allows a domain name to be instantiated + only once per DNS message, and then referenced with a two-octet + "pointer" from other locations in that same DNS message (see [RFC1035 + 4.1.4]). If all nameserver names in a message share a common parent + (for example, all ending in ".ROOT-SERVERS.NET"), then more space will + be available for incompressable data (such as nameserver addresses). - 2.6. The query name can be as long as 255 characters of presentation + 2.1.6. The query name can be as long as 255 characters of presentation data, which can be up to 256 octets of network data. In this worst case scenario, the question section will be 260 octets in size, which would leave only 240 octets for the authority and additional sections (after deducting 12 octets for the fixed length header.) - 2.7. Average and maximum question section sizes can be predicted by the - zone owner, since they will know what names actually exist, and can - measure which ones are queried for most often. For cost and performance + 2.2. ADVICE TO ZONE OWNERS + + 2.2.1. Average and maximum question section sizes can be predicted by + the zone owner, since they will know what names actually exist, and can + measure which ones are queried for most often. Note that if the zone + contains any wildcards, it is possible for maximum length queries to + require positive responses, but that it is reasonable to expect + truncation and TCP retry in that case. For cost and performance reasons, the majority of requests should be satisfied without truncation or TCP retry. - 2.8. Some queries to non-existing names can be large, but this is not a - problem because negative responses need not contain any answer, - authority or additional records. (See [RFC2308 2.1] for more - information about the format of negative responses.) + 2.2.2. Some queries to non-existing names can be large, but this is not + a problem because negative responses need not contain any answer, + authority or additional records. See [RFC2308 2.1] for more information + about the format of negative responses. - 2.9. The minimum useful number of name servers is two, for redundancy - (see [RFC1034 4.1]). In case of multihomed name servers, it is - advantageous to include an address record from each of several name - servers before including several address records for any one name - server. If address records for more than one transport (for example, A - and AAAA) are available, then it is advantageous to include records of - both types early on, before the message is full. + 2.2.3. The minimum useful number of name servers is two, for redundancy + (see [RFC1034 4.1]). A zone's name servers should be reachable by all + IP transport protocols (e.g., IPv4 and IPv6) in common use. - 2.10. The best case is no truncation at all. This is because many - requestors will retry using TCP by reflex, or will automatically re- - query for RRsets that are "possibly truncated", without considering + 2.2.4. The best case is no truncation at all. This is because many + requesters will retry using TCP by reflex, or will automatically re- + query for RRsets that are possibly truncated, without considering whether the omitted data was actually necessary. - 2.11. Each added NS RR for a zone will add a minimum of between 16 and - 44 octets to every untruncated referral or negative response from the - Expires December 2006 [Page 3] + + Expires January 2007 [Page 3] - INTERNET-DRAFT July 2006 RESPSIZE + INTERNET-DRAFT August 2006 RESPSIZE - zone's authority servers (16 octets for an NS RR, 16 octets for an A RR, - and 28 octets for an AAAA RR), in addition to whatever space is taken by - the nameserver name (NS NSDNAME as well as A or AAAA owner name). + 2.3. ADVICE TO SERVER IMPLEMENTORS - 2.12. While DNS distinguishes between necessary and optional resource + 2.3.1. In case of multi-homed name servers, it is advantageous to + include an address record from each of several name servers before + including several address records for any one name server. If address + records for more than one transport (for example, A and AAAA) are + available, then it is advantageous to include records of both types + early on, before the message is full. + + 2.3.2. Each added NS RR for a zone will add between 16 and 44 octets to + every non-truncated referral or negative response from the zone's + authority servers (16 octets for an NS RR, 16 octets for an A RR, and 28 + octets for an AAAA RR), in addition to whatever space is taken by the + nameserver name (NS NSDNAME as well as A or AAAA owner name). + + 2.3.3. While DNS distinguishes between necessary and optional resource records, this distinction is according to protocol elements necessary to signify facts, and takes no official notice of protocol content necessary to ensure correct operation. For example, a nameserver name @@ -176,18 +187,18 @@ parent zone's delegation includes "glue records" describing that name server's addresses. - 2.13. It is also necessary to distinguish between "explicit truncation" + 2.3.4. It is also necessary to distinguish between "explicit truncation" where a message could not contain enough records to convey its intended meaning, and so the TC bit has been set, and "silent truncation", where the message was not large enough to contain some records which were "not required", and so the TC bit was not set. - 2.14. An delegation response should prioritize glue records as follows. + 2.3.5. A delegation response should prioritize glue records as follows. first All glue RRsets for one name server whose name is in or below the zone being delegated, or which has multiple address RRsets (currently - A and AAAA), or preferrably both; + A and AAAA), or preferably both; second Alternate between adding all glue RRsets for any name servers whose @@ -198,10 +209,20 @@ thence All other glue RRsets, in any order. + + + Expires January 2007 [Page 4] + + INTERNET-DRAFT August 2006 RESPSIZE + + + Whenever there are multiple candidates for a position in this priority + scheme, one should be chosen on a round-robin or fully random basis. + The goal of this priority scheme is to offer "necessary" glue first, avoiding silent truncation for this glue if possible. - 2.15. If any "necessary content" is silently truncated, then it is + 2.3.6. If any "necessary content" is silently truncated, then it is advisable that the TC bit be set in order to force a TCP retry, rather than have the zone be unreachable. Note that a parent server's proper response to a query for in-child glue or below-child glue is a referral @@ -209,13 +230,6 @@ the in-child or below-child glue, and that in outlying cases, only EDNS or TCP will be large enough to contain that data. - - - Expires December 2006 [Page 4] - - INTERNET-DRAFT July 2006 RESPSIZE - - 3 - Analysis 3.1. An instrumented protocol trace of a best case delegation response @@ -244,6 +258,17 @@ com. 86400 NS D.GTLD-SERVERS.NET. ;; @304 + + + + + + + Expires January 2007 [Page 5] + + INTERNET-DRAFT August 2006 RESPSIZE + + ;; ADDITIONAL SECTION: A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320 B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336 @@ -261,19 +286,12 @@ ;; MSG SIZE sent: 80 rcvd: 512 - - - - Expires December 2006 [Page 5] - - INTERNET-DRAFT July 2006 RESPSIZE - - 3.2. For longer query names, the number of address records supplied will be lower. Furthermore, it is only by using a common parent name (which is GTLD-SERVERS.NET in this example) that all 13 addresses are able to - fit. The following output from a response simulator demonstrates these - properties: + fit, due to the use of DNS compression pointers in the last 12 + occurances of the parent domain name. The following output from a + response simulator demonstrates these properties. % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br a.dns.br requires 10 bytes @@ -291,6 +309,19 @@ preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green) + + + + + + + + + Expires January 2007 [Page 6] + + INTERNET-DRAFT August 2006 RESPSIZE + + % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int ns-ext.isc.org requires 16 bytes ns.psg.com requires 12 bytes @@ -315,18 +346,11 @@ examples we use an average/common name size of 15 octets, befitting our assumption of GTLD-SERVERS.NET as our common parent name. - - - Expires December 2006 [Page 6] - - INTERNET-DRAFT July 2006 RESPSIZE - - - We're assuming an average query name size of 64 since that is the - typical average maximum size seen in trace data at the time of this - writing. If Internationalized Domain Name (IDN) or any other technology - which results in larger query names be deployed significantly in advance - of EDNS, then new measurements and new estimates will have to be made. + We're assuming a medium query name size of 64 since that is the typical + size seen in trace data at the time of this writing. If + Internationalized Domain Name (IDN) or any other technology which + results in larger query names be deployed significantly in advance of + EDNS, then new measurements and new estimates will have to be made. 4 - Conclusions @@ -338,23 +362,52 @@ thereafter. 4.2. If all nameserver names for a zone share a common parent, then it - is operationally advisable to make all servers for the zone so served + is operationally advisable to make all servers for the zone thus served also be authoritative for the zone of that common parent. For example, the root name servers (?.ROOT-SERVERS.NET) can answer authoritatively for the ROOT-SERVERS.NET. This is to ensure that the zone's servers - always have the zone's nameservers' glue available when delegating. + always have the zone's nameservers' glue available when delegating, and - 4.3. Thirteen (13) seems to be the effective maximum number of - nameserver names usable traditional (non-extended) DNS, assuming a - common parent domain name, and given that response truncation is - undesirable as an average case, and assuming mostly IPv4-only - reachability (only A RRs exist, not AAAA RRs). - XXX 4.4. Adding up to five IPv6 nameserver address records (AAAA RRs) to - a prototypical delegation that currently contains thirteen (13) IPv4 - nameserver addresses (A RRs) for thirteen (13) nameserver names under a - common parent, would not have a significant negative operational impact - on the domain name system. + + Expires January 2007 [Page 7] + + INTERNET-DRAFT August 2006 RESPSIZE + + + will be able to respond with answers rather than referrals if a + requester who wants that glue comes back asking for it. In this case + the name server will likely be a "stealth server" -- authoritative but + unadvertised in the glue zone's NS RRset. See [RFC1996 2] for more + information about stealth servers. + + 4.3. Thirteen (13) is the effective maximum number of nameserver names + usable traditional (non-extended) DNS, assuming a common parent domain + name, and given that implicit referral response truncation is + undesirable in the average case. + + 4.4. Multi-homing of name servers within a protocol family is + inadvisable since the necessary glue RRsets (A or AAAA) are atomically + indivisible, and will be larger than a single resource record. Larger + RRsets are more likely to lead to or encounter truncation. + + 4.5. Multi-homing of name servers across protocol families is less + likely to lead to or encounter truncation, partly because multiprotocol + clients are more likely to speak EDNS which can use a larger response + size limit, and partly because the resource records (A and AAAA) are in + different RRsets and are therefore divisible from each other. + + 4.6. Name server names which are at or below the zone they serve are + more sensitive to referral response truncation, and glue records for + them should be considered "less optional" than other glue records, in + the assembly of referral responses. + + 4.7. If a zone is served by thirteen (13) name servers having a common + parent name (such as ?.ROOT-SERVERS.NET) and each such name server has a + single address record in some protocol family (e.g., an A RR), then all + thirteen name servers or any subset thereof could multi-home in a second + protocol family by adding a second address record (e.g., an AAAA RR) + without reducing the reachability of the zone thus served. 5 - Source Code @@ -370,9 +423,9 @@ - Expires December 2006 [Page 7] + Expires January 2007 [Page 8] - INTERNET-DRAFT July 2006 RESPSIZE + INTERNET-DRAFT August 2006 RESPSIZE my ($sz_msg) = (512); @@ -423,9 +476,9 @@ - Expires December 2006 [Page 8] + Expires January 2007 [Page 9] - INTERNET-DRAFT July 2006 RESPSIZE + INTERNET-DRAFT August 2006 RESPSIZE $n_a_aaaa = atmost(int($space @@ -468,20 +521,23 @@ This document does not call for changes or additions to any IANA registry. - 8 - Acknowledgement The authors thank Peter Koch and Rob Austein for - their valuable comments and suggestions. + 8 - Acknowledgement + + The authors thank Peter Koch, Rob Austein, and Joe Abley for their + valuable comments and suggestions. - - - Expires December 2006 [Page 9] + Expires January 2007 [Page 10] - INTERNET-DRAFT July 2006 RESPSIZE + INTERNET-DRAFT August 2006 RESPSIZE - 9 - Refrenaces + This work was supported by the US National Science Foundation (research + grant SCI-0427144) and DNS-OARC. + + 9 - References [RFC1034] Mockapetris, P.V., "Domain names - Concepts and Facilities", RFC1034, November 1987. @@ -492,6 +548,9 @@ [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - Application and Support", RFC1123, October 1989. + [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone + Changes (DNS NOTIFY)", RFC1996, August 1996. + [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC2308, March 1998. @@ -501,42 +560,10 @@ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC2671, August 1999. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Expires December 2006 [Page 10] - - INTERNET-DRAFT July 2006 RESPSIZE - - 10 - Authors' Addresses Paul Vixie + Internet Systems Consortium, Inc. 950 Charter Street Redwood City, CA 94063 +1 650 423 1301 @@ -549,6 +576,17 @@ +81 3 5841 2750 kato@wide.ad.jp + + + + + + + Expires January 2007 [Page 11] + + INTERNET-DRAFT August 2006 RESPSIZE + + Full Copyright Statement Copyright (C) The Internet Society (2006). @@ -579,14 +617,6 @@ Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such - - - - Expires December 2006 [Page 11] - - INTERNET-DRAFT July 2006 RESPSIZE - - proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. @@ -605,36 +635,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Expires December 2006 [Page 12] + Expires January 2007 [Page 12] From 2b59366035cf1add576318ab336e6b4bdf170e0f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 8 Aug 2006 05:06:06 +0000 Subject: [PATCH 403/465] 4470: Minimally Covering NSEC Records and DNSSEC On-line Signing --- doc/rfc/index | 1 + doc/rfc/rfc4470.txt | 451 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 452 insertions(+) create mode 100644 doc/rfc/rfc4470.txt diff --git a/doc/rfc/index b/doc/rfc/index index 036e664323..ded9674700 100644 --- a/doc/rfc/index +++ b/doc/rfc/index @@ -109,4 +109,5 @@ 4431: The DNSSEC Lookaside Validation (DLV) DNS Resource Record 4408: Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1 +4470: Minimally Covering NSEC Records and DNSSEC On-line Signing 4634: US Secure Hash Algorithms (SHA and HMAC-SHA) diff --git a/doc/rfc/rfc4470.txt b/doc/rfc/rfc4470.txt new file mode 100644 index 0000000000..ac12d65c44 --- /dev/null +++ b/doc/rfc/rfc4470.txt @@ -0,0 +1,451 @@ + + + + + + +Network Working Group S. Weiler +Request for Comments: 4470 SPARTA, Inc. +Updates: 4035, 4034 J. Ihren +Category: Standards Track Autonomica AB + April 2006 + + + Minimally Covering NSEC Records and DNSSEC On-line Signing + + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This document describes how to construct DNSSEC NSEC resource records + that cover a smaller range of names than called for by RFC 4034. By + generating and signing these records on demand, authoritative name + servers can effectively stop the disclosure of zone contents + otherwise made possible by walking the chain of NSEC records in a + signed zone. + +Table of Contents + + 1. Introduction ....................................................1 + 2. Applicability of This Technique .................................2 + 3. Minimally Covering NSEC Records .................................2 + 4. Better Epsilon Functions ........................................4 + 5. Security Considerations .........................................5 + 6. Acknowledgements ................................................6 + 7. Normative References ............................................6 + +1. Introduction + + With DNSSEC [1], an NSEC record lists the next instantiated name in + its zone, proving that no names exist in the "span" between the + NSEC's owner name and the name in the "next name" field. In this + document, an NSEC record is said to "cover" the names between its + owner name and next name. + + + +Weiler & Ihren Standards Track [Page 1] + +RFC 4470 NSEC Epsilon April 2006 + + + Through repeated queries that return NSEC records, it is possible to + retrieve all of the names in the zone, a process commonly called + "walking" the zone. Some zone owners have policies forbidding zone + transfers by arbitrary clients; this side effect of the NSEC + architecture subverts those policies. + + This document presents a way to prevent zone walking by constructing + NSEC records that cover fewer names. These records can make zone + walking take approximately as many queries as simply asking for all + possible names in a zone, making zone walking impractical. Some of + these records must be created and signed on demand, which requires + on-line private keys. Anyone contemplating use of this technique is + strongly encouraged to review the discussion of the risks of on-line + signing in Section 5. + +1.2. Keywords + + The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [4]. + +2. Applicability of This Technique + + The technique presented here may be useful to a zone owner that wants + to use DNSSEC, is concerned about exposure of its zone contents via + zone walking, and is willing to bear the costs of on-line signing. + + As discussed in Section 5, on-line signing has several security + risks, including an increased likelihood of private keys being + disclosed and an increased risk of denial of service attack. Anyone + contemplating use of this technique is strongly encouraged to review + the discussion of the risks of on-line signing in Section 5. + + Furthermore, at the time this document was published, the DNSEXT + working group was actively working on a mechanism to prevent zone + walking that does not require on-line signing (tentatively called + NSEC3). The new mechanism is likely to expose slightly more + information about the zone than this technique (e.g., the number of + instantiated names), but it may be preferable to this technique. + +3. Minimally Covering NSEC Records + + This mechanism involves changes to NSEC records for instantiated + names, which can still be generated and signed in advance, as well as + the on-demand generation and signing of new NSEC records whenever a + name must be proven not to exist. + + + + + +Weiler & Ihren Standards Track [Page 2] + +RFC 4470 NSEC Epsilon April 2006 + + + In the "next name" field of instantiated names' NSEC records, rather + than list the next instantiated name in the zone, list any name that + falls lexically after the NSEC's owner name and before the next + instantiated name in the zone, according to the ordering function in + RFC 4034 [2] Section 6.1. This relaxes the requirement in Section + 4.1.1 of RFC 4034 that the "next name" field contains the next owner + name in the zone. This change is expected to be fully compatible + with all existing DNSSEC validators. These NSEC records are returned + whenever proving something specifically about the owner name (e.g., + that no resource records of a given type appear at that name). + + Whenever an NSEC record is needed to prove the non-existence of a + name, a new NSEC record is dynamically produced and signed. The new + NSEC record has an owner name lexically before the QNAME but + lexically following any existing name and a "next name" lexically + following the QNAME but before any existing name. + + The generated NSEC record's type bitmap MUST have the RRSIG and NSEC + bits set and SHOULD NOT have any other bits set. This relaxes the + requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at + names that did not exist before the zone was signed. + + The functions to generate the lexically following and proceeding + names need not be perfect or consistent, but the generated NSEC + records must not cover any existing names. Furthermore, this + technique works best when the generated NSEC records cover as few + names as possible. In this document, the functions that generate the + nearby names are called "epsilon" functions, a reference to the + mathematical convention of using the greek letter epsilon to + represent small deviations. + + An NSEC record denying the existence of a wildcard may be generated + in the same way. Since the NSEC record covering a non-existent + wildcard is likely to be used in response to many queries, + authoritative name servers using the techniques described here may + want to pregenerate or cache that record and its corresponding RRSIG. + + For example, a query for an A record at the non-instantiated name + example.com might produce the following two NSEC records, the first + denying the existence of the name example.com and the second denying + the existence of a wildcard: + + exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC ) + + \).com 3600 IN NSEC +.com ( RRSIG NSEC ) + + + + + + +Weiler & Ihren Standards Track [Page 3] + +RFC 4470 NSEC Epsilon April 2006 + + + Before answering a query with these records, an authoritative server + must test for the existence of names between these endpoints. If the + generated NSEC would cover existing names (e.g., exampldd.com or + *bizarre.example.com), a better epsilon function may be used or the + covered name closest to the QNAME could be used as the NSEC owner + name or next name, as appropriate. If an existing name is used as + the NSEC owner name, that name's real NSEC record MUST be returned. + Using the same example, assuming an exampldd.com delegation exists, + this record might be returned from the parent: + + exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC ) + + Like every authoritative record in the zone, each generated NSEC + record MUST have corresponding RRSIGs generated using each algorithm + (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as + described in RFC 4035 [3] Section 2.2. To minimize the number of + signatures that must be generated, a zone may wish to limit the + number of algorithms in its DNSKEY RRset. + +4. Better Epsilon Functions + + Section 6.1 of RFC 4034 defines a strict ordering of DNS names. + Working backward from that definition, it should be possible to + define epsilon functions that generate the immediately following and + preceding names, respectively. This document does not define such + functions. Instead, this section presents functions that come + reasonably close to the perfect ones. As described above, an + authoritative server should still ensure than no generated NSEC + covers any existing name. + + To increment a name, add a leading label with a single null (zero- + value) octet. + + To decrement a name, decrement the last character of the leftmost + label, then fill that label to a length of 63 octets with octets of + value 255. To decrement a null (zero-value) octet, remove the octet + -- if an empty label is left, remove the label. Defining this + function numerically: fill the leftmost label to its maximum length + with zeros (numeric, not ASCII zeros) and subtract one. + + In response to a query for the non-existent name foo.example.com, + these functions produce NSEC records of the following: + + + + + + + + + +Weiler & Ihren Standards Track [Page 4] + +RFC 4470 NSEC Epsilon April 2006 + + + fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG ) + + \)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG ) + + The first of these NSEC RRs proves that no exact match for + foo.example.com exists, and the second proves that there is no + wildcard in example.com. + + Both of these functions are imperfect: they do not take into account + constraints on number of labels in a name nor total length of a name. + As noted in the previous section, though, this technique does not + depend on the use of perfect epsilon functions: it is sufficient to + test whether any instantiated names fall into the span covered by the + generated NSEC and, if so, substitute those instantiated owner names + for the NSEC owner name or next name, as appropriate. + +5. Security Considerations + + This approach requires on-demand generation of RRSIG records. This + creates several new vulnerabilities. + + First, on-demand signing requires that a zone's authoritative servers + have access to its private keys. Storing private keys on well-known + Internet-accessible servers may make them more vulnerable to + unintended disclosure. + + Second, since generation of digital signatures tends to be + computationally demanding, the requirement for on-demand signing + makes authoritative servers vulnerable to a denial of service attack. + + Last, if the epsilon functions are predictable, on-demand signing may + enable a chosen-plaintext attack on a zone's private keys. Zones + using this approach should attempt to use cryptographic algorithms + that are resistant to chosen-plaintext attacks. It is worth noting + that although DNSSEC has a "mandatory to implement" algorithm, that + is a requirement on resolvers and validators -- there is no + requirement that a zone be signed with any given algorithm. + + The success of using minimally covering NSEC records to prevent zone + walking depends greatly on the quality of the epsilon functions + + + +Weiler & Ihren Standards Track [Page 5] + +RFC 4470 NSEC Epsilon April 2006 + + + chosen. An increment function that chooses a name obviously derived + from the next instantiated name may be easily reverse engineered, + destroying the value of this technique. An increment function that + always returns a name close to the next instantiated name is likewise + a poor choice. Good choices of epsilon functions are the ones that + produce the immediately following and preceding names, respectively, + though zone administrators may wish to use less perfect functions + that return more human-friendly names than the functions described in + Section 4 above. + + Another obvious but misguided concern is the danger from synthesized + NSEC records being replayed. It is possible for an attacker to + replay an old but still validly signed NSEC record after a new name + has been added in the span covered by that NSEC, incorrectly proving + that there is no record at that name. This danger exists with DNSSEC + as defined in [3]. The techniques described here actually decrease + the danger, since the span covered by any NSEC record is smaller than + before. Choosing better epsilon functions will further reduce this + danger. + +6. Acknowledgements + + Many individuals contributed to this design. They include, in + addition to the authors of this document, Olaf Kolkman, Ed Lewis, + Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis, + Jakob Schlyter, Bill Manning, and Joao Damas. + + In addition, the editors would like to thank Ed Lewis, Scott Rose, + and David Blacka for their careful review of the document. + +7. Normative References + + [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, March + 2005. + + [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. + + [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Protocol Modifications for the DNS Security Extensions", RFC + 4035, March 2005. + + [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + + + + +Weiler & Ihren Standards Track [Page 6] + +RFC 4470 NSEC Epsilon April 2006 + + +Authors' Addresses + + Samuel Weiler + SPARTA, Inc. + 7075 Samuel Morse Drive + Columbia, Maryland 21046 + US + + EMail: weiler@tislabs.com + + + Johan Ihren + Autonomica AB + Bellmansgatan 30 + Stockholm SE-118 47 + Sweden + + EMail: johani@autonomica.se + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Weiler & Ihren Standards Track [Page 7] + +RFC 4470 NSEC Epsilon April 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Weiler & Ihren Standards Track [Page 8] + From cfaf65f53fb0c1779e7b2e07216e5fbfd3a2d52e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 8 Aug 2006 06:37:12 +0000 Subject: [PATCH 404/465] 2068. [cleanup] Lower incremental tuning message to debug 1. [RT #16319] --- CHANGES | 3 +++ lib/dns/masterdump.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index f6eb40b402..7c9611fb21 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2068. [cleanup] Lower incremental tuning message to debug 1. + [RT #16319] + 2067. [bug] 'rndc' could close the socket too early triggering a INSIST under Windows. [RT #16317] diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c index 988574fa7f..aeb8a2c6cb 100644 --- a/lib/dns/masterdump.c +++ b/lib/dns/masterdump.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: masterdump.c,v 1.86 2006/03/09 23:57:56 marka Exp $ */ +/* $Id: masterdump.c,v 1.87 2006/08/08 06:37:12 marka Exp $ */ /*! \file */ @@ -1407,7 +1407,8 @@ dumptostreaminc(dns_dumpctx_t *dctx) { dctx->nodes = (nodes + dctx->nodes * 7) / 8; isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL, - DNS_LOGMODULE_MASTERDUMP, ISC_LOG_INFO, + DNS_LOGMODULE_MASTERDUMP, + ISC_LOG_DEBUG(1), "dumptostreaminc(%p) new nodes -> %d\n", dctx, dctx->nodes); } From cedc9b79d36ef6d612d4ad50c4abce910a1981eb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 8 Aug 2006 23:06:43 +0000 Subject: [PATCH 405/465] new draft --- doc/draft/draft-ietf-dnsop-respsize-06.txt | 640 +++++++++++++++++++++ 1 file changed, 640 insertions(+) create mode 100644 doc/draft/draft-ietf-dnsop-respsize-06.txt diff --git a/doc/draft/draft-ietf-dnsop-respsize-06.txt b/doc/draft/draft-ietf-dnsop-respsize-06.txt new file mode 100644 index 0000000000..b041925afb --- /dev/null +++ b/doc/draft/draft-ietf-dnsop-respsize-06.txt @@ -0,0 +1,640 @@ + + + + + + + DNSOP Working Group Paul Vixie, ISC + INTERNET-DRAFT Akira Kato, WIDE + August 2006 + + DNS Referral Response Size Issues + + Status of this Memo + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + Copyright Notice + + Copyright (C) The Internet Society (2006). All Rights Reserved. + + + + + Abstract + + With a mandated default minimum maximum message size of 512 octets, + the DNS protocol presents some special problems for zones wishing to + expose a moderate or high number of authority servers (NS RRs). This + document explains the operational issues caused by, or related to + this response size limit, and suggests ways to optimize the use of + this limited space. Guidance is offered to DNS server implementors + and to DNS zone operators. + + + + + Expires January 2007 [Page 1] + + INTERNET-DRAFT August 2006 RESPSIZE + + + 1 - Introduction and Overview + + 1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512 + octets. Even though this limitation was due to the required minimum IP + reassembly limit for IPv4, it became a hard DNS protocol limit and is + not implicitly relaxed by changes in transport, for example to IPv6. + + 1.2. The EDNS0 protocol extension (see [RFC2671 2.3, 4.5]) permits + larger responses by mutual agreement of the requester and responder. + The 512 octet message size limit will remain in practical effect until + there is widespread deployment of EDNS0 in DNS resolvers on the + Internet. + + 1.3. Since DNS responses include a copy of the request, the space + available for response data is somewhat less than the full 512 octets. + Negative responses are quite small, but for positive and delegation + responses, every octet must be carefully and sparingly allocated. This + document specifically addresses delegation response sizes. + + 2 - Delegation Details + + 2.1. RELEVANT PROTOCOL ELEMENTS + + 2.1.1. A delegation response will include the following elements: + + Header Section: fixed length (12 octets) + Question Section: original query (name, class, type) + Answer Section: empty, or a CNAME/DNAME chain + Authority Section: NS RRset (nameserver names) + Additional Section: A and AAAA RRsets (nameserver addresses) + + 2.1.2. If the total response size exceeds 512 octets, and if the data + that does not fit was "required", then the TC bit will be set + (indicating truncation). This will usually cause the requester to retry + using TCP, depending on what information was desired and what + information was omitted. For example, truncation in the authority + section is of no interest to a stub resolver who only plans to consume + the answer section. If a retry using TCP is needed, the total cost of + the transaction is much higher. See [RFC1123 6.1.3.2] for details on + the requirement that UDP be attempted before falling back to TCP. + + 2.1.3. RRsets are never sent partially unless TC bit set to indicate + truncation. When TC bit is set, the final apparent RRset in the final + non-empty section must be considered "possibly damaged" (see [RFC1035 + 6.2], [RFC2181 9]). + + + + Expires January 2007 [Page 2] + + INTERNET-DRAFT August 2006 RESPSIZE + + + 2.1.4. With or without truncation, the glue present in the additional + data section should be considered "possibly incomplete", and requesters + should be prepared to re-query for any damaged or missing RRsets. Note + that truncation of the additional data section might not be signalled + via the TC bit since additional data is often optional (see discussion + in [RFC4472 B]). + + 2.1.5. DNS label compression allows a domain name to be instantiated + only once per DNS message, and then referenced with a two-octet + "pointer" from other locations in that same DNS message (see [RFC1035 + 4.1.4]). If all nameserver names in a message share a common parent + (for example, all ending in ".ROOT-SERVERS.NET"), then more space will + be available for incompressable data (such as nameserver addresses). + + 2.1.6. The query name can be as long as 255 octets of network data. In + this worst case scenario, the question section will be 259 octets in + size, which would leave only 240 octets for the authority and additional + sections (after deducting 12 octets for the fixed length header.) + + 2.2. ADVICE TO ZONE OWNERS + + 2.2.1. Average and maximum question section sizes can be predicted by + the zone owner, since they will know what names actually exist, and can + measure which ones are queried for most often. Note that if the zone + contains any wildcards, it is possible for maximum length queries to + require positive responses, but that it is reasonable to expect + truncation and TCP retry in that case. For cost and performance + reasons, the majority of requests should be satisfied without truncation + or TCP retry. + + 2.2.2. Some queries to non-existing names can be large, but this is not + a problem because negative responses need not contain any answer, + authority or additional records. See [RFC2308 2.1] for more information + about the format of negative responses. + + 2.2.3. The minimum useful number of name servers is two, for redundancy + (see [RFC1034 4.1]). A zone's name servers should be reachable by all + IP transport protocols (e.g., IPv4 and IPv6) in common use. + + 2.2.4. The best case is no truncation at all. This is because many + requesters will retry using TCP immediately, or will automatically re- + query for RRsets that are possibly truncated, without considering + whether the omitted data was actually necessary. + + + + + + Expires January 2007 [Page 3] + + INTERNET-DRAFT August 2006 RESPSIZE + + + 2.3. ADVICE TO SERVER IMPLEMENTORS + + 2.3.1. In case of multi-homed name servers, it is advantageous to + include an address record from each of several name servers before + including several address records for any one name server. If address + records for more than one transport (for example, A and AAAA) are + available, then it is advantageous to include records of both types + early on, before the message is full. + + 2.3.2. Each added NS RR for a zone will add 12 fixed octets (name, type, + class, ttl, and rdlen) plus 2 to 255 variable octets (for the NSDNAME). + Each A RR will require 16 octets, and each AAAA RR will require 28 + octets. + + 2.3.3. While DNS distinguishes between necessary and optional resource + records, this distinction is according to protocol elements necessary to + signify facts, and takes no official notice of protocol content + necessary to ensure correct operation. For example, a nameserver name + that is in or below the zone cut being described by a delegation is + "necessary content," since there is no way to reach that zone unless the + parent zone's delegation includes "glue records" describing that name + server's addresses. + + 2.3.4. It is also necessary to distinguish between "explicit truncation" + where a message could not contain enough records to convey its intended + meaning, and so the TC bit has been set, and "silent truncation", where + the message was not large enough to contain some records which were "not + required", and so the TC bit was not set. + + 2.3.5. A delegation response should prioritize glue records as follows. + + first + All glue RRsets for one name server whose name is in or below the + zone being delegated, or which has multiple address RRsets (currently + A and AAAA), or preferably both; + + second + Alternate between adding all glue RRsets for any name servers whose + names are in or below the zone being delegated, and all glue RRsets + for any name servers who have multiple address RRsets (currently A + and AAAA); + + thence + All other glue RRsets, in any order. + + + + + Expires January 2007 [Page 4] + + INTERNET-DRAFT August 2006 RESPSIZE + + + Whenever there are multiple candidates for a position in this priority + scheme, one should be chosen on a round-robin or fully random basis. + + The goal of this priority scheme is to offer "necessary" glue first, + avoiding silent truncation for this glue if possible. + + 2.3.6. If any "necessary content" is silently truncated, then it is + advisable that the TC bit be set in order to force a TCP retry, rather + than have the zone be unreachable. Note that a parent server's proper + response to a query for in-child glue or below-child glue is a referral + rather than an answer, and that this referral MUST be able to contain + the in-child or below-child glue, and that in outlying cases, only EDNS + or TCP will be large enough to contain that data. + + 3 - Analysis + + 3.1. An instrumented protocol trace of a best case delegation response + follows. Note that 13 servers are named, and 13 addresses are given. + This query was artificially designed to exactly reach the 512 octet + limit. + + ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13 + ;; QUERY SECTION: + ;; [23456789.123456789.123456789.\ + 123456789.123456789.123456789.com A IN] ;; @80 + + ;; AUTHORITY SECTION: + com. 86400 NS E.GTLD-SERVERS.NET. ;; @112 + com. 86400 NS F.GTLD-SERVERS.NET. ;; @128 + com. 86400 NS G.GTLD-SERVERS.NET. ;; @144 + com. 86400 NS H.GTLD-SERVERS.NET. ;; @160 + com. 86400 NS I.GTLD-SERVERS.NET. ;; @176 + com. 86400 NS J.GTLD-SERVERS.NET. ;; @192 + com. 86400 NS K.GTLD-SERVERS.NET. ;; @208 + com. 86400 NS L.GTLD-SERVERS.NET. ;; @224 + com. 86400 NS M.GTLD-SERVERS.NET. ;; @240 + com. 86400 NS A.GTLD-SERVERS.NET. ;; @256 + com. 86400 NS B.GTLD-SERVERS.NET. ;; @272 + com. 86400 NS C.GTLD-SERVERS.NET. ;; @288 + com. 86400 NS D.GTLD-SERVERS.NET. ;; @304 + + + + + + + + + Expires January 2007 [Page 5] + + INTERNET-DRAFT August 2006 RESPSIZE + + + ;; ADDITIONAL SECTION: + A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320 + B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336 + C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352 + D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368 + E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384 + F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400 + G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416 + H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432 + I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448 + J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464 + K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480 + L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496 + M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512 + + ;; MSG SIZE sent: 80 rcvd: 512 + + 3.2. For longer query names, the number of address records supplied will + be lower. Furthermore, it is only by using a common parent name (which + is GTLD-SERVERS.NET in this example) that all 13 addresses are able to + fit, due to the use of DNS compression pointers in the last 12 + occurances of the parent domain name. The following output from a + response simulator demonstrates these properties. + + % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br + a.dns.br requires 10 bytes + b.dns.br requires 4 bytes + c.dns.br requires 4 bytes + d.dns.br requires 4 bytes + # of NS: 4 + For maximum size query (255 byte): + only A is considered: # of A is 4 (green) + A and AAAA are considered: # of A+AAAA is 3 (yellow) + preferred-glue A is assumed: # of A is 4, # of AAAA is 3 (yellow) + For average size query (64 byte): + only A is considered: # of A is 4 (green) + A and AAAA are considered: # of A+AAAA is 4 (green) + preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green) + + + + + + + + + + + Expires January 2007 [Page 6] + + INTERNET-DRAFT August 2006 RESPSIZE + + + % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int + ns-ext.isc.org requires 16 bytes + ns.psg.com requires 12 bytes + ns.ripe.net requires 13 bytes + ns.eu.int requires 11 bytes + # of NS: 4 + For maximum size query (255 byte): + only A is considered: # of A is 4 (green) + A and AAAA are considered: # of A+AAAA is 3 (yellow) + preferred-glue A is assumed: # of A is 4, # of AAAA is 2 (yellow) + For average size query (64 byte): + only A is considered: # of A is 4 (green) + A and AAAA are considered: # of A+AAAA is 4 (green) + preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green) + + (Note: The response simulator program is shown in Section 5.) + + Here we use the term "green" if all address records could fit, or + "yellow" if two or more could fit, or "orange" if only one could fit, or + "red" if no address record could fit. It's clear that without a common + parent for nameserver names, much space would be lost. For these + examples we use an average/common name size of 15 octets, befitting our + assumption of GTLD-SERVERS.NET as our common parent name. + + We're assuming a medium query name size of 64 since that is the typical + size seen in trace data at the time of this writing. If + Internationalized Domain Name (IDN) or any other technology which + results in larger query names be deployed significantly in advance of + EDNS, then new measurements and new estimates will have to be made. + + 4 - Conclusions + + 4.1. The current practice of giving all nameserver names a common parent + (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS + responses and allows for more nameservers to be enumerated than would + otherwise be possible, since the common parent domain name only appears + once in a DNS message and is referred to via "compression pointers" + thereafter. + + 4.2. If all nameserver names for a zone share a common parent, then it + is operationally advisable to make all servers for the zone thus served + also be authoritative for the zone of that common parent. For example, + the root name servers (?.ROOT-SERVERS.NET) can answer authoritatively + for the ROOT-SERVERS.NET. This is to ensure that the zone's servers + always have the zone's nameservers' glue available when delegating, and + + + + Expires January 2007 [Page 7] + + INTERNET-DRAFT August 2006 RESPSIZE + + + will be able to respond with answers rather than referrals if a + requester who wants that glue comes back asking for it. In this case + the name server will likely be a "stealth server" -- authoritative but + unadvertised in the glue zone's NS RRset. See [RFC1996 2] for more + information about stealth servers. + + 4.3. Thirteen (13) is the effective maximum number of nameserver names + usable traditional (non-extended) DNS, assuming a common parent domain + name, and given that implicit referral response truncation is + undesirable in the average case. + + 4.4. Multi-homing of name servers within a protocol family is + inadvisable since the necessary glue RRsets (A or AAAA) are atomically + indivisible, and will be larger than a single resource record. Larger + RRsets are more likely to lead to or encounter truncation. + + 4.5. Multi-homing of name servers across protocol families is less + likely to lead to or encounter truncation, partly because multiprotocol + clients are more likely to speak EDNS which can use a larger response + size limit, and partly because the resource records (A and AAAA) are in + different RRsets and are therefore divisible from each other. + + 4.6. Name server names which are at or below the zone they serve are + more sensitive to referral response truncation, and glue records for + them should be considered "less optional" than other glue records, in + the assembly of referral responses. + + 4.7. If a zone is served by thirteen (13) name servers having a common + parent name (such as ?.ROOT-SERVERS.NET) and each such name server has a + single address record in some protocol family (e.g., an A RR), then all + thirteen name servers or any subset thereof could multi-home in a second + protocol family by adding a second address record (e.g., an AAAA RR) + without reducing the reachability of the zone thus served. + + 5 - Source Code + + #!/usr/bin/perl + # + # SYNOPSIS + # repsize.pl [ -z zone ] fqdn_ns1 fqdn_ns2 ... + # if all queries are assumed to have a same zone suffix, + # such as "jp" in JP TLD servers, specify it in -z option + # + use strict; + use Getopt::Std; + + + + Expires January 2007 [Page 8] + + INTERNET-DRAFT August 2006 RESPSIZE + + + my ($sz_msg) = (512); + my ($sz_header, $sz_ptr, $sz_rr_a, $sz_rr_aaaa) = (12, 2, 16, 28); + my ($sz_type, $sz_class, $sz_ttl, $sz_rdlen) = (2, 2, 4, 2); + my (%namedb, $name, $nssect, %opts, $optz); + my $n_ns = 0; + + getopt('z', %opts); + if (defined($opts{'z'})) { + server_name_len($opts{'z'}); # just register it + } + + foreach $name (@ARGV) { + my $len; + $n_ns++; + $len = server_name_len($name); + print "$name requires $len bytes\n"; + $nssect += $sz_ptr + $sz_type + $sz_class + $sz_ttl + + $sz_rdlen + $len; + } + print "# of NS: $n_ns\n"; + arsect(255, $nssect, $n_ns, "maximum"); + arsect(64, $nssect, $n_ns, "average"); + + sub server_name_len { + my ($name) = @_; + my (@labels, $len, $n, $suffix); + + $name =~ tr/A-Z/a-z/; + @labels = split(/\./, $name); + $len = length(join('.', @labels)) + 2; + for ($n = 0; $#labels >= 0; $n++, shift @labels) { + $suffix = join('.', @labels); + return length($name) - length($suffix) + $sz_ptr + if (defined($namedb{$suffix})); + $namedb{$suffix} = 1; + } + return $len; + } + + sub arsect { + my ($sz_query, $nssect, $n_ns, $cond) = @_; + my ($space, $n_a, $n_a_aaaa, $n_p_aaaa, $ansect); + $ansect = $sz_query + 1 + $sz_type + $sz_class; + $space = $sz_msg - $sz_header - $ansect - $nssect; + $n_a = atmost(int($space / $sz_rr_a), $n_ns); + + + + Expires January 2007 [Page 9] + + INTERNET-DRAFT August 2006 RESPSIZE + + + $n_a_aaaa = atmost(int($space + / ($sz_rr_a + $sz_rr_aaaa)), $n_ns); + $n_p_aaaa = atmost(int(($space - $sz_rr_a * $n_ns) + / $sz_rr_aaaa), $n_ns); + printf "For %s size query (%d byte):\n", $cond, $sz_query; + printf " only A is considered: "; + printf "# of A is %d (%s)\n", $n_a, &judge($n_a, $n_ns); + printf " A and AAAA are considered: "; + printf "# of A+AAAA is %d (%s)\n", + $n_a_aaaa, &judge($n_a_aaaa, $n_ns); + printf " preferred-glue A is assumed: "; + printf "# of A is %d, # of AAAA is %d (%s)\n", + $n_a, $n_p_aaaa, &judge($n_p_aaaa, $n_ns); + } + + sub judge { + my ($n, $n_ns) = @_; + return "green" if ($n >= $n_ns); + return "yellow" if ($n >= 2); + return "orange" if ($n == 1); + return "red"; + } + + sub atmost { + my ($a, $b) = @_; + return 0 if ($a < 0); + return $b if ($a > $b); + return $a; + } + + 6 - Security Considerations + + The recommendations contained in this document have no known security + implications. + + 7 - IANA Considerations + + This document does not call for changes or additions to any IANA + registry. + + 8 - Acknowledgement + + The authors thank Peter Koch, Rob Austein, Joe Abley, and Mark Andrews + for their valuable comments and suggestions. + + + + + Expires January 2007 [Page 10] + + INTERNET-DRAFT August 2006 RESPSIZE + + + This work was supported by the US National Science Foundation (research + grant SCI-0427144) and DNS-OARC. + + 9 - References + + [RFC1034] Mockapetris, P.V., "Domain names - Concepts and Facilities", + RFC1034, November 1987. + + [RFC1035] Mockapetris, P.V., "Domain names - Implementation and + Specification", RFC1035, November 1987. + + [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - + Application and Support", RFC1123, October 1989. + + [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone + Changes (DNS NOTIFY)", RFC1996, August 1996. + + [RFC2181] Elz, R., Bush, R., "Clarifications to the DNS Specification", + RFC2181, July 1997. + + [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", + RFC2308, March 1998. + + [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC2671, + August 1999. + + [RFC4472] Durand, A., Ihren, J., Savola, P., "Operational Consideration + and Issues with IPV6 DNS", April 2006. + + 10 - Authors' Addresses + + Paul Vixie + Internet Systems Consortium, Inc. + 950 Charter Street + Redwood City, CA 94063 + +1 650 423 1301 + vixie@isc.org + + Akira Kato + University of Tokyo, Information Technology Center + 2-11-16 Yayoi Bunkyo + Tokyo 113-8658, JAPAN + +81 3 5841 2750 + kato@wide.ad.jp + + + + + Expires January 2007 [Page 11] + + INTERNET-DRAFT August 2006 RESPSIZE + + + Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors retain + all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR + IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in this + document or the extent to which any license under such rights might or + might not be available; nor does it represent that it has made any + independent effort to identify any such rights. Information on the + procedures with respect to rights in RFC documents can be found in BCP + 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an attempt + made to obtain a general license or permission for the use of such + proprietary rights by implementers or users of this specification can be + obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary rights + that may cover technology that may be required to implement this + standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + Expires January 2007 [Page 12] + + From b12ab90a1fdfda12711ab43aa21432bcbf67b83c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 8 Aug 2006 23:07:08 +0000 Subject: [PATCH 406/465] draft-ietf-dnsop-respsize-06.txt --- doc/draft/draft-ietf-dnsop-respsize-05.txt | 640 --------------------- 1 file changed, 640 deletions(-) delete mode 100644 doc/draft/draft-ietf-dnsop-respsize-05.txt diff --git a/doc/draft/draft-ietf-dnsop-respsize-05.txt b/doc/draft/draft-ietf-dnsop-respsize-05.txt deleted file mode 100644 index b9615be6f8..0000000000 --- a/doc/draft/draft-ietf-dnsop-respsize-05.txt +++ /dev/null @@ -1,640 +0,0 @@ - - - - - - - DNSOP Working Group Paul Vixie, ISC - INTERNET-DRAFT Akira Kato, WIDE - August 2006 - - DNS Referral Response Size Issues - - Status of this Memo - By submitting this Internet-Draft, each author represents that any - applicable patent or other IPR claims of which he or she is aware - have been or will be disclosed, and any of which he or she becomes - aware will be disclosed, in accordance with Section 6 of BCP 79. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Copyright Notice - - Copyright (C) The Internet Society (2006). All Rights Reserved. - - - - - Abstract - - With a mandated default minimum maximum message size of 512 octets, - the DNS protocol presents some special problems for zones wishing to - expose a moderate or high number of authority servers (NS RRs). This - document explains the operational issues caused by, or related to - this response size limit, and suggests ways to optimize the use of - this limited space. Guidance is offered to DNS server implementors - and to DNS zone operators. - - - - - Expires January 2007 [Page 1] - - INTERNET-DRAFT August 2006 RESPSIZE - - - 1 - Introduction and Overview - - 1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512 - octets. Even though this limitation was due to the required minimum IP - reassembly limit for IPv4, it became a hard DNS protocol limit and is - not implicitly relaxed by changes in transport, for example to IPv6. - - 1.2. The EDNS0 protocol extension (see [RFC2671 2.3, 4.5]) permits - larger responses by mutual agreement of the requester and responder. - The 512 octet message size limit will remain in practical effect until - there is widespread deployment of EDNS0 in DNS resolvers on the - Internet. - - 1.3. Since DNS responses include a copy of the request, the space - available for response data is somewhat less than the full 512 octets. - Negative responses are quite small, but for positive and delegation - responses, every octet must be carefully and sparingly allocated. This - document specifically addresses delegation response sizes. - - 2 - Delegation Details - - 2.1. RELEVANT PROTOCOL ELEMENTS - - 2.1.1. A delegation response will include the following elements: - - Header Section: fixed length (12 octets) - Question Section: original query (name, class, type) - Answer Section: (empty) - Authority Section: NS RRset (nameserver names) - Additional Section: A and AAAA RRsets (nameserver addresses) - - 2.1.2. If the total response size exceeds 512 octets, and if the data - that does not fit was "required", then the TC bit will be set - (indicating truncation). This will usually cause the requester to retry - using TCP, depending on what information was desired and what - information was omitted. For example, truncation in the authority - section is of no interest to a stub resolver who only plans to consume - the answer section. If a retry using TCP is needed, the total cost of - the transaction is much higher. See [RFC1123 6.1.3.2] for details on - the requirement that UDP be attempted before falling back to TCP. - - 2.1.3. RRsets are never sent partially unless TC bit set to indicate - truncation. When TC bit is set, the final apparent RRset in the final - non-empty section must be considered "possibly damaged" (see [RFC1035 - 6.2], [RFC2181 9]). - - - - Expires January 2007 [Page 2] - - INTERNET-DRAFT August 2006 RESPSIZE - - - 2.1.4. With or without truncation, the glue present in the additional - data section should be considered "possibly incomplete", and requesters - should be prepared to re-query for any damaged or missing RRsets. Note - that truncation of the additional data section might not be signalled - via the TC bit since additional data is often optional. - - 2.1.5. DNS label compression allows a domain name to be instantiated - only once per DNS message, and then referenced with a two-octet - "pointer" from other locations in that same DNS message (see [RFC1035 - 4.1.4]). If all nameserver names in a message share a common parent - (for example, all ending in ".ROOT-SERVERS.NET"), then more space will - be available for incompressable data (such as nameserver addresses). - - 2.1.6. The query name can be as long as 255 characters of presentation - data, which can be up to 256 octets of network data. In this worst case - scenario, the question section will be 260 octets in size, which would - leave only 240 octets for the authority and additional sections (after - deducting 12 octets for the fixed length header.) - - 2.2. ADVICE TO ZONE OWNERS - - 2.2.1. Average and maximum question section sizes can be predicted by - the zone owner, since they will know what names actually exist, and can - measure which ones are queried for most often. Note that if the zone - contains any wildcards, it is possible for maximum length queries to - require positive responses, but that it is reasonable to expect - truncation and TCP retry in that case. For cost and performance - reasons, the majority of requests should be satisfied without truncation - or TCP retry. - - 2.2.2. Some queries to non-existing names can be large, but this is not - a problem because negative responses need not contain any answer, - authority or additional records. See [RFC2308 2.1] for more information - about the format of negative responses. - - 2.2.3. The minimum useful number of name servers is two, for redundancy - (see [RFC1034 4.1]). A zone's name servers should be reachable by all - IP transport protocols (e.g., IPv4 and IPv6) in common use. - - 2.2.4. The best case is no truncation at all. This is because many - requesters will retry using TCP by reflex, or will automatically re- - query for RRsets that are possibly truncated, without considering - whether the omitted data was actually necessary. - - - - - - Expires January 2007 [Page 3] - - INTERNET-DRAFT August 2006 RESPSIZE - - - 2.3. ADVICE TO SERVER IMPLEMENTORS - - 2.3.1. In case of multi-homed name servers, it is advantageous to - include an address record from each of several name servers before - including several address records for any one name server. If address - records for more than one transport (for example, A and AAAA) are - available, then it is advantageous to include records of both types - early on, before the message is full. - - 2.3.2. Each added NS RR for a zone will add between 16 and 44 octets to - every non-truncated referral or negative response from the zone's - authority servers (16 octets for an NS RR, 16 octets for an A RR, and 28 - octets for an AAAA RR), in addition to whatever space is taken by the - nameserver name (NS NSDNAME as well as A or AAAA owner name). - - 2.3.3. While DNS distinguishes between necessary and optional resource - records, this distinction is according to protocol elements necessary to - signify facts, and takes no official notice of protocol content - necessary to ensure correct operation. For example, a nameserver name - that is in or below the zone cut being described by a delegation is - "necessary content," since there is no way to reach that zone unless the - parent zone's delegation includes "glue records" describing that name - server's addresses. - - 2.3.4. It is also necessary to distinguish between "explicit truncation" - where a message could not contain enough records to convey its intended - meaning, and so the TC bit has been set, and "silent truncation", where - the message was not large enough to contain some records which were "not - required", and so the TC bit was not set. - - 2.3.5. A delegation response should prioritize glue records as follows. - - first - All glue RRsets for one name server whose name is in or below the - zone being delegated, or which has multiple address RRsets (currently - A and AAAA), or preferably both; - - second - Alternate between adding all glue RRsets for any name servers whose - names are in or below the zone being delegated, and all glue RRsets - for any name servers who have multiple address RRsets (currently A - and AAAA); - - thence - All other glue RRsets, in any order. - - - - Expires January 2007 [Page 4] - - INTERNET-DRAFT August 2006 RESPSIZE - - - Whenever there are multiple candidates for a position in this priority - scheme, one should be chosen on a round-robin or fully random basis. - - The goal of this priority scheme is to offer "necessary" glue first, - avoiding silent truncation for this glue if possible. - - 2.3.6. If any "necessary content" is silently truncated, then it is - advisable that the TC bit be set in order to force a TCP retry, rather - than have the zone be unreachable. Note that a parent server's proper - response to a query for in-child glue or below-child glue is a referral - rather than an answer, and that this referral MUST be able to contain - the in-child or below-child glue, and that in outlying cases, only EDNS - or TCP will be large enough to contain that data. - - 3 - Analysis - - 3.1. An instrumented protocol trace of a best case delegation response - follows. Note that 13 servers are named, and 13 addresses are given. - This query was artificially designed to exactly reach the 512 octet - limit. - - ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13 - ;; QUERY SECTION: - ;; [23456789.123456789.123456789.\ - 123456789.123456789.123456789.com A IN] ;; @80 - - ;; AUTHORITY SECTION: - com. 86400 NS E.GTLD-SERVERS.NET. ;; @112 - com. 86400 NS F.GTLD-SERVERS.NET. ;; @128 - com. 86400 NS G.GTLD-SERVERS.NET. ;; @144 - com. 86400 NS H.GTLD-SERVERS.NET. ;; @160 - com. 86400 NS I.GTLD-SERVERS.NET. ;; @176 - com. 86400 NS J.GTLD-SERVERS.NET. ;; @192 - com. 86400 NS K.GTLD-SERVERS.NET. ;; @208 - com. 86400 NS L.GTLD-SERVERS.NET. ;; @224 - com. 86400 NS M.GTLD-SERVERS.NET. ;; @240 - com. 86400 NS A.GTLD-SERVERS.NET. ;; @256 - com. 86400 NS B.GTLD-SERVERS.NET. ;; @272 - com. 86400 NS C.GTLD-SERVERS.NET. ;; @288 - com. 86400 NS D.GTLD-SERVERS.NET. ;; @304 - - - - - - - - - Expires January 2007 [Page 5] - - INTERNET-DRAFT August 2006 RESPSIZE - - - ;; ADDITIONAL SECTION: - A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320 - B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336 - C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352 - D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368 - E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384 - F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400 - G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416 - H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432 - I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448 - J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464 - K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480 - L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496 - M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512 - - ;; MSG SIZE sent: 80 rcvd: 512 - - 3.2. For longer query names, the number of address records supplied will - be lower. Furthermore, it is only by using a common parent name (which - is GTLD-SERVERS.NET in this example) that all 13 addresses are able to - fit, due to the use of DNS compression pointers in the last 12 - occurances of the parent domain name. The following output from a - response simulator demonstrates these properties. - - % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br - a.dns.br requires 10 bytes - b.dns.br requires 4 bytes - c.dns.br requires 4 bytes - d.dns.br requires 4 bytes - # of NS: 4 - For maximum size query (255 byte): - only A is considered: # of A is 4 (green) - A and AAAA are considered: # of A+AAAA is 3 (yellow) - preferred-glue A is assumed: # of A is 4, # of AAAA is 3 (yellow) - For average size query (64 byte): - only A is considered: # of A is 4 (green) - A and AAAA are considered: # of A+AAAA is 4 (green) - preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green) - - - - - - - - - - - Expires January 2007 [Page 6] - - INTERNET-DRAFT August 2006 RESPSIZE - - - % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int - ns-ext.isc.org requires 16 bytes - ns.psg.com requires 12 bytes - ns.ripe.net requires 13 bytes - ns.eu.int requires 11 bytes - # of NS: 4 - For maximum size query (255 byte): - only A is considered: # of A is 4 (green) - A and AAAA are considered: # of A+AAAA is 3 (yellow) - preferred-glue A is assumed: # of A is 4, # of AAAA is 2 (yellow) - For average size query (64 byte): - only A is considered: # of A is 4 (green) - A and AAAA are considered: # of A+AAAA is 4 (green) - preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green) - - (Note: The response simulator program is shown in Section 5.) - - Here we use the term "green" if all address records could fit, or - "yellow" if two or more could fit, or "orange" if only one could fit, or - "red" if no address record could fit. It's clear that without a common - parent for nameserver names, much space would be lost. For these - examples we use an average/common name size of 15 octets, befitting our - assumption of GTLD-SERVERS.NET as our common parent name. - - We're assuming a medium query name size of 64 since that is the typical - size seen in trace data at the time of this writing. If - Internationalized Domain Name (IDN) or any other technology which - results in larger query names be deployed significantly in advance of - EDNS, then new measurements and new estimates will have to be made. - - 4 - Conclusions - - 4.1. The current practice of giving all nameserver names a common parent - (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS - responses and allows for more nameservers to be enumerated than would - otherwise be possible, since the common parent domain name only appears - once in a DNS message and is referred to via "compression pointers" - thereafter. - - 4.2. If all nameserver names for a zone share a common parent, then it - is operationally advisable to make all servers for the zone thus served - also be authoritative for the zone of that common parent. For example, - the root name servers (?.ROOT-SERVERS.NET) can answer authoritatively - for the ROOT-SERVERS.NET. This is to ensure that the zone's servers - always have the zone's nameservers' glue available when delegating, and - - - - Expires January 2007 [Page 7] - - INTERNET-DRAFT August 2006 RESPSIZE - - - will be able to respond with answers rather than referrals if a - requester who wants that glue comes back asking for it. In this case - the name server will likely be a "stealth server" -- authoritative but - unadvertised in the glue zone's NS RRset. See [RFC1996 2] for more - information about stealth servers. - - 4.3. Thirteen (13) is the effective maximum number of nameserver names - usable traditional (non-extended) DNS, assuming a common parent domain - name, and given that implicit referral response truncation is - undesirable in the average case. - - 4.4. Multi-homing of name servers within a protocol family is - inadvisable since the necessary glue RRsets (A or AAAA) are atomically - indivisible, and will be larger than a single resource record. Larger - RRsets are more likely to lead to or encounter truncation. - - 4.5. Multi-homing of name servers across protocol families is less - likely to lead to or encounter truncation, partly because multiprotocol - clients are more likely to speak EDNS which can use a larger response - size limit, and partly because the resource records (A and AAAA) are in - different RRsets and are therefore divisible from each other. - - 4.6. Name server names which are at or below the zone they serve are - more sensitive to referral response truncation, and glue records for - them should be considered "less optional" than other glue records, in - the assembly of referral responses. - - 4.7. If a zone is served by thirteen (13) name servers having a common - parent name (such as ?.ROOT-SERVERS.NET) and each such name server has a - single address record in some protocol family (e.g., an A RR), then all - thirteen name servers or any subset thereof could multi-home in a second - protocol family by adding a second address record (e.g., an AAAA RR) - without reducing the reachability of the zone thus served. - - 5 - Source Code - - #!/usr/bin/perl - # - # SYNOPSIS - # repsize.pl [ -z zone ] fqdn_ns1 fqdn_ns2 ... - # if all queries are assumed to have a same zone suffix, - # such as "jp" in JP TLD servers, specify it in -z option - # - use strict; - use Getopt::Std; - - - - Expires January 2007 [Page 8] - - INTERNET-DRAFT August 2006 RESPSIZE - - - my ($sz_msg) = (512); - my ($sz_header, $sz_ptr, $sz_rr_a, $sz_rr_aaaa) = (12, 2, 16, 28); - my ($sz_type, $sz_class, $sz_ttl, $sz_rdlen) = (2, 2, 4, 2); - my (%namedb, $name, $nssect, %opts, $optz); - my $n_ns = 0; - - getopt('z', %opts); - if (defined($opts{'z'})) { - server_name_len($opts{'z'}); # just register it - } - - foreach $name (@ARGV) { - my $len; - $n_ns++; - $len = server_name_len($name); - print "$name requires $len bytes\n"; - $nssect += $sz_ptr + $sz_type + $sz_class + $sz_ttl - + $sz_rdlen + $len; - } - print "# of NS: $n_ns\n"; - arsect(255, $nssect, $n_ns, "maximum"); - arsect(64, $nssect, $n_ns, "average"); - - sub server_name_len { - my ($name) = @_; - my (@labels, $len, $n, $suffix); - - $name =~ tr/A-Z/a-z/; - @labels = split(/\./, $name); - $len = length(join('.', @labels)) + 2; - for ($n = 0; $#labels >= 0; $n++, shift @labels) { - $suffix = join('.', @labels); - return length($name) - length($suffix) + $sz_ptr - if (defined($namedb{$suffix})); - $namedb{$suffix} = 1; - } - return $len; - } - - sub arsect { - my ($sz_query, $nssect, $n_ns, $cond) = @_; - my ($space, $n_a, $n_a_aaaa, $n_p_aaaa, $ansect); - $ansect = $sz_query + 1 + $sz_type + $sz_class; - $space = $sz_msg - $sz_header - $ansect - $nssect; - $n_a = atmost(int($space / $sz_rr_a), $n_ns); - - - - Expires January 2007 [Page 9] - - INTERNET-DRAFT August 2006 RESPSIZE - - - $n_a_aaaa = atmost(int($space - / ($sz_rr_a + $sz_rr_aaaa)), $n_ns); - $n_p_aaaa = atmost(int(($space - $sz_rr_a * $n_ns) - / $sz_rr_aaaa), $n_ns); - printf "For %s size query (%d byte):\n", $cond, $sz_query; - printf " only A is considered: "; - printf "# of A is %d (%s)\n", $n_a, &judge($n_a, $n_ns); - printf " A and AAAA are considered: "; - printf "# of A+AAAA is %d (%s)\n", - $n_a_aaaa, &judge($n_a_aaaa, $n_ns); - printf " preferred-glue A is assumed: "; - printf "# of A is %d, # of AAAA is %d (%s)\n", - $n_a, $n_p_aaaa, &judge($n_p_aaaa, $n_ns); - } - - sub judge { - my ($n, $n_ns) = @_; - return "green" if ($n >= $n_ns); - return "yellow" if ($n >= 2); - return "orange" if ($n == 1); - return "red"; - } - - sub atmost { - my ($a, $b) = @_; - return 0 if ($a < 0); - return $b if ($a > $b); - return $a; - } - - 6 - Security Considerations - - The recommendations contained in this document have no known security - implications. - - 7 - IANA Considerations - - This document does not call for changes or additions to any IANA - registry. - - 8 - Acknowledgement - - The authors thank Peter Koch, Rob Austein, and Joe Abley for their - valuable comments and suggestions. - - - - - Expires January 2007 [Page 10] - - INTERNET-DRAFT August 2006 RESPSIZE - - - This work was supported by the US National Science Foundation (research - grant SCI-0427144) and DNS-OARC. - - 9 - References - - [RFC1034] Mockapetris, P.V., "Domain names - Concepts and Facilities", - RFC1034, November 1987. - - [RFC1035] Mockapetris, P.V., "Domain names - Implementation and - Specification", RFC1035, November 1987. - - [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - - Application and Support", RFC1123, October 1989. - - [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone - Changes (DNS NOTIFY)", RFC1996, August 1996. - - [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", - RFC2308, March 1998. - - [RFC2181] Elz, R., Bush, R., "Clarifications to the DNS Specification", - RFC2181, July 1997. - - [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC2671, - August 1999. - - 10 - Authors' Addresses - - Paul Vixie - Internet Systems Consortium, Inc. - 950 Charter Street - Redwood City, CA 94063 - +1 650 423 1301 - vixie@isc.org - - Akira Kato - University of Tokyo, Information Technology Center - 2-11-16 Yayoi Bunkyo - Tokyo 113-8658, JAPAN - +81 3 5841 2750 - kato@wide.ad.jp - - - - - - - - Expires January 2007 [Page 11] - - INTERNET-DRAFT August 2006 RESPSIZE - - - Full Copyright Statement - - Copyright (C) The Internet Society (2006). - - This document is subject to the rights, licenses and restrictions - contained in BCP 78, and except as set forth therein, the authors retain - all their rights. - - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR - IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, - INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE - INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - Intellectual Property - - The IETF takes no position regarding the validity or scope of any - Intellectual Property Rights or other rights that might be claimed to - pertain to the implementation or use of the technology described in this - document or the extent to which any license under such rights might or - might not be available; nor does it represent that it has made any - independent effort to identify any such rights. Information on the - procedures with respect to rights in RFC documents can be found in BCP - 78 and BCP 79. - - Copies of IPR disclosures made to the IETF Secretariat and any - assurances of licenses to be made available, or the result of an attempt - made to obtain a general license or permission for the use of such - proprietary rights by implementers or users of this specification can be - obtained from the IETF on-line IPR repository at - http://www.ietf.org/ipr. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary rights - that may cover technology that may be required to implement this - standard. Please address the information to the IETF at - ietf-ipr@ietf.org. - - Acknowledgement - - Funding for the RFC Editor function is provided by the IETF - Administrative Support Activity (IASA). - - - - - Expires January 2007 [Page 12] - - From 23accee1320f03240bef35b656e3524e472bd9fa Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 8 Aug 2006 23:17:45 +0000 Subject: [PATCH 407/465] auto update --- doc/private/branches | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/private/branches b/doc/private/branches index 223e144cff..46b9bb76e4 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -63,6 +63,8 @@ rt16313 new rt16315 new rt16317 new rt16320 new +rt16324 new +rt16326 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From 99bc35e2c6ea5a4b02fa1ad9ca4a86eff14d3e6e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 9 Aug 2006 22:23:43 +0000 Subject: [PATCH 408/465] 2069. [bug] Cross compiling was not working. [RT #16330] --- CHANGES | 2 ++ configure | 4 ++-- configure.in | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 7e193d4274..adcf224175 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2069. [bug] Cross compiling was not working. [RT #16330] + --- 9.2.7rc1 released --- diff --git a/configure b/configure index d75da9cf86..24c5d33427 100755 --- a/configure +++ b/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.in Revision: 1.294.2.64 . +# From configure.in Revision: 1.294.2.65 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -24274,7 +24274,7 @@ fi rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -if test "cross_compiling" = "yes"; then +if test "$cross_compiling" = "yes"; then if test -z "$BUILD_CC"; then { { echo "$as_me:$LINENO: error: BUILD_CC not set" >&5 echo "$as_me: error: BUILD_CC not set" >&2;} diff --git a/configure.in b/configure.in index e9dbaff449..2ee6935d0d 100644 --- a/configure.in +++ b/configure.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.294.2.64 $) +AC_REVISION($Revision: 1.294.2.65 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.13) @@ -1176,7 +1176,7 @@ char a[16],b[64]; return(inet_ntop(AF_INET6, a, b, sizeof(b)) == (char*)0);}], ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c" ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"]) -if test "cross_compiling" = "yes"; then +if test "$cross_compiling" = "yes"; then if test -z "$BUILD_CC"; then AC_ERROR([BUILD_CC not set]) fi From e560f615b2592deea69c49bfc74acbb56f4fd913 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 9 Aug 2006 22:27:26 +0000 Subject: [PATCH 409/465] 2069. [bug] Cross compiling was not working. [RT #16330] --- CHANGES | 2 ++ configure | 6 +++--- configure.in | 4 ++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 7c9611fb21..92a7d3fc98 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2069. [bug] Cross compiling was not working. [RT #16330] + 2068. [cleanup] Lower incremental tuning message to debug 1. [RT #16319] diff --git a/configure b/configure index 20a88491cd..a1d2d79648 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.398 2006/07/20 05:42:08 marka Exp $ +# $Id: configure,v 1.399 2006/08/09 22:27:26 marka Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.410 . +# From configure.in Revision: 1.411 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -30233,7 +30233,7 @@ fi -if test "cross_compiling" = "yes"; then +if test "$cross_compiling" = "yes"; then if test -z "$BUILD_CC"; then { { echo "$as_me:$LINENO: error: BUILD_CC not set" >&5 echo "$as_me: error: BUILD_CC not set" >&2;} diff --git a/configure.in b/configure.in index 2c7ddea83b..4f445c0dc3 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.410 $) +AC_REVISION($Revision: 1.411 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.59) @@ -2359,7 +2359,7 @@ AC_SUBST(DLZ_DRIVER_SRCS) AC_SUBST(DLZ_DRIVER_OBJS) AC_SUBST_FILE(DLZ_DRIVER_RULES) -if test "cross_compiling" = "yes"; then +if test "$cross_compiling" = "yes"; then if test -z "$BUILD_CC"; then AC_ERROR([BUILD_CC not set]) fi From d4f5efb4d63e2e17081a49a3457f05fe06fbb5ab Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 10 Aug 2006 01:38:15 +0000 Subject: [PATCH 410/465] 2070. [bug] The remote address was not always displayed when reporting dispatch failures. [RT #16315] --- CHANGES | 3 +++ lib/dns/tcpmsg.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 92a7d3fc98..69e45d5746 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2070. [bug] The remote address was not always displayed when + reporting dispatch failures. [RT #16315] + 2069. [bug] Cross compiling was not working. [RT #16330] 2068. [cleanup] Lower incremental tuning message to debug 1. diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c index d02c9d6e60..25e28943b0 100644 --- a/lib/dns/tcpmsg.c +++ b/lib/dns/tcpmsg.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tcpmsg.c,v 1.27 2005/04/29 00:22:52 marka Exp $ */ +/* $Id: tcpmsg.c,v 1.28 2006/08/10 01:38:15 marka Exp $ */ /*! \file */ @@ -54,6 +54,7 @@ recv_length(isc_task_t *task, isc_event_t *ev_in) { INSIST(VALID_TCPMSG(tcpmsg)); dev = &tcpmsg->event; + tcpmsg->address = ev->address; if (ev->result != ISC_R_SUCCESS) { tcpmsg->result = ev->result; @@ -110,6 +111,7 @@ recv_message(isc_task_t *task, isc_event_t *ev_in) { INSIST(VALID_TCPMSG(tcpmsg)); dev = &tcpmsg->event; + tcpmsg->address = ev->address; if (ev->result != ISC_R_SUCCESS) { tcpmsg->result = ev->result; @@ -118,7 +120,6 @@ recv_message(isc_task_t *task, isc_event_t *ev_in) { tcpmsg->result = ISC_R_SUCCESS; isc_buffer_add(&tcpmsg->buffer, ev->n); - tcpmsg->address = ev->address; XDEBUG(("Received %d bytes (of %d)\n", ev->n, tcpmsg->size)); From 1a70dc050c65dbc2cbcf598d88554beb23372efe Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 10 Aug 2006 01:42:33 +0000 Subject: [PATCH 411/465] 2070. [bug] The remote address was not always displayed when reporting dispatch failures. [RT #16315] --- CHANGES | 3 +++ lib/dns/tcpmsg.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index adcf224175..ef536a798d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2070. [bug] The remote address was not always displayed when + reporting dispatch failures. [RT #16315] + 2069. [bug] Cross compiling was not working. [RT #16330] diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c index 4d456bea7e..f196f1449a 100644 --- a/lib/dns/tcpmsg.c +++ b/lib/dns/tcpmsg.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tcpmsg.c,v 1.24.2.1 2004/03/09 06:11:08 marka Exp $ */ +/* $Id: tcpmsg.c,v 1.24.2.2 2006/08/10 01:42:33 marka Exp $ */ #include @@ -52,6 +52,7 @@ recv_length(isc_task_t *task, isc_event_t *ev_in) { INSIST(VALID_TCPMSG(tcpmsg)); dev = &tcpmsg->event; + tcpmsg->address = ev->address; if (ev->result != ISC_R_SUCCESS) { tcpmsg->result = ev->result; @@ -108,6 +109,7 @@ recv_message(isc_task_t *task, isc_event_t *ev_in) { INSIST(VALID_TCPMSG(tcpmsg)); dev = &tcpmsg->event; + tcpmsg->address = ev->address; if (ev->result != ISC_R_SUCCESS) { tcpmsg->result = ev->result; @@ -116,7 +118,6 @@ recv_message(isc_task_t *task, isc_event_t *ev_in) { tcpmsg->result = ISC_R_SUCCESS; isc_buffer_add(&tcpmsg->buffer, ev->n); - tcpmsg->address = ev->address; XDEBUG(("Received %d bytes (of %d)\n", ev->n, tcpmsg->size)); From c0f9b35b7a11a84bc0e7be2cc1ebc615cc51026a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 10 Aug 2006 01:54:44 +0000 Subject: [PATCH 412/465] 2071. [port] Test whether gcc accepts -fno-strict-aliasing. [RT #16324] --- CHANGES | 3 +++ configure.in | 13 ++++++++++++- lib/bind/configure.in | 15 +++++++++++++-- 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index ef536a798d..648f61e06d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2071. [port] Test whether gcc accepts -fno-strict-aliasing. + [RT #16324] + 2070. [bug] The remote address was not always displayed when reporting dispatch failures. [RT #16315] diff --git a/configure.in b/configure.in index 2ee6935d0d..01b4bdfc34 100644 --- a/configure.in +++ b/configure.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.294.2.65 $) +AC_REVISION($Revision: 1.294.2.66 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.13) @@ -718,7 +718,18 @@ MKDEPCFLAGS="-M" IRIX_DNSSEC_WARNINGS_HACK="" if test "X$GCC" = "Xyes"; then + AC_MSG_CHECKING(if "$CC" supports -fno-strict-aliasing) + SAVE_CFLAGS=$CFLAGS + CFLAGS=-fno-strict-aliasing + AC_TRY_COMPILE(,, [FNOSTRICTALIASING=yes],[FNOSTRICTALIASING=no]) + CFLAGS=$SAVE_CFLAGS + if test "$FNOSTRICTALIASING" = "yes"; then + AC_MSG_RESULT(yes) STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing" + else + AC_MSG_RESULT(no) + STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith" + fi case "$host" in *-hp-hpux*) LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS" diff --git a/lib/bind/configure.in b/lib/bind/configure.in index 461f8d8430..105268c58c 100644 --- a/lib/bind/configure.in +++ b/lib/bind/configure.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.83.2.34 $) +AC_REVISION($Revision: 1.83.2.35 $) AC_INIT(resolv/herror.c) AC_PREREQ(2.13) @@ -515,7 +515,18 @@ MKDEPCFLAGS="-M" IRIX_DNSSEC_WARNINGS_HACK="" if test "X$GCC" = "Xyes"; then - STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wpointer-arith -fno-strict-aliasing" + AC_MSG_CHECKING(if "$CC" supports -fno-strict-aliasing) + SAVE_CFLAGS=$CFLAGS + CFLAGS=-fno-strict-aliasing + AC_TRY_COMPILE(,, [FNOSTRICTALIASING=yes],[FNOSTRICTALIASING=no]) + CFLAGS=$SAVE_CFLAGS + if test "$FNOSTRICTALIASING" = "yes"; then + AC_MSG_RESULT(yes) + STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing" + else + AC_MSG_RESULT(no) + STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith" + fi else case $host in *-dec-osf*) From 728156dfbdced7bc18b1f88227cced9d426a70e7 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 10 Aug 2006 01:57:41 +0000 Subject: [PATCH 413/465] 2071. [port] Test whether gcc accepts -fno-strict-aliasing. [RT #16324] --- CHANGES | 3 ++ configure | 118 +++++++++++++++++++++++++++++++----------- configure.in | 13 ++++- lib/bind/configure | 118 +++++++++++++++++++++++++++++++----------- lib/bind/configure.in | 15 +++++- 5 files changed, 204 insertions(+), 63 deletions(-) diff --git a/CHANGES b/CHANGES index 69e45d5746..29dcc82834 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2071. [port] Test whether gcc accepts -fno-strict-aliasing. + [RT #16324] + 2070. [bug] The remote address was not always displayed when reporting dispatch failures. [RT #16315] diff --git a/configure b/configure index a1d2d79648..be9c2a2a2e 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.399 2006/08/09 22:27:26 marka Exp $ +# $Id: configure,v 1.400 2006/08/10 01:57:41 marka Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.411 . +# From configure.in Revision: 1.412 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -7971,7 +7971,65 @@ MKDEPCFLAGS="-M" IRIX_DNSSEC_WARNINGS_HACK="" if test "X$GCC" = "Xyes"; then + echo "$as_me:$LINENO: checking if \"$CC\" supports -fno-strict-aliasing" >&5 +echo $ECHO_N "checking if \"$CC\" supports -fno-strict-aliasing... $ECHO_C" >&6 + SAVE_CFLAGS=$CFLAGS + CFLAGS=-fno-strict-aliasing + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + FNOSTRICTALIASING=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +FNOSTRICTALIASING=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$SAVE_CFLAGS + if test "$FNOSTRICTALIASING" = "yes"; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing" + else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith" + fi case "$host" in *-hp-hpux*) LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS" @@ -8930,7 +8988,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8933 "configure"' > conftest.$ac_ext + echo '#line 8991 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9927,7 +9985,7 @@ fi # Provide some information about the compiler. -echo "$as_me:9930:" \ +echo "$as_me:9988:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -10988,11 +11046,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10991: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11049: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10995: \$? = $ac_status" >&5 + echo "$as_me:11053: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -11231,11 +11289,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11234: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11292: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:11238: \$? = $ac_status" >&5 + echo "$as_me:11296: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -11291,11 +11349,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11294: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11352: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:11298: \$? = $ac_status" >&5 + echo "$as_me:11356: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -13476,7 +13534,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:15832: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15778: \$? = $ac_status" >&5 + echo "$as_me:15836: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -15831,11 +15889,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15834: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15892: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:15838: \$? = $ac_status" >&5 + echo "$as_me:15896: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -17192,7 +17250,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:18188: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:18134: \$? = $ac_status" >&5 + echo "$as_me:18192: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -18187,11 +18245,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:18190: $lt_compile\"" >&5) + (eval echo "\"\$as_me:18248: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:18194: \$? = $ac_status" >&5 + echo "$as_me:18252: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -20226,11 +20284,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20229: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20287: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:20233: \$? = $ac_status" >&5 + echo "$as_me:20291: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -20469,11 +20527,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20472: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20530: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:20476: \$? = $ac_status" >&5 + echo "$as_me:20534: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -20529,11 +20587,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20532: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20590: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:20536: \$? = $ac_status" >&5 + echo "$as_me:20594: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -22714,7 +22772,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5 +echo $ECHO_N "checking if \"$CC\" supports -fno-strict-aliasing... $ECHO_C" >&6 + SAVE_CFLAGS=$CFLAGS + CFLAGS=-fno-strict-aliasing + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + FNOSTRICTALIASING=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +FNOSTRICTALIASING=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$SAVE_CFLAGS + if test "$FNOSTRICTALIASING" = "yes"; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing" + else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith" + fi else case $host in *-dec-osf*) @@ -8068,7 +8126,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8071 "configure"' > conftest.$ac_ext + echo '#line 8129 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9065,7 +9123,7 @@ fi # Provide some information about the compiler. -echo "$as_me:9068:" \ +echo "$as_me:9126:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -10126,11 +10184,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10129: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10187: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10133: \$? = $ac_status" >&5 + echo "$as_me:10191: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10369,11 +10427,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10372: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10430: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10376: \$? = $ac_status" >&5 + echo "$as_me:10434: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10429,11 +10487,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10432: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10490: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10436: \$? = $ac_status" >&5 + echo "$as_me:10494: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12614,7 +12672,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:14970: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:14916: \$? = $ac_status" >&5 + echo "$as_me:14974: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -14969,11 +15027,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14972: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15030: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:14976: \$? = $ac_status" >&5 + echo "$as_me:15034: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -16330,7 +16388,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:17326: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17272: \$? = $ac_status" >&5 + echo "$as_me:17330: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -17325,11 +17383,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17328: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17386: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:17332: \$? = $ac_status" >&5 + echo "$as_me:17390: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -19364,11 +19422,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19367: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19425: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19371: \$? = $ac_status" >&5 + echo "$as_me:19429: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19607,11 +19665,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19610: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19668: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19614: \$? = $ac_status" >&5 + echo "$as_me:19672: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19667,11 +19725,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19670: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19728: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:19674: \$? = $ac_status" >&5 + echo "$as_me:19732: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -21852,7 +21910,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext < Date: Thu, 10 Aug 2006 02:07:10 +0000 Subject: [PATCH 414/465] 2071. [port] Test whether gcc accepts -fno-strict-aliasing. [RT #16324] --- configure | 116 +++++++++++++++++++++++++++++++++----------- lib/bind/configure | 118 +++++++++++++++++++++++++++++++++------------ 2 files changed, 175 insertions(+), 59 deletions(-) diff --git a/configure b/configure index 24c5d33427..65fc1f6cce 100755 --- a/configure +++ b/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.in Revision: 1.294.2.65 . +# From configure.in Revision: 1.294.2.66 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # @@ -7762,7 +7762,65 @@ MKDEPCFLAGS="-M" IRIX_DNSSEC_WARNINGS_HACK="" if test "X$GCC" = "Xyes"; then + echo "$as_me:$LINENO: checking if \"$CC\" supports -fno-strict-aliasing" >&5 +echo $ECHO_N "checking if \"$CC\" supports -fno-strict-aliasing... $ECHO_C" >&6 + SAVE_CFLAGS=$CFLAGS + CFLAGS=-fno-strict-aliasing + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + FNOSTRICTALIASING=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +FNOSTRICTALIASING=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$SAVE_CFLAGS + if test "$FNOSTRICTALIASING" = "yes"; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing" + else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith" + fi case "$host" in *-hp-hpux*) LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS" @@ -8732,7 +8790,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8735 "configure"' > conftest.$ac_ext + echo '#line 8793 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9729,7 +9787,7 @@ fi # Provide some information about the compiler. -echo "$as_me:9732:" \ +echo "$as_me:9790:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -10790,11 +10848,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10793: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10851: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10797: \$? = $ac_status" >&5 + echo "$as_me:10855: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -11033,11 +11091,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11036: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11094: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:11040: \$? = $ac_status" >&5 + echo "$as_me:11098: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -11093,11 +11151,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11096: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11154: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:11100: \$? = $ac_status" >&5 + echo "$as_me:11158: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -13278,7 +13336,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:15634: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15580: \$? = $ac_status" >&5 + echo "$as_me:15638: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -15633,11 +15691,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15636: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15694: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:15640: \$? = $ac_status" >&5 + echo "$as_me:15698: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -16994,7 +17052,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:17990: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17936: \$? = $ac_status" >&5 + echo "$as_me:17994: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -17989,11 +18047,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17992: $lt_compile\"" >&5) + (eval echo "\"\$as_me:18050: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:17996: \$? = $ac_status" >&5 + echo "$as_me:18054: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -20028,11 +20086,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20031: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20089: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:20035: \$? = $ac_status" >&5 + echo "$as_me:20093: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -20271,11 +20329,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20274: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20332: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:20278: \$? = $ac_status" >&5 + echo "$as_me:20336: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -20331,11 +20389,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20334: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20392: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:20338: \$? = $ac_status" >&5 + echo "$as_me:20396: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -22516,7 +22574,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5 +echo $ECHO_N "checking if \"$CC\" supports -fno-strict-aliasing... $ECHO_C" >&6 + SAVE_CFLAGS=$CFLAGS + CFLAGS=-fno-strict-aliasing + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + FNOSTRICTALIASING=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +FNOSTRICTALIASING=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$SAVE_CFLAGS + if test "$FNOSTRICTALIASING" = "yes"; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing" + else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith" + fi else case $host in *-dec-osf*) @@ -8068,7 +8126,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8071 "configure"' > conftest.$ac_ext + echo '#line 8129 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9065,7 +9123,7 @@ fi # Provide some information about the compiler. -echo "$as_me:9068:" \ +echo "$as_me:9126:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -10126,11 +10184,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10129: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10187: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10133: \$? = $ac_status" >&5 + echo "$as_me:10191: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10369,11 +10427,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10372: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10430: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10376: \$? = $ac_status" >&5 + echo "$as_me:10434: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10429,11 +10487,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10432: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10490: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10436: \$? = $ac_status" >&5 + echo "$as_me:10494: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12614,7 +12672,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:14970: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:14916: \$? = $ac_status" >&5 + echo "$as_me:14974: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -14969,11 +15027,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14972: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15030: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:14976: \$? = $ac_status" >&5 + echo "$as_me:15034: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -16330,7 +16388,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:17326: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17272: \$? = $ac_status" >&5 + echo "$as_me:17330: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -17325,11 +17383,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17328: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17386: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:17332: \$? = $ac_status" >&5 + echo "$as_me:17390: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -19364,11 +19422,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19367: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19425: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19371: \$? = $ac_status" >&5 + echo "$as_me:19429: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19607,11 +19665,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19610: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19668: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19614: \$? = $ac_status" >&5 + echo "$as_me:19672: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19667,11 +19725,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19670: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19728: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:19674: \$? = $ac_status" >&5 + echo "$as_me:19732: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -21852,7 +21910,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext < Date: Thu, 10 Aug 2006 02:27:47 +0000 Subject: [PATCH 415/465] more release marker --- CHANGES | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 648f61e06d..69616368e2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ + + --- 9.2.7rc1 released --- + 2071. [port] Test whether gcc accepts -fno-strict-aliasing. [RT #16324] @@ -6,9 +9,6 @@ 2069. [bug] Cross compiling was not working. [RT #16330] - - --- 9.2.7rc1 released --- - 2067. [bug] 'rndc' could close the socket too early triggering a INSIST under Windows. [RT #16317] From b77445ceb14f22790b0e1646df1496accbff7e71 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 10 Aug 2006 23:30:04 +0000 Subject: [PATCH 416/465] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 8ccf5ec4ed..0c2ed04fed 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1791,7 +1791,7 @@ ./lib/dns/soa.c C 2000,2001,2004 ./lib/dns/ssu.c C 2000,2001,2004 ./lib/dns/stats.c C 2000,2001,2004 -./lib/dns/tcpmsg.c C 1999,2000,2001,2004 +./lib/dns/tcpmsg.c C 1999,2000,2001,2004,2006 ./lib/dns/time.c C 1998,1999,2000,2001,2003,2004 ./lib/dns/timer.c C 2000,2001,2004 ./lib/dns/tkey.c C 1999,2000,2001,2004,2005,2006 From 57afda49b8639864dbb9875e1c23cb4c27dee8a4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 10 Aug 2006 23:30:25 +0000 Subject: [PATCH 417/465] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 8f910be421..a8adb165ed 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1967,7 +1967,7 @@ ./lib/dns/soa.c C 2000,2001,2004,2005 ./lib/dns/ssu.c C 2000,2001,2003,2004,2005,2006 ./lib/dns/stats.c C 2000,2001,2004,2005 -./lib/dns/tcpmsg.c C 1999,2000,2001,2004,2005 +./lib/dns/tcpmsg.c C 1999,2000,2001,2004,2005,2006 ./lib/dns/time.c C 1998,1999,2000,2001,2002,2003,2004,2005 ./lib/dns/timer.c C 2000,2001,2004,2005 ./lib/dns/tkey.c C 1999,2000,2001,2003,2004,2005 From dd15ea6c54ccffe13591ab2f5aeaebc90a499d73 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 10 Aug 2006 23:59:27 +0000 Subject: [PATCH 418/465] update copyright notice --- lib/dns/tcpmsg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c index f196f1449a..910097bbf0 100644 --- a/lib/dns/tcpmsg.c +++ b/lib/dns/tcpmsg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tcpmsg.c,v 1.24.2.2 2006/08/10 01:42:33 marka Exp $ */ +/* $Id: tcpmsg.c,v 1.24.2.3 2006/08/10 23:59:27 marka Exp $ */ #include From 9464f58356be6bc5b49846c99d7ca6413fc86416 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 10 Aug 2006 23:59:30 +0000 Subject: [PATCH 419/465] update copyright notice --- lib/dns/tcpmsg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c index 25e28943b0..66ab67a0f2 100644 --- a/lib/dns/tcpmsg.c +++ b/lib/dns/tcpmsg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tcpmsg.c,v 1.28 2006/08/10 01:38:15 marka Exp $ */ +/* $Id: tcpmsg.c,v 1.29 2006/08/10 23:59:30 marka Exp $ */ /*! \file */ From 02ced31b6aa999099214d2688b1a80ac5d93c57b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 16 Aug 2006 03:15:09 +0000 Subject: [PATCH 420/465] 2072. [bug] We were not generating valid HMAC SHA digests. [RT #16320] --- CHANGES | 3 + bin/tests/hash_test.c | 196 ++++++++++++++++++++++++++++++++-- lib/isc/hmacsha.c | 54 +++++----- lib/isc/include/isc/hmacsha.h | 12 +-- lib/isc/include/isc/sha1.h | 5 +- lib/isc/include/isc/sha2.h | 3 +- lib/isc/sha2.c | 4 +- 7 files changed, 229 insertions(+), 48 deletions(-) diff --git a/CHANGES b/CHANGES index 29dcc82834..371c451a78 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2072. [bug] We were not generating valid HMAC SHA digests. + [RT #16320] + 2071. [port] Test whether gcc accepts -fno-strict-aliasing. [RT #16324] diff --git a/bin/tests/hash_test.c b/bin/tests/hash_test.c index 54ff363afb..84ee3400fd 100644 --- a/bin/tests/hash_test.c +++ b/bin/tests/hash_test.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hash_test.c,v 1.15 2005/04/27 04:56:08 sra Exp $ */ +/* $Id: hash_test.c,v 1.16 2006/08/16 03:15:09 marka Exp $ */ /*! \file */ #include @@ -24,18 +24,19 @@ #include #include +#include #include #include #include #include static void -print_digest(unsigned char *s, const char *hash, unsigned char *d, +print_digest(const char *s, const char *hash, unsigned char *d, unsigned int words) { unsigned int i, j; - printf("hash (%s) %s:\n\t", hash, (char *)s); + printf("hash (%s) %s:\n\t", hash, s); for (i = 0; i < words; i++) { printf(" "); for (j = 0; j < 4; j++) @@ -47,9 +48,15 @@ print_digest(unsigned char *s, const char *hash, unsigned char *d, int main(int argc, char **argv) { isc_sha1_t sha1; + isc_sha224_t sha224; isc_md5_t md5; isc_hmacmd5_t hmacmd5; - unsigned char digest[20]; + isc_hmacsha1_t hmacsha1; + isc_hmacsha224_t hmacsha224; + isc_hmacsha256_t hmacsha256; + isc_hmacsha384_t hmacsha384; + isc_hmacsha512_t hmacsha512; + unsigned char digest[ISC_SHA512_DIGESTLENGTH]; unsigned char buffer[1024]; const char *s; unsigned char key[20]; @@ -62,21 +69,35 @@ main(int argc, char **argv) { memcpy(buffer, s, strlen(s)); isc_sha1_update(&sha1, buffer, strlen(s)); isc_sha1_final(&sha1, digest); - print_digest(buffer, "sha1", digest, 5); + print_digest(s, "sha1", digest, ISC_SHA1_DIGESTLENGTH/4); s = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; isc_sha1_init(&sha1); memcpy(buffer, s, strlen(s)); isc_sha1_update(&sha1, buffer, strlen(s)); isc_sha1_final(&sha1, digest); - print_digest(buffer, "sha1", digest, 5); + print_digest(s, "sha1", digest, ISC_SHA1_DIGESTLENGTH/4); + + s = "abc"; + isc_sha224_init(&sha224); + memcpy(buffer, s, strlen(s)); + isc_sha224_update(&sha224, buffer, strlen(s)); + isc_sha224_final(digest, &sha224); + print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4); + + s = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; + isc_sha224_init(&sha224); + memcpy(buffer, s, strlen(s)); + isc_sha224_update(&sha224, buffer, strlen(s)); + isc_sha224_final(digest, &sha224); + print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4); s = "abc"; isc_md5_init(&md5); memcpy(buffer, s, strlen(s)); isc_md5_update(&md5, buffer, strlen(s)); isc_md5_final(&md5, digest); - print_digest(buffer, "md5", digest, 4); + print_digest(s, "md5", digest, 4); /* * The 3 HMAC-MD5 examples from RFC2104 @@ -87,7 +108,7 @@ main(int argc, char **argv) { memcpy(buffer, s, strlen(s)); isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); isc_hmacmd5_sign(&hmacmd5, digest); - print_digest(buffer, "hmacmd5", digest, 4); + print_digest(s, "hmacmd5", digest, 4); s = "what do ya want for nothing?"; strcpy((char *)key, "Jefe"); @@ -95,7 +116,7 @@ main(int argc, char **argv) { memcpy(buffer, s, strlen(s)); isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); isc_hmacmd5_sign(&hmacmd5, digest); - print_digest(buffer, "hmacmd5", digest, 4); + print_digest(s, "hmacmd5", digest, 4); s = "\335\335\335\335\335\335\335\335\335\335" "\335\335\335\335\335\335\335\335\335\335" @@ -107,7 +128,162 @@ main(int argc, char **argv) { memcpy(buffer, s, strlen(s)); isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); isc_hmacmd5_sign(&hmacmd5, digest); - print_digest(buffer, "hmacmd5", digest, 4); + print_digest(s, "hmacmd5", digest, 4); + + /* + * The 3 HMAC-SHA1 examples from RFC4634. + */ + s = "Hi There"; + memset(key, 0x0b, 20); + isc_hmacsha1_init(&hmacsha1, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha1_update(&hmacsha1, buffer, strlen(s)); + isc_hmacsha1_sign(&hmacsha1, digest, ISC_SHA1_DIGESTLENGTH); + print_digest(s, "hmacsha1", digest, ISC_SHA1_DIGESTLENGTH/4); + + s = "what do ya want for nothing?"; + strcpy((char *)key, "Jefe"); + isc_hmacsha1_init(&hmacsha1, key, 4); + memcpy(buffer, s, strlen(s)); + isc_hmacsha1_update(&hmacsha1, buffer, strlen(s)); + isc_hmacsha1_sign(&hmacsha1, digest, ISC_SHA1_DIGESTLENGTH); + print_digest(s, "hmacsha1", digest, ISC_SHA1_DIGESTLENGTH/4); + + s = "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335"; + memset(key, 0xaa, 20); + isc_hmacsha1_init(&hmacsha1, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha1_update(&hmacsha1, buffer, strlen(s)); + isc_hmacsha1_sign(&hmacsha1, digest, ISC_SHA1_DIGESTLENGTH); + print_digest(s, "hmacsha1", digest, ISC_SHA1_DIGESTLENGTH/4); + + /* + * The 3 HMAC-SHA224 examples from RFC4634. + */ + s = "Hi There"; + memset(key, 0x0b, 20); + isc_hmacsha224_init(&hmacsha224, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha224_update(&hmacsha224, buffer, strlen(s)); + isc_hmacsha224_sign(&hmacsha224, digest, ISC_SHA224_DIGESTLENGTH); + print_digest(s, "hmacsha224", digest, ISC_SHA224_DIGESTLENGTH/4); + + s = "what do ya want for nothing?"; + strcpy((char *)key, "Jefe"); + isc_hmacsha224_init(&hmacsha224, key, 4); + memcpy(buffer, s, strlen(s)); + isc_hmacsha224_update(&hmacsha224, buffer, strlen(s)); + isc_hmacsha224_sign(&hmacsha224, digest, ISC_SHA224_DIGESTLENGTH); + print_digest(s, "hmacsha224", digest, ISC_SHA224_DIGESTLENGTH/4); + + s = "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335"; + memset(key, 0xaa, 20); + isc_hmacsha224_init(&hmacsha224, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha224_update(&hmacsha224, buffer, strlen(s)); + isc_hmacsha224_sign(&hmacsha224, digest, ISC_SHA224_DIGESTLENGTH); + print_digest(s, "hmacsha224", digest, ISC_SHA224_DIGESTLENGTH/4); + + /* + * The 3 HMAC-SHA256 examples from RFC4634. + */ + s = "Hi There"; + memset(key, 0x0b, 20); + isc_hmacsha256_init(&hmacsha256, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha256_update(&hmacsha256, buffer, strlen(s)); + isc_hmacsha256_sign(&hmacsha256, digest, ISC_SHA256_DIGESTLENGTH); + print_digest(s, "hmacsha256", digest, ISC_SHA256_DIGESTLENGTH/4); + + s = "what do ya want for nothing?"; + strcpy((char *)key, "Jefe"); + isc_hmacsha256_init(&hmacsha256, key, 4); + memcpy(buffer, s, strlen(s)); + isc_hmacsha256_update(&hmacsha256, buffer, strlen(s)); + isc_hmacsha256_sign(&hmacsha256, digest, ISC_SHA256_DIGESTLENGTH); + print_digest(s, "hmacsha256", digest, ISC_SHA256_DIGESTLENGTH/4); + + s = "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335"; + memset(key, 0xaa, 20); + isc_hmacsha256_init(&hmacsha256, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha256_update(&hmacsha256, buffer, strlen(s)); + isc_hmacsha256_sign(&hmacsha256, digest, ISC_SHA256_DIGESTLENGTH); + print_digest(s, "hmacsha256", digest, ISC_SHA256_DIGESTLENGTH/4); + + /* + * The 3 HMAC-SHA384 examples from RFC4634. + */ + s = "Hi There"; + memset(key, 0x0b, 20); + isc_hmacsha384_init(&hmacsha384, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha384_update(&hmacsha384, buffer, strlen(s)); + isc_hmacsha384_sign(&hmacsha384, digest, ISC_SHA384_DIGESTLENGTH); + print_digest(s, "hmacsha384", digest, ISC_SHA384_DIGESTLENGTH/4); + + s = "what do ya want for nothing?"; + strcpy((char *)key, "Jefe"); + isc_hmacsha384_init(&hmacsha384, key, 4); + memcpy(buffer, s, strlen(s)); + isc_hmacsha384_update(&hmacsha384, buffer, strlen(s)); + isc_hmacsha384_sign(&hmacsha384, digest, ISC_SHA384_DIGESTLENGTH); + print_digest(s, "hmacsha384", digest, ISC_SHA384_DIGESTLENGTH/4); + + s = "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335"; + memset(key, 0xaa, 20); + isc_hmacsha384_init(&hmacsha384, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha384_update(&hmacsha384, buffer, strlen(s)); + isc_hmacsha384_sign(&hmacsha384, digest, ISC_SHA384_DIGESTLENGTH); + print_digest(s, "hmacsha384", digest, ISC_SHA384_DIGESTLENGTH/4); + + /* + * The 3 HMAC-SHA512 examples from RFC4634. + */ + s = "Hi There"; + memset(key, 0x0b, 20); + isc_hmacsha512_init(&hmacsha512, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha512_update(&hmacsha512, buffer, strlen(s)); + isc_hmacsha512_sign(&hmacsha512, digest, ISC_SHA512_DIGESTLENGTH); + print_digest(s, "hmacsha512", digest, ISC_SHA512_DIGESTLENGTH/4); + + s = "what do ya want for nothing?"; + strcpy((char *)key, "Jefe"); + isc_hmacsha512_init(&hmacsha512, key, 4); + memcpy(buffer, s, strlen(s)); + isc_hmacsha512_update(&hmacsha512, buffer, strlen(s)); + isc_hmacsha512_sign(&hmacsha512, digest, ISC_SHA512_DIGESTLENGTH); + print_digest(s, "hmacsha512", digest, ISC_SHA512_DIGESTLENGTH/4); + + s = "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335" + "\335\335\335\335\335\335\335\335\335\335"; + memset(key, 0xaa, 20); + isc_hmacsha512_init(&hmacsha512, key, 20); + memcpy(buffer, s, strlen(s)); + isc_hmacsha512_update(&hmacsha512, buffer, strlen(s)); + isc_hmacsha512_sign(&hmacsha512, digest, ISC_SHA512_DIGESTLENGTH); + print_digest(s, "hmacsha512", digest, ISC_SHA512_DIGESTLENGTH/4); return (0); } diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c index 1dd2a11a00..ac4c0d663f 100644 --- a/lib/isc/hmacsha.c +++ b/lib/isc/hmacsha.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hmacsha.c,v 1.4 2006/01/31 00:35:21 marka Exp $ */ +/* $Id: hmacsha.c,v 1.5 2006/08/16 03:15:09 marka Exp $ */ /* * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 @@ -42,7 +42,7 @@ void isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, unsigned int len) { - unsigned char ipad[ISC_SHA1_DIGESTLENGTH]; + unsigned char ipad[ISC_SHA1_BLOCK_LENGTH]; unsigned int i; memset(ctx->key, 0, sizeof(ctx->key)); @@ -56,7 +56,7 @@ isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, isc_sha1_init(&ctx->sha1ctx); memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA1_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) ipad[i] ^= ctx->key[i]; isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad)); } @@ -84,7 +84,7 @@ isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, */ void isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA1_DIGESTLENGTH]; + unsigned char opad[ISC_SHA1_BLOCK_LENGTH]; unsigned char newdigest[ISC_SHA1_DIGESTLENGTH]; unsigned int i; @@ -92,7 +92,7 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { isc_sha1_final(&ctx->sha1ctx, newdigest); memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA1_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) opad[i] ^= ctx->key[i]; isc_sha1_init(&ctx->sha1ctx); @@ -101,7 +101,7 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { isc_sha1_final(&ctx->sha1ctx, newdigest); isc_hmacsha1_invalidate(ctx); memcpy(digest, newdigest, len); - memset(newdigest, 0, len); + memset(newdigest, 0, sizeof(newdigest)); } /* @@ -112,7 +112,7 @@ isc_boolean_t isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { unsigned char newdigest[ISC_SHA1_DIGESTLENGTH]; - REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); + REQUIRE(len <= ISC_SHA1_BLOCK_LENGTH); isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH); return (ISC_TF(memcmp(digest, newdigest, len) == 0)); } @@ -124,7 +124,7 @@ void isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, unsigned int len) { - unsigned char ipad[ISC_SHA224_DIGESTLENGTH]; + unsigned char ipad[ISC_SHA224_BLOCK_LENGTH]; unsigned int i; memset(ctx->key, 0, sizeof(ctx->key)); @@ -138,7 +138,7 @@ isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, isc_sha224_init(&ctx->sha224ctx); memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) ipad[i] ^= ctx->key[i]; isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad)); } @@ -165,7 +165,7 @@ isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, */ void isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA224_DIGESTLENGTH]; + unsigned char opad[ISC_SHA224_BLOCK_LENGTH]; unsigned char newdigest[ISC_SHA224_DIGESTLENGTH]; unsigned int i; @@ -173,7 +173,7 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { isc_sha224_final(newdigest, &ctx->sha224ctx); memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) opad[i] ^= ctx->key[i]; isc_sha224_init(&ctx->sha224ctx); @@ -181,7 +181,7 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH); isc_sha224_final(newdigest, &ctx->sha224ctx); memcpy(digest, newdigest, len); - memset(newdigest, 0, len); + memset(newdigest, 0, sizeof(newdigest)); } /* @@ -204,7 +204,7 @@ void isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, unsigned int len) { - unsigned char ipad[ISC_SHA256_DIGESTLENGTH]; + unsigned char ipad[ISC_SHA256_BLOCK_LENGTH]; unsigned int i; memset(ctx->key, 0, sizeof(ctx->key)); @@ -218,7 +218,7 @@ isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, isc_sha256_init(&ctx->sha256ctx); memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) ipad[i] ^= ctx->key[i]; isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad)); } @@ -245,7 +245,7 @@ isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, */ void isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA256_DIGESTLENGTH]; + unsigned char opad[ISC_SHA256_BLOCK_LENGTH]; unsigned char newdigest[ISC_SHA256_DIGESTLENGTH]; unsigned int i; @@ -253,7 +253,7 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { isc_sha256_final(newdigest, &ctx->sha256ctx); memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) opad[i] ^= ctx->key[i]; isc_sha256_init(&ctx->sha256ctx); @@ -261,7 +261,7 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH); isc_sha256_final(newdigest, &ctx->sha256ctx); memcpy(digest, newdigest, len); - memset(newdigest, 0, len); + memset(newdigest, 0, sizeof(newdigest)); } /* @@ -284,7 +284,7 @@ void isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, unsigned int len) { - unsigned char ipad[ISC_SHA384_DIGESTLENGTH]; + unsigned char ipad[ISC_SHA384_BLOCK_LENGTH]; unsigned int i; memset(ctx->key, 0, sizeof(ctx->key)); @@ -298,7 +298,7 @@ isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, isc_sha384_init(&ctx->sha384ctx); memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA384_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) ipad[i] ^= ctx->key[i]; isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad)); } @@ -325,7 +325,7 @@ isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, */ void isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA384_DIGESTLENGTH]; + unsigned char opad[ISC_SHA384_BLOCK_LENGTH]; unsigned char newdigest[ISC_SHA384_DIGESTLENGTH]; unsigned int i; @@ -333,7 +333,7 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { isc_sha384_final(newdigest, &ctx->sha384ctx); memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA384_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) opad[i] ^= ctx->key[i]; isc_sha384_init(&ctx->sha384ctx); @@ -341,7 +341,7 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH); isc_sha384_final(newdigest, &ctx->sha384ctx); memcpy(digest, newdigest, len); - memset(newdigest, 0, len); + memset(newdigest, 0, sizeof(newdigest)); } /* @@ -364,7 +364,7 @@ void isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, unsigned int len) { - unsigned char ipad[ISC_SHA512_DIGESTLENGTH]; + unsigned char ipad[ISC_SHA512_BLOCK_LENGTH]; unsigned int i; memset(ctx->key, 0, sizeof(ctx->key)); @@ -378,7 +378,7 @@ isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, isc_sha512_init(&ctx->sha512ctx); memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) ipad[i] ^= ctx->key[i]; isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad)); } @@ -405,7 +405,7 @@ isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, */ void isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA512_DIGESTLENGTH]; + unsigned char opad[ISC_SHA512_BLOCK_LENGTH]; unsigned char newdigest[ISC_SHA512_DIGESTLENGTH]; unsigned int i; @@ -413,7 +413,7 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { isc_sha512_final(newdigest, &ctx->sha512ctx); memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) + for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) opad[i] ^= ctx->key[i]; isc_sha512_init(&ctx->sha512ctx); @@ -421,7 +421,7 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH); isc_sha512_final(newdigest, &ctx->sha512ctx); memcpy(digest, newdigest, len); - memset(newdigest, 0, len); + memset(newdigest, 0, sizeof(newdigest)); } /* diff --git a/lib/isc/include/isc/hmacsha.h b/lib/isc/include/isc/hmacsha.h index 2ff0d7b1ee..1261cf2777 100644 --- a/lib/isc/include/isc/hmacsha.h +++ b/lib/isc/include/isc/hmacsha.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hmacsha.h,v 1.3 2006/01/27 23:57:46 marka Exp $ */ +/* $Id: hmacsha.h,v 1.4 2006/08/16 03:15:09 marka Exp $ */ /* * This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, @@ -29,11 +29,11 @@ #include #include -#define ISC_HMACSHA1_KEYLENGTH ISC_SHA1_DIGESTLENGTH -#define ISC_HMACSHA224_KEYLENGTH ISC_SHA224_DIGESTLENGTH -#define ISC_HMACSHA256_KEYLENGTH ISC_SHA256_DIGESTLENGTH -#define ISC_HMACSHA384_KEYLENGTH ISC_SHA384_DIGESTLENGTH -#define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_DIGESTLENGTH +#define ISC_HMACSHA1_KEYLENGTH ISC_SHA1_BLOCK_LENGTH +#define ISC_HMACSHA224_KEYLENGTH ISC_SHA224_BLOCK_LENGTH +#define ISC_HMACSHA256_KEYLENGTH ISC_SHA256_BLOCK_LENGTH +#define ISC_HMACSHA384_KEYLENGTH ISC_SHA384_BLOCK_LENGTH +#define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH typedef struct { isc_sha1_t sha1ctx; diff --git a/lib/isc/include/isc/sha1.h b/lib/isc/include/isc/sha1.h index fe52637d4e..21e8e321c8 100644 --- a/lib/isc/include/isc/sha1.h +++ b/lib/isc/include/isc/sha1.h @@ -18,7 +18,7 @@ #ifndef ISC_SHA1_H #define ISC_SHA1_H 1 -/* $Id: sha1.h,v 1.13 2006/02/01 00:10:35 marka Exp $ */ +/* $Id: sha1.h,v 1.14 2006/08/16 03:15:09 marka Exp $ */ /* $NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $ */ @@ -32,11 +32,12 @@ #include #define ISC_SHA1_DIGESTLENGTH 20U +#define ISC_SHA1_BLOCK_LENGTH 64U typedef struct { isc_uint32_t state[5]; isc_uint32_t count[2]; - unsigned char buffer[64]; + unsigned char buffer[ISC_SHA1_BLOCK_LENGTH]; } isc_sha1_t; ISC_LANG_BEGINDECLS diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h index 511d75ce01..4d5d07b22c 100644 --- a/lib/isc/include/isc/sha2.h +++ b/lib/isc/include/isc/sha2.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sha2.h,v 1.6 2006/02/24 00:03:15 marka Exp $ */ +/* $Id: sha2.h,v 1.7 2006/08/16 03:15:09 marka Exp $ */ /* $FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $ */ /* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */ @@ -62,6 +62,7 @@ /*** SHA-224/256/384/512 Various Length Definitions ***********************/ +#define ISC_SHA224_BLOCK_LENGTH 64U #define ISC_SHA224_DIGESTLENGTH 28U #define ISC_SHA224_DIGESTSTRINGLENGTH (ISC_SHA224_DIGESTLENGTH * 2 + 1) #define ISC_SHA256_BLOCK_LENGTH 64U diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c index 67fe3d0b09..8bd325a072 100644 --- a/lib/isc/sha2.c +++ b/lib/isc/sha2.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sha2.c,v 1.9 2006/03/10 03:49:57 marka Exp $ */ +/* $Id: sha2.c,v 1.10 2006/08/16 03:15:09 marka Exp $ */ /* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $ */ /* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */ @@ -420,7 +420,7 @@ isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { } void -isc_sha224_final(isc_uint8_t digest[], isc_sha256_t *context) { +isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { isc_uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH]; isc_sha256_final(sha256_digest, (isc_sha256_t *)context); memcpy(digest, sha256_digest, ISC_SHA224_DIGESTLENGTH); From 68baa2d193672c482b7ea07ece349e7b1ceb96e6 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 16 Aug 2006 23:30:24 +0000 Subject: [PATCH 421/465] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index a8adb165ed..d1c93d39d0 100644 --- a/util/copyrights +++ b/util/copyrights @@ -274,7 +274,7 @@ ./bin/tests/genrandom.c C 2000,2001,2002,2003,2004,2005 ./bin/tests/gxba_test.c C 2000,2001,2004,2005 ./bin/tests/gxbn_test.c C 2000,2001,2004,2005 -./bin/tests/hash_test.c C 2000,2001,2004,2005 +./bin/tests/hash_test.c C 2000,2001,2004,2005,2006 ./bin/tests/headerdep_test.sh.in SH 2000,2001,2004 ./bin/tests/inter_test.c C 2000,2001,2003,2004,2005 ./bin/tests/journalprint.c C 2000,2001,2004,2005 From 458bcfaee06e8fb08b65f1e2890f6e42ceb80eb3 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 16 Aug 2006 23:54:35 +0000 Subject: [PATCH 422/465] update copyright notice --- bin/tests/hash_test.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/tests/hash_test.c b/bin/tests/hash_test.c index 84ee3400fd..36dc31456b 100644 --- a/bin/tests/hash_test.c +++ b/bin/tests/hash_test.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hash_test.c,v 1.16 2006/08/16 03:15:09 marka Exp $ */ +/* $Id: hash_test.c,v 1.17 2006/08/16 23:54:35 marka Exp $ */ /*! \file */ #include From 6997817dd0ce76d0eb98d191b20d2781159faaf3 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 17 Aug 2006 07:07:39 +0000 Subject: [PATCH 423/465] v9_3_2_patch and v9_2_6_patch branches --- doc/private/delete-list | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/private/delete-list b/doc/private/delete-list index e472179e6c..6b2d511615 100644 --- a/doc/private/delete-list +++ b/doc/private/delete-list @@ -1,3 +1,5 @@ peter custom_WFB_v9_3_1 custom_WFB_v9_3_2 +v9_3_2_patch +v9_2_6_patch From 6cc48f8567e7011a8ad8d9dd5c03b472c7c303eb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 17 Aug 2006 23:18:09 +0000 Subject: [PATCH 424/465] auto update --- doc/private/branches | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/private/branches b/doc/private/branches index 46b9bb76e4..90c01ceda2 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -80,8 +80,10 @@ v9_2_0_patch active // security fixes 9.2.0 only v9_2_2_delegation_only active // 9.2.2-P1, 9.2.2-P2, 9.2.2-P3 v9_2_2base active // security fixes 9.2.2 only v9_2_4base active // security fixes 9.2.4 only +v9_2_6_patch new v9_3 active v9_3_0base active // security fixes 9.3.0 only +v9_3_2_patch new v9_4 active From 18a2850e98d051876d32fe03513c32f5963333b8 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 19 Aug 2006 23:16:54 +0000 Subject: [PATCH 425/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 90c01ceda2..88b61835d3 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -65,6 +65,7 @@ rt16317 new rt16320 new rt16324 new rt16326 new +rt16341 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From 71faae1e6f24ade50b3b3df6f7b363b3630c8366 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sun, 20 Aug 2006 23:17:03 +0000 Subject: [PATCH 426/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 88b61835d3..b1cf86809e 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -66,6 +66,7 @@ rt16320 new rt16324 new rt16326 new rt16341 new +rt16354 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From cdb674387ca19dc8550553d90d8f9731befb6f1f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 21 Aug 2006 00:11:43 +0000 Subject: [PATCH 427/465] 2073. [bug] Incorrect semantics check for update policy "wildcard". [RT #16353] --- CHANGES | 3 +++ lib/bind9/check.c | 16 ++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 371c451a78..c408c221a2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2073. [bug] Incorrect semantics check for update policy "wildcard". + [RT #16353] + 2072. [bug] We were not generating valid HMAC SHA digests. [RT #16320] diff --git a/lib/bind9/check.c b/lib/bind9/check.c index b052a50ab5..653eeb0cfd 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.75 2006/06/04 23:17:06 marka Exp $ */ +/* $Id: check.c,v 1.76 2006/08/21 00:11:43 marka Exp $ */ /*! \file */ @@ -816,13 +816,6 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) { "'%s' is not a valid name", str); result = tresult; } - if (tresult == ISC_R_SUCCESS && - strcasecmp(cfg_obj_asstring(matchtype), "wildcard") == 0 && - !dns_name_iswildcard(dns_fixedname_name(&fixed))) { - cfg_obj_log(identity, logctx, ISC_LOG_ERROR, - "'%s' is not a wildcard", str); - result = ISC_R_FAILURE; - } dns_fixedname_init(&fixed); str = cfg_obj_asstring(dname); @@ -835,6 +828,13 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) { "'%s' is not a valid name", str); result = tresult; } + if (tresult == ISC_R_SUCCESS && + strcasecmp(cfg_obj_asstring(matchtype), "wildcard") == 0 && + !dns_name_iswildcard(dns_fixedname_name(&fixed))) { + cfg_obj_log(identity, logctx, ISC_LOG_ERROR, + "'%s' is not a wildcard", str); + result = ISC_R_FAILURE; + } for (element2 = cfg_list_first(typelist); element2 != NULL; From 240e57ab983296e6d52031a594d3345728191b48 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 21 Aug 2006 00:35:36 +0000 Subject: [PATCH 428/465] 2074. [bug] dns_request_create2(), dns_request_create3(), dns_request_createraw2() and dns_request_createraw3() failed to send multiple UDP requests. [RT #16349] --- CHANGES | 4 ++++ lib/dns/request.c | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index c408c221a2..c7b49f822f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2074. [bug] dns_request_create2(), dns_request_create3(), + dns_request_createraw2() and dns_request_createraw3() + failed to send multiple UDP requests. [RT #16349] + 2073. [bug] Incorrect semantics check for update policy "wildcard". [RT #16353] diff --git a/lib/dns/request.c b/lib/dns/request.c index 49af3ce6fd..58a93fd7ed 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: request.c,v 1.76 2006/01/04 23:50:24 marka Exp $ */ +/* $Id: request.c,v 1.77 2006/08/21 00:35:36 marka Exp $ */ /*! \file */ @@ -705,6 +705,7 @@ dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf, if (udptimeout == 0) udptimeout = 1; } + request->udpcount = udpretries; /* * Create timer now. We will set it below once. @@ -902,6 +903,7 @@ dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message, if (udptimeout == 0) udptimeout = 1; } + request->udpcount = udpretries; /* * Create timer now. We will set it below once. From 6d453e1bb296e88732655f3d736e571eeaaca254 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 21 Aug 2006 00:42:28 +0000 Subject: [PATCH 429/465] create -> createvia --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index c7b49f822f..d1b832c0e8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,4 @@ -2074. [bug] dns_request_create2(), dns_request_create3(), +2074. [bug] dns_request_createvia2(), dns_request_createvia3(), dns_request_createraw2() and dns_request_createraw3() failed to send multiple UDP requests. [RT #16349] From 22e5a52c3b5bfef7e75d95629e08cab7592fee5c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 22 Aug 2006 06:11:19 +0000 Subject: [PATCH 430/465] 2075. [bug] The spillat timer event hander could leak memory. [RT #16357] --- CHANGES | 3 +++ lib/dns/resolver.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index d1b832c0e8..e51725bf81 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2075. [bug] The spillat timer event hander could leak memory. + [RT #16357] + 2074. [bug] dns_request_createvia2(), dns_request_createvia3(), dns_request_createraw2() and dns_request_createraw3() failed to send multiple UDP requests. [RT #16349] diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 483c159b23..5eeca8d7f8 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.332 2006/07/22 01:18:35 marka Exp $ */ +/* $Id: resolver.c,v 1.333 2006/08/22 06:11:19 marka Exp $ */ /*! \file */ @@ -6007,6 +6007,8 @@ spillattimer_countdown(isc_task_t *task, isc_event_t *event) { isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, "clients-per-query decreased to %u", count); + + isc_event_free(&event); } isc_result_t From 43794fdc22a8a5d5284a36a10e4bba714a3a60af Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 23 Aug 2006 23:16:51 +0000 Subject: [PATCH 431/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index b1cf86809e..fefd3e5c18 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -67,6 +67,7 @@ rt16324 new rt16326 new rt16341 new rt16354 new +rt16361 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From c7817270552b2faab56466b89731b6f290b352a4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 24 Aug 2006 00:17:54 +0000 Subject: [PATCH 432/465] 2076. [bug] Several files were missing #include causing build failures on OSF. [RT #16341] --- CHANGES | 3 +++ bin/tests/journalprint.c | 4 +++- lib/dns/portlist.c | 4 +++- lib/isc/netscope.c | 4 +++- lib/isc/nothreads/condition.c | 4 +++- lib/isc/nothreads/mutex.c | 4 +++- lib/isc/unix/fsaccess.c | 4 +++- lib/isc/unix/ipv6.c | 4 +++- lib/lwres/gai_strerror.c | 5 ++++- 9 files changed, 28 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index e51725bf81..95a7f589fb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2076. [bug] Several files were missing #include + causing build failures on OSF. [RT #16341] + 2075. [bug] The spillat timer event hander could leak memory. [RT #16357] diff --git a/bin/tests/journalprint.c b/bin/tests/journalprint.c index d309895519..0eec367dbc 100644 --- a/bin/tests/journalprint.c +++ b/bin/tests/journalprint.c @@ -15,9 +15,11 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journalprint.c,v 1.7 2005/04/27 04:56:08 sra Exp $ */ +/* $Id: journalprint.c,v 1.8 2006/08/24 00:17:54 marka Exp $ */ /*! \file */ +#include + #include #include diff --git a/lib/dns/portlist.c b/lib/dns/portlist.c index e0c17ebcd4..8d270b8a43 100644 --- a/lib/dns/portlist.c +++ b/lib/dns/portlist.c @@ -15,10 +15,12 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: portlist.c,v 1.9 2005/07/12 01:00:15 marka Exp $ */ +/* $Id: portlist.c,v 1.10 2006/08/24 00:17:54 marka Exp $ */ /*! \file */ +#include + #include #include diff --git a/lib/isc/netscope.c b/lib/isc/netscope.c index 4eb25547c2..b1104c44db 100644 --- a/lib/isc/netscope.c +++ b/lib/isc/netscope.c @@ -19,9 +19,11 @@ #if defined(LIBC_SCCS) && !defined(lint) static char rcsid[] = - "$Id: netscope.c,v 1.9 2005/04/29 00:23:28 marka Exp $"; + "$Id: netscope.c,v 1.10 2006/08/24 00:17:54 marka Exp $"; #endif /* LIBC_SCCS and not lint */ +#include + #include #include #include diff --git a/lib/isc/nothreads/condition.c b/lib/isc/nothreads/condition.c index 42f1f4392d..48be11878e 100644 --- a/lib/isc/nothreads/condition.c +++ b/lib/isc/nothreads/condition.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: condition.c,v 1.6 2004/03/05 05:11:08 marka Exp $ */ +/* $Id: condition.c,v 1.7 2006/08/24 00:17:54 marka Exp $ */ + +#include #include diff --git a/lib/isc/nothreads/mutex.c b/lib/isc/nothreads/mutex.c index 9abe304521..b5523711cf 100644 --- a/lib/isc/nothreads/mutex.c +++ b/lib/isc/nothreads/mutex.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mutex.c,v 1.6 2004/03/05 05:11:09 marka Exp $ */ +/* $Id: mutex.c,v 1.7 2006/08/24 00:17:54 marka Exp $ */ + +#include #include diff --git a/lib/isc/unix/fsaccess.c b/lib/isc/unix/fsaccess.c index b906a107e5..d159b6682d 100644 --- a/lib/isc/unix/fsaccess.c +++ b/lib/isc/unix/fsaccess.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: fsaccess.c,v 1.9 2005/04/29 00:23:50 marka Exp $ */ +/* $Id: fsaccess.c,v 1.10 2006/08/24 00:17:54 marka Exp $ */ + +#include #include #include diff --git a/lib/isc/unix/ipv6.c b/lib/isc/unix/ipv6.c index acb1216011..e1a3a08461 100644 --- a/lib/isc/unix/ipv6.c +++ b/lib/isc/unix/ipv6.c @@ -15,10 +15,12 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ipv6.c,v 1.10 2005/04/29 00:23:51 marka Exp $ */ +/* $Id: ipv6.c,v 1.11 2006/08/24 00:17:54 marka Exp $ */ /*! \file */ +#include + #include const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT; diff --git a/lib/lwres/gai_strerror.c b/lib/lwres/gai_strerror.c index 54b9a59ac4..59aae09b0b 100644 --- a/lib/lwres/gai_strerror.c +++ b/lib/lwres/gai_strerror.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: gai_strerror.c,v 1.18 2005/04/29 00:24:05 marka Exp $ */ +/* $Id: gai_strerror.c,v 1.19 2006/08/24 00:17:54 marka Exp $ */ /*! \file gai_strerror.c * lwres_gai_strerror() returns an error message corresponding to an @@ -43,6 +43,9 @@ * * strerror, lwres_getaddrinfo(), getaddrinfo(), RFC2133. */ + +#include + #include /*% Text of error messages. */ From 13926117a3bf81b05e667e0bf3edb670488a293e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 24 Aug 2006 00:43:40 +0000 Subject: [PATCH 433/465] 2076. [bug] Several files were missing #include causing build failures on OSF. [RT #16341] --- CHANGES | 2 ++ bin/tests/journalprint.c | 4 +++- lib/isc/nothreads/condition.c | 5 ++++- lib/isc/nothreads/mutex.c | 4 +++- lib/isc/unix/fsaccess.c | 4 +++- lib/isc/unix/ipv6.c | 4 +++- lib/lwres/gai_strerror.c | 4 +++- 7 files changed, 21 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 69616368e2..17d7606229 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2076. [bug] Several files were missing #include + causing build failures on OSF. [RT #16341] --- 9.2.7rc1 released --- diff --git a/bin/tests/journalprint.c b/bin/tests/journalprint.c index eb807bd07e..18e7aa396d 100644 --- a/bin/tests/journalprint.c +++ b/bin/tests/journalprint.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journalprint.c,v 1.3.2.3 2005/03/17 03:59:31 marka Exp $ */ +/* $Id: journalprint.c,v 1.3.2.4 2006/08/24 00:43:40 marka Exp $ */ + +#include #include #include diff --git a/lib/isc/nothreads/condition.c b/lib/isc/nothreads/condition.c index bf4d25694d..0988d5ed64 100644 --- a/lib/isc/nothreads/condition.c +++ b/lib/isc/nothreads/condition.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: condition.c,v 1.4.2.1 2004/03/09 06:12:04 marka Exp $ */ +/* $Id: condition.c,v 1.4.2.2 2006/08/24 00:43:40 marka Exp $ */ + +#include /* * This file intentionally left blank. @@ -25,6 +27,7 @@ * Well, not completely. The stupid hack below shuts up compilers * from complaining about an empty file. */ + static void isc_condition_nothreads(void) { isc_condition_nothreads(); diff --git a/lib/isc/nothreads/mutex.c b/lib/isc/nothreads/mutex.c index 61f971010a..188e234343 100644 --- a/lib/isc/nothreads/mutex.c +++ b/lib/isc/nothreads/mutex.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mutex.c,v 1.4.2.1 2004/03/09 06:12:04 marka Exp $ */ +/* $Id: mutex.c,v 1.4.2.2 2006/08/24 00:43:40 marka Exp $ */ + +#include /* * Well, not completely. The stupid hack below shuts up compilers diff --git a/lib/isc/unix/fsaccess.c b/lib/isc/unix/fsaccess.c index 06c94e5e4f..50b2aff9ab 100644 --- a/lib/isc/unix/fsaccess.c +++ b/lib/isc/unix/fsaccess.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: fsaccess.c,v 1.6.2.1 2004/03/09 06:12:10 marka Exp $ */ +/* $Id: fsaccess.c,v 1.6.2.2 2006/08/24 00:43:40 marka Exp $ */ + +#include #include #include diff --git a/lib/isc/unix/ipv6.c b/lib/isc/unix/ipv6.c index 1ff10cb2c0..efca8fcad8 100644 --- a/lib/isc/unix/ipv6.c +++ b/lib/isc/unix/ipv6.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ipv6.c,v 1.7.2.1 2004/03/09 06:12:10 marka Exp $ */ +/* $Id: ipv6.c,v 1.7.2.2 2006/08/24 00:43:40 marka Exp $ */ + +#include #include diff --git a/lib/lwres/gai_strerror.c b/lib/lwres/gai_strerror.c index c6d2fa738e..9a3ecbf9b8 100644 --- a/lib/lwres/gai_strerror.c +++ b/lib/lwres/gai_strerror.c @@ -15,7 +15,9 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: gai_strerror.c,v 1.14.2.2 2004/03/09 06:12:33 marka Exp $ */ +/* $Id: gai_strerror.c,v 1.14.2.3 2006/08/24 00:43:40 marka Exp $ */ + +#include #include From 1294baca8088c2c3a7d73b8962c14abf8f026c85 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 24 Aug 2006 23:16:52 +0000 Subject: [PATCH 434/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index fefd3e5c18..1eae938e98 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -68,6 +68,7 @@ rt16326 new rt16341 new rt16354 new rt16361 new +rt16363 new rt1727 open // ixfr-from-differences workfile skan new skan-metazones1 private From 6bb1b66ed90416315438ff7d3685d768072aeac6 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 24 Aug 2006 23:30:04 +0000 Subject: [PATCH 435/465] newcopyrights --- util/copyrights | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/util/copyrights b/util/copyrights index 0c2ed04fed..81b8df542b 100644 --- a/util/copyrights +++ b/util/copyrights @@ -291,7 +291,7 @@ ./bin/tests/hash_test.c C 2000,2001,2004,2005 ./bin/tests/headerdep_test.sh.in SH 2000,2001,2004 ./bin/tests/inter_test.c C 2000,2001,2004 -./bin/tests/journalprint.c C 2000,2001,2004,2005 +./bin/tests/journalprint.c C 2000,2001,2004,2005,2006 ./bin/tests/keyboard_test.c C 2000,2001,2004 ./bin/tests/lex_test.c C 1998,1999,2000,2001,2004 ./bin/tests/lfsr_test.c C 1999,2000,2001,2004 @@ -1909,7 +1909,7 @@ ./lib/isc/nls/msgcat.c C 1999,2000,2001,2004 ./lib/isc/nothreads/.cvsignore X 2000,2001 ./lib/isc/nothreads/Makefile.in MAKE 2000,2001,2004 -./lib/isc/nothreads/condition.c C 2000,2001,2004 +./lib/isc/nothreads/condition.c C 2000,2001,2004,2006 ./lib/isc/nothreads/include/.cvsignore X 2000,2001 ./lib/isc/nothreads/include/Makefile.in MAKE 2000,2001,2004 ./lib/isc/nothreads/include/isc/.cvsignore X 2000,2001 @@ -1918,7 +1918,7 @@ ./lib/isc/nothreads/include/isc/mutex.h C 2000,2001,2004 ./lib/isc/nothreads/include/isc/once.h C 2000,2001,2004 ./lib/isc/nothreads/include/isc/thread.h C 2000,2001,2004 -./lib/isc/nothreads/mutex.c C 2000,2001,2004 +./lib/isc/nothreads/mutex.c C 2000,2001,2004,2006 ./lib/isc/nothreads/thread.c C 2000,2001,2004 ./lib/isc/ondestroy.c C 2000,2001,2004 ./lib/isc/print.c C 1999,2000,2001,2003,2004,2005,2006 @@ -1958,7 +1958,7 @@ ./lib/isc/unix/errno2result.c C 2000,2001,2002,2004 ./lib/isc/unix/errno2result.h C 2000,2001,2004 ./lib/isc/unix/file.c C 2000,2001,2004 -./lib/isc/unix/fsaccess.c C 2000,2001,2004 +./lib/isc/unix/fsaccess.c C 2000,2001,2004,2006 ./lib/isc/unix/ifiter_ioctl.c C 1999,2000,2001,2003,2004,2006 ./lib/isc/unix/ifiter_sysctl.c C 1999,2000,2001,2004,2005 ./lib/isc/unix/include/.cvsignore X 1999,2000,2001 @@ -1977,7 +1977,7 @@ ./lib/isc/unix/include/isc/syslog.h C 1999,2000,2001,2004 ./lib/isc/unix/include/isc/time.h C 1998,1999,2000,2001,2004 ./lib/isc/unix/interfaceiter.c C 1999,2000,2001,2004 -./lib/isc/unix/ipv6.c C 1999,2000,2001,2004 +./lib/isc/unix/ipv6.c C 1999,2000,2001,2004,2006 ./lib/isc/unix/keyboard.c C 2000,2001,2004 ./lib/isc/unix/net.c C 1999,2000,2001,2004 ./lib/isc/unix/os.c C 2000,2001,2004,2005 @@ -2112,7 +2112,7 @@ ./lib/lwres/assert_p.h C 2000,2001,2004 ./lib/lwres/context.c C 2000,2001,2003,2004 ./lib/lwres/context_p.h C 2000,2001,2004 -./lib/lwres/gai_strerror.c C 2000,2001,2004 +./lib/lwres/gai_strerror.c C 2000,2001,2004,2006 ./lib/lwres/getaddrinfo.c C.BSDI 1999,2000,2001,2004,2006 ./lib/lwres/gethost.c C 2000,2001,2004 ./lib/lwres/getipnode.c C 1999,2000,2001,2002,2003,2004,2005 From 67a0e14fa9c3c160116f0671f4ac5874306b1150 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 24 Aug 2006 23:30:26 +0000 Subject: [PATCH 436/465] newcopyrights --- util/copyrights | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/util/copyrights b/util/copyrights index d1c93d39d0..da62a9370c 100644 --- a/util/copyrights +++ b/util/copyrights @@ -277,7 +277,7 @@ ./bin/tests/hash_test.c C 2000,2001,2004,2005,2006 ./bin/tests/headerdep_test.sh.in SH 2000,2001,2004 ./bin/tests/inter_test.c C 2000,2001,2003,2004,2005 -./bin/tests/journalprint.c C 2000,2001,2004,2005 +./bin/tests/journalprint.c C 2000,2001,2004,2005,2006 ./bin/tests/keyboard_test.c C 2000,2001,2004,2005 ./bin/tests/lex_test.c C 1998,1999,2000,2001,2004,2005 ./bin/tests/lfsr_test.c C 1999,2000,2001,2004,2005 @@ -1839,7 +1839,7 @@ ./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006 ./lib/dns/order.c C 2002,2004,2005 ./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006 -./lib/dns/portlist.c C 2003,2004,2005 +./lib/dns/portlist.c C 2003,2004,2005,2006 ./lib/dns/rbt.c C 1999,2000,2001,2002,2003,2004,2005 ./lib/dns/rbtdb.c C 1999,2000,2001,2002,2003,2004,2005,2006 ./lib/dns/rbtdb.h C 1999,2000,2001,2004,2005 @@ -2090,14 +2090,14 @@ ./lib/isc/mips/include/isc/atomic.h C 2005 ./lib/isc/mutexblock.c C 1999,2000,2001,2004,2005 ./lib/isc/netaddr.c C 1999,2000,2001,2002,2004,2005 -./lib/isc/netscope.c C 2002,2004,2005 +./lib/isc/netscope.c C 2002,2004,2005,2006 ./lib/isc/nls/.cvsignore X 1999,2000,2001 ./lib/isc/nls/Makefile.in MAKE 1999,2000,2001,2004 ./lib/isc/nls/msgcat.c C 1999,2000,2001,2004,2005 ./lib/isc/noatomic/include/isc/atomic.h C 2005 ./lib/isc/nothreads/.cvsignore X 2000,2001 ./lib/isc/nothreads/Makefile.in MAKE 2000,2001,2004 -./lib/isc/nothreads/condition.c C 2000,2001,2004 +./lib/isc/nothreads/condition.c C 2000,2001,2004,2006 ./lib/isc/nothreads/include/.cvsignore X 2000,2001 ./lib/isc/nothreads/include/Makefile.in MAKE 2000,2001,2004 ./lib/isc/nothreads/include/isc/.cvsignore X 2000,2001 @@ -2106,7 +2106,7 @@ ./lib/isc/nothreads/include/isc/mutex.h C 2000,2001,2004 ./lib/isc/nothreads/include/isc/once.h C 2000,2001,2004 ./lib/isc/nothreads/include/isc/thread.h C 2000,2001,2004 -./lib/isc/nothreads/mutex.c C 2000,2001,2004 +./lib/isc/nothreads/mutex.c C 2000,2001,2004,2006 ./lib/isc/nothreads/thread.c C 2000,2001,2004 ./lib/isc/ondestroy.c C 2000,2001,2004,2005 ./lib/isc/parseint.c C 2001,2002,2003,2004,2005 @@ -2153,7 +2153,7 @@ ./lib/isc/unix/errno2result.c C 2000,2001,2002,2004,2005 ./lib/isc/unix/errno2result.h C 2000,2001,2004,2005 ./lib/isc/unix/file.c C 2000,2001,2002,2004,2005 -./lib/isc/unix/fsaccess.c C 2000,2001,2004,2005 +./lib/isc/unix/fsaccess.c C 2000,2001,2004,2005,2006 ./lib/isc/unix/ifiter_getifaddrs.c C 2003,2004,2005 ./lib/isc/unix/ifiter_ioctl.c C 1999,2000,2001,2002,2003,2004,2005,2006 ./lib/isc/unix/ifiter_sysctl.c C 1999,2000,2001,2002,2003,2004,2005 @@ -2173,7 +2173,7 @@ ./lib/isc/unix/include/isc/syslog.h C 1999,2000,2001,2004,2005 ./lib/isc/unix/include/isc/time.h C 1998,1999,2000,2001,2004,2005 ./lib/isc/unix/interfaceiter.c C 1999,2000,2001,2002,2003,2004,2005 -./lib/isc/unix/ipv6.c C 1999,2000,2001,2004,2005 +./lib/isc/unix/ipv6.c C 1999,2000,2001,2004,2005,2006 ./lib/isc/unix/keyboard.c C 2000,2001,2004 ./lib/isc/unix/net.c C 1999,2000,2001,2002,2003,2004,2005 ./lib/isc/unix/os.c C 2000,2001,2004,2005 @@ -2315,7 +2315,7 @@ ./lib/lwres/assert_p.h C 2000,2001,2004,2005 ./lib/lwres/context.c C 2000,2001,2003,2004,2005 ./lib/lwres/context_p.h C 2000,2001,2004,2005 -./lib/lwres/gai_strerror.c C 2000,2001,2004,2005 +./lib/lwres/gai_strerror.c C 2000,2001,2004,2005,2006 ./lib/lwres/getaddrinfo.c C.BSDI 1999,2000,2001,2004,2005 ./lib/lwres/gethost.c C 2000,2001,2004,2005 ./lib/lwres/getipnode.c C 1999,2000,2001,2002,2003,2004,2005 From 6faa7494a8307621c533f54c19772cd3076a3535 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 25 Aug 2006 05:25:49 +0000 Subject: [PATCH 437/465] update copyright notice --- bin/tests/journalprint.c | 4 ++-- lib/isc/nothreads/condition.c | 4 ++-- lib/isc/nothreads/mutex.c | 4 ++-- lib/isc/unix/fsaccess.c | 4 ++-- lib/isc/unix/ipv6.c | 4 ++-- lib/lwres/gai_strerror.c | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/bin/tests/journalprint.c b/bin/tests/journalprint.c index 18e7aa396d..86fcd46c2e 100644 --- a/bin/tests/journalprint.c +++ b/bin/tests/journalprint.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journalprint.c,v 1.3.2.4 2006/08/24 00:43:40 marka Exp $ */ +/* $Id: journalprint.c,v 1.3.2.5 2006/08/25 05:25:49 marka Exp $ */ #include diff --git a/lib/isc/nothreads/condition.c b/lib/isc/nothreads/condition.c index 0988d5ed64..0b3ee7722e 100644 --- a/lib/isc/nothreads/condition.c +++ b/lib/isc/nothreads/condition.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: condition.c,v 1.4.2.2 2006/08/24 00:43:40 marka Exp $ */ +/* $Id: condition.c,v 1.4.2.3 2006/08/25 05:25:49 marka Exp $ */ #include diff --git a/lib/isc/nothreads/mutex.c b/lib/isc/nothreads/mutex.c index 188e234343..2c760bda48 100644 --- a/lib/isc/nothreads/mutex.c +++ b/lib/isc/nothreads/mutex.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mutex.c,v 1.4.2.2 2006/08/24 00:43:40 marka Exp $ */ +/* $Id: mutex.c,v 1.4.2.3 2006/08/25 05:25:49 marka Exp $ */ #include diff --git a/lib/isc/unix/fsaccess.c b/lib/isc/unix/fsaccess.c index 50b2aff9ab..6092a53229 100644 --- a/lib/isc/unix/fsaccess.c +++ b/lib/isc/unix/fsaccess.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: fsaccess.c,v 1.6.2.2 2006/08/24 00:43:40 marka Exp $ */ +/* $Id: fsaccess.c,v 1.6.2.3 2006/08/25 05:25:49 marka Exp $ */ #include diff --git a/lib/isc/unix/ipv6.c b/lib/isc/unix/ipv6.c index efca8fcad8..b7e7bfd37e 100644 --- a/lib/isc/unix/ipv6.c +++ b/lib/isc/unix/ipv6.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ipv6.c,v 1.7.2.2 2006/08/24 00:43:40 marka Exp $ */ +/* $Id: ipv6.c,v 1.7.2.3 2006/08/25 05:25:49 marka Exp $ */ #include diff --git a/lib/lwres/gai_strerror.c b/lib/lwres/gai_strerror.c index 9a3ecbf9b8..e87f37f93c 100644 --- a/lib/lwres/gai_strerror.c +++ b/lib/lwres/gai_strerror.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: gai_strerror.c,v 1.14.2.3 2006/08/24 00:43:40 marka Exp $ */ +/* $Id: gai_strerror.c,v 1.14.2.4 2006/08/25 05:25:49 marka Exp $ */ #include From 896e6a0e44dc3d264c1a66a07a2d806a06290f29 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 25 Aug 2006 05:25:52 +0000 Subject: [PATCH 438/465] update copyright notice --- bin/tests/journalprint.c | 4 ++-- lib/dns/portlist.c | 4 ++-- lib/isc/netscope.c | 4 ++-- lib/isc/nothreads/condition.c | 4 ++-- lib/isc/nothreads/mutex.c | 4 ++-- lib/isc/unix/fsaccess.c | 4 ++-- lib/isc/unix/ipv6.c | 4 ++-- lib/lwres/gai_strerror.c | 4 ++-- 8 files changed, 16 insertions(+), 16 deletions(-) diff --git a/bin/tests/journalprint.c b/bin/tests/journalprint.c index 0eec367dbc..59c24081d0 100644 --- a/bin/tests/journalprint.c +++ b/bin/tests/journalprint.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journalprint.c,v 1.8 2006/08/24 00:17:54 marka Exp $ */ +/* $Id: journalprint.c,v 1.9 2006/08/25 05:25:52 marka Exp $ */ /*! \file */ #include diff --git a/lib/dns/portlist.c b/lib/dns/portlist.c index 8d270b8a43..f85d4e0a87 100644 --- a/lib/dns/portlist.c +++ b/lib/dns/portlist.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: portlist.c,v 1.10 2006/08/24 00:17:54 marka Exp $ */ +/* $Id: portlist.c,v 1.11 2006/08/25 05:25:52 marka Exp $ */ /*! \file */ diff --git a/lib/isc/netscope.c b/lib/isc/netscope.c index b1104c44db..11ffd8d981 100644 --- a/lib/isc/netscope.c +++ b/lib/isc/netscope.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -19,7 +19,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char rcsid[] = - "$Id: netscope.c,v 1.10 2006/08/24 00:17:54 marka Exp $"; + "$Id: netscope.c,v 1.11 2006/08/25 05:25:52 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include diff --git a/lib/isc/nothreads/condition.c b/lib/isc/nothreads/condition.c index 48be11878e..2b2521ba18 100644 --- a/lib/isc/nothreads/condition.c +++ b/lib/isc/nothreads/condition.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: condition.c,v 1.7 2006/08/24 00:17:54 marka Exp $ */ +/* $Id: condition.c,v 1.8 2006/08/25 05:25:52 marka Exp $ */ #include diff --git a/lib/isc/nothreads/mutex.c b/lib/isc/nothreads/mutex.c index b5523711cf..f6ec95f346 100644 --- a/lib/isc/nothreads/mutex.c +++ b/lib/isc/nothreads/mutex.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mutex.c,v 1.7 2006/08/24 00:17:54 marka Exp $ */ +/* $Id: mutex.c,v 1.8 2006/08/25 05:25:52 marka Exp $ */ #include diff --git a/lib/isc/unix/fsaccess.c b/lib/isc/unix/fsaccess.c index d159b6682d..d8f1792dd6 100644 --- a/lib/isc/unix/fsaccess.c +++ b/lib/isc/unix/fsaccess.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: fsaccess.c,v 1.10 2006/08/24 00:17:54 marka Exp $ */ +/* $Id: fsaccess.c,v 1.11 2006/08/25 05:25:52 marka Exp $ */ #include diff --git a/lib/isc/unix/ipv6.c b/lib/isc/unix/ipv6.c index e1a3a08461..f848e13847 100644 --- a/lib/isc/unix/ipv6.c +++ b/lib/isc/unix/ipv6.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ipv6.c,v 1.11 2006/08/24 00:17:54 marka Exp $ */ +/* $Id: ipv6.c,v 1.12 2006/08/25 05:25:52 marka Exp $ */ /*! \file */ diff --git a/lib/lwres/gai_strerror.c b/lib/lwres/gai_strerror.c index 59aae09b0b..61427490f8 100644 --- a/lib/lwres/gai_strerror.c +++ b/lib/lwres/gai_strerror.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: gai_strerror.c,v 1.19 2006/08/24 00:17:54 marka Exp $ */ +/* $Id: gai_strerror.c,v 1.20 2006/08/25 05:25:52 marka Exp $ */ /*! \file gai_strerror.c * lwres_gai_strerror() returns an error message corresponding to an From 2dafa707cc9af9cca66d68c1d2c3af0c768c2900 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 22:57:16 +0000 Subject: [PATCH 439/465] 2078. [bug] dnssec-checkzone output style "default" was badly named. It is now called "relative". [RT #16326] 2077. [bug] 'dnssec-signzone -O raw' wasn't outputing the complete signed zone. [RT #16326] --- CHANGES | 6 ++++++ bin/check/named-checkzone.c | 4 ++-- bin/check/named-checkzone.docbook | 6 +++--- bin/dnssec/dnssec-signzone.c | 5 ++++- 4 files changed, 15 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 95a7f589fb..d7dceb51b8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +2078. [bug] dnssec-checkzone output style "default" was badly + named. It is now called "relative". [RT #16326] + +2077. [bug] 'dnssec-signzone -O raw' wasn't outputing the + complete signed zone. [RT #16326] + 2076. [bug] Several files were missing #include causing build failures on OSF. [RT #16341] diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c index 71b200fc5d..c5487761fa 100644 --- a/bin/check/named-checkzone.c +++ b/bin/check/named-checkzone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkzone.c,v 1.43 2006/01/07 00:23:35 marka Exp $ */ +/* $Id: named-checkzone.c,v 1.44 2006/08/30 22:57:16 marka Exp $ */ /*! \file */ @@ -273,7 +273,7 @@ main(int argc, char **argv) { case 's': if (ARGCMP("full")) outputstyle = &dns_master_style_full; - else if (ARGCMP("default")) { + else if (ARGCMP("relative")) { outputstyle = &dns_master_style_default; } else { fprintf(stderr, diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook index 0b799c71d7..524ab28eb3 100644 --- a/bin/check/named-checkzone.docbook +++ b/bin/check/named-checkzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 13, 2000 @@ -311,10 +311,10 @@ Specify the style of the dumped zone file. Possible styles are "full" (default) - and "default". + and "relative". The full format is most suitable for processing automatically by a separate script. - On the other hand, the default format is more + On the other hand, the relative format is more human-readable and is thus suitable for editing by hand. For named-checkzone this does not cause any effects unless it dumps the zone diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index a58cbca754..46650a5635 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.198 2006/04/13 18:09:56 dhankins Exp $ */ +/* $Id: dnssec-signzone.c,v 1.199 2006/08/30 22:57:16 marka Exp $ */ /*! \file */ @@ -1132,6 +1132,9 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { dns_rdataset_t set; isc_result_t result, dresult; + if (outputformat != dns_masterformat_text) + return; + dns_rdataset_init(&set); result = dns_db_allrdatasets(db, node, version, 0, &rdsiter); check_result(result, "dns_db_allrdatasets"); From 2113dfd6e20a9ca16000ed226517b4660087c1f2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:09:18 +0000 Subject: [PATCH 440/465] 2079. [bug] The lame cache was not handling multiple types correctly. [RT #16361] --- CHANGES | 3 +++ lib/dns/adb.c | 17 +++++++++-------- lib/dns/resolver.c | 4 ++-- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index d7dceb51b8..9669696295 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2079. [bug] The lame cache was not handling multiple types + correctly. [RT #16361] + 2078. [bug] dnssec-checkzone output style "default" was badly named. It is now called "relative". [RT #16326] diff --git a/lib/dns/adb.c b/lib/dns/adb.c index 1ef2c83756..eb39266c86 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: adb.c,v 1.226 2005/11/30 03:33:48 marka Exp $ */ +/* $Id: adb.c,v 1.227 2006/08/30 23:09:18 marka Exp $ */ /*! \file * @@ -1675,12 +1675,13 @@ entry_is_lame(dns_adb_t *adb, dns_adbentry_t *entry, dns_name_t *qname, /* * Order tests from least to most expensive. + * + * We do not break out of the main loop here as + * we use the loop for house keeping. */ - if (li != NULL && !is_bad) { - if (li->qtype == qtype && - dns_name_equal(qname, &li->qname)) - is_bad = ISC_TRUE; - } + if (li != NULL && !is_bad && li->qtype == qtype && + dns_name_equal(qname, &li->qname)) + is_bad = ISC_TRUE; li = next_li; } @@ -3356,8 +3357,8 @@ dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *qname, bucket = addr->entry->lock_bucket; LOCK(&adb->entrylocks[bucket]); li = ISC_LIST_HEAD(addr->entry->lameinfo); - while (li != NULL && li->qtype != qtype && - !dns_name_equal(qname, &li->qname)) + while (li != NULL && + (li->qtype != qtype || !dns_name_equal(qname, &li->qname))) li = ISC_LIST_NEXT(li, plink); if (li != NULL) { if (expire_time > li->lame_timer) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 5eeca8d7f8..af7a59ac3e 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.333 2006/08/22 06:11:19 marka Exp $ */ +/* $Id: resolver.c,v 1.334 2006/08/30 23:09:18 marka Exp $ */ /*! \file */ @@ -5593,7 +5593,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { is_lame(fctx)) { log_lame(fctx, query->addrinfo); result = dns_adb_marklame(fctx->adb, query->addrinfo, - &fctx->domain, fctx->type, + &fctx->name, fctx->type, now + fctx->res->lame_ttl); if (result != ISC_R_SUCCESS) isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, From 24ee607afa66e5ba5fa8b2f18c34a5c430b8a3fe Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:14:17 +0000 Subject: [PATCH 441/465] 2080. [port] libbind: res_init.c did not compile on older versions of Solaris. [RT #16363] --- CHANGES | 3 +++ lib/bind/resolv/res_init.c | 17 +++++------------ 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index 9669696295..9110168568 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2080. [port] libbind: res_init.c did not compile on older versions + of Solaris. [RT #16363] + 2079. [bug] The lame cache was not handling multiple types correctly. [RT #16361] diff --git a/lib/bind/resolv/res_init.c b/lib/bind/resolv/res_init.c index 699a1a5f1e..a89727fc45 100644 --- a/lib/bind/resolv/res_init.c +++ b/lib/bind/resolv/res_init.c @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_init.c 8.1 (Berkeley) 6/7/93"; -static const char rcsid[] = "$Id: res_init.c,v 1.20 2005/11/03 00:01:52 marka Exp $"; +static const char rcsid[] = "$Id: res_init.c,v 1.21 2006/08/30 23:14:17 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -237,17 +237,10 @@ __res_vinit(res_state statp, int preinit) { if (buf[0] == '+') buf[0] = '.'; cp = strchr(buf, '.'); - if (cp == NULL) { - if (strlcpy(statp->defdname, buf, - sizeof(statp->defdname)) - >= sizeof(statp->defdname)) - goto freedata; - } else { - if (strlcpy(statp->defdname, cp+1, - sizeof(statp->defdname)) - >= sizeof(statp->defdname)) - goto freedata; - } + cp = (cp == NULL) ? buf : (cp + 1); + if (strlen(cp) >= sizeof(statp->defdname)) + goto freedata; + strcpy(statp->defdname, cp); } } #endif /* SOLARIS2 */ From 4f3933a80bc9cbdd660ab9fc62ec8c432b70a9ad Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:23:14 +0000 Subject: [PATCH 442/465] 2080. [port] libbind: res_init.c did not compile on older versions of Solaris. [RT #16363] --- CHANGES | 3 +++ lib/bind/resolv/res_init.c | 17 +++++------------ 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index 17d7606229..5c08673650 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2080. [port] libbind: res_init.c did not compile on older versions + of Solaris. [RT #16363] + 2076. [bug] Several files were missing #include causing build failures on OSF. [RT #16341] diff --git a/lib/bind/resolv/res_init.c b/lib/bind/resolv/res_init.c index 9af5f2da55..d3bb71f545 100644 --- a/lib/bind/resolv/res_init.c +++ b/lib/bind/resolv/res_init.c @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_init.c 8.1 (Berkeley) 6/7/93"; -static const char rcsid[] = "$Id: res_init.c,v 1.9.2.10 2005/11/03 00:00:08 marka Exp $"; +static const char rcsid[] = "$Id: res_init.c,v 1.9.2.11 2006/08/30 23:23:14 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -237,17 +237,10 @@ __res_vinit(res_state statp, int preinit) { if (buf[0] == '+') buf[0] = '.'; cp = strchr(buf, '.'); - if (cp == NULL) { - if (strlcpy(statp->defdname, buf, - sizeof(statp->defdname)) - >= sizeof(statp->defdname)) - goto freedata; - } else { - if (strlcpy(statp->defdname, cp+1, - sizeof(statp->defdname)) - >= sizeof(statp->defdname)) - goto freedata; - } + cp = (cp == NULL) ? buf : (cp + 1); + if (strlen(cp) >= sizeof(statp->defdname)) + goto freedata; + strcpy(statp->defdname, cp); } } #endif /* SOLARIS2 */ From 2216953b5a16b0ac7caef94b2fc318c3ad418235 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:30:04 +0000 Subject: [PATCH 443/465] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 81b8df542b..3f4f6b962c 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1557,7 +1557,7 @@ ./lib/bind/resolv/res_debug.c X 2001,2005 ./lib/bind/resolv/res_debug.h X 2001 ./lib/bind/resolv/res_findzonecut.c X 2001,2005 -./lib/bind/resolv/res_init.c X 2001,2005 +./lib/bind/resolv/res_init.c X 2001,2005,2006 ./lib/bind/resolv/res_mkquery.c X 2001 ./lib/bind/resolv/res_mkupdate.c X 2001,2005 ./lib/bind/resolv/res_mkupdate.h X 2001 From 812920de0d0a02ad61be3bb09c2e93274708fde5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:30:32 +0000 Subject: [PATCH 444/465] newcopyrights --- util/copyrights | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/util/copyrights b/util/copyrights index da62a9370c..79663d106d 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1680,7 +1680,7 @@ ./lib/bind/resolv/res_debug.c X 2001,2005 ./lib/bind/resolv/res_debug.h X 2001,2005 ./lib/bind/resolv/res_findzonecut.c X 2001,2005 -./lib/bind/resolv/res_init.c X 2001,2005 +./lib/bind/resolv/res_init.c X 2001,2005,2006 ./lib/bind/resolv/res_mkquery.c X 2001,2005 ./lib/bind/resolv/res_mkupdate.c X 2001,2005 ./lib/bind/resolv/res_mkupdate.h X 2001,2005 @@ -1712,7 +1712,7 @@ ./lib/dns/Makefile.in MAKE 1998,1999,2000,2001,2002,2003,2004,2005,2006 ./lib/dns/acache.c C 2004,2005,2006 ./lib/dns/acl.c C 1999,2000,2001,2002,2004,2005,2006 -./lib/dns/adb.c C 1999,2000,2001,2002,2003,2004,2005 +./lib/dns/adb.c C 1999,2000,2001,2002,2003,2004,2005,2006 ./lib/dns/api X 1999,2000,2001 ./lib/dns/byaddr.c C 2000,2001,2002,2003,2004,2005 ./lib/dns/cache.c C 1999,2000,2001,2002,2003,2004,2005,2006 From 7092864f71e0bbb108041ef01ac3d2b41f90c4a9 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:34:38 +0000 Subject: [PATCH 445/465] 2081. [port] libbind: minor 64-bit portability fix in memcluster.c. [RT #16360] --- CHANGES | 3 +++ lib/bind/isc/memcluster.c | 9 +++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 9110168568..144f9fd55d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2081. [port] libbind: minor 64-bit portability fix in memcluster.c. + [RT #16360] + 2080. [port] libbind: res_init.c did not compile on older versions of Solaris. [RT #16363] diff --git a/lib/bind/isc/memcluster.c b/lib/bind/isc/memcluster.c index 72a54aa305..515793fd6a 100644 --- a/lib/bind/isc/memcluster.c +++ b/lib/bind/isc/memcluster.c @@ -24,7 +24,7 @@ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: memcluster.c,v 1.10 2005/10/11 00:10:14 marka Exp $"; +static const char rcsid[] = "$Id: memcluster.c,v 1.11 2006/08/30 23:34:38 marka Exp $"; #endif /* not lint */ #include "port_before.h" @@ -399,7 +399,7 @@ __memput_record(void *mem, size_t size, const char *file, int line) { p = (char *)e + sizeof *e + size; memcpy(&fp, p, sizeof fp); INSIST(fp == BACK_FENCEPOST); - INSIST(((int)mem % 4) == 0); + INSIST(((u_long)mem % 4) == 0); #ifdef MEMCLUSTER_RECORD prev = NULL; if (size == max_size || new_size >= max_size) @@ -523,10 +523,11 @@ memstats(FILE *out) { for (i = 1; i <= max_size; i++) { if ((e = activelists[i]) != NULL) while (e != NULL) { - fprintf(out, "%s:%d %p:%d\n", + fprintf(out, "%s:%d %p:%lu\n", e->file != NULL ? e->file : "", e->line, - (char *)e + sizeof *e, e->size); + (char *)e + sizeof *e, + (u_long)e->size); e = e->next; } } From 07af72345ec8b90596d4f6bf67b6a8027f223d8d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:34:59 +0000 Subject: [PATCH 446/465] 2081. [port] libbind: minor 64-bit portability fix in memcluster.c. [RT #16360] --- CHANGES | 3 +++ lib/bind/isc/memcluster.c | 9 +++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 5c08673650..4de2f83a3f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2081. [port] libbind: minor 64-bit portability fix in memcluster.c. + [RT #16360] + 2080. [port] libbind: res_init.c did not compile on older versions of Solaris. [RT #16363] diff --git a/lib/bind/isc/memcluster.c b/lib/bind/isc/memcluster.c index bfd2dd5134..349d74515c 100644 --- a/lib/bind/isc/memcluster.c +++ b/lib/bind/isc/memcluster.c @@ -24,7 +24,7 @@ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: memcluster.c,v 1.3.2.7 2005/10/11 00:56:05 marka Exp $"; +static const char rcsid[] = "$Id: memcluster.c,v 1.3.2.8 2006/08/30 23:34:59 marka Exp $"; #endif /* not lint */ #include "port_before.h" @@ -399,7 +399,7 @@ __memput_record(void *mem, size_t size, const char *file, int line) { p = (char *)e + sizeof *e + size; memcpy(&fp, p, sizeof fp); INSIST(fp == BACK_FENCEPOST); - INSIST(((int)mem % 4) == 0); + INSIST(((u_long)mem % 4) == 0); #ifdef MEMCLUSTER_RECORD prev = NULL; if (size == max_size || new_size >= max_size) @@ -523,10 +523,11 @@ memstats(FILE *out) { for (i = 1; i <= max_size; i++) { if ((e = activelists[i]) != NULL) while (e != NULL) { - fprintf(out, "%s:%d %p:%d\n", + fprintf(out, "%s:%d %p:%lu\n", e->file != NULL ? e->file : "", e->line, - (char *)e + sizeof *e, e->size); + (char *)e + sizeof *e, + (u_long)e->size); e = e->next; } } From b98c5adf3e165b5a326765826af83fb60022ec9e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:40:50 +0000 Subject: [PATCH 447/465] minor wording change --- doc/arm/Bv9ARM-book.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 671bb0be80..1db49b156e 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -4713,7 +4713,7 @@ digits" + "tkey-domain". In most cases, If specified, the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. - The default is not to preference any type (NONE). + The default is not to prefer any type (NONE). From 86915797744280ae86a9d133d1bf62f28f483b73 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:47:05 +0000 Subject: [PATCH 448/465] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 3f4f6b962c..b0e7fede88 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1321,7 +1321,7 @@ ./lib/bind/isc/logging.c X 2001 ./lib/bind/isc/logging.mdoc X 2001 ./lib/bind/isc/logging_p.h X 2001 -./lib/bind/isc/memcluster.c X 2001,2005 +./lib/bind/isc/memcluster.c X 2001,2005,2006 ./lib/bind/isc/memcluster.mdoc X 2001 ./lib/bind/isc/movefile.c X 2001 ./lib/bind/isc/tree.c X 2001 From b9196ffe47c3d1e2462496b982643ad2da399888 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:47:28 +0000 Subject: [PATCH 449/465] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 79663d106d..4b6423d297 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1443,7 +1443,7 @@ ./lib/bind/isc/logging.c X 2001,2005 ./lib/bind/isc/logging.mdoc X 2001 ./lib/bind/isc/logging_p.h X 2001,2005 -./lib/bind/isc/memcluster.c X 2001,2005 +./lib/bind/isc/memcluster.c X 2001,2005,2006 ./lib/bind/isc/memcluster.mdoc X 2001 ./lib/bind/isc/movefile.c X 2001,2005 ./lib/bind/isc/tree.c X 2001,2005 From 1195c1452c56200da8dc737e2464c9a5a421c3a4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Aug 2006 23:49:58 +0000 Subject: [PATCH 450/465] update copyright notice --- lib/dns/adb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/adb.c b/lib/dns/adb.c index eb39266c86..39df3660b6 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: adb.c,v 1.227 2006/08/30 23:09:18 marka Exp $ */ +/* $Id: adb.c,v 1.228 2006/08/30 23:49:58 marka Exp $ */ /*! \file * From 211997d745983db3e51e5e08c2958d526ab7a074 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 31 Aug 2006 00:01:16 +0000 Subject: [PATCH 451/465] 9.2.7rc2 --- CHANGES | 3 +++ version | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 4de2f83a3f..d540f0e813 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ + + --- 9.2.7rc2 released --- + 2081. [port] libbind: minor 64-bit portability fix in memcluster.c. [RT #16360] diff --git a/version b/version index a9a3d68dae..662da96813 100644 --- a/version +++ b/version @@ -1,4 +1,4 @@ -# $Id: version,v 1.26.2.44 2006/07/27 05:05:51 marka Exp $ +# $Id: version,v 1.26.2.45 2006/08/31 00:01:16 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=2 PATCHVER=7 RELEASETYPE=rc -RELEASEVER=1 +RELEASEVER=2 From 3fb7560486b11ca5cf61f8e7c1b889c3bf5d3f84 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 31 Aug 2006 00:06:17 +0000 Subject: [PATCH 452/465] 9.2.7rc2 --- doc/arm/Bv9ARM.pdf | 700 ++++++++++++++++++++++----------------------- 1 file changed, 347 insertions(+), 353 deletions(-) diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index f349c580d2..d74faa6a8e 100755 --- a/doc/arm/Bv9ARM.pdf +++ b/doc/arm/Bv9ARM.pdf @@ -895,9 +895,7 @@ endobj /Filter /FlateDecode >> stream -xÚMk1†ïû+æ¨ÐL3_›ä¨ôƒ -í¡äV<,ºAWØê¡ÿ¾Y×J¡=”’É<ï¼ÌKàË!ˆ†^’BHŠæÉ`µ¯<¼—ÞcEFMÐT¤t$Á¨ÁqŒhVóOìNª$&pæ S>àó\Ý>(d2…¼Ò„½À•Ëë·ÉüéånêØü$×l½ßvÛcßýøõÚnÚ¾íVíX>7Ý©ÙM—yQ,ˆ0™ñÙ‚z -à¢bÙ΋Óîsr¸¹<¼¯}uŸ¯‹|''†C6ÿÎí ‚#Púendstream +xÚMKÃ@†ïùslÁŒó™ì[ü@A²7ñÚ´l„4ùÿn-‚d»3ó̼³/åÃI£A Øas,ö¹v_ðc®è¦šƒ?ª¥FÅ` ”н’ŸØ/œÍ°Ö¡trŒyø„¯Sq}g\£°¤°E¬….\Ú¾.ÖÏ7ËRœq¾VÛã¡;œ†¾>ú9õÒîÚ¾í6í>5Ýؼ/ßÒc–P`Æè.g !$šv †U?K¬Æýxæ^å«ù!DÕ4¢¸M—¿|›§Ž“=ÿ¶îœ#Qúendstream endobj 598 0 obj << /Type /Page @@ -5075,7 +5073,7 @@ endobj stream xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä0 00Ì ÝÝÝÝ’‚R"‚´t ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü ¬‡¹rðpr‹ t´P(ÐWç…C­fL9g0ЇÉ]Á¢#°5@ ðòxDDD0rp'/gˆ­+€ù‘ƒ…ý_–ß.+¯ ‘.[€ññà …;9‚a®ÿã@=0àjØ@ `€œ–¶‰Š¦€YIÓ †P€¶›¨C@`˜ ˜`w@ÿ:@p˜5ä÷Õ\8¹d\@€‹y {‚ÀN¿!v€ØÙââòø €¸l0×ǸÂêfý[À£ÝþG“3üÑÃñ{$Ó†»¸º€œ!N®€Ç¬ÚòŠétµºþÎíy„p›GOk8Èí÷•þ`4¨+s¸‚=]粬!.NP ×cîG2'gÈn.˜í¿°œÁ¶@gk(ØÅå‘æ‘ûwuþuOÀ¹=ÐÉ êõ'þÇëŸ ®.`¨ '&ïcNëcn[ “ë÷¨¨Àlàî¿ìÖnNÿÀÜÁÎ -Äü{fXE­á0¨ÀlƒÉ¥ w}L `þŸu™ó?×äÿ@‹ÿ# þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù €¸(B<ÁÖÚWÀ}¬Ô»Ìì …ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.cY}Y¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:# ¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4 +Äü{fXE­á0¨ÀlƒÉ¥ w}L `þŸu™ó?×äÿ@‹ÿ# þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù €¸(B<ÁÖÚWÀ}¬Ô»Ìì …ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.CyMY¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:# ¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4 0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì a.ÌÁAb¡ö™9Y® Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"› rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý %õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3 @@ -5098,7 +5096,7 @@ $O t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐ oQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ ¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ° gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd ÞyŠGÝ ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’ ¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý @¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š” ™v_Å [ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y ê<‹ý¹uÓ Z/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§ Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í; ¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.òY[a-³ZyÏ•px9ÝØÜ>穾„»*|,4°ç Žð=Ï añŽ©{ZwLVqžCÅo, H;ç_7Gg[åGx d½DŽ…*~ÂJSÛ/ *ûÎÔF‹µëújQ‹jw Ý]_-Òq;Œ,1t³õ2ߥÆíËòê{:Ö§Ùo$<×ð¬žôôJ©Àëóüλì„b›F=ÍçåcT”u;ÐuË›÷#³»Z1q“ÒYÖgHŠ^fiyv|‰¢,PkŠA±¢FH£s^…EËRôƇnQWEÛt%Ú·y3™{æÈŒõFbKã<%Æ)â"-L+{墒zS'“#é²ÊòZÃ+•÷U­Á׎#Ç©ÃCcæHŸ,êä;÷=íÏô .óYäg:¯jÔn¹¶Æô×êS:c¤¬UºW¹Þ/Ëf¹ŠšcO¥ÛøŒM¯lD‰Á¦9²ú:­ÈùÈßÛ˜ìÑËr6½õx§ç±2ú]úS¹‘ p7O¼,j1îöÐËÚ{ž$ªS7O–xYŽróæs÷â»ì(è˜Ýš‹ÏD‚@§­Y#žC²L%¯íáž›1A•Ã¸©3¾~M+ÖAîDí>¤¶¯cãµã-Nˆ¥”ûÚÔß ÄÖtzâ"¹tãØ'>(˜“”hSðÕœM]ˆÎÛ…0ìŽ ñâSPÓKD³—dOj nÌó®|KHtÞ‘Ñ+㢟S'÷@6„iõ“¨C,÷ág3B½žpÖáΡÄêφÖÑn‰Ü;ɦc“ _7T,Q1çTiHøBÕWL8­¡¾  ,œ²£.±ß u2†)¶=–Oš ¹ÿêÚ´­Ùê², Aq¨¿râ^T!1í¢ëç2)áN\§‹¬‚)æÄËR…Ëbž÷ž6Cb5ü´çêÞ›Ô;ð¶¹mH“üÅL¸^Ȭü¤Ý¸Ê {>«m@Ë›ðzéN‹›´×»ÔÌÃBÿ]¬—š@)õp[jÊâá…6붡²BSHQøר.öØ«N÷Ž`ðG¿§zŽ^n)?ìû±«892ÉÿxÈÌÄ÷Ù%¼­Ø3ÕÎZJðô]\ÿ^¸Äé„SXA㣅¸r}[(â0Ò@¥elöÉmi¶ö­EWÕ9úQѲ´ˆC¶Û¯µAñ=°g>MF{Q’= †*Ëk¨+™×Øõµk¤i@ïħÕW:x<›ó"Í}<=<²šC½Q¤4Æð÷i©UµSöA-ÒiMÛk×qnñÔÆèO“¦R<)D¾€÷/ÇT#î¡ÍM© Æ$ÖžåÔ3³Ð¿Á¢\ç{Uª÷Þ<UW=ˆ$®&<ƒªZ€0óØÒgÒR*¹ÉÒO¦1‘'£ùŽŠj*5wË-·‰ûùT j4ÝióÍu``òh߯µ“K…ݻʔÑk‡‡A›”ôÈÔDôìtk¯ö2ÅÛö÷ú—¨§$ÌöZ¥ï@Î^ùÝêõ^E~§”Üúí¨u4߉<*ôŽ±§¸KJßùy/žn•C*}…ÃåLgI£J·8jŽ[“Þ³ ”ØT7%JÈOïä,Á!ØžÈ+ÌÁ¯f—ÉȘs‡h`Úq¢O”1£<ƒ3(©dØOfBOŸ º'"p=Q£B¿âäpJ}ÝØü™ŸZ®¤!p{òëÈa}÷qÑ¥³äƒ£DKXôžòxÇ(žÏÑã ©¨“{ÏçÉšj¿dqX·ã·ŸP¦Üv£ä£Ï€³i¬¾AÕ;³@øyŠ*œoLœOœÕøë…ú¾›ºxOÛÝËc -@YšUʳªø;žBiäMÖð.•\rž;ùU´¾Rø'î…ç)眄š˜ …@ƒi/_ A®ÉéÙêr«0áFx<×Er;¾zÇ´UÏšøSÂö²Ù„.¥mô÷Œhâæ¨É2Ø’ç/{I;õŠjÑm÷¬ -*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû ΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt ]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ  tv…;0ÿüÚõ¦endstream +*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû ΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt ]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ  tv…;0ÿ„õ˜endstream endobj 1163 0 obj << /Type /Font @@ -5107,14 +5105,14 @@ endobj /FirstChar 67 /LastChar 85 /Widths 1321 0 R -/BaseFont /XYEBTB+URWPalladioL-Bold-Slant_167 +/BaseFont /VQDNBE+URWPalladioL-Bold-Slant_167 /FontDescriptor 1161 0 R >> endobj 1161 0 obj << /Ascent 708 /CapHeight 672 /Descent -266 -/FontName /XYEBTB+URWPalladioL-Bold-Slant_167 +/FontName /VQDNBE+URWPalladioL-Bold-Slant_167 /ItalicAngle -9 /StemV 123 /XHeight 471 @@ -5130,21 +5128,23 @@ endobj /Length1 771 /Length2 1151 /Length3 532 -/Length 1711 +/Length 1712 /Filter /FlateDecode >> stream -xÚíRiTSבª¡¬2©¤j=,Œ)In4„„†9B £ soÈ-ɽôrIˆ8P¡*Ë"6ºd¥Âª"P”ZbZÀ‰´ŠP²©Z§^°®®ÒŸïýzëóçìogïï|g3\"¤"߀ãé± !HÄPg‡Æ`ˆŒDq,PF"B ž`¥F¸Ë‡/ä-òø4ÀÓtš¢$[s‚Ä"5B r$2R‰¨©r™ -Hq9Š:©T`íÄt°IGˆ fÑ À¨œ£±'4‰1øo`X“ö6•é”(à6)“ (‘0Ž©tF4ö*œê†PZþ²¦Ö¨T«dê‰ò“Ný+/S£*Ý_ \¦!Hp!°©Ôä8 £õÔ¬˜”©P¹KQ!ÀZÎâ,ƒ£éÁ¨#PR® -™*™Ä žª„òoR;”AocJyŠ ZDN3ÝÀåÞ[>Þ{j[MNPUçQkfú|Ãá-í綞4x³†z½®?F"üa¿Õþcô˜]ÉpØWlXÁ룟eõRöÖ{£­³bŸtÆùPBÒ´Kem­ï©l¿kZhNktð“ëÓ;ç¬ëÂïAüJúpÁôš›7^>ÎIÝØÑg²ùv,¡%–߃Dÿz§èÊøý¼ -7U_š›°ï©ã+½õvwê-[ƒ °LbuÝàób‡©UôwРý© M±¥‚•RáÌùž×¢Ë Àâ}C¬osS˜ä÷™]LÁ€‹áÝnq^vIhŒ8jdÞÑ -yÍ<•OH5Ý©o]×¢öÅ.ä›ë×ä9¤Öwr}Š¡´Æ=ŒµÉc/,Ú1ýIâóç½Ï^Ò[Èõ.ÎǧŸ{í÷Ëpsb¶sèÖW?3ºÄÉ”_Ü%E~¡½6+ -ÛÔ?øõg5J@¬àz®Ó#Ÿ¹š¸´{Â1õÞò%ëÜ¿n2îNÒZâ.bõW>üíbKá~nRp@|oò™È›î—jÎW:ÖæOO46W-jš‰÷ øÏuñuœï=ÛN”`Žʦ ÝÚ¢ûʳY¼ñ±Ç„žº_xþXel>ì¹ Çzpó¼Ô¬û‘Kõ^¿[ «MÖuzÕž0~?gÉ^82ËcÍÞÔc5a5ÛÔºG‚Y{Ž -êBVåYgŸˆš¾S”E Î-lãÓ¥Ì6Æú˵H»¢ˆç•É,"ÎïLK+F`æãcú î™ÕëyÞ )¯º}¯=X­ßµñÁ£›Ël_OÚô÷ èiAŸ–ä¼Þ2Ò¢±±jj7awn߇ -6Ÿ=h¯qõ‰ýj±o ½îü/£+Öxpí‘zŽ*νÀ²œ7Wªk°“ù’¿,ÅÍäl”8~+~âŒ›Ó -·“ŒC/OT•D³sÌ=+Nzºá£•BLºX|JµÔbÚíé£KœÍO‰M®†òÊwÂ~·*"ÖTŒûÜé×ä:^.èøùô2‰Bò:^º'y®"S§íœ“ÙÔU:Ï®\àá¶åôjýçÜ/N6n²˜C¬GÀßX*Û·]s¼m«†6Ç´ÜgGb;ò¬ÞÍ.XI§‚.®Õî« -5÷Ùq13êý|ã·hçÒ ’W–qÑuƒí–e ‡¸B‡Fyc}áî •Å¶E«ˆÒÈ1XT} ånPOhÖ3¿ïރ߱Yô8挡 ÿ¹YÙ{Ú«¼X`µV ¸+›/ä­òøÆ2ô8’¦"€W0}’Ä" Œ# +9 +¤rBkÈ +¹È0z&©Õ`ýäL°΄ñ,bR8! +l„Ó”šÔ$A•à¿…!mÆ»TŒg’¢€×”L: EBªÖVRXk1²LjùoÈš^lÀRÙ™“è[€ Xi“³Gº7‰ýõiAA˜ÎÀXÁ .lÅ^é ø¤Aïb%Bz +Ã:XA±ÜÄ~[?Ýwz{mž¸ºë˜==s¡éÈÖŽóÛN™ü˜Ã}~.×ñ¦Ÿ¢à~sÞæü)rÜ©t$â¤äõSO‹rÌk[¯³ÙÑ^¹_6ë¡b8)eÆåòö¶4wܳ,¶f4y?üÙóÙݬóöõkîsøUÔ‘¢™µ·n¾z’—¾©³ßâð5ä9TJI.?³f/óÏ»ÅW'„aÕ˜¥æòü¤ýÏ\_[¨mwzÒo;šÆr©Ý “ÿË9lºN9ÐIáH_l‰+¬– g/ô¹Sa6ú{˜âZš#¤¿Îì¦ =Lï÷H +rKÃc%Ñ£ ŽUº(j¨ýÃj¨¶pC[B«&½XhmXWà’ÞÐÅõ/ád4í¥­OEûmÉΙO“_¼è{þÆHm}¨0xظŸ˜ëí{ 0ËË{˜ÞÁ¦Ú_ûÂì/W}u†÷9¬2¶kþ8Ó2&q‚ùn7~áiáRî Ç5û*þ&Mðþ¶Ù¼'I¬³Ä_B?¨zô¯K­ÆÜ”ÐàľԳQ·¼/×5^¨q­+œ™ln ­^Ò<ë šïàºÐo®“(ÉT»,{tÅTçr\xã‹Ž }ö¼ôú©4ÚÜ4rÄgQžýЖ默¢–|µ;Q—ªïò­;iþqÞ²}PTcݾôãµµÛ5úÇ‚9{ qì*rÎ=5ÿ ,Ç‹A½WĦgËéí´ WêNÅ‘/ªR™x|àÙÖ6G­'Æ YܳŸlàù%¥½î 8²þPa÷¦‡o­\´cEè0Ð;( fˆ?/Í{³u´7Lëà,nîH´ ÷Ž™îüØ·œ;ä¬õôûfi@+µþÂ?ÆV­cp•Q¶:Þ»Èv`‚µTiêÜh›õr<ÍËân–º~/yꎚ[2ŒÛC ÚáW'«KcXyÖÞU§|<ˆ5cUBT¶TrZ½ÜfÆ™cOJÝ­Ïðͯ…ó+vA·+#F+'üïvOhó]¯Œuþrf…T)}“(Û›:_™­×uÍËnî.[àT¡ fxm=ó‰áKîW§M›mæák%‘Ðw¶ªŽí×]¯†Ç8j8[b:îó£qvïç­¦R?CKëÇtûëÃˬýGw^ÊŽþ°Ð|×+ƽL\úÚ6>¦~¨Ã¶<é0WèÒ¤hj0î¹XUâøqŒ:/‹*P´ßNÙ²zXZßxb·ÃÎ!UNI÷Ü–Y wnþÙíñ²,Yå× çùY1çByýs¾÷\\¬" ”Ü“CÅ⚃i÷Ľá9ÏøzÏ>dtɓس¦¢ÂVUßߊÉð•.Ñ­¶=´ºnusMYáéÜZ— ï…9î¸"¼æä¿»£¤ƒ÷Yû8uñòuâ©ånßêS‹9!=ÆGa­k²!ôH+⸶¯É¥=™Ÿ/* ê¾±kD•ÒØy½<ÿ4ZÖHh¯Þ?‡Ï +hŸ…/ØͺÿÑÕøÏ¿K­áŽ]·&_ëýrtÝNþKK2‹ž\Ì«zxó,ŸfG.¨¦Ö °ÿÃEùÿ‰ +5,Ç L#ÇÓ)ÿjVŒÓendstream endobj 1138 0 obj << /Type /Font @@ -5153,14 +5153,14 @@ endobj /FirstChar 60 /LastChar 62 /Widths 1323 0 R -/BaseFont /LGOXXV+CMMI10 +/BaseFont /ZWIXZW+CMMI10 /FontDescriptor 1136 0 R >> endobj 1136 0 obj << /Ascent 694 /CapHeight 683 /Descent -194 -/FontName /LGOXXV+CMMI10 +/FontName /ZWIXZW+CMMI10 /ItalicAngle -14.04 /StemV 72 /XHeight 431 @@ -5184,34 +5184,33 @@ endobj /Filter /FlateDecode >> stream -xÚíwgPTݶ-’$)¹ɱ‰’sRr Bw M7t7QrF$Y’’sF%GÉAr’¬ QÌC¿{ιõ½óëÞóëÕÛU»j¯9çsÌ9æZU›•IGŸWŒ°¨ àh^ Ÿ€@ êdãŠÒ·†kð* ``À­Q„€•U ±FCp%k4D`” €  (..NÀ -PD8{"¡vöh‡¡ž'77Ï¿,¿C6žÿðÜîDAíà¶Û7 áì£o!þÇõ!Ú°… Emu-U‡ª–!@‡ ­aWЀ‚ p„`‹@`-  ý]ŠïK° œ! èí6ˆâüÛÅp†  (Ôí7ŠØ!­áèÛ (sÿ&pk·Eü!äŒDÜF8ÝúnÁt(4 -„„:£·Yu”Tþ≶·Fÿ΂޺ÛÛH0äú»¤?¾[˜[/Ú -GÐôï\6Šr†Y{Þæ¾sFBÿÐpEAávÿbÀ@B쬑`…º…¹ÅþÝÕ øoÕ[;;Ã<ÿìFü‰ú'(Ùòos‚з¹í pþ߃¢·E€ÙÁ®Îÿð¹AÄñ{f8oIXƒp˜' ±%à×B oS8þg*óýçDþHüø?"ïÿNÜ¿kôßñÿö<ÿZÅÓ²vº€¿.Àí ƒh~ß1ÿW¬µæùo¢ÿhù‹á¿QG[߶Anw+…ŸÀ_F(Jêë@Ñ {€­5ì¶Gì†p0 ƒÂ!·Zþi#€("ò7Ÿ=äÿÝtQñ?.üwæ·òüáÍo¬-obbÈý÷ÛôO”έêhOç[bÿU‡&üÏÅo „à/PLÀ+$ v{Ø„âÂâ>ÿ&ß à¿ÖšÖh$Ô`v[´ðOéÿõþkeñ7e8þ='úhk8øv´þiøí¹"‘·Šþ9í·%ÿcýgÈ!ˆ`f’ vHNKAWqʶQÔ‹½ %lSQgë_tõ,ß_âÐ}BâíýâôgqËñ§xtâ|Ïô¦*†ò#i YEî÷m¶ø­_'ì}=Ý]-wÛÖh¹3cðY%Ý°‰Ù"ý]2ieM ‹_¼²yŒï,Kh m3äZ˜> ª]˜nâWf_lWBê/Ô.,ç~`f¿kõÐîò›}—hš¥]½x“h›òHní§í`´¬ot»ú“]ÿ•/µ÷¡4ÇûEOøW*„“¿tLï.8\ÍÄùPa=Ì×áŸËw>Rûæií€t9~œ*ų$”û¢p€,{ñ·xÌSÇš±ø\¿`[_?éëµáo£ïÝÞ!£Êj™ù‰ }ÑUƒÛ¿X/>;Sf‡Gнs̘~¯ÐY\ùáèÈíýä*ÃA¯ˆæ’¿x?༸_x&õ -ŠªÄixW´Z&WÈÈÈ}ßО&½OèÔ•£/•Ó¾FB&0ÓOrÔ¯—ˆ‹ú”† œW3 ÷ÙÌ2ü Yú=¸ÛNÌÏI;ÀªÑÔ¤`ŽÅ-Iy—X~–âækõdðn¾éoÀä‰Sõ*ñÒ ÏŸ:ü˜.åDœ~üÂ/.ÒÉÝÁpŒ;†[ƒ•iÜÛÁïìXB²Ð‡ ¬6~‘:æöчƋ£eÃ<¡?ÃÛãÔ ðQ.‰çõ¥ Ð’“ûÔš»¬T‰i9¸wVfP -ß(¼>éSeè+Œ£4K¨‘Œ„‚J‚½SYõºÊ²¿0"s_tFãweú§³râ&¥.#9N39K$5ç<Þ‡KÆ!‡„³È -¸[ëêäW_âG ·tÝUjÔ.¹ÊðZN(OéùÝ/üóøÚèí¦ éÄ`佫JK‹š\ #Lò$šZoüŸ|SÿôZ a ˆ×7ü쀔ueL]üþSÇa£T,Ê.~©ìí¡$mY/ÅÊøÛ‰H&4™¬ÚËQ~#Bi¸Ä`L29\:[‹µÄçyµ? ¹Ï™6¯¤ÈLuƒÕá׬4åDœPÑt‹%\ûº×2îß^¶ŸéÙ#äµ,ÆÚ,,fuæ*K%r[ à–µËŠK“4u’g¶F€ù• eÂDž…‡ì8xŠküª" ŸöÑ*¸úÚÙ¦ÉüÙÎ2Áãyó+Ft¨qàà§{yÓ»¢Ì,Î3³À˜p°;3ÖÑ ¯v9½…¼‰œÃ¡`Ž™>˜ŸtXió6s½‚hžÆý”jF)\_ëSd|Tnpæ¶Íz€–‡PCZô†¼c dv¡d11.®)kjêP—ºšEÕÄkzDLf8xlS‰<Û»ÒœSüYýèã;FSاè ÊÃ}öe¦wkwùÆt>ô’ÄŸYñ?¹Æs‹RŠê´Ëü:Mßñ-<æƒb1Ü´ŽÕˆa6[I×Ðm˜Ïb`cÇÜE:¹¢ðÙ:il­‰¶Œ¯HÿFQ¢È‰ŒP—‰óYAª* Þ¶Ò}òÞÖV7¥™ÄB¯úÜ´îÅdÔv {·y»_›1ÒrH#¾D}:Ð×M‡\­å¤hü²—ùÎk7à€˜«ñªÛ34®9•›…žEõKU¬‰iMÚ’<£GŒN5Ž¨L5=ª,¢d¸–‡9*Œõ²îJ—Z®å.¥ÿôÇ,ý@-cO™v”ˆ q=7µÛÂœcšƒ'wNgØÅŽŸj±›Ü“R7¯§ðbQ zœ?R^+\Ùsg\Ú?d{­!ÔßÛØÎDçÏ¡ÊÊ9µ?bF¦F·0zí…š×|HgBãØ“<r;×›¹—Ý10Á`2ß®ðª§EíîŠÊfä5õÓßÓ |½ãŸ«žˆénÂ}lsæhÃ|p”ì²î<ûB'©É%âÄ{£`°°ÚåÒØ]ñßúeùÉ·O–ú€úÉ÷«¦>T\lúßä âvE„‡@uz ÎÇãw -#G;Þ±#AþãœÌo†;?”iÉ|J¼-’ͦ¨µY“ÅgÈ"ÏŸª,wÐèÛöJÔJo_¿×05€?ˆsZ}¹:º IÂ2Ãx/üi¯©ØúDª¥€;Æ•†MÅ`'›…ÁY’êí›UF*д<^¹$a7.ØüSŸP„ú‚³c黌ª¶MØð¤IYËNB"A…ûý¨ì_ïSü1:‚È‚e4ï–%1 µ5¸+ ä‰Ué²ã+qÇïâÀüØÓßô;‘{š5‚²³Â"vÓáXFëw\z$u“¾^©´h¸ŸrÝÔú%c÷X?ß“n¤¬Äd êêí+#ñgââ`ÕÙ:ûy -;ÁbÜ9*švö{8ZóB#\(v²U&ßõc@oY~:¯5Vd~NÍë1©Â½:)ÛøÞuÞòøær™Z1O…41hºR‚?)—']¼úöP<ëxµU³¡<ˆŸF’¸£Yè‹ÜŽ¼Ú@ šú¦+þ'½D›D¸šª% -F¿\-5Åa™éoqC:ä4&×a8 -ãs;4ò®áê±’m-¼N‘qöFÜ°°FeŽöMV|§ûv†‘|P_lM¦#w±È:îÝÊ¡™Þô"÷æA›0“V†&¶yï÷¶”båõ4.A*pÔÛ7é XØ€ëæª:˜Â$•a—ã毬ԿQ‰%¯Ë§|­m\óK( صÀËCñóÊå.ü z>C.,ÉNvvm´—B]{fÛþ÷]B™Ù0kÃÛ¡[jcÌd6Iµž@°Í¢Â«ë)q€sêP¿::L 9iýòºS…´6ÚÈÌ¡G'Žµ÷Ó~ûÎfÄâuå:GŒÒ‘Ñ‚ #*¶šSùGb¯ÓzÛF}€N{Æõ«E}¦Å€‚dåïöº¢.z/Ÿ«¥>[óÍþ8S¯¥bÞ½ƒEu N‘:èV_L/±¸Ü¸ÌMbКàHBcã¿ ÈZY¸`Ô¨­5Ôd¢íË_Õ_ÊOWK\: }z=½JÑ/Nõ’C<ç?ÊyÏ—h÷Ø©”°åqB~€UÔjþtÕÒ¦Œ/€ò´ØF€é¼Ñ}nÿþæþ,M&Ù#æH¢¦ÏX뺳µ®Ì7¦=ß ïœü­Ý{Üf¥ªæ² þž“¯uw­é¤xséŒÆ ïÂå#s±žû8fqî%Î߈>;p„"ß:­+×YJÔ«v$hj»{ÇŽ°~W̳4$ðkÈóy®¥¢“GýÒÆ3½Vù,YnüÚóÕyó¦ˆ÷•¹ö ¿Ùn%øšÃF”öÍ<ûh|—{^£™ì2e6á‚M­AA'Íl·$R¹½@LqÏù³Í|5¥d`\ÂÃbû'q5}šÐul§,žØ‘dWrµ­Ø䤆öAC=:Ý”?ú–Ï€äTËR7̾•sÀ»å(.7ÉÁ᤟n¾«…‡Ñõ8œ2öš_¦SrNéS3$‹\¸žÍ€m¤šZZúßâ0BÎr-žÇ†nÐP/}&è½0廟ñE §êë­›@Œ—ÏÔNø*3¶s`‰#•º²Úï"ÿ¸µÇµÝôF[gÙ4Lµ¤rÒ„%!6ùË -µiÔ€ß<‡óš†Œ9g=>föìÓ›­HÌ»ßÃdqËû¥®{Ç;Vˆî˜ÉpíÄÊdñžsE¶ô%/]Ÿu)/”*0\ZÏÒÅIBàU’8S<]üÅL«"¹™3\Œ÷i‚NºL°ÈLË£ cð+èZæ©À¸³ª}0•¢KÜ5¿†–¯!cŽ?9Ͻ½ »ãå9k„òÐSImÆÃz¡/ôÙ!ªáÀêµÒ*\ÙVmÊà¶I}ß’ÿG¹"É 'Ï(%¼•rÚïß³KGÈ wkXÇÝ0“vÉ—XªƒVß°¦kL0r’¨Ú !BÆ~ˆÓfé¯á|¡œZåî£O «¹sÂ(5Ñÿ:“­qÊ,‘ÅôÔ^£­ð›‡m5Ü7± x%8»$/ÐÇÓ&Û¤Ïû\Ç—û8=7K×ñ¤ÃËž3ýp§zA•!"2N®X²÷@ûƒ{Ñ–8ƳÝ~̘øK1ÝÂíÑoÚ'ÒøH ‹ZrÛ¢;u¤e sÅ”ÐÍH—«rŸ¥Ÿáú)sö<%îY_"tƒ§M-1ŽÛù’ ©Ô25m¨´»æ„°*Šª T-ÍiÁüH°¿°çÆË÷Ø.«dw&¼5¸þuew‘Å’óŠó‘é“+ èÝò3­hÁ¬ó ßLÎÚJóyÈ9’q -®ØúùŽòâÅÓ¢ ²èémšGn¿ü¾ Ùw‚M …“Ñ™)8ˆ‡…tz]=Æ_ «œÓ×dÚ#;nç•Ü8§•v¶÷ÍÔyhøßO¯÷y3ü-î¹%©ð@ê}¾Œeu3õJî¢IGXÈ<Êý¼¶"È:ºxâ3üjW„&âçSØ¤í“ -ÑÚ‘X²V_oÕ`›~Òέ%É|"‡m\R¬… ™C öé¡o»i´³£DmKù#`>ß„šža‘ÛOúòveŠ]bÄ&~jºÁÉVO5÷Ë )ŒŽbŽxæ‰sm-ä]ªdïpm3–›Ê@q ß£¾G¼±õ­#)¸KųéBbEÚ|ˆ[“ë€B?\/Z–îëk¦Z½î^Ô4.íðèÎa«p9§"ö;X>ž*™–dŠï¿ú$<Ø·þôþöÌÇ:Gˆ¢’Âw¢vkr#ÇdÎ{ UVK·` ‹ix©=«ür0 ’že‹¾Zr²ï®<"Š³! ɦU½Ñ:bðskã›ÿÆÄŠàö8X¢,Ræ*iØ–G‹2ÉÓ÷I™Î–§áÏd*äñ{0õˆL\-ƒÍ\»º‡R›±½ñ‹Çì1æL…Î.àœ\c:Ö~sýáãb0½Æ:I÷Uš°=x£Ü) û»ø2x®p_9fÕ<^‚@z`À…÷ìüŠÿ«hy'Nº®¯òr^ìypå*MË‹DŒnF[z5I…Ù¤ªï¦#Ò‘uCѸÌEú‘ Aj)¤ *w°ß®:ž ºÇû©‹Æ?¸i)¯)¦ñ©M÷øP›2nÎÉ%ôjÑPF{fèXæY°ž½ü©Å·6gD«è^ªj±½4쨾Ÿ,Þ(Ry™$zW†{„ÃK -(è¸ï#½°(מ­J¥ÏÙ Š71ˆQ?¶È]‰é„­üì·ºL“Á06Ì¿©OP²¥dvÞ5¬ÐÁ‚ÄÓ °pö¥kï Ẃ; ‡2D7g¢L IæÆ3Ã)ºM! |¼Iì^ÓÖ+¨Ç®ÖéV -äX™à¨ö¸Ÿ4…Ÿ::R9‹8íA¹ó­9‰M ú¸ÖúÆx ‚/$A¡3eC_Ö9}˜^š¼L'_ÉKr}û“3ºþ¤õ$ö1È&›ni”Ç>^ÁШ(/ø¢1k+ù‘Õc.â’uÑ!"C[.7&'4P4—Z³|«ÒÚ.0×¢Àõ:hC0ý‚³9ÞG³¼û ütù'c<‚ÌbÖÆ4è®1·n™‡Ò®×,öI,ÕHû‚åˆ1‰wòÑq8ƒ†ûcš5^MÎNl¶bs;¥LÑýJÂnv̽îÙÏ'‚JÚsé.¿ìDx|iX-èrÄQU:›îäÕ'?ñ}<Èþà¡»×ÆÊƒÄ -í£m:xY—fŽHúj¤mDý®nZE/5I¶×ÌôN#}.u–®ˆ˜ÆMßŘוZ:Ä C¹K,ºóÙ ëŸ g¶Nµ^—~b¸1´ÚWmŠ8°):}ö°œFŽoWÚŸÐBB^jËë8ÊLR,ôðû°åÛV ½Þý¨©®‹ì-gS1KJSw9ýŠr8¶i¦f3àôؼ FÔm›X¯@²Â¼Àœ§jj—JÞ•{ÞÇEe‡ÑÒPƒ‡Aú 3„I;·×±c÷±Ïb|ýÄ™´alC|zŸŽø ÿøPû«žúbäòAî1ËêKç¦BFKJ üX×6¿èý#³ìÁÖ™GL÷°[.¢Ãlοûç(½ ¸iG̸{Oîê`;P2*d{iúª¿½ð¯­ŸïòGW¶úçH°³j……i‡¥ š#:•XiªïãïÜ¥N˜>Œ™ì×V³+Ù£Ê`º/žoFoBb8@©PŽž‚UpÏSå»ò’½„¦x/ŽšÛ?’õ-#eksX.–mœnÆj£ ÜŒÙƉ+B)—ß$ 1"KÐüìLG[´±±Ã,Ç«¾tt£âID×q9êFÂÖ¶ªn;½oüê]×Ô”ê‡ÉêãAñKžÒ÷d -ÐëÕæÈŒ{q³í/T’-EžvxkÛûÔ»‹–`r§7W6’èV…öµõ›W_Œ˜vò£üç½*³–xØúV€›Ñ´ÂëÔ²½ž.¼[>ì {QÓgLÊ7CP¸dÌgjR±zøJÓ„r§_bx(‚ŒfúËÜ=¢5h%©ž d—ÙTŸz¥^ÒY↞?;Â.ïí°¦T’_ì_z'}¹ªv­É=6i¦¹Uy$B¼jœ¥l^ByNê¬$¬¶ ªÛêé1a©¼të¨b戋ÝÔã/…õ`vç;Ɖ¼¢í“»ʇu%?lÙšXã˜êb9ãÄ»%<ŒÊP\hà(qU†¾—4Äõ‡î1J÷ϭпޘ×Ø B[ Æú'ã‚{ÇQùkÑv×ê Ó1’NÊî9n5˜SÜ<<|'±Ûbbñt¤•Ì¨j g´zóM§ÒÛ ŽIÕÊ\ÐÀÉÒ«;mÁ¾ËÏ=uŒ×–ÑÚ§ŸlÊX3¥¦ô½ÅÀ -ñc³#ùÜÂEd<ÅÍ~ðûtdB“¤®«ŸK{D.9¬¼ô-ésÖ­@§è߇¢EßÓϬ;ÎÒªÚÒs`4ì¶îì~Σî‡?]æzÛ-S%GÄO#K¹T’T± ð -:ò»Ãf™×µí@9¸õ%%µqŽïÒŠIl3€‡=0*ç—é7ß&Öbß´Ì©È%_¶º¬•n¢°µŒ÷ÕóC´Ü(Û|x‰„zy2]5«³Æ¸M|Ü,².ˆ6º¦RpŒõLĺ‹NÄb›„)²”‰ïF—çWHUòv DöZ ‡f®"uƒ3duŽi%z"kŠÄcVð˜'¾sii†f'¥€YüH%2üyRè™Í{~xº/ãö¤á^HBË%¶“ðê/™Ð‹d’ëh‘5G¡N©Íwžnº -Uèâ]$ðä^¸ÞDmªÈ< xË™¿3ê[!è•ðÌœ&WÞÎùþ›ºÇVö önf³E| -ÎkkŽAò'¿ë}>G…ŒÊdØ.dÔøIµŒò„é8³ï†WæÙïm+Zñ°£×žÐYôçm9Sñ‰Õe¤³Áê˜Ï~- ‡o¢TÃ<öÍŸlÖö U#™öJS8R0ï‚%, «Ñ@y …Hq_í Ÿ‡„•^sÓ‡+_ã, -ÔÎIÙ™p¼™ý[&¥™’†ØÇ -¶¦‹}ÍMÄU5μÙ¸‚|èkäÝ=4…‚Ž:W–êae0ª¸âæ!–å+D— -ÑË>æxpOnQ¢Vgq速D#%ñi-OÏ!Ž‡0ƒÎMWùDó3g yïühÁèHž;Z$Tk[ -Fî‡ý i¤G%XRp'?õãñ1ËX„õ Ô*lZÖŽŠÃ¿ ¬Õ6I;u\¢äxߧ[JÀµ§*†jYm\†2Oˆ=]1@kîQ`iØnZûÞL£i¿¡U 'ÿ ‹2˜OÑÜ)!¬“+ÞŠ¾ÑæŸô<0“ÂûéÕrSÝm5œkìq {±2`™÷IÍ -£éée…sêõÕÑÝU+ ZÀà 3Û$h$Í0aqÍðU–u“ä˵«Yr²¨¡–Å$¯·RÏÇ‚&=Í—#ʨ½Z^ÃÝ2Ø~07žU”ã=òW,eŽïTüúIØLõWÝ÷¨¹úú·°R’¹•ñ Õ¾ ƒ¨ M8ŽþM±yrp.Ml­Sü!ÀU¤dØ 4O²ü!ó\?4÷(iß‹[Iêq볟K)×92¬[2_zô™ô;3B½ƒY› öz‚ñ‹€¥]+ÄGDúÏ{üÞ˜{^U ,{úÏ–NFÙM¥_bß@h‘ò´Š2­ªp*ÉLå˜@)¿ÓïæF}îòAâ -äbµ½Ã‹°/;û¼¹2<ÔÌŠ› O\ùJ]–kz¢Ì/f 6…6Ò|ÖÊd®~>¢KFkp…!×l^æ!îNŸz§ægóÜ õFRcqh‰¼‡³ìR¾É;CÏ#êBn8cHIì¸ÂEnþËÁÌ€·’땵I‹Õ ±9o¸>Ò‹±È³»6_ãqÔ(}ÑìÍ"u¦þUbà=‰ÞYÌÇœh]e+àn´"Qã¨)š”zÿŽ§L&fm¥®Ÿ§bÏɱ7RÃË$m\íæÐÜkíâü}’{‰S¦P`…—˜“ ÙƹŸ¡h[ÎÒ¼©é¥k•¼¡¬µ½þ7k©æ$Ë®,™–hØglVs“»îjÿ’}±*`/Õ¡¯¹Õ¯o€x²ýöí¯UËóÜ]Ù½XÊÊã›;ušÕÏïzQsžX/é]íÄ©KÔ~½ÆL 9ʼn£”ÐŒŸ8±{Ë~-ôž°ÿ§mñ)— O;»òäÀ1!¨C6Ã}GN¸×èúúLEÜ?i¾ÿ>X"kl~ûŸ5òÜöªŸãWB%çâ‹3nå–; i"éí?N)´¬ ySo.FvñùÈ!Àô¼c†Ñ‡`uèÄAŒ‹æ˜DmU&«¶î’qöÉVøæRÑŸú?•qn¤s0Wƒþ—ÁÿøƒX#Ñ'k¤#Áÿ:…vendstream +xÚíwgPTݶ-’£ IÉ HŽM”(9(9ˆd¡»†¦º›(9#H’,I‰’3’³ä 9IV(Hæ¡ß=çÜúÞùuïùõêíª]µ×œs9æs­ªÍƬ£Ï'FXCTp4_P u´vAé[Á5ø00àÖ(JÈƦˆ„X¡¡¸’" 0‚€J@H” d("œ­)%ˆU¥|–ˆ²v[ñÌQô-óÔ¡j,.Ç7ÈÆÇWæzmøÛè×÷ÈÈ’jc’tÅàö/¶‹ÏNTYaáô¯ÄÒ§?(t–•7¹~˜\e<èÕ\ò“èœõ‹L S¥#_C‘Cå¸uï WKä +˜˜xîÚѦõ Ÿºpö¥ð`ÚUIÊdøJMƒúõðPM©xÀyõXïÍLÃÏ…1 ï}œv¦8.º6†3,)*ùYÊ›¯•“A»¹œ&w¾“&NÕ+$>¦{üÔÀt.½ æòyy‘FáF€£Ý0\ë,Mbß ~çÀ~ }PwÀfí¡cf%xø|q´d˜7äÇ`X{¬z>þ} Ê9á¼öc£ZjrFs—:!5ïÎÊ JáaÀ[ƒ7'}ªŒ}Q ”f1 ’‰HHI¨w*³VWùqø/Œˆœ—QøÀ]ÙþéÌìØIéËp"Γ„ ®b)Í9÷aR±È!‘Lò|îÅÖšùÕxBÅW‘Ã-]8JõÚÅWéžË)# Õ)ƒ€Û¥£_.ƒít½8Œ¢wUIciQ“›q„YžTÓ^ë­ß“oêMoãÇ€ø}ãAÏÈØVÆÔ%î=u6JÁ¢êÎúÔBÚ–YñJ¼D ˜tB“Ù²½å;"œŠGb°Æ$—ã·1_»Orþ€Oëѳà ùìéçaå”)®°ª#‚ª•†ìȃÓjÚn±!âøkßóC—ájf bBèõ»Ëö30CG¸¼–…ýX›¹ù¬îÏeé˼’öÇ2¤ ­á`&åÙPÑgaÁ;ö?‡*ˆÂ¦Ýƒµò¯¾v¶i²|6„³NðzÜüŠª8øéVÚð¾0#“ëÌ4 ÚäÆ‚u4ä̧]Ê`.o,g(”mª ›Ä–[¿ËX/#ž§u;¥žQ +Ó×úÁ™”±m=¤î¯å.\Șõ…1÷Xg™U UóœÏ„-%e¨¿K]Í<œzâ ":# <¶©Dží]iÎ.ú¬~ôé=“ ¬)*êpGŸc™ùýÿ£Nc/iÜ™¥À“k|×H¥ÈNÛŒ¯Ó ßÂòf‹à u¬z ÓÙrúºnÃÓ˜Aã™Q»šë™W¾RÅš˜Ö¤{)Å;z”þÐèäa³áˆÊTÃÃZÀ"J–Çy˜Ó¾ì¹žB&ŽÌÇC‹µœ¥´Ÿî˜idí¨R´.ç&â[˜SâÌsðÄóÎétÛ˜ñS-ã»Òêfµ”ž¬*CòFJ«E*3zîŒËøoo£³4„û{ëÛ™éýxÃUÙ¸¦öGLÉÕèF¯=Qóšè©Ã`œ{RÇ®çz3w³:&ŸO5eVøW_tªÙ–"¸]—Iùîeˆ÷¢ìˆÓ”_œEw .}I¤óXÚ)*O…Q‡ËR3FÂÞk\G×Ëà¼c«…5ÔY5ÎÈHuÆ$"¢l=YdrÀ¯Kì®JÍË” ‰…åF~ѵ²{SæCwS]I‹­1+æb½qq­…Ù£&äå(+>x¾Í0{²¹3þ`–QŽ‰MÚ|JT5ü +‰- n­ ô–ýv5€_9-f‹#Jô8=·¡Ÿá®nÀè¿xXåD8Hwî]g“=Gê«d›yçÙz)MnQG¾ƒ…Õ.çúî²—V¯JO¾5¥×[êj'?¬šxSs³ë“3ˆÝSŠÕè:ÙkÜ)ˆíxKÌù]Œs±¼îl,Ñ’mJ¸-|œEYm3³öžþxñTe¹ƒVߦW²º@fûúƒ†‰ü~¬ãê«ÕÑeHšD –)Æ‘¦½†"«k™–¶?Þw*65·¿íãŒH ®¢à/ŸÌ2Á†åñò%IÛq¡æŸúD¢tЗ\KßeUµ­C‡'KZvâË(ÝîEfýúì‡ÑH$«‰S’È,ÜÖ0â¦4K,^¡ËA Ä·‹ óåH{ÛïHìiÖÌDRΊˆÚN‡a­ßqî‘ÒMüz¥Ò¢5âB2~Ê}S후Ôc.r?lO¸‘¼Ž>¨©µ+ ˜±gŒM8ˆ…Uféìç*ì^Šód«hÚ¦ÛíájÍ p£88ÉW™}zÔ½%yi|VXyÙUoƤ öj§lâz×ýøJ_˜Éu¤ghE?ÖÄ íRHjR.M¼xýíDæñ:[«f]i ­IG³p«ÜŽ¼Ú@€šú¦+î'ƒd›d˜šª +Æ°\%=%aéoqEÚg×'Õa8 +/ðØ×ó­á鱑o.¼I–uò†ß°²EfŒöM–}§ÿv†‘tP[dE®#w±È2îÕÊ©™Öð2çæ~›?³Vº&¶Yï÷¶ä"åõTn!jpä»·YÙëfœª:˜"„¤å¡—ãf¯-Õ¿Q‹'­Ë“$­®\ó/öß5ÇËE ðÉå,ü |1C!"ÅA~vm´—LS}fÓþûCR™Å0sÃË>[zcÌx6Qµ–@¸ÍªÂ§ë!y€{j_»:2Ì€ =iýò¦S…¬:ÊÈÔ¾G'–­·i¿}g³Jrñºü>½µÆÇ‘Ñü NY#jöªSù‡âoR{ÛF}ꀎzÆõ+ż§ÅBä¥ï÷º"/z/_¨¥<[óÉú4S«©bÙ½ƒEy N™2èV_L+6¿Ü¸LIdÔšàLDc¼òÏ\U°` Ô¨®6Ôd¦ëË[Õ_ÎKSKX: }z=µJÙ/Aý’ C¼8ÊþÀŸ`ûÈñ#QË9â„:îü«°Õì骅u ¿?Õi‘µ óy½ÛÜþ½Íý+Xªl’{ô‘dUßs­ëÎÖþ5úŸèö&éË +Iä€ï<;§Óš†¬W-fÖìÓ—›­HLœïa?2yäý†ÇRÖ½âÊÄvLe¹wbd3ùι#Zú’–®Ïº†HÆ”I>*°ø_ZÍ2|ÅMDà—“:Q>YüÅB§,µ™=\„ß4ÁHcY&ò_d ¢ãU5øx-ûTpÜÉÕ>˜BÙ%a‡š_CËWQ¼5#˜œçÙ^x¼ãé1k„r×SIiÆÇz©/üÙ>²îÀòÒ*\ÙFmÊà¶qmß’ß'¹BA© GH%Aü•Rºïß³>ŽPíV±»b&îR,±V®¾%aKÓ˜`$â"Uµ0Bý ËÔ_Ãý:C5µþÚÍ[Ÿ +V=sÂ$=Ñÿ&ƒ½~žŸÊ"™ÉüÔ^¥­ð›—}5€Â'±x-4»$/ÐÇ×&ßdÈý\ßû4=7Kßñ¤ÃËŽ+íp§rA•1<"V®Hª÷@»Ñˆ#•xKãÙn?ftÜ¥¸nÁöèŒÝ™ûüd†…-9mQ:2 sÄ•ÐÍHç«R寧aúÉsvœ¼Ån™_Âuƒ„¦MÌ2ÛúP«T37l¨´»äå³(Š© V,ÍiÁ|I±¿päÄÉ÷Ø,«duÆ¿3¸þue{žÉšýšë¡É“+I(Né™V„pÖiÐw&{m¥ù<øÉ4W hý|Gy ñòiáyÔô6íC×_¾_†ì:Á&†ÃÈéMì%Bƒ;=¯¬„–Ïék2ï‘·óImœÓI ;ÛûfjÜ5üî¥Õz¿þû‚Ld õ!OÖ‚²¼™Àz-wÑ #¢'dåyQ]h] 8ñ~=‡'Jþó)lÒæI™XõHŒ;y«—juY×Ö’T±ý6ÖB ì¡»­$ÇtcÈÛÃnZí¬H1›á0ïo ϰ(ì&}øº2OÅ/1bšnp³ÔSÌ|Ærƒ ¢"YŸyà^[ {}T²³¿¶ËI a¤¼ð×ïQß#ÙØ üÖ‘Ü¥æÝt&µ$k>īʆõ‡C¡×‹÷õ‚4S,ßt/j>/ípïÎf/s>g"ö;X?*™gHì¿ lì[zo{æSàCÄqqÁ{1Û5¹Oc²ç¼„Ë+eZ0 E´|4¾Ù˜‰Ï²Ä^/¹Ûu— ÇZ“gÑ©Þh1úº¶ñÏcf#ðw}¤GY!{•8lëE•èáó¤DgK’Ëð‹G5òxŠ#ˆfD6¶šÑzH®ÝÝC¥ÍÔ^ÿÅ}ös¦Lç7pN®> k¿¹öðQ˜Ac4ç*UļQêèßý]b<][.':;$@,‡F³t«ÜÊ6 Ç<ßå:hMï?ý‚»9ÞG»¼û ütù7}<œÜ|ÖÚ$ç9n¹»Ò®ç,öI õHû‚ÅÈsnR¯¤£ã0F ·G´k|~š\?Øm0Äç¶JbûåDݘ{ÁݳŸO‹Ûsè/¿ûï„»©[ÍïrÀUS<›îäÓ§8ñy4Èqÿ›çÆÊý„2í£^mzxI—f¶°hÚª?¤mDG7µ¬—†4Ësfz§ž!‡&S OT\ã¦ïÇbô›r-’º¡œ%VÝù¬ էϊD3['LZo>61ÞZî«6„XžÞ}PJ+Ç¿+ãGd.©ÇÿhÃç0ÊBZ$üàû°+Õ»V ƒÞ½Èh鮋¬-'q *79ý²R8¶I†f3àôØ,¿JÌu›D?_ªÌܬ€ÐŒ·bj—JÑ•sÞËMå€ÑÑÒ€‡AúŒ3D‰ŸÙ“´×p`÷±Ëdzóĉ¬nlCbzŸŽhÔt¨ýUO}±ry?瀄›uõ•SC­~¬k“Wøá¡é ö`ë‚ì#æ»ØÏ[.¢B­Ï¿ûe+½ó¿iG̸yMîê`ÛS1)ägyjú¨¿»ð«®ïòC—·úeKr°’i…†j‡&£šÃ;•Øh+ïìàˆÑÄOƽJòm«Ú•êÇUe4YÈ“È3e° &5 †”)GÍ ÃʸŽç©óœ ùÉ_A“½GÍì>ö)!co³_.z\?ÝŒÕF°+½[ˆR.½IfB£8˜¶èbb†Y;W}è%éGý%‰¯c?qÖŒ„®mUÜvzÿùë÷]SSªœÆ«%f,{>~ W€^¯6G¤ß ˆ=˜íl¯©’d!ú´ÃKÛλÖM¬“'­¹¼žÂˆP·"¤¯­ß¬òbĤSå7ïYž¹ÄËÞï¿ܬ¢Y§yÜëá¼Á·åÍQ·ù)UñùŒqéf# +œåLM:F@išHîôK4/e ÑLß#Yœ#:ƒVÒÊÙ¦qÙMõ™¡×êÅÅ®èù³#ìÒÞ. ›a*%ùÅþ¥÷2—«jךU4­ýÇi½¥–%"+¯câÅÍÄ!11˜žwH7j R‡ND;kŽIVWd°‰cë.=Ï:Ù +{ËòQì§þOeÜ™lÌÕ ÁÿåCøÿþŸÁ VH4ÂÑ +é@øcíveendstream endobj 971 0 obj << /Type /Font @@ -5220,14 +5219,14 @@ endobj /FirstChar 36 /LastChar 121 /Widths 1324 0 R -/BaseFont /XOAYYU+NimbusSanL-Bold +/BaseFont /COFMNT+NimbusSanL-Bold /FontDescriptor 969 0 R >> endobj 969 0 obj << /Ascent 722 /CapHeight 722 /Descent -217 -/FontName /XOAYYU+NimbusSanL-Bold +/FontName /COFMNT+NimbusSanL-Bold /ItalicAngle 0 /StemV 141 /XHeight 532 @@ -5251,8 +5250,7 @@ x ù¸9ž×@®¿ U(ÄÎÁ  †¡¶ûgJÊÁÜÅlÓpqt´…€Aê`g¨9ØY`ñ\ÙfH:8z@!–V0£–ºÎff–!üüü3¿€Øbi ^¸‚mÿÈô,! ¶CŸ‹ý«ja* ‚ÀþhÀhƒ9 °³;Z˜‚Ÿ16g 6{0ŒýÍs¡Òö I»?œÑþðL -›?7åÁþwßlìÜì½þ¶€Øƒþl äâÈ®eqrËKýOð3„ö/Ì p9ü@NØ v7·bÿ#¥¦‡#øO’ãØÔäãåèà°0µuû@,ÀÏ4/gSW0uûxýïÄ¿ïÐ88 ˆ9 `¶|>†©?Ã`‹ì•MaPˆ;à= äÿøþseø|  {[…«˜Úì -Új’ÚêÌïýŸQÏ’¬¼o¬œ|ÜÏ“ò¬ÈÏÍõwÅzñ—¢ª¦ÿ©ø/Iy{ ÿ?Úyöñ¯–\ÁPççÙ0þ9Æoÿ®¯âƒ˜ƒŒÿ 7ðyjž/ÿu¤þÿ¯ƒõ÷2.¶¶ºÂø;Ï~8”8bk +›?7åÁþwßlìÜì½þ¶€Øƒþl äâÈ®eqrËKýOð3„ö/Ì p9ü@NØ v7·bÿ#¥¦‡#øO’ãØÔäãåèà°0µuû@,ÀÏ4/gSW0uûxýïÄ¿ïÐ88 ˆ9 `¶|>†©?Ã`‹ì•MaPˆ;à= äÿøþseø|  {[…«˜ÚìšâújÌïýŸQÏ’¬¼o¬œ|ÜÏ“ò¬ÈÏÍõwÅzñ—¢ª¦ÿ©ø/Iy{ ÿ?Úyöñ¯–\ÁPççÙ0þ9Æoÿ®¯âƒ˜ƒŒÿ 7ðyjž/ÿu¤þÿ¯ƒõ÷2.¶¶ºÂø;Ï~8”8bk ýpS;ˆ­Ç¹áï:àLÿÿAGfj 1··´ý§Mgˆ;¤ ™[ýc\þrôçsVup†üñ$X9¸9þÆiZAÌmìÁÎÎÏgñ'¶ý-¥´½¹bo Ѐ=O¥)ôOàÚÜ }¶çÏz¾÷¯½ä¹@0ØlŽ¶4ï`.d]ÔvS%Nêƺ=ÎÕË£uõäBù-ÚöÅ&| @@ -5290,7 +5288,7 @@ N16ȉ Áí!Ù‚m vžÊÜ1|úNÄîîÙüé ÉÔÝ¢Å,(7Çy$‰ÝS]æYÁÒ?À’/8#ÙÏÌñ¹Š6žvvdR6&Ûÿµít¤»Ò%šï=dË]¾¥-,¾µ‹XmI·§—ð`dã I¦&@ÎÕ cÿ.i¥gYñ‚OËà û%UîË´7’¤¯ý'ÉkÕåue¬£r‚÷Ç)ÚJ~\ë³³sqŒLÏ{KKQøvOÈÄï.BRœ,£­6ëM‹ñŒ¦ÒOÔéìœjªjL/I¯üi¯IRÒÜÛÉ4Þx¸’ô»¨t.ô›7É w^ÑØ=ˆˆêÞ®'ÔMò(¾ËqçAÏnû˜Õ<&hŠ\©Å{¡gz :-Õ« ‰+ï—Û¿hů–Ë’¹u¡ ½[ð®Ù©m8:y‹pU72_ò-|g$e™.¤Fo Â¯êŠ~8¼´ˆgjtÆ:ºHNÆÉ䓸j2›¬¡gŒ·WEhíŒh×zSL7qòÃËÍ”¾GEYA|µ,ƒ Ø'Ù×È*f²¦=ÇЋu¹¡Bn½x)þ“sìbµ¥¥¤Ü/©¹QsÏ?½u7ÓdšbÛk9cµª§·­oXaY²mÞí4G¯eŸ-M ³MGé®d0ûÐ`8WÔ=Ý+w}`ï.®áãb“)éaõ ¼y±ö¦äYÇò”·b}5gwø4í®ÔVÀŒ× |X‘Å눈qñã³L¤®&<…+÷+Sùb µÇ[ñnX‘¥BFú³×ßhKmÊ»‹Q½WíÉ/>i§¿RPßUܤè3¬oÄFÊúÑv~=M‰h^"vÝ_ÝÍ^ÕçÞU°nëRarïŒAV0Ç`ɨ'lµÍv»\Åÿ‚„GÑ^ÔŒKVP×çl"ûXykÛ¸ͳÞíCÂÛßyæ æªùE»xj'ï ™îò¬‘2šèY…,±Æ;®‡ Û`’oEdÑë9jÏ4‘¿¬"žr°™µ¶Öò£=XT÷^Š>åNbd®ê€ïA5º`,q=ßþÕaU£ïú:×-õôŽå½(InO-ÑŒÑZfƒùˆÐf› Ìà¤O‡¡æK›ºtƒÕÞa{,|Aҥו-F­g©ji¼Ô9/ƒT´ž›·%Z‰Ëçø"Q ÁUÛŽ¹§ýbntû¼Ž)¦7µ£iir(Ð}È zïB<¡¨Ò¢´Bún:ªPßÅ£ùÎ;¶ÌˆóÅ7cŸ¬éFb‰Läª_ÝÄÜzô¡¹FzŠâJ‚ J¦Sñ‘A9VBvÜÈs-8×SÓ½j!vÇþ}¶u*Ä„eË<›to¢V÷Oß|Ûz6‚ÊQTe Ùèâäá òtÞê!H3j.þj5°ˆìÎV†É8Ý}sa½††^+Ô8Ñ (lAÏ\øŠ6T‘]vF¼Úºè×ô˜q.‡”ý²n¶Úƒ^kT~§jßë•›¦9ÓÆƱ÷³’£mÌcØ$iq\¥@”±>OÝ:^ß!î&ʇfx?J…Eôá­~šµûΦPsA ’${òˆ”JÿÍöC™X¡`ALç+_ŒÆîüô„¶nè;|ÃÉÝ}Eö>Y©™«wlsŒŽ‘PXüXÚMãX@>à-ÎnâZq¡8å2§™qÕ„ÈBËx ®´×ܼҢÄ*pÙúV©ùà¾ã½‹²Œ‡òFN”´V %;â â›>Ÿ“ÂbÇöò»B—¾lò«=z7ÎÔ]$ÕÍÛo ûÏ<™-22UJö³ªCeEÇ6ÀDWìrtÙ3/Ëö²ÐdÉý°i)U´.í‡õl†™g°U’âÒj­öâ¥Ét#— a#ØÛý‚e>ú¾VˆòçOV$ñ‹)ce¶B…žqí¶3(xùpLÝAõ¯©ÓKÇÿ—´ÿ/ðÿ„€¹-Ø -s°3…Ú yAÁÎ0èÿòAû_V}endstream +s°3…Ú yAÁÎ0èÿòAû_¹x}!endstream endobj 858 0 obj << /Type /Font @@ -5299,14 +5297,14 @@ endobj /FirstChar 2 /LastChar 148 /Widths 1325 0 R -/BaseFont /JVQCVR+NimbusSanL-Regu +/BaseFont /TSAZQS+NimbusSanL-Regu /FontDescriptor 856 0 R >> endobj 856 0 obj << /Ascent 712 /CapHeight 712 /Descent -213 -/FontName /JVQCVR+NimbusSanL-Regu +/FontName /TSAZQS+NimbusSanL-Regu /ItalicAngle 0 /StemV 85 /XHeight 523 @@ -5326,38 +5324,38 @@ endobj /Filter /FlateDecode >> stream -xÚíteT”ÿÖ6ˆJÒC7 !ÒÝ’"À0 00Ì 3Cw7RÒHHƒtIw# Ò¢’Šò ÿ÷œó¬ÿ{>=Ïùô®÷^ë¾×ýÛ×Þ×ÎßfcÒÕç“·AXCTp Ÿ ?P  u²vAk!àš| -˜Ž5 -¸°±)¢ Wa #ˆ @  ÅÅÅ ØŠ¤ -jgp<5ââááý—ä· -ÀÚãÈ%j°ßü¸B`¤Ž¹¡øêC Œ=` …AŠ:º&êÚªNUm€*A`]—›TÀM(GC¸¶ö×FÀm ¿SCóßpÉ£  CoÌ î`ò7Ä @BPNP4úæEìP 8æ¦ -Ã\l~p#·Eü ‰BÜh8Ý`7dº4 FA‘ÀW]%•¿âÄ؃0¿}£¡70a{£iƒ»üNévCsƒb@P8€¸c~û²†l h$ äqãû† ‰‚þ à …Ûý+^ -bBÙÀ hô Í ÷ïêü+OÀË„DÂ<þX#þhý3( Ùò -Ýøcn|ÛAῇEn‹ÿ’Û¸ ÿ¹BP -Äù{f¸n‚Ù à0€ Ä–@@¹q àüŸu™ÿ?×äÿ@‹ÿ# þ´÷×Ü¿÷è¿]âÿí}þ;µŠ ¦ rº€¿– àfË š€ß{ð{Ñ8»@þ/æño¬þ®hù+ÒßdÇÔ1 ›rÈÃínZÂ'(ÄüK E«@Ý!6ºP Ø` ‚ÝTëÜnAÁ pÈMWÿôÆüöÌ -v„ÿ.ÿ£¿ Üæï±ß4êOäšjzz&š<ÿn·þÑÔ½™Ì3$ðÜi!lþyøÍ£ €pxñ‰ -ø„‹ÄD€±Ç‚>ÿÆãÁµ@Ô`ä7ß¼ÿ:=ÿ2Œ°ù=3úÜæfÌþ)ø ƒ]P¨›îþ¹ù7Iÿãügà!w˜`þ,ìš‘†©¢ÊîU2ëîÄéAÕ>ËÏó¯@tø¥†¯‰—Y]U†ð×½“øõÖcfùsSƒ{k°“ÆÑ‘ 9Ê¥óaáêÊ#]foy̳(`QD”v`íõyZsõ¶©(Ðpk}Tï©EáÕ]úw-Â(¼Ïç\þ,®yþä¬gÈû¾à”š­$uXdU¯÷ØwÏÏ8z‡úû:¾ÜéÚ|Èóê>›¤ëm"ö(çWeM ʼ"Xe”‡FHï™'Ê¿c^ô"òpÇf\ÑË9%,a€U$ÇG®=À•!1ÖálT{x‚źF2õŸñV Ÿr9ýÚÜ<–c¿TS¦’‹‰Z®-ùüŠË/jGÄE$Òê;ÝeRº¦èóÄ)°àÁÕeˆÇÏÑaêVMLO’"­h=ñìë«û„'A$ÁÖóÕf-Z…9¯ã«CŒ™Ý‰«¾ñÅN=ìSËú¢–eøÅGAø§¤vqaòÏñ@¿ë$ã<¡RŒA¥¨ïõŒÃf%­zÃùáÞÏÈïéÕ8Í•¹2 Ðó{/ð;3¹¨^ñPÑW±š‚öKŠºå§ÒZ&Kû‹Ê2ãM`+W;Ì?”{ÊXÓÒAOµcdCî*änBhEÞ´¸C¡`«j«¤=­Rº:NW¥ÞýÕBÃ.ë¨îñãºæò¥ rýgex­¡éü$t; µdçl t³Æ†A¨N‚3Û4œŸ=u4Iñ1%JT !6G¸GQ)®Ÿ¿zë=M -Z+}Ý-v|^Ë0b§›VÙ´8eå9)ƒåkjiIøAì]sK[…–i8ÂáËZÖKÊ«ËÏK‚ÌJ3´Ÿ+ú}¢››Š1!È‹a¡Ë .A Ö¯®žÌ{žÀ'XdôÅnyj¥_Þ×ym}·æ¥T¢î–«Q-:_ñòÈ®r¨ê¶>©³·„œá¶Èö½ûÒ¤™¦»­ðbýãµ½ÀdÍþ6µ²ãždà£îc¶Y )áÕïÜ"?’ ›£ã¬‡ÖOïÏX–tò+s}—u“´5]=~` -)¯¤‚¤Ñý2±òÊk»C¹»ò7„Xfeå¾im¡îû:Gýjƒ­¡bϘÞ"ã'úîºv y¨ºÔ÷Ên5íÉRN}p’Üs B ®#N:¶xÉ^-hm¥ÀÆX}ÐBÍÕfãŠ|®ÃgBÝá:/zC‰ª–…HÊ2[ý{¹ƒ/CÚÕÚe4Ãò¸1Oñp fˤö<7N¡™jÜ#ª‘3ì†^¢ºWù"ÝüÑ;Æu%tËfBÕKÞü“E‡.И%EãgãÙ/ëâÄ…20Œ~Amî>5+Õ6®”Í^4)våѱº±V88§“ç†ñç¿ê·oµ:¿eÐYÊAZ;âM­Î;9ºô±î§X¸<˜ pT¯º663|8u´ß³Ûò²’Üjѧ|ß~¹úte(Y:kÄhŽî×LßdÈB¤¿ì”Ô˜' ’Ö×Ùl|–Z=»FÍã"„ÑÚ”r¸¯ƒU=;–S6˜’òã–~TŠSd×J²–RÔÌ–t•jáJ -Ì…ýV¢ÄæVªáÒÊö±Ê›¬¤’Œ¥ue\Kòfj!Zã'—6|݈ë•7è•÷§†<Éj^rëÓ\¾Ìqø0Õ<„ÖiŠnÆÞÞq±Ç³Ì¬“£;¥Ü–¸Ïæ¾ÓÒáƒW†Ø­DÄU;ç±ZÎξMîûûà~ÇàŒÌIRI;|fÃ{dV/ñ#‰sŠ˜0±~ª6«kyhMG/žèv2-¬ºÊÀ{$©Š%—9ï…x£¤$:·O¼?ôàÜ üÞS½jÍÍ•&Ä«pˆœbé’q¢F‹{Í~®¾f4©Rh)"j¿—i(ºè½õdÓý¹9Ž6OtYýà[Â]ÿSó…­a^+v»# kJjý9jyg¹ÞŠÕ,9]b‰ÑäcúãqÖÜáQB n?”3rgºàdKÚIíBïîvª XæɺʼnBÎZîãOCÑö`h›Lk)"Á´ûý£«ùÝ__ßñ’§˜ïª¢=ÓÏñç 4ÏêœwO´IøLZq>ÍÆë¿bš‹ÊèÖcb¥}¢å›5Mãìªáú@\æc³lS'´*§0æÝŠèÓk®{Þš²ÔŽÏ,OºŒoùüÀåyÆ21¢Ýü]wÝp‡²øáW|‘¼ŒÎç É‘S>KŸç ûx¤ÊÙ¨øüWú³‘sdøHZKÇ„GAiwc%ù1ñužCåOÞÖÂsÁš©V2½ÌãaëÑdp¡ÛO[â<ДR ÍQÍ–>ìqMx O¦yÞ&ØpªãÑuu~ŠÞÅdñ,ê¡,yuÏ—#ÙÃý{TgÊ´ú“ûd~c v?{—¿÷‡ëeÏäHÅ -Ý/–Ç®×-Ö³«ï$¨Ä?)R‰ù5ê×tF6ö³°ìì .ÿæT°D KI†u-°is«z3©§úëKZ~B_Ef¾Û‡št×"5]1ë)‘'ZÆrÖ¥Š --j gWa?vθ(‰ìÑþc$ ubu/¯ÉM:È› ²èðög© ]ä,àj-TÌsòI˵…[±óÃçøjùê<©¡ÎkbºM”ë=`. :ÝtS.vŠˆûÎÐÌùŽ6GPû$î³ëo&íð¥ãœbµ;#ðÑpµIOdsLÓ2ÜLþtéÅ~²ñ“Ûœí>%•C‡ø“Ø“ë FF?ìŽ>%þÖk¶\RKII]ÕfÏUYÀž¥h#3Ð^4•o—zzéòye"‘²%k.gxÅÆÞ»’OÊ< -Óî¥X×|QŽw©Ôi˜£‘ü¤Ž{ÙbU¦ºˆB Á±gÿªëÕÛ°³üºJÑ%<ùâ 3•­9×ÒIaÞ«†èfryR¯ ¢ÈkSåÕ¸àq»Ô†|žÑ){¬i×µ–k¥[îc†jxéû ÆïèjRvQY 3u{õ¨ ->/c`¸Øv¿•Ùɹ¨êv€ù†ZÙ[©¿#JR  °^Òm;ÜáÓbRý”ù —‚º”åLRÖ¡—R-a;§°(¾ -Ô|]ÎÑÊ+”§†¨éž…±<µ‡Ï¬{¨6ËõËå,òz+‘`˜Ýw‹„BÏe0ɘÛv=Ò>!Â¥Ð>‹Qà -mXbÔ*Ä+'ê^{ë~6@éDññÝ1ÑÛ³À>X?WŸ²TÖ´¼î™ v£SD´Þ÷'˜åÐö“ß4`=µ™¨\‹ía¶ÈJ›@Èûÿ˜âzŸ¾ü5.\$lXºœ~ýävØ }·¶¢*§a òý'õö#±âtkÕ37D—Þ76·ÌjrÆæ6iœF5Â÷]«)kiÓé™ÃÞ=Õ¸Îxl¹H;Íõci·Ó)fûà -©è÷cy~x_ç’Ï›ÚlCŽ¥ìç&+JÉnK<§zXY“^–¬‹ˆ'êx¥2²­.‹&±íšÕãnXG”€%§[ãZJ÷íðFìÚSôŽ¨.®Ä!’¨C²M™ m†K±ø+êä‚ïÛ~%¼^…\1bP—9çF/Þ‗²ŽLþ½ý¶]¿oØ}DRY¨¯¯EðpÌ&·FdŒ¡­w¨•bXÒ·±Äëì7º]¦‹=™. èªK!±$*íOí/ jfÙ²ŸK™¼Â%C3JÑò}r=¶½ñˆfMŸͳ?z1_;1ÈZZ ¥xaNVÞ¹ÌE°ãÊÒcn÷CÉ{agq©Û]\Ç9¹¿€ËS ’»Ð2¾sŸÖ¡ã¼~å?Xe$OæáòéIwf)Iòà,n†äjË ‚(2ýtï¨s2yÍè¾Ìnû9¾”k×ξã^Ç^¿ûÙl£î—ßÚÇO/Ï¡èÇ“62ozøøÊ«ºE Þ$U3¦‰8g·”óx¼º¬ç -U4PŒŒ>oq>Zpê`¿Vc8ä?ðËcw ”ü0W·½¿™œ`x¬£6¤ïÁF;„'餣—î+=+ûJÒPÚ–Ð9¼¬7óˆW§;“p®3V¬t…†‰×qºð§÷ñG©3`Íý²t½ü|é!«3õ]Ù{È â<6t_­ß¬œßÕ -|FE¡7AC–6,Øìb »ï.D—Yïn(Ätü‚r0¦o:²ùì|ù»?lt•=Yt¯yp5°âGK†_øé9ÙÉÓz•¯ÁÓËð¶Vi嵈rì`‰{r¡8C¡Þ‹`žôûLWNÃlé}€æfHúÙ`+KÕgªR‰¶;:è¦ÆPq{~x-È'X[KtúÂæ/pG°zж2«—&’éÄÞ}IoBÁöªD™®Lw+]+Pá»3¿¢„5.YHØi…>iíœfüÉDü<Ò §'‡øÓ‡XùF~E'm[{‚fW ýÑ.®åÉC¾ü"ŸS|D¿_Wä|ÞPP/L_:zv5[±Vซ—Ûw;À<‡Û0¤0XôÂ@pBŒd› ƒ}¾Ëö¬’ÛÞEÙà0#¿²½égÖl Û¤¿ª>ÙB?6± -±‹}ûΡ -rúÑt‘ÉM× Vµ"£#”WltUº_î:¸Â~+ F¬m•~2|²+Óy¶8ëf×úÌ4Ml׳ܦNBÀõ(¶GF*Ñ_¹®Dá°ÿõaÌ­¢ˆb"L‹—éÒÁ'v*º_‡µ³¯èz'LÌ»„>T"=:»xÜ«År7Dbtßr³sÜ•!Þ‡+á€ÕÚ@õƒ˜ñž1Å®^ ;‰Œ-7ŽÚAJ>˜ÙGN›€# ›^øò‰;A°]ÖlÊ! PË×èKŸ·qÉ_A¼Ýr—€˜1^°)&ð*½Ò$:üÝ×ÜçŽÞ&t«ø.i_¸ÏÓEäáŒV”Êu4~?jɃôetŸ-4H½WæÈ)4¦Ï~Èá?ï`bb3{Æj~Çä¶yü:¹;ZŽx¡ùlb0,‹™ãûvïËb$Ôy}²Á‘I÷ÐS¡e sÑ]¬ ²û¢¯Ye‘$Ráö~p]8‰Ó©«®&ùTfÊÎXé“Krë p¼Œö±ÑKؼ¼XÓ=þVªÔÿÐÀéÃ^c5$vÉÝÞèí,YŽ!‹:k)ó W…ö"Ô]YªÅ»ùwƒyCëÉQÏ”¿¿¯aŸëô¸Êâ$,t× 9Ü,ªE/“}eàl\¦±Ö+1ùV±æÞ=Ž ßéØ„2éÞWq÷äÜ7Y%x·•—™‡,¡f`æ}Y§aÉö VÿXK3Wß6í=ÈÎQCÐm9ƒGš-âgƒxç˜ÐXWOgñ÷–ò'–w£ªç¬Pà˾[<¹¨ƒ1= ¦<žödx(nq· JÌúµ-nüÖç'·ÙWÆTáÔ¢,4røA–u · ÛÆ`¢ž² æ÷éıõ‰‰;Ѹã`„™¶»Ãˆùµg…j4ܘÉ@³àÝTqô -Ž¤1õ«–Ju+Ÿ,+¹Ä¾oÄž@¦*ùÅynÃ''yŸ¦ËmÊ”÷«bª=8VچȇN" 8L,£ßS]”ùS~Ñu -±ò E›vÞÅ™ªzÜ,:©ŽTÃNqasGÚcŨmÔëd\åି¼ûÄ8ê±sdÂIqUýº5)ƒvñ}2”€Î ›ÛðKó;i®:|''·•ö>åP´Ð2a÷:Âáœ;ê…Ç}†j8c!ÇÁU‰&«öÅRKG­‚·™s}`dMj™+»­ÌRéÏÄ5°(-Üæpä©Ö‡K‰ÇwgnÃl„°O¯S°úB†¯r›*_ØÞ{~q!ÿ…ÆqÒHôâ8£fmÚµèi`†þÑõ‡´4GÁkU,,òÄçE ÃýþÉ¥Wè -K¢ g¢L2Ö#×Æ]AþÊ•9²k÷Ý– N»üM¢,±—Kv3†r:¯'<*ƒw½®÷ À¢s¶UÚÒ_0,#ý[’á¡ÂNmQxMC‹ñ£Iî=®•T¢UÛ@=Àéì·à*´"µsGìxEªõ·ÂieØ·óO0”3ì& yÞáTø2LŒÖ;ósÅÙ»à×IåòdE>Ø9ÓÔd«QÌøÙæÏòHçŽ|›ú'\ŸÓÏ è?¯m3`P”öÒ]/zYTÏ·H²œ]²Ö”Yoz;¾ì0£Nl"퉰YžÜ¿lŠüP2êbT"æ§"§ÁN-bƒÔ3øîоŸrór>Ô4à›‚zÞuȉ®T+ç³U óòca‹ÒÀ«ʾ@¶77…ÏÚ,77 © O ’Ť–†®YÛQ¦Šø]— }?ÆrP`@#KÍ‘.¨¸1ÿë“×ṪÄTóÃl5×SµrÏ•V6%&sd® eS°Þ‚»Nv–>]ßm<2Þ[×éwÓËoûwZ˜%M?Ïò~Éñdêçi¬ïz©i+ã¦×–R’5=¼Gw©–« ÇÚž†S²÷WbÍ¡rñj/„·,ô6sòÖ/ƒ…NÍaGðæ)íËô -b;å>¬Í1{29R£×&¾ÀÓÜ„ë\åöªÖ.ƒ6,ˆë˜eUUUJÖ¸ð]ú5Ê4ZÊøš“Æ~¾r—*ÿ¥I‰®ú{.žŒš_ZÁ¹Ïi{ˆðwñgò•_¡‹ïô0ºhEÇî~Sev–wWÈ%­Ló€pj]7¿kڨ6$¨¨‘³O çñ ïÊœw»âî½z{ùi— ™å‰Çê8?Û -ªà=q*¥§6ÓZµXÎÅùEReÜëfƒbb@~!չ÷*Ün]™ïéÉ1¡²ÄU~Þ4‹KÐKB]jÏ ÷.º~›°K^±Uxˆß‹Òdâ4l¤ H}äÙS{ÁÓÀðe&+·ÆåùOuiÒ Ð¦µMˆgµÝ+Á›d·å²gÇå&Å.fõºwàöí£1?Ç+zxûÿˇàÿü?A†A@(  „r$ø/7?endstream +xÚíteT”ÿÖ6ˆJÒC7 !ÒÝJK#0  3ÃÌÐÝ”4Ò ]ÒÝH§4‚¨¤¢<èÿ=ç<ëÿžOÏs>½ë½×ºïuÿöµ÷µó·Ù˜tôùämÖÃ'È”hA¬]КøS>ÌFÛÜØØQŠ€+0 €Ä „„‚âââlEÒµ³Ç8 ôŒ¸xxxÿ%ù­°öørc‰†ÚÁì7?®écn(þdžúcØBa€¢¶Ž‰º–*€SUË  +CP @Çå&0à) £!\[ +ûë#à6Ðß©¡ùo¸äÑ„€¡7fw0ùâ !('(}ó€¢v(sS …ƒa.6¿¸‘Û"þ„D!n4œn°2ƒ£ H àÆ«Ž’Ê_qbìA˜ß¾ÑЀ°½Ñ´A€]~§ô»¡¹A1 ( À@Ü1¿}YC6P4ò¸ñ}C†DAÿ„ႆÂíþ/±¡l`4ú†æ†ûwuþ•'à¿eB"a¬´þƒ†Àlù …n|‚17¾í pßâ·EÉm\ÿÀ\!¨?âü=3\7A€lp˜ÀbK  …ÀܸpþϺÌÿŸkò Åÿ‘ÿGÚû¿kîß{ôß.ñÿö>ÿZÅÓ9Ý À_Kp³e€§€ß{ð{Ñ8»@þ/æño¬þ®hù+ÒßdÇÔ1 ›rÈÃínZÂ'(ÄüK E«@Ý!6:P Ø` ‚ÝTëÜnAÁ pÈMWÿôÆüöÌ +v„ÿ.ÿ£¿ Üæï±ß4êOä*¦ºJÊz<ÿn·þÑÔ¹™Ì3$ðÜi"lþyøÍ£ €pxñ‰ +ø„‹ÄD€±Ç‚>ÿÆãÁ5AÔ`ä7ß¼ÿ:=ÿ2Œ°ù=3úÜæfÌþ)ø ƒ]P¨›îþ¹ù7Iÿãügà!w˜`þ,ìš‘†©¢ÊîU2ëîÄéAÕ>ËÏó¯@tø¥†¯‰—Y]U†ð×½“øõÖcfùsSƒ{k°“ÆÑ‘ 9Ê¥óaáêÊ#]foy̳(`QD”v`íõyúéêmSQ áÖú¨®žEáÕ]úw-Â(¼Ïç\þ,®yþä¬gÈû¾à”š­$uXdU¯÷ØwÏÏ8z‡úû:¾ÜéÚ|Èóê>›¤ëm"ö(çWeM ʼ"Xe”‡FHï™'Ê¿c^ô"òpÇf\ÑÍ9%,a€U$ÇG®=À•!1ÖælT{x‚źF2õŸñV Ÿr9ýÚÜ<–c¿TS¦’‹‰Z®-ùüŠË/jGÄE$Òê;ÝeRº¦èóÄ)°àÁÕeˆÇÏÑaêVMLO’"­h=ñìë«û„'A$ÁÖóÕf-Z…9¯ã«CŒ™Ý‰«¾ñÅN=ìSËú¢–eøÅGAø§¤VqaòÏñ@¿ë$ã<¡RŒA¥¨ïõŒÃf%­zÃùáÞÏÈïéÕ8Í•¹2 Ðó{/ð;3¹¨^ñPÑW±š‚öKŠºå§ÒZ&Kû‹Ê2ãM`+W;Ì?”{ÊXÓÒAOµcdCî*änBhEÞ´¸C¡`«j«¤5­Rº:NW¥ÞýÕBÃ.ë¨îñãºæò¥ rýgex­¡éü$t; µdçl t³Æ†A¨N‚3Û4œŸ=u4Iñ1%JT !6G¸GQ)®Ÿ¿zëê%­ŒÀƒ•¾î;>¯e±ÓI«lZœ²òœ”Áò5µ´$ü ö®¹¥­BÓ4áðe-ë%åÕågŠ%Af¥Çšž6þé*…÷C(NÃÑÀ½@ùT2$[:»m"itËŽ[‹ ™§bë@H ênêÜÒkºpsæ¶:òA½Á‘Þ¨ª¥}Aëq4ÏuJK4£s›?á/ +Ó8oÕ“4“Yï +€ær/ˆ<ÄýÎcâlÓF2Ë8RÄßVH/åÎë¬k‘OÆçŠ~Ÿèæ¦bLòbXèr‚KÐß‚õ««'óž'ðÁ =B±[ô¬ôËû:¯­ïÖ¼”JÔÙr5ªEç+^ÙUUÝÖ'uö–ó Ü–Ù¾w_š4{ê.E+¼Xÿxm/0ÂY³¿M­ì¸'ø¨û˜mVBJ¸Aõ;·È$èæè8롵ÞãýË’®Q~e®ï²n’¶¦«ÇL!åõ‚T4º_&V^yíawˆ#w÷Qþ†ˬ¬Ü7­-Ô}_ç(£_m°5TìÓ[aüDß]×n!U—ú^Ù­¦Ý"YÊ©N’{®AÈ¡Áu$ÐIÇ/Ù« ­­Ø«Z¨¹Ú¬b\‘òÏuøÌC¨3\çEoh#QÕ¡IYFb«/wðeH»Z¢ŒfX7ÆB×``¶LjÏsãdš©Æ=¢Ú9Ãnè%ú¨{•/ÒÍݹc\—QB·l&T½dáÍ?YtèYR4~6žmð²Þ!NŒP(Ã8áÔæîS³RmàJÙìE“bW«k…ƒs:yn(àþ«~ûV«óø[í¥¤%°#ÞÔ꼓£Kë~Š…˃ +G…ðªkc3ÇSGû=»-/Ûè É­}Ê÷í—û¨OW†’¥C°FŒæè~ÍôM†,DúÈÞHIyÂ"i}=ÀÆg©Ù³kÔ<.B­E)‡û:XÕ³c9eƒ))?néG¥8Evm¡$k)EÍlIW©&©¤ÀÜÁ½3›šŽM‚— ,ïÕØv{Õ|OOÌÒµt +R´ƒNž¾Õ·Ï°v¶(ú¦äÔ‘Ñž¿ƒ¦ÌïlÇÒtC„ÜjÕÍEÏ÷‡MeJíUS7´ÕTÃu]ùZgægÏbÅßÜK,ê”&¼ý•íN¼#cØÎÌVÌ_ÇÁæÇ:î ³×ßÈšìS³ÂdÒ¼¸^Xz³Rywê «Ý­¥,Ðþæ¾pÇøã8¹VÍ4|® Ù ÙS×!ç! näá‚eRïð?ÚB1Œ:d(Ò$éL/]Œ™{3° Å&¤$ʇx[ )8I1±áYüýÞ@¼Ó‚hß1ûo}-Eš&L¥¾°©1×›µ;>Ó<àîtjaNäœG0ÅWÔM"ÅM@q÷œI´D’³Ý†µhò´^ôKì\•»Í—ŠÍ;Àw-ßßÏ|Êó7[¨Q[ÒºƒÛ2¿jì/7ƒx;üR,š±pñú¸Leoù¦¡Ö¡"7hç•d“cçøiâv3d±8éŒO;Åçš2ra7×Ùq”ìnÚŒn„vT~>ÏѬœ×&$Ý5ßÖ|šM¿Ë¬ø¦öÀ3x¯({ýÑý‡ËØq©M+o2iÒŽ—X†\cS&áT«|É¡?¿“q‡;I|=_®ÃîpÝMW‘ù†Çk©V'ŽÏÞÊÕ¼;["¨‘ÐŽÞ_Õ¯ ¿ÅÙc5Æé¤ +Í¡tVíiû> zIÃ!’T¬CÇ+û ¬»z–]ÚWá×dïQn—°K¦@ }÷øÕýˆù³mŠ žDk-îrG¼øÁà8ªí/rûUÛÁXýH'®Õó´—F·ã³êv­nÕ2V}M*QÅÞz0)ì,£ð“êeÆÿ†8±niZ#Hûz d÷{8mÁ´=\Ì#òþ£è£‹Ø7Íü —û½[!¬ü>A‘n=lÚòPÜtùŠûtbkX0Z®àXõU²çìUnì©\’áoSÚyí÷É–fwâÛ¹¸‹ÉuPOãâ¼ùõf×N«‹r:8iK™-ª` }‹ø’ àöÂCR×#Ïcª¿µ¦¥ç*i”¥ühäsÁPZû3Fi`z¿Î¯JÉå;(y6÷ÃèœÁ¼é +v1ÓØ 7ö—X#ä£k‘”ã«Þ ¤Zë75† š`+Nþüà…¹¯Hé½á”Ï4 ˆ=êB´Id ÞBó9ŽyHªÓVúö[‰›[©†K+ÛÇ*Cl²’J2–Ö•q-É?š©…hkœ\Úðu"®WÞ WÞŸò$«yÉ­Osù2ÇYàÃTóš§):{{ÇÅÏ2 ³NŽî”r[â>7šûNK‡^b#´WíœÇj9;Xø6¹ïïƒûo€3r0'I%íð™ Sì‘Y½Ä$Î)bÂÄú©Ú¬®å¡Ÿ:zñD·“ibÕUÞó IU,¹Ìy/Ä%%ѹ}âý¡çNà÷žrèUkn®4!^…CäK—Œ5ZÜkösõ5£I•BKQû½LCÑEï-=QLöç>æ8Ú<Ñeõƒo wýOÍ^´†y­ØíŽ4¬)9¨õç¨ååz+V³ät‰%F“éŒ7ÆYr‡G =2@ºýPÎ@È逓-i'´ +½»Û©‚`=OOÖ-NrÖrŠ¶CÛdZKy ¦ýØïÅXíÈèþúúΈ‡<À|Wíé˜~xŽ?_ yVç¼Ëx¢ÝHÂgÒ²ˆói6^ïøÓ\Tö@·N(í-߬igW¥×â2›e›:¡U9…1ïVDŸnsÝóÖ”¥v|f‰xÒe|Ëç.Ï3–‰íæïºë†;”Å¿âk‹äe$p>OHŽœ:ðYú<_ØÿÃ#uPÎFÅç—¸šÐ÷˜œ#ÃGÒšÚ&< +J»+ÉyŒ¬ó*ò¶Îž ~šj%ÓË<¶Mº­×禔jhŽjÆ°ôa?…údJçm‚ §:QWç§è^LÏ¢ÊR‘W7ð|9’m1Ü¿GÅqö L³?Ù¸Oæg1ñj÷Ó¹wéðÛx¸nöLŽT¬ÐýbyìzÝb=»úžA‚JŒñ“"•˜_£NqMgdc? ËΞàòoNÛI²”dX×ò›6·ª0“úxª¿¾¤å'ôeQdæ»}¨Iw-RÓ³žy¢iœ!g]ª¨Ð¢–pvöcçŒë€’Èí?F’P'V÷øšÜ¤óˆ¼™ ‹o–ÚÐEήÖBÅ<'Ÿ´¬Q[¸;?|Ž¯–¯Î“ê,°&¦ÓD¹ÞÓ æÒ ÓI7åò`§ˆ¸ï Íœï(`s°Oâ>›±.ñfÒ +_:~Á)VP›±3r W›ôD6Ç4-ÃÍäO—^ì'?¹ÍùÑîSR9tˆ?‰=¹ž`taôóÀ^á¨ñ·^³å’ZJJêª6{®Êö,Eƒ™ö¢©|»ÔÓK=䕉DÊ–¬¹œá{ïJ>)ó(L»J”býé‹r¼K¥NÃ|ä'ÕpüÛË«2ÕEÔjŽ=ûW¯Þ†å×UŠ.áÉo˜©l͹>¾H +ó~X5D7“»È z]E^›*¯.ÀÛ¥–0äóŒNÙs`M»®µ\+õØr;0TÃKßo0~ç@W“²ópˆÊj˜©Û«G]¸hñyÃŶû­ÌNÎEU·4xÈ7¼ÐÊÞJýP’J …õ’nÛáŸ&“ê§Ì¹DÈÐ¥Ô(g’²Ý”j Û9…E) ðUàÓ×å­¼Byj(€šÎY‹ž=|fÝCµY®çÑÊ‘%?0ÑMÚÜÕ(´ô¶ÙgǕɸÕ­„øKrÂñY.g‘×[‰Ãì¾[$º.ƒIÆܶë‘ö .…žÀðY¤ˆWhÃÀ£f!^9Q÷Ú[÷³J'ŠïŽ‰ÞžöÁú¹ú”¥j4§åuε ¢õF¸?Á,‡¶Ÿü¦‰3è©ÍDåZl³EVÞBØÿÇ×ûôå¯qá"aÃÒåôë'·Ãf軵|U9 •ï·8©·§‰§[«ž¹!º4ñ¾±¹eV36°±Hã4ª¾×èÚXMYH›NÏöî©ÆuÆËð`ËEºØ=]?–v;b¶®Š~?–ç‡çðu.ù¼©Í6äXÊ~n²¢”ì¶Äsª‡õ5ée™Áº¨‰x¢ŽW*#Ûê²hÛ®Y]î†uDXrº5îà ¥tßoÄ®=E÷ˆêâJ"‰:$Û” Òb¸‹¿¢¡N.ø¾íWÂëUÈ#u™s>aôòá-x)ëÈäßÛïaÛ…ñû†MAÐG$•…úúZÇlrkDÆÚz‡Z)†%}K¼þÇ~ƒ Ûeºø§Ñ“é’€®ºK¢ÂÑþÔþÒ f–-;ñi°¤‘É+\24“¡Ô-ïÑw½ë±íG¤à0kjüŒhžý èЋùÚ‰AžÐÒ)Å s²òÎe.‚W–s»JÞ ;8»ˆKÝîâ:ÎÉý\Ž˜•Ü…–ñ‹ø´mçõ³(ÿÁ*#yú0—OOº“¨0KI’§gq3$WK†\D‘é§sG“ÉkFçeŽpÛÏñ¥\»Æp†ô÷:öúÝoÌfu¿üÖ>~zyE?ž´‘ÙxÓÃÇW^Õ-Z ð&©š1M<À9»¥œÇCàÕe=W¨¢bdôy‹ó¹Ð‚Sûµ‚ Ä!ÿ_»{L ä‡„¹ºíýÍäÃcmµ±è }Ÿ6Ú!S•J´ÝÑF75†ŠÛóÃxhA>ÁºhìxØZ¢sÐ6;*°€Õƒ¶•ùû[½4‘L'öîKº +¶W%Èteº[éš +ßù%¬qÉB‚ÀN+ôIkç4ãO~$âç‘9=9ÄϘ>ÄÊ7ò+:iÛÚ4Ó¸Jèvq-Oòåùü˜â#úýº"çó†‚zaúÒѳè܊µÇ]¼Ü¾Ûæ9l܆!…Á¢‚b$Ûdìó]¶w`•Üö.‚ȇù•íM?³fÙ&ýUõÉú±‰Uˆ]ìÛwmPëЦ‹Lnºn°ª¡¼b£›¨Òýr×Áö[a0býhl«´ð“á“]™Î³ÀY7»öèÔg¦ib»žå6uº®G±=2R‰æøÊ…p% +‡ý¯c.hEûaš¼L—>±SÑýê8¬ œ}E×;abÞ%ô¡éÑÙÅã^-–»! +£û–›ã® ô>\ ¬Öª<ÀŒ÷Œ)–puKØIdl¹qÔvRòÁlÌ>rZaØô—OœØi ‚í²fSa€Z¾F_ú¼Kþêâ햻Čñ‚M1Wé•&Ñáï¾æ>w|ðÖ0¡[ÅwIëÂ}ž."g´¢T®£ñûQëH¤/(£ûl¡Aê½2GN¡1}öã@ÿy›Ù3Vó;&·Íã×ÉÝÑrÄk Ígë€aYÌÌß·{_#¡Îë“ ŽL:‡ž +-k˜‹žèb•XÝý§UI"nï×…“8ºêj’Oe† ìŒ5œ‘Ú¹$g±¾ÇËhÝ„ÍË‹9Ñão¥Jý œ>ì5VCb—ÜíÞÞÁ’岨³–2rUh/BÝ•¥Z¼›7˜7´žõLùû÷ûö¹N«,NÂIwãÁÍ¢ºQô2ÙWÎÆek½ÑokîÝã¸ðþ€M(!“î}wOþÇ-y“U‚w Yy™yÈjfÞ—u–lbõ5ŸæêÛ¦½Ù9jº-gðH³Eülïëê)0â,þÞRþÄònTõœõ +|ÙW`‹'Uc0¦Ä”ÇÓž Å-îD‰Y£¶ÅM‚ßúüä6ûʘ*œZ”…F?Ȳ®á¶axÓLÔUÄàêMûPŸ˜¸;þF˜i¹;Œ˜_{V¨FÙ ž¼›Š Ž^Á‘ô#¦~ÕR©nå“e%—Ø÷ØÈT%¿8Ïmøä$ïÓt¹M™€òaULµÇJÁÙâÐID§‘‰eôÛaªKƒ!Ê"ºN!Vž¡hÓλ8SUB›E'Õ‘êaØ). cîH{¬µz팫œõ—wŸG=aŽLX")®ª_·&åaÐ + ¾O†Оas~ciþ `'ÍU›ïä䶲¾çª‚Zæ/ì^G8܃sG²ðx ÏPÍg,ä8¸*ÑdbÕ¾Xjé¨Uð6óq®Œ¬I-se·•Y*ý™¸¥…Û<Ž<Õüp)ñønàÌm˜öéuÊV_ÈðUnSå Û{ïÁ/.Äã¿Ð¸#N‰^gÔ¬M»é†aè]AKs ±VUÀÂ"O|^:ÜïŸ\z…Ρ°$šp&Ê$c=rmLÑä¯\™#»vßýh™à´ËoÐ$Ê{é°d7c(§ýz£2x× QázŸ‘,:g[õ -ýÃ2Ò¿%*ìÔ…×4´?š4áÞãZI%Zµ ÔœÎ~ ®B+R;wÄŽW¤Z+|V†};ÿC9ÃN¡ašçN…/ÃÄh½3?Wœ½ ~T>ü(KV$àƒ3MM¶ +ÅŒŸmþ,tî¸Á·©Âõ9ýÜ€þóÚ–1ÖEi/õ¢—Eõì|ˆ$ËÙ%;á§2ëMoÇ—æaÔ‰M¤=6+“û—M‘JF]ŒJÄü”#àQäà4ØiÀ ElzÒÚ÷Sn^·š|SPÏ»9Ñ•jå|¶ +Tb^~,lQXbUÙÈöæ¦ðY›åæ†"5äi€A²˜ÔÒÐ5k;ÊT¿ër¡ïÇX + hd©9Ò57æ}òšŠù˜j~˜­æbª60@î¹ÒʦÄdŽÌ´l +Ö]p×ÎÎÒ§ë»GÆ{ë:ýnzùmÿN ³¤égâÙBÞ/9žLýPíã…ð–…ÞfN~Øòe°Ð©9ìÞ<¥u™þA¡Ql§\ǵ9fO&GÊ`ôÚÄx:€›p«Ü^ÕÚeІq³¬ªªJÉÂ÷¾ R¿F™FK_sÒØÏWîRå¿4)ÑQυÓQóK38÷9mþÎ!þL¾ò+tñý€F×"£ÍãØÝoªÌÎòî +¹¤•i®SÍëæw‚BÕ}BVUÆ5röiá<¾Áâ]™ónWܽw@o/?à4³\#ñXçg[A¼'N…£ôÔfš â¡˹Xƒ"¿HªŒ{ÝlPL È/¤£ÚwØâV…Û­+ó==9&T–ƒX ÊÏ›F`qiºI¨K­9áÞÂE×ovÉ+¶ +Ïñ{QO™8 )(RyöÔ^ð40|™ÉÊ­qyþS]št´imâYm·ÇÊCð&Ùm¹ìÙ1A¹„I±‹YG½Î¸}ûhÌÏñŠÞ~àÿò!øÿÿO€a +ƒp¡ þ ’Kòendstream endobj 724 0 obj << /Type /Font @@ -5366,14 +5364,14 @@ endobj /FirstChar 97 /LastChar 122 /Widths 1326 0 R -/BaseFont /LHQQYL+NimbusMonL-BoldObli +/BaseFont /FZQDER+NimbusMonL-BoldObli /FontDescriptor 722 0 R >> endobj 722 0 obj << /Ascent 624 /CapHeight 552 /Descent -126 -/FontName /LHQQYL+NimbusMonL-BoldObli +/FontName /FZQDER+NimbusMonL-BoldObli /ItalicAngle -12 /StemV 103 /XHeight 439 @@ -5396,7 +5394,7 @@ stream xÚíwePœÝ².î^q€6ØÍÖ¦åá®É­rôÖ±u!ff(èöpWzÄÆ {€"ÈÀÏàÃa(x@ü `G'/›‘¾1;''׿,¿]¶~ÿ@"a`GwËÃÈÕâr÷z ø€@/'Àì (è蚪i«ØT´* wè Ðõ~hÅ  ¶¹Ã@ì(Àõ¯ÀÎÃÝü»5Ï— À ;ðCÈ×ù q ¨{x€aG(ÐÝëa¼<`w;Woûß<Ø<þzþ‡œv^¹Áî8O‹š»ƒ€÷/»½7ä˜úgƒØ~Ï ûC@{wW?€=È究‡×CJÛÿLežÿœÈÿ‰ÿ#ÿGäý߉ûwþÛ!þßžç¿S+{»ºjÝà¯KðpËx4¿ïW ðû®ñôý_a@7°«ß¿ ü»£1è¯bÿ‹ïï°šðaSäÜ„áæãçáýË †)ƒ}Aöº`/;'€ÐõaÏþØÜíAPW°;èAÛ?ÛúÄËû7ÌÐ lçâþ[¡¿ »ýßËëOñOµ Õuôå9ÿÝ ûÇS÷a¼ ý À¥1Öò°ÿçâ7¼¼‡/ÀŸ[˜ÀÍ/ ˆòñþ›ŒhøþµÖzAÁ¾s^^^>ÀÃï?¾ÿZYþFÉÝÎÃþ÷äxÝí†íŸ†ß°7ú ñŸóÿÐô?ÖÆòÙáÌM{ØID8gåd{ÕQä÷+š÷tñ¡öGBÊ ‹ß„ÔxtgE¯ˆUÚÜÔFò¼¿ûè7µ¹ÝPçØì"weíÌíÒ2²w¿!úÆÒ*¹öÔª ?û§qœÿÁ¤æ2š™0ï³ÍÕa=}«Ò ÚÑV(ÖÁ9{£Ï›R¦3A]fC"YÛ£wHÄuE;?YRœŸ±~B ô÷u¡woPsæ%b3Kø á³Ä†xæQ˘Uú¿â\G©ß¤KèNÉ;ì+_¦G„fMVè¹ µå¼ÖA-Mo×ßÂ*µú•ëLÖšóXî$¦öŧ5ægÒÃfW‘œ²›£åZJå·X2B¨™÷:kó¿r›P~ÝæÜ:Vxõµ®ÇZ&?^W,O ¹¦ ÖÐóÙ]‘|ɱþ‡œv^¹Áî8O‹š»ƒ€÷/»½7ä˜úgƒØ~Ï ûC@{wW?€=È究‡×CJÛÿLežÿœÈÿ‰ÿ#ÿGäý߉ûwþÛ!þßžç¿S+{»ºjÝà¯KðpËx4¿ïW ðû®ñôý_a@7°«ß¿ ü»£1è¯bÿ‹ïï°šðaSäÜ„áæãçáýË †)ƒ}Aöº`/;'€ÐõaÏþØÜíAPW°;èAÛ?ÛúÄËû7ÌÐ lçâþ[¡¿ »ýßËëOñOU•Õµõ´8ÿÝ ûÇS÷a¼ ý À¥1Öò°ÿçâ7¼¼‡/ÀŸ[˜ÀÍ/ ˆòñþ›ŒhøþµÖzAÁ¾s^^^>ÀÃï?¾ÿZYþFÉÝÎÃþ÷äxÝí†íŸ†ß°7ú ñŸóÿÐô?ÖÆòÙáÌM{ØID8gåd{ÕQä÷+š÷tñ¡öGBÊ ‹ß„ÔxtgE¯ˆUÚÜÔFò¼¿ûè7µ¹ÝPçØì"weíÌíÒ2²w¿!úÆÒ*¹öÔª ?û§qœÿÁ¤æ2š™0ï³ÍÕa=}«Ò ÚÑV(ÖÁ9{£Ï›R¦3A]fC"YÛ£wHÄuE;?YRœŸ±~B ô÷u¡woPsæ%b3Kø á³Ä†xæQ˘Uú¿â\G©ß¤KèNÉ;ì+_¦G„fMVè¹ µå¼ÖA-Mo×ßÂ*µú•ëLÖšóXî$¦öŧ5ægÒÃfW‘œ²›£åZJå·X2B¨™÷:kó¿r›P~ÝæÜ:Vxõµ®ÇZ&?^W,O ¹¦ ÖÐóÙ]‘|ɱ;8«Ñ˜þŒ}á;©å§Û`"Ñ­¼š–ÛŽ¿ÜÉ<ö4 —,\!ëëù÷í #äŸ\E_¤kY£’ë»ý¶>á‚'1ÖOÞ¼3>œùŠ~Ò‹M2&¼‡ÏJw¶psa¡Î÷ócîùÈý{gi[+‘ͳÖLèØ×Ix|žÑºM+ªV S¶‡s?,‚ öŽ£1z<Ó¯³ØŠ 6¹ëíÔ†ÈÚÞÙ²AêðÃ9Ýù¯'{Ozö €.%}¯8´çžð“÷'Éë„ù|3Ié ˆÐõ†.`Üùi¡UK»±g`ÍI–›Š@ Îw™ÛuÝ’RGm™IÕë[QøÕæÊe0¢)ÖÙÆ€ô°й™öíWŸ7^ëÙøÇ–Ñ£c wÞ¿¸üõ&æÅÞ³šln‘Í#‡'ªå‘2¸ë­ÁÒÍN\_N’¶{ù°VC¤Š0täòwºÝB¥–ï…*çxHª/¬Ëš9ntˆ炧ÖÊ3l—vÜ/Y×èÑ E´ãÅbÚ€I,XÀÜÜí›Þæ]hd^ªSýR˜šžÏ:ì )â?/§È»²ÃD¥Õµ/4ýªV®sý ŸÇu@»Â™îÜ®ßdj. Ž1¸«.ß?’UHsÊ 3?êËôhà8—˜$36¯½3ÛÔF‹rò’Ñ¥~‡³¿‹9•in†¶ì¸Ô6i’„]†xOgñƒJJJ.‰R0©T¿mÎѪ<í ò4)¾®ÂRÁ*j™àØ¢ˆƒ»í€Ò4ò²];MýoÒ«‘!¤-åâ,kɸ!gë~çÕîN¬É¬Ô—©íâÞoÎ Ä{ó%ó;ÂGŸñìÉî)j‹Æ78DöÜs_cT‰'Î=îåÅ„K\žüÕ»Þí\üÃwØIW›¨U‚Ñ7Ü|,~ =ÞWÑ„Õ/ö#Þ::a¼ìbâ–OªRåQâ‘HÉÜb p«ibzŽÆ»¤Š…áõØ×Û_a­GŸN—y®=ðgµ±f*Rä)<ߘ·ò×£Rm…²Ðªž¬BM×2/+s'Žã’œ:¸Z…RyäˆÞ©X圳‘}=S¡Î(6²%1nü‘Ýv»©Ó¯á²Ÿ»ý*¬Ê)¤‡m0h˜yÕÇø–4gç×r̲ð—È<éѧÏØëyÏÓ;«KÞ+ÍmgToè‡ÊVË¥Çì4™“ÄÕ;$ÈZ‰Ì^‰ìÅ^–+’ †‹9g4²ëÉü˜k ZܼÐÉ*ŒÌ_×úøºd_Ñsl[°`ºÝW$ô®Æj4@²QÒ:fX.†óé\+»Ø/„pãÎßžO÷Ò¤ö'ÛÏG˧OWP$ñ~j·¸L"CúržÆñç¨Ê’˜¼©p«:gó.\}*ñ”‰`þÚ%ÓÙH›L-q»Fµ4„Î¥gÓ9Síð†oÙ3Ë„0!ù°ä ðÇå”|õò -²Ÿô<`HÂ^ê+Dy‰ñ‚Ã*ªþŠúù+Tý‰{Û9é‚À†É.8ñ‡,ÖTþ¼ó†Þ+b‰¤ H¨ÁžHk×senJ Ú&ÁeÊf°¨§3¨QÉþ&Í‹—Ưuo‡Cq>œS|1wÓðùz!N^ŒL/>û”™,ƒlIà@ÆÔNcW¹¸x‰ ô`ÖÑŒ­ uôõa L3®5{ 1GR']CL‹‹¿óþ/?8ÿŸàÿ ;Wêåᄺàü$¥¦èendstream +²Ÿô<`HÂ^ê+Dy‰ñ‚Ã*ªþŠúù+Tý‰{Û9é‚À†É.8ñ‡,ÖTþ¼ó†Þ+b‰¤ H¨ÁžHk×senJ Ú&ÁeÊf°¨§3¨QÉþ&Í‹—Ưuo‡Cq>œS|1wÓðùz!N^ŒL/>û”™,ƒlIà@ÆÔNcW¹¸x‰ ô`ÖÑŒ­ uôõa L3®5{ 1GR']CL‹‹¿óþ/?8ÿŸàÿ ;Wêåᄺàüµ¦Ýendstream endobj 714 0 obj << /Type /Font @@ -5439,14 +5437,14 @@ endobj /FirstChar 45 /LastChar 122 /Widths 1327 0 R -/BaseFont /NTJORB+NimbusMonL-ReguObli +/BaseFont /HFJNQM+NimbusMonL-ReguObli /FontDescriptor 712 0 R >> endobj 712 0 obj << /Ascent 625 /CapHeight 557 /Descent -147 -/FontName /NTJORB+NimbusMonL-ReguObli +/FontName /HFJNQM+NimbusMonL-ReguObli /ItalicAngle -12 /StemV 43 /XHeight 426 @@ -5468,7 +5466,7 @@ endobj stream xÚí¹UT¤]“%Œ»kቻ;îîîNâZ¸»»;…»»»;…»Z¸ÃÔûõt÷¬ž¹šé«ýy“ω±#Nì8çY¹’œXQ…^ÈÔÞØLÜÞÎ…ž™‰ ¦¬¡hdccd ´—¥W¶·5ü5³Ã‘“‹8™¹ííD\Ìxf¦Q3 €™››Ž bïàá´°tPýå ¦¥¥ûOË?.cGþF:-ì~˜ÙØ;ØšÙ¹ü¥ø¿T13¸XšÌ6fE-)y •„¼@ÂÌÎÌÉÈ èjl4ÈMÌìœÍ¨æöN›[LìíLÿlÍ™á/—3Ààì`füfænbæðDp0s²:;ÿ}NFv.{àbڙظšþSÀ_»¹ý¿ -rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ3w—r›LÎ6Fsÿ%spþ« Wg ÅV@p2³0r2µ1svþKó—ûŸîüç>ÿËîl<þmÿ/¯ÿ¨èâlfcÎÇÌò7§‰ËßÜ@;8ÆFEÊÎÜÀÌôovSW‡Ç~˜9ý«ATÿÌ õß"ŒLííl<¦fæpŒòö.S¨þïTføïù¿Aâÿÿ[äý÷¿jô¿âÿ×óü_©Å]mlälÍþø÷; øç’±ûß¼l6ÿ'ÿÿê©aöoEþi¤\Œþ¶BÈÎâ¯ôÜ l\LÜÿÅîf¦Š@K€¹‘Íß^ýË®fgjæd´3û«é¿Ú  gfbú/˜ª%ÐÄÚîŸæ³ÿdfgú_ëÿ+Ó¿ªgÔPÑT’¤ýßîUz›¿óeÀÌÁùoŠ'ÁEÕÃÁ ð?ÓiÈÙ›þÇâ>aa{w€=3€ž…‹õïdap³±úürÿ‹ˆù?×rF.N@w€ó_Ò¾™þÉý€Þ¡³3±7ýgvT\ŒìLÿŽÛþM\œþªü¯àïöÿ}ý¯Á73s73[ûeoÂl•ž•áR‡72%ª3ÐÇ >âPÚ¨ZTè_cßë—¾Ë]iø^ÂÐ4ÃóÙî±|æðq(Ms4Ö‡eCÙ›jvU€ïCJÝ_ˆºEÑÉI{Ȩ_Š˜q®íu½$»¡ÍÁ¤~´7¥¤¬_òE0ÓÉêsýDíOú£ÐƒìÑÉ×$­!³ ¥ ­îçÙ9EÒéÓ#åÐøèÈpï dÿ!mn,9ïDŠ(Ç\<mµ +rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ3w—r›LÎ6Fsÿ%spþ« Wg ÅV@p2³0r2µ1svþKó—ûŸîüç>ÿËîl<þmÿ/¯ÿ¨èâlfcÎÇÌò7§‰ËßÜ@;8ÆFEÊÎÜÀÌôovSW‡Ç~˜9ý«ATÿÌ õß"ŒLííl<¦fæpŒòö.S¨þïTføïù¿Aâÿÿ[äý÷¿jô¿âÿ×óü_©Å]mlälÍþø÷; øç’±ûß¼l6ÿ'ÿÿê©aöoEþi¤\Œþ¶BÈÎâ¯ôÜ l\LÜÿÅîf¦Š@K€¹‘Íß^ýË®fgjæd´3û«é¿Ú  gfbú/˜ª%ÐÄÚîŸæ³ÿdfgú_ëÿ+Ó¿ªg”UVR×¢ýßîUz›¿óeÀÌÁùoŠ'ÁEÕÃÁ ð?ÓiÈÙ›þÇâ>aa{w€=3€ž…‹õïdap³±úürÿ‹ˆù?×rF.N@w€ó_Ò¾™þÉý€Þ¡³3±7ýgvT\ŒìLÿŽÛþM\œþªü¯àïöÿ}ý¯Á73s73[ûeoÂl•ž•áR‡72%ª3ÐÇ >âPÚ¨ZTè_cßë—¾Ë]iø^ÂÐ4ÃóÙî±|æðq(Ms4Ö‡eCÙ›jvU€ïCJÝ_ˆºEÑÉI{Ȩ_Š˜q®íu½$»¡ÍÁ¤~´7¥¤¬_òE0ÓÉêsýDíOú£ÐƒìÑÉ×$­!³ ¥ ­îçÙ9EÒéÓ#åÐøèÈpï dÿ!mn,9ïDŠ(Ç\<mµ ±ªVõ¶ý^Nc_ñõiܬ槕Q¿ÑŠÔ+«ñïPYŸÌôZ#Ûõ½¼6SºßS7Cç0ÂþD¶X>ªO¯Æ¶aÕl¾JüÁøÒŠuwßùöüh¨ÁŽ7n- ª}»›ËÏì¯ò[ùwµ gïèÕËä‡× †¸ºŽïÛ­IZR » ˜Yâu#1¯› t,’‹¤×CMMW•M¬îÓ–$IÁ]•Ð}}™ß×(+X{—üÓHï=s]Ô½í<›Øáb57U‘Ct¸¹# ¹@ ²KCúFúØì¸5Ö0ë#‚OXíg½FC'ØÐÀ"¤¹ú,ï6çš#±VEÿú4Í ÙTÙ ƒ˜êççX}×¹F; yh ȱ½ýx˜!:Á<œ?-p©yó>sd³aEG2 ‰iħØä¢_,Ì:ý¡ÒI“ È ú€èç“.ª¡Ü^ó!Ozü(~”@½ð¤Ê¨JïŽ ÷(ù)I¡É’!Ë[í¿7O’0 ™(Öê/Êó#?ŸòtssÕï“wÏgWWÂù;í @@ -5540,7 +5538,7 @@ PпÜ  ªjDÒG@œ=ù¢0Vþ23qð8@R‚¢Sx†€ÀˆQšk>Ö˜IÛ»åÆnÕ@ Šœ+7ƒ¥ #xA&¶#A×÷“š k‘ìÚIÍ!]i¿ƒ–A!’ª5•JN¾w¢O’ ˆvš·Ò‘*âô*,¥×¤Q*Þ=£•^¯ÄìP«Üé툘Ífó®U‰{™™®ºû¶®á·Rû™ÁØ aûp"ë¼[÷—– ®k=¡_„ ë¾´6÷g]Þs±ã¢V×/h_ëìË4J#gBó³Ä…¨Ýûí:½ôy­ã~ó•é«©W-ªuuàúàÒã£^N[pa*'õÖÀ+Z“XÁàæකÈ}†J~NZ_?ÿ}þiæxA‚ÂðòÎZÊ6š§Œ u£a£ÊýDAEËÿŒåkd'‡Œ®2Õ؇¯ V°î2»“u=œÕÏ"¨¡ ¥}ŨRpÔG0Ò|Ëÿ°Á÷v¯×ã#Ði¹j3ÍTâè(3Z÷†]ö‰6$áHý.ù2rä"Šñ.Q}Œ[ô(~áa¼ô|·g7LÜëèi GÕzBƒ¤ìò°ôÉy,£–¢€%ÝÞû.îcäG3*Ùºr¢ê.ûÝS²Z°¶¯Üi𥰛‰àò"ë8׊Ê[¬oœæiªÈtB!N²Ma3_#”Ö‘3?z25Q«û%Tb÷‹ºðƒS‰\ ”Ë`DðÌø¹Õ"†Ò»K$šù‘ W»P-$Ô"taâ5í.§œi"2a îÎEg|鞢³‹O-,Œ'²Æ¤ùp|’Ì”‹Ò7rž´­‘€µ‘‹Üä!ðvƒŸÖß0ÕBöy\åqýXkÊ€XƒÆ;my»”(~aŸ›{á|±ob’ØÏÖ­Ùxœ=†¤…` Ö罦(h ö˜85]‰„C¬…ù×UÎu×ÞÃ4]}+7ÄÝ Ú‰-¬ú‹O ›ë}KHE®r¹ çbÛŸÉwO0t©„oµÆuZ¶Rèt•qø’.ùã8M“ƽ7·ôº8m [lC)¤ŸÙ¾X<‡ø¢ø¨7¢rLÚIQº¹RоR>„OôºˆzMЃ·:¨ “Päkæ ŽwS´RnBßÆÆ<9Ų|<ø{_À+¾>¡zZL¼³S©6v˜I  ?0 -tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþEËendstream +tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþFèÏendstream endobj 642 0 obj << /Type /Font @@ -5549,14 +5547,14 @@ endobj /FirstChar 40 /LastChar 90 /Widths 1328 0 R -/BaseFont /WPCXQH+URWPalladioL-Roma-Slant_167 +/BaseFont /LRQAVY+URWPalladioL-Roma-Slant_167 /FontDescriptor 640 0 R >> endobj 640 0 obj << /Ascent 715 /CapHeight 680 /Descent -282 -/FontName /WPCXQH+URWPalladioL-Roma-Slant_167 +/FontName /LRQAVY+URWPalladioL-Roma-Slant_167 /ItalicAngle -9 /StemV 84 /XHeight 469 @@ -5577,7 +5575,7 @@ endobj >> stream xÚí´cpæ_·-[;OlÛ¶mÛ¶mÛ¶m³cÛIÇf'é$·ÿï{öÙ§ö=ŸÎÙŸnݧê©úM¬1Çœc®EJ¨ L+hbod*foçBËHÇÀ³´5ru–µ·“¡²·1üu²Â’ -;™ºXÚÛ‰º˜rÔMM"¦Æ&&#''' )@ØÞÁÓÉÒÜÂ@¡ª¤NIMMóŸžRFžÿù{ÒÙÒÜ@ö÷ÃÍÔÆÞÁÖÔÎå/ÄÿñAeSS€‹…)ÀÌÒÆ ,¯ ))' —Sˆ›Ú™:Ú\l,2–ƦvΦ”3{'€Í¿ €±½‰å?­9ÓýÅtœL-ÿ3õ06uø'Dp0u²µtvþû °t˜;Ú¹ü‹=ÀÒÎØÆÕäýföÿ"äàdÿ7Ãöoì/˜‚½³‹³±“¥ƒ àoU±ót±0tù§¶³åß0ÀÞìo¦‰½±ë?-ý+öæoÔÅÐÒÎàbêáòO-#S€‰¥³ƒ¡çßÚÁœ,ÿEÃÕÙÒÎü?ÐœLÍ LlLÿÂüÅþg:ÿÙ'àéÞÐÁÁÆó_§íÿ•õ?9Xº8›Ú˜ÑÁ02ý­iìò·¶¹¥ ý?‹"igf`dø·ßÄÕá?bn¦NÿÅ?;Cù—„¡‰½'ÀÄÔ †^ÎÞåoIÅÿ™Êtÿ}"ÿ7Hüß"ð‹¼ÿwâþWþ—Kü{Ÿÿ+´˜«œ¡íßø÷øûÂØdÿ¼1ÿ¯\C[KÏÿMöMT7ý7Ãÿˆ¤‹áß1Ú™ÿ•‚ŽáßNKg1KSKc €™¡Íßý˯jgbêdcigúWË@ËÈÀð_b*–ÆÖvÿ õß!S;“ÿÊü¯<ÿâM/#!#¨¬Ný__Óe)üUÝEÅÓá/±ÿч¬½Éÿ4þÁ²÷xÓ²0h™Ø9lŒvFßÿMµÁ0þ§-kèâdéÐþÛ2ã¿ÿÿÿ´tÿ Œ¨±½É?[¢ìbhgòw±þ§ãŸ°±«“Ó_=ÿu×ÿ6üö¿VÜÔÔÃÔfcÕÞ˜;Ä*#;Ó¥#lZD{h€t,Ô¡¼Y¥¤( Î¾ß?#bŸ³ÚàO}(]Ë,×W§çÊ…Ãç±Õ¯‰tòþ4Ó›B\_bÊÁ¢;dÝìÔ¿‚èõÊá3/Õc¼o—eöÀ´ØÔ~L+*é•ýÀ›ífv‚º}¥ v+ +;™ºXÚÛ‰º˜rÔMM"¦Æ&&#''' )@ØÞÁÓÉÒÜÂ@¡ª¤NIMMóŸžRFžÿù{ÒÙÒÜ@ö÷ÃÍÔÆÞÁÖÔÎå/ÄÿñAeSS€‹…)ÀÌÒÆ ,¯ ))' —Sˆ›Ú™:Ú\l,2–ƦvΦ”3{'€Í¿ €±½‰å?­9ÓýÅtœL-ÿ3õ06uø'Dp0u²µtvþû °t˜;Ú¹ü‹=ÀÒÎØÆÕäýföÿ"äàdÿ7Ãöoì/˜‚½³‹³±“¥ƒ àoU±ót±0tù§¶³åß0ÀÞìo¦‰½±ë?-ý+öæoÔÅÐÒÎàbêáòO-#S€‰¥³ƒ¡çßÚÁœ,ÿEÃÕÙÒÎü?ÐœLÍ LlLÿÂüÅþg:ÿÙ'àéÞÐÁÁÆó_§íÿ•õ?9Xº8›Ú˜ÑÁ02ý­iìò·¶¹¥ ý?‹"igf`dø·ßÄÕá?bn¦NÿÅ?;Cù—„¡‰½'ÀÄÔ †^ÎÞåoIÅÿ™Êtÿ}"ÿ7Hüß"ð‹¼ÿwâþWþ—Kü{Ÿÿ+´˜«œ¡íßø÷øûÂØdÿ¼1ÿ¯\C[KÏÿMöMT7ý7Ãÿˆ¤‹áß1Ú™ÿ•‚ŽáßNKg1KSKc €™¡Íßý˯jgbêdcigúWË@ËÈÀð_b*–ÆÖvÿ õß!S;“ÿÊü¯<ÿâM/+*.¯¥Ný__Óe)üUÝEÅÓá/±ÿч¬½Éÿ4þÁ²÷xÓ²0h™Ø9lŒvFßÿMµÁ0þ§-kèâdéÐþÛ2ã¿ÿÿÿ´tÿ Œ¨±½É?[¢ìbhgòw±þ§ãŸ°±«“Ó_=ÿu×ÿ6üö¿VÜÔÔÃÔfcÕÞ˜;Ä*#;Ó¥#lZD{h€t,Ô¡¼Y¥¤( Î¾ß?#bŸ³ÚàO}(]Ë,×W§çÊ…Ãç±Õ¯‰tòþ4Ó›B\_bÊÁ¢;dÝìÔ¿‚èõÊá3/Õc¼o—eöÀ´ØÔ~L+*é•ýÀ›ífv‚º}¥ v+ @%yq@ð3NoŠGëAjBn(¾¸$K>{}!ù9>6Ú>xŒCMÊíOà˜‡Ã¯¥ZíIµr’59mƒ.pÉ`Þ?&Éñ„ζÁÁ½S=æî{ƒñp&§ ;n¯8Fèzeíä4˜¼0€=’Ô}ØbFÖKøPÛý‰*ž|ë*u¡»ÉŒtÆëQg¶Ú0+é›;X ì3|ú˳_~$$1ÆÔt)÷™“¢vî Jaƒ*Ë÷gÑHé¾Îɳo0“³&¶…5­ÁÇeå<,ŽÐüâGæ"nEÏÎ}_°:ÎçWY¸ªûèKH°hϯØga¥@uª“fne¿¾“ßFËãJuÇ<@3ý‹ãnÚ(º†¦7 rh»žÓd#åïú2°t¤ö šuùCq~ÖEn»¼`Õz6sž­ò廃à¯ÍF ÆÆæNu.:,Ãö±®¾Sȯ0Hü]uµxoî»"ž'¤ä³«éi¢'eIä©X¨“T—cðíâðò¨Ë˜ÙK_ï%…‡Œ±™‘¸¯";ÀFßQpÈ“•"¨ÕŒFGáÑu|°¤ξ,~å/_%Ûè I öUøÁ2!Äü$|Æ#ö½2Óë{ZöãC^|´l´YAßúëSE¿Xü䨺®B³jötâ*‰õdȇ÷ùÔc>,üæ)7º`Ì'Žª°sSíû.rœ.ßË»"9ÉÊ­ñòw̆d”%1w Ü-®D*’Ëo¦lS‡µ;|‹:û7ê3ýOE|m²UúU?¾ÒMÑr(!¥-€Ùü³´ü»åš„¸»ßò}"‘ŠL _‡°‘Fô¨—†…óOUØ?4o#›d(Ðù“ªdR'õÓåôëQjœtD5tS¿¡Ççà|¤v¾eW¥Ó-œž³ûKDñA ¾îúlÙ.ÎdÀ| ‰çZºøªRG¥8LÎj9eN»ÂðeðóÚ·¬ªçc“K<:…±-œâ&ÿ PÆC×™‰Ø 1±€ÈÔhC 'zšŸõR##¢á݃×nXxþ»\p„ ¢Y5¸g þ*iê¿HfròÿLìlÄDÁ}ë«°>î$âà5`瀙¨B:úü©Ï\d½GÓã•OVçy»žˆâŒq¿13’…‘ƒË+”/ÓUYÐ!©«Ù7G’J‰Š’µ/µ‹E[½u=èšãwlâ/ZDvØ×+‡¬Uõ8× ðòÊNx7RÕºÉ`¾µ™XÌT˹j#R“ÛGt/ eÊKÎõÊí.U;’ÊÌi½ÚT19òŸJ*|ÌŽ{ë @@ -5637,7 +5635,7 @@ wK é&È×EGÐ×¼ÌþáEÖöyä^ÜãY;.O4³BVÀ_â¤*ðú®-IP S¯Õï|œúš¢žÙ£D•IšTUÔ4ÐùŒ†âÅjá’g¼ŠPÓÎyÜ"ïš…(ð µx Fäüñ²fL6ë·:Ùºù$ ˆ©ŠIi´Nl@“'ÉYPÁìpW“Š)È%çäéÄX«w”£—û­¾[œlÌg.~ɰر;+»/yäáEèY7)5’Ùäs+¹š”ëÍÊ·"õâ,ëgßáNÊšŒ8¸iƒC1ºÁÊX×!êïŠ&‰!-ýå÷ÓbH³ÚSÂDÔíT"2'ŽXêEñ=ísk-*iæú7eÚÊ>«DÁwOmJ96!>bˆ,Ïä‡?¸Y7š“'»žž¾ðxý–ŒÝìâÞY`BÞÉüî¼éMù_`ìêɈûúÉšgµ0† Aô¸ÔSn=„8#6a–ß Vn“saÌßmæbÐ0ùÝ» v«içôŽÙ¡+C0Ê"ëE@ZÁÅIÞÍZteµ·Æx£i‰LçžíÞW3¬TÒs7²»?Ò9CvJ7LIE¾B¾1/šóÎFý­×ãw§,ƒ ²˜d`z)ØïÜJ2·œ¶ÓžÿTsnÿ¨ª=¼W2£íºÏX*•ÎrüêòÐ$øyßT™4åäG×$ÉEž˜Yj¿ÊÊ«„‡›ùe!Ȇ(twèàyTÊv\P&ÓS'~¦ž¿)×ãYÛeë{Î5©.‘‰MÆ=zB¶OºùÐÚ蔼™_ÊÎl)]_¾Ýòr‡I²wÛPr”ÑÕ^H•dóìîo#’ÜñQèŒj0Q,ùŒKýYÍpV½ž$!^—#jðý%õ³ZŠhŸÍ7/¼bžQ½l¾a¥{‘ÒX%‰ZT,Ý´âÎs:™Dû´x[§¥ì®ýŠ³ U·ˆpÆ?Ĉâš«æŽ!“²}@î— ¬=FAÏ=™ÛJA±åŽ$†óv Õ£Œ€Àžš>¢ƒ>Šbì{k*9é&Ørï±·¸ÇXJ_Õž õqå$J*ˆ×èã3²û…s-dÞ,ªUÄrÿ£øc-þ—n,ì ýXêŸ]90ÜÎ+â1éW,‹Òç©"={LSœý©ÙDY$ šHʾ&Œ9êe+Ð툂4wP$öXyßÝ›@4}{¡+/@Œ÷Ðþ È -•”P'DÔ$*) Â|%“<ð +ÐVƒ–8'A^PD ÿ—?˜ÿàÿÆ6¦†N.ö¶†NÖ0ÿ קvendstream +•”P'DÔ$*) Â|%“<ð +ÐVƒ–8'A^PD ÿ—?˜ÿàÿÆ6¦†N.ö¶†NÖ0ÿžG§„endstream endobj 635 0 obj << /Type /Font @@ -5646,14 +5644,14 @@ endobj /FirstChar 34 /LastChar 125 /Widths 1329 0 R -/BaseFont /LHLASW+NimbusMonL-Bold +/BaseFont /MEGOZW+NimbusMonL-Bold /FontDescriptor 633 0 R >> endobj 633 0 obj << /Ascent 624 /CapHeight 552 /Descent -126 -/FontName /LHLASW+NimbusMonL-Bold +/FontName /MEGOZW+NimbusMonL-Bold /ItalicAngle 0 /StemV 101 /XHeight 439 @@ -5674,7 +5672,7 @@ endobj >> stream xÚ¬·ct¦]Ó-štØ1:ÖÛêضíÜqrÇ6:¶ŽÑÛ¶m£c[§Ÿ÷Ý{{¼gŸ?û|?®1®UUkÖ¬šµÖ‹œXQ…^Èd Ù9Ó330qä-m]œä@v²ôÊ@sÀ_#;9¹ˆ#ÐÈÙd'jä ähM¢@ €™‹‹ Ž ²÷p´4·pP©)kPÓÒÒý—埀±ÇÿôüÝédin øûã -´ÙÛíœÿBü_oTÎ@€™¥  ¢ ¨%%/ ’WH퀎F6EcK€¬¥ ÐÎ H 09lþ½˜€ìL-ÿ)͉á/–Ààd4±ü» èn´ÿÇE°:ÚZ:9ýýX:ÌìœÿöÀ°´3±q1ý‡À_»è_„ìA#lÿúþ‚)‚œœL-í³*ŠŠÿ›§³…‘ó?¹,ÿº ³¿‘¦ —Jú—ï/Ì_¯³‘¥ÀèîüO.c ÀÔÒÉÞÆÈãoî¿`öŽ–ÿ¢áâdigþ_ èŽ@s#GS “Ó_˜¿Øÿtç¿êüoÕÙÛÛxük7è_Qÿ‹ƒ¥³ÐÆŒŽ™åoN翹Í-íàÿ);3€™éßvSûÿés:þ«ATÿÌ õ_F¦ ;€)Ð ŽQäü7%€êÿNe†ÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ!þÿ{žÿZÜÅÆFÞÈöïüû‚ü½a@YÀ?wŒ‘ãÿ+ÜÈÖÒÆãÿ°á?5€ÿ&ùÿ#ålô·Bvæab`ú·ÑÒIÜÒhªhélb03²ùÛ©ÙÕìLŽ6–vÀ¿Šþ«™zf&¦ÿð©ZXšXÛýÓzö»€v¦ÿIþ¯Hÿ¢Î¨¡ ª¦,KûŸwê¿¢ÿjï¬êaÿ—Øÿ(Edú¿ÿ` ƒÜ^ôO = +'€ãoÂïÌÌ>ÿ‡lÿ‚aþ¯µœ‘³£¥;@çoÉLÌÿ*ü|ÿµÒû1;é?³¢âldgúw¼þ—á·‰‹£ã_Uÿuâÿü?×ÿt Ðh·²2á ¶JËLw®ÆÊÕéíf† ±/©S-Ì÷¯uù¥…msU¾U…0ÔOr´x,œØ¿ïKÓ wcÚPv¥/~âûR÷ä£nP´qÒ2ê— ¦ŸjDy]ÎËnAjs0©ìŒ+)ë¿AL¶±:Â^>Rû“ºæû#{°Gò5I­ÅhG©C«.89¥Hüóø@Ù?248Ðu Õ³G›û•œÇ‘"Òß!O@[­Â+œ:½ïºõòƒH£ÓK?œ —,ÂVöEÑüçª]«ì[Tz«o¢œ£dóþ/MÌ«ÙÉH^¡ÄI®™ÜÏ5r1',Þü‰ Þ›ik² ©L˜ZÂÁû/WT½Na^Õ¶•4/=H¹sCSJí%µnMÐûäLôCá.¿DšíÈ=u—„e,€o¥Ùav±ÉýóÆ|mÝ3ÖU§²¦¹zŽÕ™ØŠ '¡ÇÇ Fõ×¢}²ƒA WÚòc’¤E§Jm¾‘®½xdñeî°Ì‘š:ð¿ÓîëKÔÚ›dçT“†;‹Z[,ð‚³ÅÈ|¹ÂÈâH‘0ç²FCu>OúŽ2Ü7íÐÒ*Ž<¸ôc’ÀMÏý/i°Ê’ÙÙj0¶Q”ß6>j²VÅp—¥GW9¼® Mf…ñðÅbFéÿh{A†Ó­³c§ßÍ{š#ñs€²~Õµ~D‚ðD5‡‹æmÏÀ¹õ®ƒw RŠˆr±$ÆB¿˜­2.ð#œî@[„`9t< +´ÙÛíœÿBü_oTÎ@€™¥  ¢ ¨%%/ ’WH퀎F6EcK€¬¥ ÐÎ H 09lþ½˜€ìL-ÿ)͉á/–Ààd4±ü» èn´ÿÇE°:ÚZ:9ýýX:ÌìœÿöÀ°´3±q1ý‡À_»è_„ìA#lÿúþ‚)‚œœL-í³*ŠŠÿ›§³…‘ó?¹,ÿº ³¿‘¦ —Jú—ï/Ì_¯³‘¥ÀèîüO.c ÀÔÒÉÞÆÈãoî¿`öŽ–ÿ¢áâdigþ_ èŽ@s#GS “Ó_˜¿Øÿtç¿êüoÕÙÛÛxük7è_Qÿ‹ƒ¥³ÐÆŒŽ™åoN翹Í-íàÿ);3€™éßvSûÿés:þ«ATÿÌ õ_F¦ ;€)Ð ŽQäü7%€êÿNe†ÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ!þÿ{žÿZÜÅÆFÞÈöïüû‚ü½a@YÀ?wŒ‘ãÿ+ÜÈÖÒÆãÿ°á?5€ÿ&ùÿ#ålô·Bvæab`ú·ÑÒIÜÒhªhélb03²ùÛ©ÙÕìLŽ6–vÀ¿Šþ«™zf&¦ÿð©ZXšXÛýÓzö»€v¦ÿIþ¯Hÿ¢Î¨ ¬*§*NûŸwê¿¢ÿjï¬êaÿ—Øÿ(Edú¿ÿ` ƒÜ^ôO = +'€ãoÂïÌÌ>ÿ‡lÿ‚aþ¯µœ‘³£¥;@çoÉLÌÿ*ü|ÿµÒû1;é?³¢âldgúw¼þ—á·‰‹£ã_Uÿuâÿü?×ÿt Ðh·²2á ¶JËLw®ÆÊÕéíf† ±/©S-Ì÷¯uù¥…msU¾U…0ÔOr´x,œØ¿ïKÓ wcÚPv¥/~âûR÷ä£nP´qÒ2ê— ¦ŸjDy]ÎËnAjs0©ìŒ+)ë¿AL¶±:Â^>Rû“ºæû#{°Gò5I­ÅhG©C«.89¥Hüóø@Ù?248Ðu Õ³G›û•œÇ‘"Òß!O@[­Â+œ:½ïºõòƒH£ÓK?œ —,ÂVöEÑüçª]«ì[Tz«o¢œ£dóþ/MÌ«ÙÉH^¡ÄI®™ÜÏ5r1',Þü‰ Þ›ik² ©L˜ZÂÁû/WT½Na^Õ¶•4/=H¹sCSJí%µnMÐûäLôCá.¿DšíÈ=u—„e,€o¥Ùav±ÉýóÆ|mÝ3ÖU§²¦¹zŽÕ™ØŠ '¡ÇÇ Fõ×¢}²ƒA WÚòc’¤E§Jm¾‘®½xdñeî°Ì‘š:ð¿ÓîëKÔÚ›dçT“†;‹Z[,ð‚³ÅÈ|¹ÂÈâH‘0ç²FCu>OúŽ2Ü7íÐÒ*Ž<¸ôc’ÀMÏý/i°Ê’ÙÙj0¶Q”ß6>j²VÅp—¥GW9¼® Mf…ñðÅbFéÿh{A†Ó­³c§ßÍ{š#ñs€²~Õµ~D‚ðD5‡‹æmÏÀ¹õ®ƒw RŠˆr±$ÆB¿˜­2.ð#œî@[„`9t< ®;-¸9"LOlñøþ¤(™è›‹¿üfg†"©jĮތòBô€Úbš ‹©Jÿøq²9ˆ³<®aÁGL…žýÍ1¢€’tgÆ€æéŠdªjÍ!b‚è`{*³Ñ>vçîóƒË|û·UBtOrÀ'v‡”ѳªã8~»%¼È&#Xúå9VÔÅn ͉ $xܹ†ÌK+t†õÆ”S39 h–‚Ñ_0t.Äý×®)Vü6]æ‘£ô)—ô Ú¶‡QU<ñQ`ÛfyÜd!ÄI{—9Í°Êz=,_*#”„-wS¨F‘ýþj‰Á#i‹³g¾}Õ.bê%aòàáøˆ¥3Òä°UI«QÕ>›‹¼µÚê©u?ïA°¤†æ6'¡wd^χö%c?E!Osõ±ëÍ“F€àí Á¹¬ +ËÐÝSa[?ò‹LdH²'Ä™ÊÔË(*¯¿ãÄ^ǹ„æ–1©´±ó¾¬þ²;l… !j_lŒ‰ƒBQÖ©k‘7s|Éõ«:¢­…eá0O ÙËÛôOfC–ôBÙßÕÐÒe/ÅO?žRà²ÜÇ®¸¢u¾,ùÊ«.ì4ð”’áâ·×6ŠmãT*´Õs Óî”ì ³@bSiyäÚK`G¡á›ÿ Agýª¬×‘ Íàì1 ÜSW©Îƒóy l3>ÛúŒ#ž Þë˜øw3Ëȱ¬@"%ÓZÏ æ&k]}Ö­¦Ç4¶ò´!oaQ™ý\–«Wløeû ð–§j&!”Eö¼ì»Ã=åXA|nód5ÕR©›{eÿ§ÇBÒE9ÌĦçÇRÜàå®\ñEÞó`Ø4†iiž°7Ùµ©.CÓ²ï¢Ç,ê±Æ×uNžÆ,ûîü]L›ëMpqÖyZ:D?vþŒàËwàƒÉpçY %QX‚üT ¿Tàš6àÀüµp]HUûnã/Ž`oæW‰þýÖ”d·=ú€A&ú4è7½íïçÄ„ÏÑtžU¦Á‘ƒ ¸T62{AIÝ#\¯™C—´ ÆS;7¨©rðlËw6à(à/ÀX=×Ñ@®Æ»dƾàcŽÅIn£i½„¸€éåç³À¢àU= Yõ¿˜[¸sQÿ%Cÿ‰t–#¶&¥±AHe;ð‚°x21gw(éDüŒÅ+X“³÷º*5{ÆQÁmôÊÊ,¶ïõÝŸˆ"rÔá}ºÏ[.Àã#îf!or³†@ú@z÷ê|]Ð"i<ÖwùR*°ˆ}—£…ÐCW¦X%= ›%î# e˜žPŠ†ºTŽ”oRÈJt¿¿˜òä:7iûCì~7„D|?·Tÿ ½ÔHt…:êÕ`²ÔÞü 'ïX=…È‡Ú ‘žç—¹X òþhr6É׉¬Šä+Ki´´ @@ -5739,7 +5737,7 @@ Bc ŒnÂïqÝ“äZÆM"%3wöšžk×éÔ´—~«û>W–ûÄÇbèþ!ÿ¾@¾Þ§.8pO§’]éDÜÄùû/ÏÇ­ƒzöb7žpÜü¶ny"KÌD¶<£1#3—±òðó€Ô5ï©ø¸2@Jh(C¨ô,ð0¨ŒK  O\‰Ù)¬U°Î®ø+²d€,…•ÅáxÝ2mïË¿¯5Äž&‘=+3–ˆõn&•çV8h·~êåwŸÚ²ÿˆTÖÿþϨLÚ~¨Td¾#c¡¿{%õ R|ö–ïé×Üsîý¦„_[ø•-®ªÉ–þÒ4’b'ŒÔ)ˆñ™Í§HéSuÝÓê:V†ßá×äçNG‰=Žñ#*¯îk-Ì eÖL‡*~Iý$¥í˜Ÿ½dÊ‚Šj,ä‚@_¥þËEÆ*z|2Yðc€ƒh˜Ï¸Åç;+¼ÛÃý¸/TƒÕ›Î©doFÕn_e8„j(Ú— ü™¥ÇÔø2[=‹÷‹I‰éÊ<„qn…Àòz¾C; üù %:à`¨_¿.77•‘CÉÒâÐ_™í¡Ðà04~39jbÑ®ü›&Fï©°ío®GãV&mdRç–ÈëSUoƒ„‚úmZ|ÃнKÐRõÁÄÅgÁO¾/φvb$eß÷•Bf^ŠàŽÚV@ù.ä>Óͪ‡¶À‡>esÛŸÅT¢:(8'öÛ¹oˆŒ5ׄû{‹Tûzã d(6t!V\ó¨½W-aXÜišæ)Áúºû(”˜ºtëWfzÇ̓¢ëû:<­Ûý-bŽÃšÎ–¶Ÿ–1’IîYz<©§$ð÷ÅGŠ¸ÿæ¬j©1XC¨ŸzÝÀ}1«"ªˆ'xÆ"m,+äôdiý&x,«\wä‚j´k· P¶_zjë$ˆ¾‰'Ìx3”'M’>Ïð|ͳvÞ¾æ´3Ù3jhœªƒãü¹€ru¤†àÃy#‚µ¨et%žŽôçÊ NÉÚ Ü’JšøVtûŒÕN©õðKuGJ©`ÉíVq‚¡b4XP×d"S×|О­†¡· po_ó•à²È€,™r*õQ„!™]›±¬:CZ'¢ƒüQiñ²ü®fR£ê©rŸâ"fÅÄÍ]­'¹&>b—"„âr$#cC7tïè¶k Òô”­ìX{.[ ½×OP -H?›qtÄ'Ê—¸õ7RïàýZ$?¤FÝîc?e IŸöãõ}unw°¿ìpd3<ŽéæË\ðþLøkÝ|hÛð‡œ}26šËèm’¤¹Cíê®—ìõª³¸µ¨Ã;á]Ëý@ˇ^¼ÌÒûNÕ—ª#]c—ø¿(9”CúݵB¸ _“Ôáé‹<§\!±$õ6F]ÞOð´¢9#ËÌ`Kv¾ì®¿‰Îj¼8ƒÒ•ƒoq±—Ž@ÖÐò‹›k¾'ÅÇ–³Øë^eƒÂþsˆ¸Åk\X·È.,0%+ IvâOã¬ÙbWÀü}Ž\Iššˆï7–îð‚܃‹Ûd¶¾…›´26FͺÞ+[XÜñž¯Õ8®vÃͬ”.™rʺƒ[[lø¿ìݸ‹ù¬ljuVãvGï½®êšZZîšiÿ2Öp"%'®«k¨!!z;y‹Óu£ÄH§;Âæ÷s‘5.C4†ANŒâ¾Ð-ˆ‚*û*!Ú¼DP¦IfþêG–ºp-¹ÈXšóÊHÉÁ£k˜—²‚%3ÚsO³¹× þÆíÕ ŸV-å s5ÔßèŒÂ ²X6ÅÎb>oTíAÓÐu•öƒ€òÜë½%_R`¾¿+“÷Ô§j¦KBi~ç›uFyLþª+ Ýœt‰6vÎýM}`ÐeØ\"ÕÞ.ÔôãÊ„£Ôòe”›„ 8ï5Ùª¼üË*-/Oe…¬øïñk±K6‰òA<%ç¥ãÖX'Þzž¦ÈtBXé–°¿yRf¸æ—Ÿ{”†ü&GC¡!Ýe÷AŸtÏF }¢ˆgr ßKÊÓ›ôðŸh¥L±¥­ç”:G}Tì”´EÜ_U¥þÖÙ?ù&ü?à¿Š¸u'0&\ø?±g¹Ýendstream +H?›qtÄ'Ê—¸õ7RïàýZ$?¤FÝîc?e IŸöãõ}unw°¿ìpd3<ŽéæË\ðþLøkÝ|hÛð‡œ}26šËèm’¤¹Cíê®—ìõª³¸µ¨Ã;á]Ëý@ˇ^¼ÌÒûNÕ—ª#]c—ø¿(9”CúݵB¸ _“Ôáé‹<§\!±$õ6F]ÞOð´¢9#ËÌ`Kv¾ì®¿‰Îj¼8ƒÒ•ƒoq±—Ž@ÖÐò‹›k¾'ÅÇ–³Øë^eƒÂþsˆ¸Åk\X·È.,0%+ IvâOã¬ÙbWÀü}Ž\Iššˆï7–îð‚܃‹Ûd¶¾…›´26FͺÞ+[XÜñž¯Õ8®vÃͬ”.™rʺƒ[[lø¿ìݸ‹ù¬ljuVãvGï½®êšZZîšiÿ2Öp"%'®«k¨!!z;y‹Óu£ÄH§;Âæ÷s‘5.C4†ANŒâ¾Ð-ˆ‚*û*!Ú¼DP¦IfþêG–ºp-¹ÈXšóÊHÉÁ£k˜—²‚%3ÚsO³¹× þÆíÕ ŸV-å s5ÔßèŒÂ ²X6ÅÎb>oTíAÓÐu•öƒ€òÜë½%_R`¾¿+“÷Ô§j¦KBi~ç›uFyLþª+ Ýœt‰6vÎýM}`ÐeØ\"ÕÞ.ÔôãÊ„£Ôòe”›„ 8ï5Ùª¼üË*-/Oe…¬øïñk±K6‰òA<%ç¥ãÖX'Þzž¦ÈtBXé–°¿yRf¸æ—Ÿ{”†ü&GC¡!Ýe÷AŸtÏF }¢ˆgr ßKÊÓ›ôðŸh¥L±¥­ç”:G}Tì”´EÜ_U¥þÖÙ?ù&ü?à¿Š¸u'0&\ø?Ëí¹Ìendstream endobj 632 0 obj << /Type /Font @@ -5748,14 +5746,14 @@ endobj /FirstChar 33 /LastChar 125 /Widths 1330 0 R -/BaseFont /WOTURL+NimbusMonL-Regu +/BaseFont /ORTMTF+NimbusMonL-Regu /FontDescriptor 630 0 R >> endobj 630 0 obj << /Ascent 625 /CapHeight 557 /Descent -147 -/FontName /WOTURL+NimbusMonL-Regu +/FontName /ORTMTF+NimbusMonL-Regu /ItalicAngle 0 /StemV 41 /XHeight 426 @@ -5777,7 +5775,7 @@ endobj stream xÚ¬zSx¥]·eœTlcÇv%©Ø¶íìضmÛ¨Šm£b£bÛ6»¾ÿïÓ§ŸÓ}Õ}.ö~Þ5Çœcb¬µö¾xɉ”éM쌀bv¶ÎôÌ L\U%uCkkC ;zIgCkÀ_3,9¹°#ÐÐÙÂÎVÄÐÈPšD€Æ3''',9@ØÎÞÃÑÂÌÜ@õ—ƒš––î?-ÿ¸Œ<þùédaf  øûà ´¶³·Ú:ÿ¥øTÎæ@€©…5 ,¯ ))' —SˆmŽ›Pp1²¶0ÈXm€ÔS;G€õ¿c;[‹ZsbøË%è08Ù-þ†Ýöÿ@t{ £…“Óßg€…ÀÌÑÐÖùï œí¶ÆÖ.&ÿð×nj÷¯‚ìíþzØüÅþ’)Ø99;;ZØ;þfUûwÎæ†Îÿäv²ø ìLÿzšØ»üÓÒ¿°¿4QgC ['€3ÐÝùŸ\F@€‰…“½µ¡ÇßÜÉì-þU†‹“…­ÙV@pš:šXœþÒüåþg:ÿÙ'àëÞÐÞÞÚã_Ñvÿòú_5X8;­M`™Yþæ4vþ›ÛÌ–ñŸ­"ikj`fú·ÝÄÅþ?0W ã¿DõÏž¡þ[„¡‰­µÀh -Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1À?—Œ…ñÿánhcaíñ ø¯žêÀW©4s±6tü¯ð¿émÍþ*BÏÉÀöo«…“˜…;ÐDÁÂÙØ`jhýwVÿ²«Úš­-l5ý×8ôÌLLÿS1·0¶²ýgølÿ†€¶&ÿµü¿2ý«xFua1Q Úÿó^ý—ŸÂ_ýU<ì€ÿ™D]ÖÎä-þa²sxÑ3s0èY™Øþ»¿ó;³Ïÿ%㿈˜ÿs-kèìháÐfb`bbüýþÏ®tÿ ¨­±É?;FÙÙÐÖäï&û_†`cGÇ¿ÚþëÜÿmú?ÖÿÚî@ ;ÐveÑΘ;Ø2=+ù+ohBD»¿—|(ÄþWƒJq¡µ]_zø6g…Á{MCã×g›ÇŸSû})šƒ‘^LkÊžTàe¾)u_!ÊEíA £Þ/„Œ3õh¯«™--v&µƒ E%½ŸïPS¬Ž0WOÔþ¤®…þèdöˆ¾ÆiõqÈ ¨µE§gIÇO”¿G‡‡{n ûöñhs㾑s»B PDù;äâñk©–‹V6½8mN¨Œ Ávìòø›½ ä´“[¬{[Ëû^ ¬jÄî Öæð¡'¦E½à3õ%­µK$cÿŒæ^55`wzý´æ]ŠÛê{ÌFx9].òn1[Em™QBÏ•[ï¹öضé3MºÔí¡v»ùV¹\¢ ³*2m jVöˆ¨pz/’]6r w™ÇR‚I%Poýpc75ÈÔ'¶ÈhÀƒ W7JUϳ`K¡$¥ÀsÎ<Ä7:^ƒÉXÖë}†¿?Gæ;¦D»Ëc|y´—GðCK”Ï?eñ!AÊ¥c£VÖnPW±6HãÊQ9+–hh8©SfŠŸ0gÒËÑÍÁýh7F(Í¡7öؽŽa¸Z®/„y®I­1‚ÐÖÊ®kZºíRø»ÓÐð±‰ÌN²NNÆnôâT7%ÿÑ'ϳ7i"Å +Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1À?—Œ…ñÿánhcaíñ ø¯žêÀW©4s±6tü¯ð¿émÍþ*BÏÉÀöo«…“˜…;ÐDÁÂÙØ`jhýwVÿ²«Úš­-l5ý×8ôÌLLÿS1·0¶²ýgølÿ†€¶&ÿµü¿2ý«xFi1!!y)Úÿó^ý—ŸÂ_ýU<ì€ÿ™D]ÖÎä-þa²sxÑ3s0èY™Øþ»¿ó;³Ïÿ%㿈˜ÿs-kèìháÐfb`bbüýþÏ®tÿ ¨­±É?;FÙÙÐÖäï&û_†`cGÇ¿ÚþëÜÿmú?ÖÿÚî@ ;ÐveÑΘ;Ø2=+ù+ohBD»¿—|(ÄþWƒJq¡µ]_zø6g…Á{MCã×g›ÇŸSû})šƒ‘^LkÊžTàe¾)u_!ÊEíA £Þ/„Œ3õh¯«™--v&µƒ E%½ŸïPS¬Ž0WOÔþ¤®…þèdöˆ¾ÆiõqÈ ¨µE§gIÇO”¿G‡‡{n ûöñhs㾑s»B PDù;äâñk©–‹V6½8mN¨Œ Ávìòø›½ ä´“[¬{[Ëû^ ¬jÄî Öæð¡'¦E½à3õ%­µK$cÿŒæ^55`wzý´æ]ŠÛê{ÌFx9].òn1[Em™QBÏ•[ï¹öضé3MºÔí¡v»ùV¹\¢ ³*2m jVöˆ¨pz/’]6r w™ÇR‚I%Poýpc75ÈÔ'¶ÈhÀƒ W7JUϳ`K¡$¥ÀsÎ<Ä7:^ƒÉXÖë}†¿?Gæ;¦D»Ëc|y´—GðCK”Ï?eñ!AÊ¥c£VÖnPW±6HãÊQ9+–hh8©SfŠŸ0gÒËÑÍÁýh7F(Í¡7öؽŽa¸Z®/„y®I­1‚ÐÖÊ®kZºíRø»ÓÐð±‰ÌN²NNÆnôâT7%ÿÑ'ϳ7i"Å HkÑò¶ xÀΙsTºÜºí F¥$_2à¤ÝéØæú¢úÆÒ†êéÓ÷j%ôÜvk†Êœæ%¢d` ;ÝSêdù/áÉ]‘¶S¡¼ÀËÒKa÷Ï ëö³‘#&[K^˜µ+»UTƒdak¦“Ÿ–fUX©u¢¸5ÐJçCL8KÔR®<‚öwm.¦LË‚&ØwLCœ¾a!~6]íeîkZ77º?ž†,˜ˆÁóñ0a£%Æà \P3ÏØ©®â%ª«Q¶°sy1*õŸƒð3›Wž®õ;7 K³y²mÇZÉh\HÐçãîäÑ|Àÿ´_˜D®á!)?¬oöër$q0>°±ÏO„…£b{m㔿/£HŽç,Û»MEr2ï©Åèg(ãw„†Ó¤,DûJ.pW£?W؃ð›'HÂMcÕ‹~[5 j´iÝ "£õëÈbýN¿”òà–`˜ä§×ÛÉ™ÍeÒÔ“Ç먄lŸyú¿ýw¬ª±›ä»~¤J!“A=ÐÃé8êâ N1&ƒ¨8#vŠ:ÚQ™¡ù 0 RÛ¤T(þ×ût„Í$þbwF˜ß® 7)ÒZ¥ëî±´X¾;dãQ¡ÅC…sNÏÚ‘!jCù‚#XÎäüÃ_Ä÷ €mK1”£»ãß:¹Õ˜z_#å *’Ðs,b½“o&‰ð]ÎÎì†Ò¬¦{˜±ãxÂZ©–\å.ÉÉq™5í—]Í_ãÓ~w X~˜½UÖ"bg¬%Ì—ÊÉbÙ¶Õ¾VÂ3a¾$þ—ì!íL;ENLãÖ[µô(ÁzŠþÐÞ :\¦oŽìÿÞÉðdþÌn¤j’Pïn‰“Ì{:}*PDvŸw*[ð@9‚»pR¸ÿÍ‹°E²(oh~÷ƒ¸hkå……DÛ–‡[ÒÆ¥oÖ™ziUèɉ±-Ïòk^Mï•ôÌ,öêf¬”ñx” ŸGS6 »æÐ>²+5XÛ•½åfìÔm·ë×®þv*¦Øp ëÔ,ÆêWàÅ{+"‹ÜV¦Å—iÂÿÆ6ë,Y¶ÍSßl£ÐãìÖH”þœÙ¶‚;»£:Jb†öÿcÂ2üâ' í½dn”»†õ¥ÂJz]è°^kSâ…v‡Æ¤>fÊýQÌ’Ñ飺˜N•½º%ÞAäÙiÁO…Ûoñ­¢/ÝvÙŸHMpÿdÓ.š8yиæâ<·ûÌTêüÈÏöé]øÝYØzÔ0óYJöÊVêôøÿ¦/=¢W"ýÓ:Cè¡Êà^+ósZ…íôqÜvOø$ÕiÚøVýq${zìxŽÊ«Q‘c²ârÞQ¨Uz™F`Ô4ùjþ1gæ\xEŠ „ûɘÄEÕ¬«‰~*U;³Ù ¿É› Ô0a¸­¦û[ßÅräÛ%Ó\qŸž]£÷Àëð|O-FêkÞ‹³€'‰Qö.ÊÂTqëÚĵ¦Îš)RžcÀ¾ôßØDã“V¶¢Ååž5yÔL ùR„wOƒùͳ¬¯ãƲ¹ûx¥óuj2a™ dêMèaÁxö³]&e9õ};ªÄqÜm–íʳì $j´’V¢_yŸ¹6€W 3‚èíRõѹc§EsšN1}œÇ‹”Çžácž!\°­1£,,ᄬ¨\XMÔ›ÖÁ€DÊŸ&ë«~9F=Þ'KJk®©YGŽ¿¸éí s¬zÖÃÔcü„Xnú°à¬KNT‡E}Í®¶ˆjYMr5†Ò™NgeƒËÝ Ë ªòÒ •õ¼š3÷1¨vypæËj6µ}åI_ói­EÅÎq¸'½ šþñ+„žb2ä÷R…‚¶~UÞci„eù‹Pz©k!ïÊ×2oˆáûv)³!> ­ZJ®‰ÙGj]ÙîWðH:‘”·Y«äMŽ˜‚Ïéì©qîmuëO#/3K®ÈíöiEpë×3ä‡ÔO@â0¡á‹5!³ÑŒ¯ Ü8ßï;*UbÊS”ßÖq—2,Â#h=ÕM x'üÁROª…ÙB!É<Áq ݘ87¥3üB$ò:ÿÕzÆOE:óP¶%õŠkÄ´{@æÿíÿ€ÿ -ÀÝÏói<ÐÿiŒö?ÞXª­endstream +ÀÝÏói<ÐÿiŒö?9—ªŠendstream endobj 626 0 obj << /Type /Font @@ -5869,14 +5867,14 @@ endobj /FirstChar 2 /LastChar 151 /Widths 1331 0 R -/BaseFont /WTCFEX+URWPalladioL-Ital +/BaseFont /KFBBOJ+URWPalladioL-Ital /FontDescriptor 624 0 R >> endobj 624 0 obj << /Ascent 722 /CapHeight 693 /Descent -261 -/FontName /WTCFEX+URWPalladioL-Ital +/FontName /KFBBOJ+URWPalladioL-Ital /ItalicAngle -9.5 /StemV 78 /XHeight 482 @@ -5896,16 +5894,11 @@ endobj /Filter /FlateDecode >> stream -xÚíUkTgnõJÀ+Å€€¸ -æ2@ Š, „‹ŠT†dBI& (— -A@0¨P¹TZ)­`åb°¢àY#BAn¬\uÝôØ¥?wíÙ™?ó>Ïó½ß3Ïûó™™xxœØHì‚ÅÒg7ïC ‰dœ™™3 -Cb"܉aÚÛƒ€“$©ÙŽF!Ó¨v83À ‹DyÁ\1`áüÙ¢ÈpÀ( 7HÌ…XļG'>ðZ\!¼`ŒFÀl"6%‚à`žGZtÄrÀnfKÂÞQ0*ÂL˜ÉÏÌ"ò#6ÌÁ‘Ül/sòß0µ²¹‹„Ïw‡‹í—Rú xüÈ· -D&Ã(à†°aT¸Rê /›sƒÙ<‰`%ËC|ËİhC$[S— žÈ…'…Ù<1‹ p ¾^Âa!{¥,¾%#$ŸCîû]=­ÞÎu‰ô€xBñÈ0 ¿W/ÕàûK åI2‘L1!ö¾û -X±ÙBÂæ ƒ -Õ€PŠÄa'«¨@4ð„lX -ÀRÌ1‰(DÄØ‹&à (nq¬ 5@bñPf-NM¼È.T€„eÿ"S0 …X0æü¶~ /ý=n‹áúÀ2ÀV¨ˆ‰¸K🃣Ói4bìm±A[ÀÎŽóoB–Ea¡xélbñ¿«9ß87Ø­½ÑÒ뤥éf»Þ šnÂG<éÜ:Y—wc'kâö}W†^ä’f®à8jMC³qœ…ÂÊsÄ©åžJyLŸ=¿ž™Þä/}jœjšbö¼Õ»\:“kýÛ­0MüÝÔ±Œâ™¯™Z¸&cúõ;ò¤JRfüÞFcW£¶GÖÜW›Û¬ÜeŸ“­W]©5hy|ð—*0åJssYì‹r(´ &×xÏÓ¨ðïëwÎÄgÄ¿¬>}èYi½\»»^ÔÝu¯×9óe¡–{‡FÅMruVVË=1FÂÛttßÙ[ú(^ðŽÁw_{Ôà2˜ËkŒ–áÁã×Ã(Z¦².;#ó¯|^1V—¯•Xl•\ŠK¤õ«nvvTãGrb“Œ4½Üàk 0Žo_eÙ¼QV§×SsV&ïÓ1ÖìWfEé)Ld•â@çŒölfz†G€»§ß—qGšó’˜ÏÕê¾Ïʳ;ƶ$Œùª“'Z_NXM‰Æ½µi—ºJýR Í#áK Ž63šNåg׫ -$§ý&Ýïâ.nar67j*õÜ?L_Æ þ>ùýÆ¢ÂOÑ–CÈ­}Ù3q#n'˸ϕÌ:‡ê2cb¯ý¸]ROHΕ%µ+×<Åß´ì<¼ïÅ8<.ëhø˜‰‡†.³\vÅA;!A æºn¡,dv‡N„æü³R1-l5¢~ê‘®éݺcÏäÇÚ— ¼FNíøIM±”´~Ws€ø`ºúà¦7™>Ï;èú¹Ÿ„þMwÖOý*úK_‹¾ª®îèéήdßXWÓ¹viÊåÔÆíÝ„»²™'ûöÓ]ÏhôÏɵV'•Ç²;BêmиC’ž˜l/^·`m`onçòøàþßà¢vuC¨@h(î_$/þyendstream +xÚíU}8Tùß­gYC¯VC¨Cײ4/gÖ(eX5»/‘Í1sÆ 3s83£Á†‹ÅŠŠÍKØìfíö‚‹õÒhSôl“XòVS4C´y­uêi¯ýóÞ¿îsÏùç|?ŸÏïûûœÏ÷÷$â.Á ŽNG¤1Š=@°·Å~m;;êѲ$( + ÅKg‹ÿmÍáa#ƒa)ÌÂõv#,‡¤Ð¼êäŠØÏÎÝþþ’Ö‹¶Ju¯f³_ml>}Ô‡zÖË$D\:Z¬¼r\ŽSèÎr8©‹^6ÈðHÿrºD÷•´¢r¿¬xj±Ç•˜&[óÊÊ|”!8pªàk¥!­ }xæ›mÛ{§·Åµéœe«èþç绵7ZzŸ°4Ýl×{^sàýMø¨Ç['kãò®ïdMܺçÆðÄ‹\ÓÌGíàihö.©PXy8µÜU)è³ç×3Ó›¤OŒSMSÌžµú”KgÒb c~¿®‰¿“:–Q<óS ×dL¿6p[žt]IÊŒßÓhìfÔöКûrs›•‡ì£ò õª‹#µí¡öÿ\¦¼Vin.‹}^…Ôä»<‰Žø®~çÜ~|ÆQâÕ§>-­—kw×뺻îö:g¾(ÔòèÐH£¸K®ÌÊj¹ÇÇHøáq›ŽîÛ{JÆ ÞÓ1øö+¯À\r}¥‘Ñ2ù%ÜûùÒïüm¨t2b}þÕ›ò«r¢+¡u¢µÿf‘-UqäÁ¤òZåõ1Ià sIy‹²?át; 4Ï÷Âjfë²ÊâQUScOÝ|JРh!º«¨ú˜6ržºŽW8LV–Ð>õÙûkUÌ9áôü—“¤×‰ÝÏ5êZ¥Fe¾ôª”©é­Ö×[=³Ú‡˜ƒz²9+K:¥zdo3H³ßÝo¸Ã…3wþw©}˺q_EbŒ½ŽwH£3ÎòC'?ÝiÞýŠ›ÿô˜FLŠ|¸ˆŽO\pOµJ¥>eN»'¬#Ö¦ÿÕcW¡2%y>rKþеƊ]òÍ>-ìŽm˜mz™h¡ú&³ÊÓtµqqßBI%@ß6\¬.ø€$Þ^6à¡O¥±&>-Jhèˆð˜ë’ä4ä&äxÈ/G“3—"Å~­6:åø➘K¢î p´Q[MCàí¿§:éZ7sç.œZ_(sS­ŠÑì3нÓéZ6ªÛºPËÞÝrkÔ1tÈ骖$˜ß¦ùÓ‚Ì¿)$øûæ¥kÎØlHDLrÒÇ» ¶ë®Ë6ÚCâððáMóøÇÔ³[½mǧ²iNùM‡Åã˜s&?|}X5°6bôç¾}U]ÝáS]ɾ±n¦síÒ”ÓÊ©;Û» Çwe31Nô}Nw;­Ñ?'×ZTËî­·AãJzŽf{kôʸkƒzs+8ïéÿÃ÷ÿÿ °«BňBÃpÿ€Êþ„endstream endobj 616 0 obj << /Type /Font @@ -5914,14 +5907,14 @@ endobj /FirstChar 13 /LastChar 110 /Widths 1333 0 R -/BaseFont /VYNJLQ+CMSY10 +/BaseFont /ZXDORX+CMSY10 /FontDescriptor 614 0 R >> endobj 614 0 obj << /Ascent 750 /CapHeight 683 /Descent -194 -/FontName /VYNJLQ+CMSY10 +/FontName /ZXDORX+CMSY10 /ItalicAngle -14.035 /StemV 85 /XHeight 431 @@ -5945,7 +5938,7 @@ endobj /Filter /FlateDecode >> stream -xÚ¬¸c”$Z°%\]¶Í,Ûv—m›Y¶­.Û¶m»»lwÙÕeÛõõ½oÞ¼Yoæ×|ó#×ÊgÇŽØqb­LrbEz!S{c ¸½ =3@MYCÑÈÆÆÈÔÒ^–^ÙÞÖð×ÌKN.â4r±´·5rò4€¦Q  €…ÀÌÍÍ K±wðt²4·pPýÅ ¦¥¥û/Ë?!cÏÿôü½élin øûÅ hcï` ´sù ñ}Q¸Xf–6@€ˆ‚¢–”¼€JB^ ´:Ù]m,M²–&@;g 5ÀÌÞ `󀉽©å?¥93üÅrœ€&–¯=L€ÿ¸è@'[Kgç¿ß–Îs'#;—¿=p±XڙظšþCà¯ÝÌþ_BNö#lÿúþ‚)Ú;»8›8Y:¸þfUÿž.F.ÿäv¶üëØ›ý4µ7qý§¤}aþz]Œ,íœ.@—r¦–Î6Fžsÿsp²ü—†«³¥ù1 8ÍœLm€ÎÎaþbÿÓÿªð¿Toäà`ãùïmû£þ'Kg ,3Ëßœ&.s›[ÚÁ2þ3*Rvföf¦ÿ°›º:ü§Ï èôoƒ¨þ™ê¿$ŒLííl<¦@3XFy{—¿)Tÿw*3ü¿ùÿÄÿOþ"ïÿ?qÿ»FÿË#þÿûžÿ;´¸«¼‘-ðßK€ÿÜ1YÀ?KÆî‹6²µ´ñü?Åÿ÷H àü?ÂH¹ým…ù_9˜˜þÃhé,né4U´t1±˜ÙüíÓ¿v5;S “¥ð¯žÿ¶@ÏÌÄôß|ª–&Övÿ4žý?\@;ÓÿÎý¯Dÿ2gQT•¢ýßwê¿qŠµwQõtøKí”"goú?ÿ  Û{¼é™98ô,\¬Ÿ 3€›Õ÷ÿñ_ æÿ:˹8Yztþ–ÍÄüoñÿãó_'½ÿ#fgboúÏ´¨¸Ù™þ°ÿiøÇmâêäôW×ßüߢÿóüï¨@ØÕßö&¼ÁVéY.õXyÓ¢:¿ú™Á†CÊšT‹ jíûüÓÃw¸« ßëBš§y>;<—N>¤iþŒöcÚPö¥/ ð}I©¢lRtqÒþ bÔ/CÈ8Óˆö¾Z”Ý×æ`Rÿ³;©¤¬_úI0ÝÅê}õD@êV€Nöè€èg’Ö‡ÑÜ ‚Z_tzF‘tüôH9862<Ôwñó67†œ× "*À1OP[­R¬ºM½}¯O‡ÓØO|íCZÁ7$«åiyĤ2õÒjŒr<(+ð“yŸ^kx«¡×fR—/1u#t=ì:²ÕâQ}j%¶³v“ðUâýK+ÖcÌcûùÑPƒoÌZò›öíN®s€Ê‰òIÍwξ‘Ë—‰ï qu¿·[!“´¤Zv'@0³Äëzb^Ù·ÑH.F>O59T]U65VÐúO[’t& xUBµ%\£¬bíòg #Q¼÷Ì5QCöö³l~ËN«ÙÉJð¢ƒUˆmAÉyjÒ7ÒÇÇÍÑÆh|ÂëU:áñ‹äGÑýiæ·:Ò|ÓJ´ß8c©Tò@`Xx ÔþD•©KB§#…t*&]³²S½À¤y{~Ý.Ó{7Ñ+=g&Ç3îxÄ©I6 ³»šˆË!µgR ƒTä#X*¼J3Êû5нª +xÚ¬¸c”$Z°%\]¶Í,Ûv—m›Y¶­.Û¶m»»lwÙÕeÛõõ½oÞ¼Yoæ×|ó#×ÊgÇŽØqb­LrbEz!S{c ¸½ =3@MYCÑÈÆÆÈÔÒ^–^ÙÞÖð×ÌKN.â4r±´·5rò4€¦Q  €…ÀÌÍÍ K±wðt²4·pPýÅ ¦¥¥û/Ë?!cÏÿôü½élin øûÅ hcï` ´sù ñ}Q¸Xf–6@€ˆ‚¢–”¼€JB^ ´:Ù]m,M²–&@;g 5ÀÌÞ `󀉽©å?¥93üÅrœ€&–¯=L€ÿ¸è@'[Kgç¿ß–Îs'#;—¿=p±XڙظšþCà¯ÝÌþ_BNö#lÿúþ‚)Ú;»8›8Y:¸þfUÿž.F.ÿäv¶üëØ›ý4µ7qý§¤}aþz]Œ,íœ.@—r¦–Î6Fžsÿsp²ü—†«³¥ù1 8ÍœLm€ÎÎaþbÿÓÿªð¿Toäà`ãùïmû£þ'Kg ,3Ëßœ&.s›[ÚÁ2þ3*Rvföf¦ÿ°›º:ü§Ï èôoƒ¨þ™ê¿$ŒLííl<¦@3XFy{—¿)Tÿw*3ü¿ùÿÄÿOþ"ïÿ?qÿ»FÿË#þÿûžÿ;´¸«¼‘-ðßK€ÿÜ1YÀ?KÆî‹6²µ´ñü?Åÿ÷H àü?ÂH¹ým…ù_9˜˜þÃhé,né4U´t1±˜ÙüíÓ¿v5;S “¥ð¯žÿ¶@ÏÌÄôß|ª–&Övÿ4žý?\@;ÓÿÎý¯Dÿ2gTÑÔ’•W ýßwê¿qŠµwQõtøKí”"goú?ÿ  Û{¼é™98ô,\¬Ÿ 3€›Õ÷ÿñ_ æÿ:˹8Yztþ–ÍÄüoñÿãó_'½ÿ#fgboúÏ´¨¸Ù™þ°ÿiøÇmâêäôW×ßüߢÿóüï¨@ØÕßö&¼ÁVéY.õXyÓ¢:¿ú™Á†CÊšT‹ jíûüÓÃw¸« ßëBš§y>;<—N>¤iþŒöcÚPö¥/ ð}I©¢lRtqÒþ bÔ/CÈ8Óˆö¾Z”Ý×æ`Rÿ³;©¤¬_úI0ÝÅê}õD@êV€Nöè€èg’Ö‡ÑÜ ‚Z_tzF‘tüôH9862<Ôwñó67†œ× "*À1OP[­R¬ºM½}¯O‡ÓØO|íCZÁ7$«åiyĤ2õÒjŒr<(+ð“yŸ^kx«¡×fR—/1u#t=ì:²ÕâQ}j%¶³v“ðUâýK+ÖcÌcûùÑPƒoÌZò›öíN®s€Ê‰òIÍwξ‘Ë—‰ï qu¿·[!“´¤Zv'@0³Äëzb^Ù·ÑH.F>O59T]U65VÐúO[’t& xUBµ%\£¬bíòg #Q¼÷Ì5QCöö³l~ËN«ÙÉJð¢ƒUˆmAÉyjÒ7ÒÇÇÍÑÆh|ÂëU:áñ‹äGÑýiæ·:Ò|ÓJ´ß8c©Tò@`Xx ÔþD•©KB§#…t*&]³²S½À¤y{~Ý.Ó{7Ñ+=g&Ç3îxÄ©I6 ³»šˆË!µgR ƒTä#X*¼J3Êû5нª %É‘÷Q•£,ň;0º3êì¾fC|³%œQ™”îflh`ÒRsšÆ‚w›sÅ‘X§¢uü-Í ÙTÙ ˜ªès´¡ûÌN£Ð2¸iɱ½õx!:Î<”?%x¡yƒMŸ9¼Ñ¸¬#ØÌ4ìÛfÙì¢_"Ì:õ¡ÒE“ Èüñþ“_º¸–rkÕ—<éñ£äQåÜ‹*£:½'&ܳ´H’B“%C–·&`wŽ$a"Q´-@”Ç-?ŸòxccÅÿ“w×wGW™v™4;ÌRC“  ¨Ž\]“.ü\°ß5_Ë*Ù7†·w¡.r.†把zÙf’9p¥¥JÛÕŸ—þLÔ‹1œÐÇ5-ÌÝ€i*¡²Þß=#€–—cþ ¼ JgLú§ooGâC12¢)Œ.ì)0·»b›Ì)7ühøÏ´åÚi{Œ¼ ÒŠnèˆ({ßø^4­nÆ*n–¨s¼-ø÷VkHÛì“äù&Ö{‡–…nªNzË,¯CZ‹ì%ø½EMEÂîy."6¦ˆÜBú<Œq°)ì LD­þçxä ÂÜA¸Ò…¼¶üæ¥Ê×öŸ¾z¦SÁ‘,#¸º!6cc d­cu!2?Ü1=ú뛇‹Wûµ·,ÿô‹§…)ÝÐÌŸ$Ê-Æ6†˜þÙÞ¦ÿDÊ|(ØufË«‰4ú]á4Ê®ò\¸†ÑóÆ°íkÑ$i@–WÏ_ÏíÕµB¿„G5µ2c?L?~pÉ÷’¬Ÿ¸¿áQÂl4^”ê[‘^W¢ ú'iM¼¶ˆ€UxìÑ[Ü1­.yM< üDðWà:Hÿ]³ô^¥ŒnKGCA @@ -6043,7 +6036,7 @@ N £9ªåJdŽ²k¬û¡!î—yOßËHg´¤½ð>pèÓrR¡”|fwÐÜ)‰ß©éËÈíª6ÞÛÀ“Ç*i}J.âÙ¨œE‡ÆöqÿŒ0ÿ|Ñö*–fÕ$% þ¶6É™ÑÖZùQX;]Ÿu¬ïë:«\Ò†¡é±CµÐBkÕÔÊÝTÕ¡Á™•ŠG’ót¾€‘4Þ¨4ìöš¦Á½œ€w?Ìá›Bx[R eßÏA‹üúG4)óÖm½ïËä£ÄW®¡„»{&8V^›v”TxBÓ‹‹"[“¡XÀ¸”Tò€Öiøð;ÅÈçæ=Ú‰]r–R Ô³{6ð¤Ã‘¹„5šöÞæÜ(Fƒu«ú¸ìtÈæõí’ŒÏý­çâ–ý”wKB§:"Ñ‹´øT>+ÈŠ v",Ú¦d] £³\Bù›‰—¢IÑAÚ‡u5:)¶±ç«ei9c;“Ock¤ÒýcT9„»·¹ äøâlˆ‡Ùæ6øй¢ÚÓÌÓ¶ W4ŸÞç†(œ$<ç,èT-Ikñ¬qS\øïˆÁÀÌê™â Tb©¯ £¾¹†¢Eâd¹u’\ hajˆ±èÀöµÕß½ÏK œK§é.à*wã7E]Š½Ú–…:Ê‘«â­ß¥¿áØÒc¸ûŽEýª’|¸$\Š\Š?‚¿µj*ˆM?žãY‰þôÁ„ÖæÖ0EØéòRçl¾¢Øÿ›…r‰od:‰Æçu&Ù¤CÑ*¥Í¯Ý%|У ð‹¥Îtª$]$2Tk!𠟬¨ <|þœýÿÒÿ€ÿ -ÀÜ`êêîä`êj‡ôìƒ÷Ëendstream +ÀÜ`êêîä`êj‡ô(øendstream endobj 608 0 obj << /Type /Font @@ -6052,14 +6045,14 @@ endobj /FirstChar 2 /LastChar 151 /Widths 1334 0 R -/BaseFont /ACPTNA+URWPalladioL-Roma +/BaseFont /SXYLNO+URWPalladioL-Roma /FontDescriptor 606 0 R >> endobj 606 0 obj << /Ascent 715 /CapHeight 680 /Descent -282 -/FontName /ACPTNA+URWPalladioL-Roma +/FontName /SXYLNO+URWPalladioL-Roma /ItalicAngle 0 /StemV 84 /XHeight 469 @@ -6079,7 +6072,8 @@ endobj /Filter /FlateDecode >> stream -xÚ¬´ct¦[´%VìTŒ76ß bÛ¶mÛ¬ŠmÛ¶SqR±mÛÆWçܾ}{Üî_ýõgŒg/Ì5ךko2"y%:c;CQ;[g:&zFN€Š¢š¼µµ±…4 µ1௙–ŒLÈÑÄÀÙÂÎVØÀÙ„ fb 6103˜888`ÉBvöŽfæÎÊ¿T44´ÿeù'`èñŸž¿™Nf¶ò¿?®&Övö6&¶Î!þ¯•LLÎæ&S k€œ¼†„¬€RLV fbkâh` w1´¶0H[™Ø:™PLíÖÿqÙÙ[üÓšý_,'€ÀÉÞÄÈâoš‰»‘‰ý?.Z€½‰£…“Ó߀…ÀÌÑÀÖùï œí¶FÖ.Æÿøk7µû—½£Ýß›¿¾¿`òvNÎNFŽö΀¿Uå…Eÿƒ§³¹ó?µ,þºv¦#íŒ\þié_ß_˜¿^g ['€³‰»ó?µ MÆNöÖkÿ³w´ø—†‹“…­Ù1 8š˜8[›89ý…ù‹ýÏtþ«OÀÿÒ½½½µÇ¿ÙvÿFýOÎN&Ö¦ô°LÌk9ÿ­mfa ËðϪHØšÚ˜ÿÃnìbÿŸ>WÇDùÏÎPý%a`lgkí061…eµsþ[@ù§2ýÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹ºX[Ëؘü›øÏ7 øç‘ùß‚ l,¬=þOáÿ=RÍä?8þŸP$œ þBÀÖ쯌ôŒÿa´pµp71–·p62˜XÿÒ¿v[cGk [“¿jþ;H#ãó)›[YÙþ3vÖÿp™Øÿwêú—8ƒ°€œªœÍÿþ¢þ'ÿWygeû¿ÔþG'2vÆÿóðŠ  ;À‹Ž‰•@ddú{áþòá²úü*þ Äô_ggG w€Ö߶ÿfþÓüÿøþë¤óß`DlìŒÿÙ%g[ã¿ëõ? ÿ¸\ÿªúïÿÛôžÿ]tw#Ø•E;#®`ËÔŒ4çZÌœ¡qa­¾^&ð¡û’åÂ|ÿj»¿Ô_Ûúï5!ô“œŸm §öû’Ô#½Ö=É&—yx>$T¿óQ6È;ØitKÒÎÔ"½®æ¥· 4ÙUvÆu‹ß¿áOv¡¯ž¨üI\óýÑIí}Rêc¾w"7‚ Öœž‘'?=R Œ öÜ@þÞǥɎ!ãr…@ ðwÈÆåÓT)©l¤¼lˉ0æÞ»oÎ^(jÈÙOx­AñÁ'‰YŸ9ã^$ÄLòº¥YÒªžU+ÖÛãŸê²ñ¦iN^|à=_ S˜'a…´?“5tD'c{…ßðØ×O ð¹€N$ÏÒ)'²TeÓ9ÍSæÕÜÜÌô¿;ò`‚óP~G¥aþFª°£3ëÐnÎôÖ¦tÍÓ‰‹w>þaMg¹Û|™2?h£ØY5º´0< §m«¿•“è0Oƒo'r•z¶Òý´`“~œZ“§V†¡\U[MΤo8À5°±nùaV—½õ&—Éíã#z'&Xü«g&(ÑU¢Àήºœ.Z/¯‘4D˜pRïíåf%5fpt: ݈K@ÉÝ8²XÎŽÿiœ$ó§"‘ò80ã{p¦¬9H7Ê$rKø6Ô9¢»´éÀí¯oRoùÖy5Í|3VÁ=ìM“,d+G÷[’â]\ZZü.‡ GLîG~Ú \fžm"(„¤\éÐœ„†ËcÕX¬"™ZÃ5CåjstÏ[«ZªëujÒÉ~àÆýGµ±ö¬Ë]é¦pùÌ|_ª—õœ^¥Â²úî]໾­@Ko‘§_[,÷1ka´ÙoÝ‘šTô׺"Û›bzte`> +xÚ¬´ct¦[´%VìTŒ76ß bÛ¶mÛ¬ŠmÛ¶SqR±mÛÆWçܾ}{Üî_ýõgŒg/Ì5ךko2"y%:c;CQ;[g:&zFN€Š¢š¼µµ±…4 µ1௙–ŒLÈÑÄÀÙÂÎVØÀÙ„ fb 6103˜888`ÉBvöŽfæÎÊ¿T44´ÿeù'`èñŸž¿™Nf¶ò¿?®&Övö6&¶Î!þ¯•LLÎæ&S k€œ¼†„¬€RLV fbkâh` w1´¶0H[™Ø:™PLíÖÿqÙÙ[üÓšý_,'€ÀÉÞÄÈâoš‰»‘‰ý?.Z€½‰£…“Ó߀…ÀÌÑÀÖùï œí¶FÖ.Æÿøk7µû—½£Ýß›¿¾¿`òvNÎNFŽö΀¿Uå…Eÿƒ§³¹ó?µ,þºv¦#íŒ\þié_ß_˜¿^g ['€³‰»ó?µ MÆNöÖkÿ³w´ø—†‹“…­Ù1 8š˜8[›89ý…ù‹ýÏtþ«OÀÿÒ½½½µÇ¿ÙvÿFýOÎN&Ö¦ô°LÌk9ÿ­mfa ËðϪHØšÚ˜ÿÃnìbÿŸ>WÇDùÏÎPý%a`lgkí061…eµsþ[@ù§2ýÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹ºX[Ëؘü›øÏ7 øç‘ùß‚ l,¬=þOáÿ=RÍä?8þŸP$œ þBÀÖ쯌ôŒÿa´pµp71–·p62˜XÿÒ¿v[cGk [“¿jþ;H#ãó)›[YÙþ3vÖÿp™Øÿwêú—8ƒŒ’ ¨¸ +Íÿþ¢þ'ÿWygeû¿ÔþG'2vÆÿóðŠ  ;À‹Ž‰•@ddú{áþòá²úü*þ Äô_ggG w€Ö߶ÿfþÓüÿøþë¤óß`DlìŒÿÙ%g[ã¿ëõ? ÿ¸\ÿªúïÿÛôžÿ]tw#Ø•E;#®`ËÔŒ4çZÌœ¡qa­¾^&ð¡û’åÂ|ÿj»¿Ô_Ûúï5!ô“œŸm §öû’Ô#½Ö=É&—yx>$T¿óQ6È;ØitKÒÎÔ"½®æ¥· 4ÙUvÆu‹ß¿áOv¡¯ž¨üI\óýÑIí}Rêc¾w"7‚ Öœž‘'?=R Œ öÜ@þÞǥɎ!ãr…@ ðwÈÆåÓT)©l¤¼lˉ0æÞ»oÎ^(jÈÙOx­AñÁ'‰YŸ9ã^$ÄLòº¥YÒªžU+ÖÛãŸê²ñ¦iN^|à=_ S˜'a…´?“5tD'c{…ßðØ×O ð¹€N$ÏÒ)'²TeÓ9ÍSæÕÜÜÌô¿;ò`‚óP~G¥aþFª°£3ëÐnÎôÖ¦tÍÓ‰‹w>þaMg¹Û|™2?h£ØY5º´0< §m«¿•“è0Oƒo'r•z¶Òý´`“~œZ“§V†¡\U[MΤo8À5°±nùaV—½õ&—Éíã#z'&Xü«g&(ÑU¢Àήºœ.Z/¯‘4D˜pRïíåf%5fpt: ݈K@ÉÝ8²XÎŽÿiœ$ó§"‘ò80ã{p¦¬9H7Ê$rKø6Ô9¢»´éÀí¯oRoùÖy5Í|3VÁ=ìM“,d+G÷[’â]\ZZü.‡ GLîG~Ú \fžm"(„¤\éÐœ„†ËcÕX¬"™ZÃ5CåjstÏ[«ZªëujÒÉ~àÆýGµ±ö¬Ë]é¦pùÌ|_ª—õœ^¥Â²úî]໾­@Ko‘§_[,÷1ka´ÙoÝ‘šTô׺"Û›bzte`> :ÿ¦ÐüÈ­?š¼dOQ7ÿVK U ¸¹S=ýˆ»ü Ã^‹ Y¶>Grù‚£d„)Óâ~à|¿¥n¾`Ãc™·)áâ6‡.k¨A«!]Ýõ€=Úa ¦ë;”K–’+M̦ŽöæOloôRŒÃxcב›nÊ÷‰E·yöì¬ä2÷‹2O$2–bPoÑk#OóÐ)ä³%Õ°¹±y?‚E»@y¶žƒtù"ùë÷Q÷«}NC&ýjŸ/Ü3sÑ2?ávƒä­ë“ò $>–S²²ðNùMZ,T±‰p_š·ïI­"h|\9¢3Á†¥ßNÑÎØ›õº.æfL?ˆ’Çú«™ ΞӄŸÃ±‹&Æóý ½/6[Ékëãºv'Û°§le™ó[{6ál»Yžt–Û( å"mѦÛð?ʬJÙÛU8FØÙ•1Ò«˜¢ÿ½O)S-ylвÁ¡tU®dq7{Šgq©SÄtî£"Ñë ü_I=sO6‘v°‰X!Åó>]øÑ*饳šú‡­«‘N~PCfTØ…{ŠdÚ¤,#os?…©¬· Š ¯Uögqlö8Ä k¶Ó&'ë¼gm¿_rƒð ”û 4q&Ï¡pk€?*¸RêÈ[^¼¦»¬5ì(@.{¬…#ÔÌ´¾$Dõù,­MÈЫՈÏ @@ -6174,7 +6168,7 @@ G ­\^Élxχ¾PÙ´[äS®ãEhsŽаÂÜ]5:zÕÐSSœUÌï^F€kv»¥’ ã{'˜áÿ¸´–1¼Mwô‡êýê'‡u-ËÅ1sÜQ& ö¦X£…#!z×è‡_QËsŠÑ•ÜÕ_‚ÜS8^íÞÙLóŪUµwg$T´8ý™Gÿ¥`ïç4ß$.¢ŽüpdÞé5¸á-pÏÎH¦å’àRm…ìÝÒ€”S± Ô¢æ–[¶Ø„K'ÓÉåv;ôs'ˆdž“¯¯uè÷–WhU/RŽ¨ËöÓ¯%ØãkûŸ-ò„Ï däœ|UNò©‡Ñùƒ,Ÿj˶ÙײèËæ‚, Lyªpò9\ åk„9ð/U ow âB+Dž^ÇC…óíò–ý•H½‰½ÍYáˆR]SžÈt¦¢z—Ðݶ”ö¸2¤õ·´ä¦ƒ¡áÉÜ’ë0ëwÄæ>ëøõ€Q)ßUœÆà© ¿¹ßŽ^ƒV=öVlƤ¶š¿)ÒIî«8@+Œ"«Wã@£óíÊ Ñ.œ­’u&—lP1% "ÒïÂ¥Á%„èòñÂátÑ»‰šqȃ¡AÊäÖôè­×“\AbâäÁ´þ²±ü»ŠjkLÆRýˆ™T÷¬óéê›áp2ÙWYöj\Ýl=šqÍ?×Åzx”ICˆèïiNÊ]Ç6„/f“m!9Îqý›á‰Ô9Êbóä××Mö'âï‹4±¤¬\&Â&_ÓPØ&?Ñy©#Þ1Ô¤‘Ñg×K-ò9¬‹³8eÊâÙ‹Wëa¯,c©å„ÓÍ}¢Š'îOªw¦ñË\m#ÆWm桃à03 ´w€)Íû™ÁzÊê[Ê{‘[u¿üᥨ¢,ãq ¦f§1<Þcåεßâi.{Ý¥4z?}†ß *eÄ¿N›ùù1Éb1‰$ÁÄEçB´¥ØÍ5ÑN°…¿öxõè.Pÿ$Ž<|Gê'IÆ{𢋸ÿ´¦õ*~ #(<> endobj 603 0 obj << /Ascent 708 /CapHeight 672 /Descent -266 -/FontName /DAOVOK+URWPalladioL-Bold +/FontName /MSBFHU+URWPalladioL-Bold /ItalicAngle 0 /StemV 123 /XHeight 471 @@ -7400,7 +7394,7 @@ endobj >> endobj 1345 0 obj << /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords() -/CreationDate (D:20060727150631+10'00') +/CreationDate (D:20060831095457+10'00') /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4) >> endobj xref @@ -7412,595 +7406,595 @@ xref 0000000000 00000 f 0000000009 00000 n 0000019000 00000 n -0000470220 00000 n +0000470221 00000 n 0000000054 00000 n 0000000086 00000 n 0000019124 00000 n -0000470148 00000 n +0000470149 00000 n 0000000133 00000 n 0000000173 00000 n 0000019249 00000 n -0000470062 00000 n +0000470063 00000 n 0000000221 00000 n 0000000273 00000 n 0000019374 00000 n -0000469976 00000 n +0000469977 00000 n 0000000321 00000 n 0000000377 00000 n 0000023744 00000 n -0000469866 00000 n +0000469867 00000 n 0000000425 00000 n 0000000478 00000 n 0000023868 00000 n -0000469792 00000 n +0000469793 00000 n 0000000531 00000 n 0000000572 00000 n 0000023993 00000 n -0000469705 00000 n +0000469706 00000 n 0000000625 00000 n 0000000674 00000 n 0000024118 00000 n -0000469618 00000 n +0000469619 00000 n 0000000727 00000 n 0000000757 00000 n 0000028266 00000 n -0000469494 00000 n +0000469495 00000 n 0000000810 00000 n 0000000861 00000 n 0000028391 00000 n -0000469420 00000 n +0000469421 00000 n 0000000919 00000 n 0000000964 00000 n 0000028516 00000 n -0000469333 00000 n +0000469334 00000 n 0000001022 00000 n 0000001062 00000 n 0000028641 00000 n -0000469259 00000 n +0000469260 00000 n 0000001120 00000 n 0000001162 00000 n 0000031554 00000 n -0000469135 00000 n +0000469136 00000 n 0000001215 00000 n 0000001260 00000 n 0000031679 00000 n -0000469074 00000 n +0000469075 00000 n 0000001318 00000 n 0000001355 00000 n 0000031804 00000 n -0000469000 00000 n +0000469001 00000 n 0000001408 00000 n 0000001463 00000 n 0000034244 00000 n -0000468875 00000 n +0000468876 00000 n 0000001509 00000 n 0000001556 00000 n 0000034369 00000 n -0000468801 00000 n +0000468802 00000 n 0000001604 00000 n 0000001648 00000 n 0000034494 00000 n -0000468714 00000 n +0000468715 00000 n 0000001696 00000 n 0000001735 00000 n 0000034619 00000 n -0000468627 00000 n +0000468628 00000 n 0000001783 00000 n 0000001825 00000 n 0000034744 00000 n -0000468540 00000 n +0000468541 00000 n 0000001873 00000 n 0000001935 00000 n 0000036064 00000 n -0000468466 00000 n +0000468467 00000 n 0000001983 00000 n 0000002033 00000 n 0000037705 00000 n -0000468338 00000 n +0000468339 00000 n 0000002079 00000 n 0000002124 00000 n 0000037829 00000 n -0000468225 00000 n +0000468226 00000 n 0000002172 00000 n 0000002216 00000 n 0000037954 00000 n -0000468149 00000 n +0000468150 00000 n 0000002269 00000 n 0000002320 00000 n 0000038079 00000 n -0000468072 00000 n +0000468073 00000 n 0000002374 00000 n 0000002432 00000 n 0000040777 00000 n -0000467981 00000 n +0000467982 00000 n 0000002481 00000 n 0000002519 00000 n 0000041029 00000 n -0000467889 00000 n +0000467890 00000 n 0000002568 00000 n 0000002598 00000 n 0000044649 00000 n -0000467772 00000 n +0000467773 00000 n 0000002647 00000 n 0000002692 00000 n 0000044775 00000 n -0000467654 00000 n +0000467655 00000 n 0000002746 00000 n 0000002812 00000 n 0000044901 00000 n -0000467575 00000 n +0000467576 00000 n 0000002871 00000 n 0000002915 00000 n 0000048014 00000 n -0000467496 00000 n +0000467497 00000 n 0000002974 00000 n 0000003022 00000 n 0000053799 00000 n -0000467417 00000 n +0000467418 00000 n 0000003076 00000 n 0000003109 00000 n 0000056633 00000 n -0000467285 00000 n +0000467286 00000 n 0000003156 00000 n 0000003195 00000 n 0000056759 00000 n -0000467167 00000 n +0000467168 00000 n 0000003244 00000 n 0000003282 00000 n 0000056885 00000 n -0000467102 00000 n +0000467103 00000 n 0000003336 00000 n 0000003378 00000 n 0000061202 00000 n -0000467009 00000 n +0000467010 00000 n 0000003427 00000 n 0000003486 00000 n 0000061328 00000 n -0000466916 00000 n +0000466917 00000 n 0000003535 00000 n 0000003568 00000 n 0000068056 00000 n -0000466784 00000 n +0000466785 00000 n 0000003617 00000 n 0000003645 00000 n 0000068182 00000 n -0000466666 00000 n +0000466667 00000 n 0000003699 00000 n 0000003768 00000 n 0000068308 00000 n -0000466587 00000 n +0000466588 00000 n 0000003827 00000 n 0000003875 00000 n 0000068434 00000 n -0000466508 00000 n +0000466509 00000 n 0000003934 00000 n 0000003979 00000 n 0000068560 00000 n -0000466415 00000 n +0000466416 00000 n 0000004033 00000 n 0000004101 00000 n 0000071664 00000 n -0000466322 00000 n +0000466323 00000 n 0000004155 00000 n 0000004225 00000 n 0000071790 00000 n -0000466229 00000 n +0000466230 00000 n 0000004279 00000 n 0000004342 00000 n 0000071916 00000 n -0000466136 00000 n +0000466137 00000 n 0000004396 00000 n 0000004451 00000 n 0000072041 00000 n -0000466057 00000 n +0000466058 00000 n 0000004505 00000 n 0000004537 00000 n 0000075674 00000 n -0000465964 00000 n +0000465965 00000 n 0000004586 00000 n 0000004614 00000 n 0000075800 00000 n -0000465871 00000 n +0000465872 00000 n 0000004663 00000 n 0000004695 00000 n 0000075926 00000 n -0000465739 00000 n +0000465740 00000 n 0000004744 00000 n 0000004774 00000 n 0000079148 00000 n -0000465660 00000 n +0000465661 00000 n 0000004828 00000 n 0000004869 00000 n 0000079274 00000 n -0000465567 00000 n +0000465568 00000 n 0000004923 00000 n 0000004966 00000 n 0000079399 00000 n -0000465474 00000 n +0000465475 00000 n 0000005020 00000 n 0000005072 00000 n 0000083023 00000 n -0000465381 00000 n +0000465382 00000 n 0000005126 00000 n 0000005168 00000 n 0000083149 00000 n -0000465302 00000 n +0000465303 00000 n 0000005222 00000 n 0000005267 00000 n 0000083274 00000 n -0000465184 00000 n +0000465185 00000 n 0000005316 00000 n 0000005362 00000 n 0000083400 00000 n -0000465105 00000 n +0000465106 00000 n 0000005416 00000 n 0000005476 00000 n 0000084608 00000 n -0000465026 00000 n +0000465027 00000 n 0000005530 00000 n 0000005599 00000 n 0000087064 00000 n -0000464893 00000 n +0000464894 00000 n 0000005646 00000 n 0000005699 00000 n 0000087190 00000 n -0000464814 00000 n +0000464815 00000 n 0000005748 00000 n 0000005804 00000 n 0000087316 00000 n -0000464735 00000 n +0000464736 00000 n 0000005853 00000 n 0000005902 00000 n 0000091688 00000 n -0000464602 00000 n +0000464603 00000 n 0000005949 00000 n 0000006001 00000 n 0000091814 00000 n -0000464484 00000 n +0000464485 00000 n 0000006050 00000 n 0000006101 00000 n 0000095666 00000 n -0000464366 00000 n +0000464367 00000 n 0000006155 00000 n 0000006200 00000 n 0000095792 00000 n -0000464287 00000 n +0000464288 00000 n 0000006259 00000 n 0000006293 00000 n 0000095918 00000 n -0000464208 00000 n +0000464209 00000 n 0000006352 00000 n 0000006400 00000 n 0000099054 00000 n -0000464090 00000 n +0000464091 00000 n 0000006454 00000 n 0000006494 00000 n 0000099180 00000 n -0000464011 00000 n +0000464012 00000 n 0000006553 00000 n 0000006587 00000 n 0000099306 00000 n -0000463932 00000 n +0000463933 00000 n 0000006646 00000 n 0000006694 00000 n 0000102914 00000 n -0000463799 00000 n +0000463800 00000 n 0000006743 00000 n 0000006793 00000 n 0000103166 00000 n -0000463720 00000 n +0000463721 00000 n 0000006847 00000 n 0000006894 00000 n 0000103292 00000 n -0000463627 00000 n +0000463628 00000 n 0000006948 00000 n 0000007008 00000 n 0000108273 00000 n -0000463534 00000 n +0000463535 00000 n 0000007062 00000 n 0000007114 00000 n 0000108399 00000 n -0000463441 00000 n +0000463442 00000 n 0000007168 00000 n 0000007233 00000 n 0000112085 00000 n -0000463348 00000 n +0000463349 00000 n 0000007287 00000 n 0000007338 00000 n 0000112211 00000 n -0000463255 00000 n +0000463256 00000 n 0000007392 00000 n 0000007456 00000 n 0000112337 00000 n -0000463162 00000 n +0000463163 00000 n 0000007510 00000 n 0000007557 00000 n 0000112463 00000 n -0000463069 00000 n +0000463070 00000 n 0000007611 00000 n 0000007671 00000 n 0000112588 00000 n -0000462976 00000 n +0000462977 00000 n 0000007725 00000 n 0000007776 00000 n 0000115798 00000 n -0000462844 00000 n +0000462845 00000 n 0000007831 00000 n 0000007896 00000 n 0000115924 00000 n -0000462765 00000 n +0000462766 00000 n 0000007956 00000 n 0000008003 00000 n 0000123067 00000 n -0000462686 00000 n +0000462687 00000 n 0000008063 00000 n 0000008111 00000 n 0000126334 00000 n -0000462593 00000 n +0000462594 00000 n 0000008166 00000 n 0000008216 00000 n 0000128976 00000 n -0000462500 00000 n +0000462501 00000 n 0000008271 00000 n 0000008334 00000 n 0000129102 00000 n -0000462407 00000 n +0000462408 00000 n 0000008389 00000 n 0000008441 00000 n 0000135856 00000 n -0000462274 00000 n +0000462275 00000 n 0000008496 00000 n 0000008561 00000 n 0000140070 00000 n -0000462195 00000 n +0000462196 00000 n 0000008621 00000 n 0000008665 00000 n 0000153502 00000 n -0000462102 00000 n +0000462103 00000 n 0000008725 00000 n 0000008764 00000 n 0000153628 00000 n -0000462009 00000 n +0000462010 00000 n 0000008824 00000 n 0000008867 00000 n 0000156494 00000 n -0000461916 00000 n +0000461917 00000 n 0000008927 00000 n 0000008966 00000 n 0000156620 00000 n -0000461823 00000 n +0000461824 00000 n 0000009026 00000 n 0000009068 00000 n 0000159838 00000 n -0000461730 00000 n +0000461731 00000 n 0000009128 00000 n 0000009171 00000 n 0000163907 00000 n -0000461637 00000 n +0000461638 00000 n 0000009231 00000 n 0000009292 00000 n 0000167784 00000 n -0000461544 00000 n +0000461545 00000 n 0000009352 00000 n 0000009403 00000 n 0000167910 00000 n -0000461451 00000 n +0000461452 00000 n 0000009463 00000 n 0000009515 00000 n 0000171062 00000 n -0000461358 00000 n +0000461359 00000 n 0000009576 00000 n 0000009614 00000 n 0000171188 00000 n -0000461265 00000 n +0000461266 00000 n 0000009675 00000 n 0000009727 00000 n 0000175141 00000 n -0000461172 00000 n +0000461173 00000 n 0000009788 00000 n 0000009832 00000 n 0000178799 00000 n -0000461079 00000 n +0000461080 00000 n 0000009893 00000 n 0000009947 00000 n 0000182362 00000 n -0000460986 00000 n +0000460987 00000 n 0000010008 00000 n 0000010044 00000 n 0000182491 00000 n -0000460907 00000 n +0000460908 00000 n 0000010105 00000 n 0000010154 00000 n 0000185558 00000 n -0000460814 00000 n +0000460815 00000 n 0000010209 00000 n 0000010260 00000 n 0000185687 00000 n -0000460721 00000 n +0000460722 00000 n 0000010315 00000 n 0000010379 00000 n 0000189869 00000 n -0000460628 00000 n +0000460629 00000 n 0000010434 00000 n 0000010491 00000 n 0000189998 00000 n -0000460535 00000 n +0000460536 00000 n 0000010546 00000 n 0000010616 00000 n 0000193346 00000 n -0000460442 00000 n +0000460443 00000 n 0000010671 00000 n 0000010720 00000 n 0000193475 00000 n -0000460349 00000 n +0000460350 00000 n 0000010775 00000 n 0000010837 00000 n 0000195071 00000 n -0000460256 00000 n +0000460257 00000 n 0000010892 00000 n 0000010941 00000 n 0000200338 00000 n -0000460138 00000 n +0000460139 00000 n 0000010996 00000 n 0000011058 00000 n 0000200467 00000 n -0000460059 00000 n +0000460060 00000 n 0000011118 00000 n 0000011157 00000 n 0000205278 00000 n -0000459966 00000 n +0000459967 00000 n 0000011217 00000 n 0000011251 00000 n 0000205407 00000 n -0000459873 00000 n +0000459874 00000 n 0000011311 00000 n 0000011352 00000 n 0000214552 00000 n -0000459794 00000 n +0000459795 00000 n 0000011412 00000 n 0000011464 00000 n 0000218619 00000 n -0000459676 00000 n +0000459677 00000 n 0000011513 00000 n 0000011546 00000 n 0000218748 00000 n -0000459558 00000 n +0000459559 00000 n 0000011600 00000 n 0000011672 00000 n 0000218876 00000 n -0000459479 00000 n +0000459480 00000 n 0000011731 00000 n 0000011775 00000 n 0000226638 00000 n -0000459400 00000 n +0000459401 00000 n 0000011834 00000 n 0000011887 00000 n 0000227027 00000 n -0000459307 00000 n +0000459308 00000 n 0000011941 00000 n 0000011991 00000 n 0000230555 00000 n -0000459214 00000 n +0000459215 00000 n 0000012045 00000 n 0000012083 00000 n 0000230814 00000 n -0000459121 00000 n +0000459122 00000 n 0000012137 00000 n 0000012186 00000 n 0000233796 00000 n -0000458989 00000 n +0000458990 00000 n 0000012240 00000 n 0000012292 00000 n 0000233925 00000 n -0000458910 00000 n +0000458911 00000 n 0000012351 00000 n 0000012403 00000 n 0000234054 00000 n -0000458817 00000 n +0000458818 00000 n 0000012462 00000 n 0000012515 00000 n 0000234182 00000 n -0000458738 00000 n +0000458739 00000 n 0000012574 00000 n 0000012623 00000 n 0000237345 00000 n -0000458659 00000 n +0000458660 00000 n 0000012677 00000 n 0000012757 00000 n 0000240026 00000 n -0000458526 00000 n +0000458527 00000 n 0000012804 00000 n 0000012856 00000 n 0000240155 00000 n -0000458447 00000 n +0000458448 00000 n 0000012905 00000 n 0000012949 00000 n 0000243899 00000 n -0000458315 00000 n +0000458316 00000 n 0000012998 00000 n 0000013060 00000 n 0000244028 00000 n -0000458236 00000 n +0000458237 00000 n 0000013114 00000 n 0000013162 00000 n 0000244157 00000 n -0000458157 00000 n +0000458158 00000 n 0000013216 00000 n 0000013267 00000 n 0000244286 00000 n -0000458078 00000 n +0000458079 00000 n 0000013316 00000 n 0000013363 00000 n 0000247217 00000 n -0000457945 00000 n +0000457946 00000 n 0000013410 00000 n 0000013447 00000 n 0000247346 00000 n -0000457827 00000 n +0000457828 00000 n 0000013496 00000 n 0000013535 00000 n 0000247475 00000 n -0000457762 00000 n +0000457763 00000 n 0000013589 00000 n 0000013667 00000 n 0000247604 00000 n -0000457669 00000 n +0000457670 00000 n 0000013716 00000 n 0000013783 00000 n 0000247733 00000 n -0000457590 00000 n +0000457591 00000 n 0000013832 00000 n 0000013877 00000 n 0000251209 00000 n -0000457471 00000 n +0000457472 00000 n 0000013925 00000 n 0000013957 00000 n 0000251338 00000 n -0000457353 00000 n +0000457354 00000 n 0000014006 00000 n 0000014046 00000 n 0000251467 00000 n -0000457288 00000 n +0000457289 00000 n 0000014100 00000 n 0000014161 00000 n 0000254633 00000 n -0000457156 00000 n +0000457157 00000 n 0000014210 00000 n 0000014260 00000 n 0000254762 00000 n -0000457052 00000 n +0000457053 00000 n 0000014314 00000 n 0000014367 00000 n 0000254891 00000 n -0000456973 00000 n +0000456974 00000 n 0000014426 00000 n 0000014465 00000 n 0000255020 00000 n -0000456894 00000 n +0000456895 00000 n 0000014524 00000 n 0000014562 00000 n 0000255149 00000 n -0000456762 00000 n +0000456763 00000 n 0000014611 00000 n 0000014668 00000 n 0000255278 00000 n -0000456697 00000 n +0000456698 00000 n 0000014722 00000 n 0000014769 00000 n 0000259792 00000 n -0000456579 00000 n +0000456580 00000 n 0000014818 00000 n 0000014880 00000 n 0000259921 00000 n -0000456500 00000 n +0000456501 00000 n 0000014934 00000 n 0000014989 00000 n 0000271573 00000 n -0000456407 00000 n +0000456408 00000 n 0000015043 00000 n 0000015084 00000 n 0000271702 00000 n -0000456328 00000 n +0000456329 00000 n 0000015138 00000 n 0000015190 00000 n 0000015544 00000 n @@ -8008,20 +8002,20 @@ xref 0000015243 00000 n 0000015666 00000 n 0000015729 00000 n -0000453307 00000 n -0000428475 00000 n -0000453133 00000 n -0000427410 00000 n -0000401373 00000 n -0000427236 00000 n -0000454305 00000 n +0000453308 00000 n +0000428476 00000 n +0000453134 00000 n +0000427411 00000 n +0000401374 00000 n +0000427237 00000 n +0000454306 00000 n 0000016450 00000 n 0000016265 00000 n 0000015877 00000 n 0000016387 00000 n -0000400688 00000 n -0000398543 00000 n -0000400524 00000 n +0000400689 00000 n +0000398544 00000 n +0000400525 00000 n 0000019625 00000 n 0000018815 00000 n 0000016535 00000 n @@ -8029,25 +8023,25 @@ xref 0000019061 00000 n 0000019186 00000 n 0000019311 00000 n -0000397689 00000 n -0000377331 00000 n -0000397515 00000 n +0000397690 00000 n +0000377332 00000 n +0000397516 00000 n 0000019436 00000 n 0000019499 00000 n 0000019562 00000 n -0000376402 00000 n -0000357074 00000 n -0000376229 00000 n -0000356331 00000 n -0000339607 00000 n -0000356158 00000 n +0000376403 00000 n +0000357075 00000 n +0000376230 00000 n +0000356332 00000 n +0000339608 00000 n +0000356159 00000 n 0000024243 00000 n 0000023061 00000 n 0000019749 00000 n 0000023555 00000 n -0000339072 00000 n -0000322155 00000 n -0000338888 00000 n +0000339073 00000 n +0000322156 00000 n +0000338889 00000 n 0000023618 00000 n 0000023681 00000 n 0000023805 00000 n @@ -8085,7 +8079,7 @@ xref 0000034556 00000 n 0000034681 00000 n 0000034806 00000 n -0000454423 00000 n +0000454424 00000 n 0000036189 00000 n 0000035879 00000 n 0000034954 00000 n @@ -8117,9 +8111,9 @@ xref 0000044424 00000 n 0000044712 00000 n 0000044838 00000 n -0000321667 00000 n -0000312717 00000 n -0000321490 00000 n +0000321668 00000 n +0000312718 00000 n +0000321491 00000 n 0000159901 00000 n 0000140133 00000 n 0000048140 00000 n @@ -8127,15 +8121,15 @@ xref 0000045151 00000 n 0000047951 00000 n 0000048077 00000 n -0000312369 00000 n -0000304798 00000 n -0000312192 00000 n +0000312370 00000 n +0000304799 00000 n +0000312193 00000 n 0000052187 00000 n 0000051797 00000 n 0000048290 00000 n 0000052124 00000 n 0000051939 00000 n -0000454541 00000 n +0000454542 00000 n 0000108462 00000 n 0000054051 00000 n 0000053614 00000 n @@ -8179,7 +8173,7 @@ xref 0000068371 00000 n 0000068497 00000 n 0000068623 00000 n -0000454659 00000 n +0000454660 00000 n 0000072166 00000 n 0000071289 00000 n 0000068822 00000 n @@ -8228,7 +8222,7 @@ xref 0000087001 00000 n 0000087253 00000 n 0000087379 00000 n -0000454777 00000 n +0000454778 00000 n 0000087874 00000 n 0000087689 00000 n 0000087540 00000 n @@ -8261,9 +8255,9 @@ xref 0000101804 00000 n 0000099542 00000 n 0000102851 00000 n -0000303963 00000 n -0000294866 00000 n -0000303791 00000 n +0000303964 00000 n +0000294867 00000 n +0000303792 00000 n 0000102977 00000 n 0000103040 00000 n 0000103103 00000 n @@ -8278,7 +8272,7 @@ xref 0000108336 00000 n 0000107775 00000 n 0000107926 00000 n -0000454895 00000 n +0000454896 00000 n 0000272212 00000 n 0000112714 00000 n 0000111537 00000 n @@ -8321,7 +8315,7 @@ xref 0000129039 00000 n 0000128762 00000 n 0000129165 00000 n -0000455013 00000 n +0000455014 00000 n 0000130769 00000 n 0000130584 00000 n 0000129338 00000 n @@ -8365,7 +8359,7 @@ xref 0000153691 00000 n 0000153121 00000 n 0000153284 00000 n -0000455131 00000 n +0000455132 00000 n 0000195135 00000 n 0000178863 00000 n 0000156746 00000 n @@ -8374,9 +8368,9 @@ xref 0000156431 00000 n 0000156557 00000 n 0000156683 00000 n -0000294322 00000 n -0000286019 00000 n -0000294149 00000 n +0000294323 00000 n +0000286020 00000 n +0000294150 00000 n 0000159964 00000 n 0000159653 00000 n 0000156911 00000 n @@ -8406,7 +8400,7 @@ xref 0000175078 00000 n 0000174756 00000 n 0000174911 00000 n -0000455249 00000 n +0000455250 00000 n 0000178927 00000 n 0000178478 00000 n 0000175378 00000 n @@ -8443,7 +8437,7 @@ xref 0000194880 00000 n 0000193716 00000 n 0000195006 00000 n -0000455373 00000 n +0000455374 00000 n 0000196480 00000 n 0000196289 00000 n 0000195311 00000 n @@ -8502,7 +8496,7 @@ xref 0000219070 00000 n 0000219135 00000 n 0000219200 00000 n -0000455498 00000 n +0000455499 00000 n 0000223365 00000 n 0000222720 00000 n 0000219377 00000 n @@ -8541,9 +8535,9 @@ xref 0000233731 00000 n 0000233860 00000 n 0000233989 00000 n -0000285664 00000 n +0000285665 00000 n 0000283667 00000 n -0000285499 00000 n +0000285500 00000 n 0000234117 00000 n 0000234245 00000 n 0000237604 00000 n @@ -8561,7 +8555,7 @@ xref 0000240219 00000 n 0000239531 00000 n 0000239746 00000 n -0000455623 00000 n +0000455624 00000 n 0000244414 00000 n 0000243708 00000 n 0000240409 00000 n @@ -8636,7 +8630,7 @@ xref 0000261152 00000 n 0000261217 00000 n 0000261281 00000 n -0000455748 00000 n +0000455749 00000 n 0000268018 00000 n 0000264326 00000 n 0000261497 00000 n @@ -8727,37 +8721,37 @@ xref 0000272023 00000 n 0000272244 00000 n 0000283588 00000 n -0000285911 00000 n -0000285880 00000 n -0000294607 00000 n -0000304371 00000 n -0000312612 00000 n -0000321930 00000 n -0000339412 00000 n -0000356751 00000 n -0000376956 00000 n -0000398093 00000 n -0000401175 00000 n -0000400945 00000 n -0000427978 00000 n -0000453821 00000 n -0000455846 00000 n -0000455966 00000 n -0000456090 00000 n -0000456170 00000 n -0000456252 00000 n -0000470330 00000 n -0000482355 00000 n -0000482396 00000 n -0000482436 00000 n -0000482570 00000 n +0000285912 00000 n +0000285881 00000 n +0000294608 00000 n +0000304372 00000 n +0000312613 00000 n +0000321931 00000 n +0000339413 00000 n +0000356752 00000 n +0000376957 00000 n +0000398094 00000 n +0000401176 00000 n +0000400946 00000 n +0000427979 00000 n +0000453822 00000 n +0000455847 00000 n +0000455967 00000 n +0000456091 00000 n +0000456171 00000 n +0000456253 00000 n +0000470331 00000 n +0000482356 00000 n +0000482397 00000 n +0000482437 00000 n +0000482571 00000 n trailer << /Size 1346 /Root 1344 0 R /Info 1345 0 R -/ID [<67EC8DB4DA54B78233C7FF2983DF6C55> <67EC8DB4DA54B78233C7FF2983DF6C55>] +/ID [ ] >> startxref -482834 +482835 %%EOF From 285254345ce5ab270848f8c11f7be146793f1e00 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 31 Aug 2006 00:19:52 +0000 Subject: [PATCH 453/465] regen --- bin/check/named-checkzone.8 | 4 ++-- bin/check/named-checkzone.html | 6 +++--- doc/arm/Bv9ARM.ch06.html | 4 ++-- doc/arm/man.named-checkzone.html | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8 index 74e2f1ea72..187148093a 100644 --- a/bin/check/named-checkzone.8 +++ b/bin/check/named-checkzone.8 @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named-checkzone.8,v 1.34 2006/06/29 13:03:31 marka Exp $ +.\" $Id: named-checkzone.8,v 1.35 2006/08/31 00:19:51 marka Exp $ .\" .hy 0 .ad l @@ -170,7 +170,7 @@ Write zone output to Specify the style of the dumped zone file. Possible styles are \fB"full"\fR (default) and -\fB"default"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the default format is more human\-readable and is thus suitable for editing by hand. For +\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For \fBnamed\-checkzone\fR this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text. .TP 3n diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html index 55891d4ab2..07e6133974 100644 --- a/bin/check/named-checkzone.html +++ b/bin/check/named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -175,10 +175,10 @@

    Specify the style of the dumped zone file. Possible styles are "full" (default) - and "default". + and "relative". The full format is most suitable for processing automatically by a separate script. - On the other hand, the default format is more + On the other hand, the relative format is more human-readable and is thus suitable for editing by hand. For named-checkzone this does not cause any effects unless it dumps the zone diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 53b216a7a7..3c6823cc0a 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -2009,7 +2009,7 @@ digits" + "tkey-domain". In most cases, If specified, the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. - The default is not to preference any type (NONE). + The default is not to prefer any type (NONE).

    root-delegation-only
    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index c1ef3a8e08..a775d7d82a 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -193,10 +193,10 @@

    Specify the style of the dumped zone file. Possible styles are "full" (default) - and "default". + and "relative". The full format is most suitable for processing automatically by a separate script. - On the other hand, the default format is more + On the other hand, the relative format is more human-readable and is thus suitable for editing by hand. For named-checkzone this does not cause any effects unless it dumps the zone From f34249bb28093d6589196cd00ca040f503a65e2b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 31 Aug 2006 03:56:36 +0000 Subject: [PATCH 454/465] 2066. [security] Handle SIG queries gracefully. [RT #16300] --- CHANGES | 2 +- bin/named/query.c | 6 +++--- lib/dns/resolver.c | 23 ++++++++++++++--------- 3 files changed, 18 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index 144f9fd55d..946088cfd6 100644 --- a/CHANGES +++ b/CHANGES @@ -43,7 +43,7 @@ 2067. [bug] 'rndc' could close the socket too early triggering a INSIST under Windows. [RT #16317] -2066. [placeholder] rt16300 +2066. [security] Handle SIG queries gracefully. [RT #16300] 2065. [bug] libbind: probe for HPUX prototypes for endprotoent_r() and endservent_r(). [RT 16313] diff --git a/bin/named/query.c b/bin/named/query.c index ddd91508de..f3579f47b9 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.288 2006/06/04 23:59:33 marka Exp $ */ +/* $Id: query.c,v 1.289 2006/08/31 03:56:36 marka Exp $ */ /*! \file */ @@ -3369,7 +3369,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) is_zone = ISC_FALSE; qtype = event->qtype; - if (qtype == dns_rdatatype_rrsig) + if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig) type = dns_rdatatype_any; else type = qtype; @@ -3410,7 +3410,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If it's a SIG query, we'll iterate the node. */ - if (qtype == dns_rdatatype_rrsig) + if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig) type = dns_rdatatype_any; else type = qtype; diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index af7a59ac3e..b223691c5d 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.334 2006/08/30 23:09:18 marka Exp $ */ +/* $Id: resolver.c,v 1.335 2006/08/31 03:56:36 marka Exp $ */ /*! \file */ @@ -779,7 +779,8 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) { INSIST(result != ISC_R_SUCCESS || dns_rdataset_isassociated(event->rdataset) || fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); count++; @@ -3387,7 +3388,8 @@ validated(isc_task_t *task, isc_event_t *event) { if (hevent != NULL) { if (!negative && !chaining && (fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig)) { + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig)) { /* * Don't bind rdatasets; the caller * will iterate the node. @@ -3508,7 +3510,8 @@ validated(isc_task_t *task, isc_event_t *event) { if (!ISC_LIST_EMPTY(fctx->validators)) { INSIST(!negative); INSIST(fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); /* * Don't send a response yet - we have * more rdatasets that still need to @@ -3662,14 +3665,15 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, return (result); anodep = &event->node; /* - * If this is an ANY or SIG query, we're not going - * to return any rdatasets, unless we encountered + * If this is an ANY, SIG or RRSIG query, we're not + * going to return any rdatasets, unless we encountered * a CNAME or DNAME as "the answer". In this case, * we're going to return DNS_R_CNAME or DNS_R_DNAME * and we must set up the rdatasets. */ if ((fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) || + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) || (name->attributes & DNS_NAMEATTR_CHAINING) != 0) { ardataset = event->rdataset; asigrdataset = event->sigrdataset; @@ -3728,7 +3732,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, */ if (secure_domain && rdataset->trust != dns_trust_glue) { /* - * SIGs are validated as part of validating the + * RRSIGs are validated as part of validating the * type they cover. */ if (rdataset->type == dns_rdatatype_rrsig) @@ -3798,7 +3802,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, if (ANSWER(rdataset) && need_validation) { if (fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) { + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) { /* * This is The Answer. We will * validate it, but first we cache From 34b7c0adacd796de4a9f8c2d022e6aa4b3fd17e2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 31 Aug 2006 04:26:18 +0000 Subject: [PATCH 455/465] 9.2.7rc2 --- lib/bind/api | 2 +- lib/dns/api | 2 +- lib/isc/api | 2 +- lib/lwres/api | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/bind/api b/lib/bind/api index 2bcba231e6..4222749fc0 100644 --- a/lib/bind/api +++ b/lib/bind/api @@ -1,3 +1,3 @@ LIBINTERFACE = 4 -LIBREVISION = 4 +LIBREVISION = 5 LIBAGE = 0 diff --git a/lib/dns/api b/lib/dns/api index 409db1925b..d17f838025 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -1,3 +1,3 @@ LIBINTERFACE = 18 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 2 diff --git a/lib/isc/api b/lib/isc/api index 083b745146..5db2c05f37 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -1,3 +1,3 @@ LIBINTERFACE = 9 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 2 diff --git a/lib/lwres/api b/lib/lwres/api index a8b05fb19e..64115cd641 100644 --- a/lib/lwres/api +++ b/lib/lwres/api @@ -1,3 +1,3 @@ LIBINTERFACE = 2 -LIBREVISION = 6 +LIBREVISION = 7 LIBAGE = 1 From f07098524fb08b876d7f85bb631a43b265df1a5b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 7 Sep 2006 23:17:57 +0000 Subject: [PATCH 456/465] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 1eae938e98..23ef13e627 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -35,6 +35,7 @@ rt14895 open jinmei rt14895b open jinmei rt15327 open rt15452 open marka // NSEC3 +rt15452a new rt15473 review marka rt15473b review marka rt15698 open From fc8d06c624ff6ac8c0054400a677aeb9c8bb35a7 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 11 Sep 2006 02:32:38 +0000 Subject: [PATCH 457/465] regen --- doc/arm/man.dig.html | 20 ++++++++++---------- doc/arm/man.dnssec-keygen.html | 12 ++++++------ doc/arm/man.dnssec-signzone.html | 8 ++++---- doc/arm/man.host.html | 10 +++++----- doc/arm/man.named-checkconf.html | 12 ++++++------ doc/arm/man.named-checkzone.html | 6 +++--- doc/arm/man.named.html | 16 ++++++++-------- doc/arm/man.rndc-confgen.html | 12 ++++++------ doc/arm/man.rndc.conf.html | 12 ++++++------ doc/arm/man.rndc.html | 12 ++++++------ 10 files changed, 60 insertions(+), 60 deletions(-) diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index abfc89e462..eaa7d3ac26 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -52,7 +52,7 @@

    dig [global-queryopt...] [query...]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -91,7 +91,7 @@

    -

    SIMPLE USAGE

    +

    SIMPLE USAGE

    A typical invocation of dig looks like:

    @@ -137,7 +137,7 @@

    -

    OPTIONS

    +

    OPTIONS

    The -b option sets the source IP address of the query to address. This must be a valid @@ -237,7 +237,7 @@

    -

    QUERY OPTIONS

    +

    QUERY OPTIONS

    dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -556,7 +556,7 @@

    -

    MULTIPLE QUERIES

    +

    MULTIPLE QUERIES

    The BIND 9 implementation of dig supports @@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

    -

    IDN SUPPORT

    +

    IDN SUPPORT

    If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

    -

    FILES

    +

    FILES

    /etc/resolv.conf

    ${HOME}/.digrc

    -

    SEE ALSO

    +

    SEE ALSO

    host(1), named(8), dnssec-keygen(8), @@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

    -

    BUGS

    +

    BUGS

    There are probably too many query options.

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index c4ef941771..624e07bca8 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate keys for use with @@ -58,7 +58,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a algorithm
    @@ -212,7 +212,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

    To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -233,7 +233,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2535, @@ -242,7 +242,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index c6420fd8b7..26ce99cfff 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a

    @@ -257,7 +257,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

    The following command signs the example.com zone with the DSA key generated in the dnssec-keygen diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index eb11fc4b42..849afd48a1 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

    -

    DESCRIPTION

    +

    DESCRIPTION

    host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -202,7 +202,7 @@

    -

    IDN SUPPORT

    +

    IDN SUPPORT

    If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@

    -

    FILES

    +

    FILES

    /etc/resolv.conf

    -

    SEE ALSO

    +

    SEE ALSO

    dig(1), named(8).

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 8476af7ad4..b9c5f05792 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@

    named-checkconf [-v] [-j] [-t directory] {filename} [-z]

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-checkconf checks the syntax, but not the semantics, of a named configuration file.

    -

    OPTIONS

    +

    OPTIONS

    -t directory

    @@ -88,20 +88,20 @@

    -

    RETURN VALUES

    +

    RETURN VALUES

    named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

    -

    SEE ALSO

    +

    SEE ALSO

    named(8), BIND 9 Administrator Reference Manual.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index a775d7d82a..a2bd805a00 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@

    named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -d

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 6adae0df9b..f9cc37c5f2 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

    -

    DESCRIPTION

    +

    DESCRIPTION

    named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -4

    @@ -198,7 +198,7 @@

    -

    SIGNALS

    +

    SIGNALS

    In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -219,7 +219,7 @@

    -

    CONFIGURATION

    +

    CONFIGURATION

    The named configuration file is too complex to describe in detail here. A complete description is provided @@ -228,7 +228,7 @@

    -

    FILES

    +

    FILES

    /etc/named.conf

    @@ -241,7 +241,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    RFC 1033, RFC 1034, RFC 1035, @@ -252,7 +252,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index b62daecd2a..51f93932dd 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@

    rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc-confgen generates configuration files for rndc. It can be used as a @@ -64,7 +64,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a
    @@ -171,7 +171,7 @@
    -

    EXAMPLES

    +

    EXAMPLES

    To allow rndc to be used with no manual configuration, run @@ -188,7 +188,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc(8), rndc.conf(5), named(8), @@ -196,7 +196,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index bdb25a6d01..a401cb8957 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    rndc.conf

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
    -

    NAME SERVER CONFIGURATION

    +

    NAME SERVER CONFIGURATION

    The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index f907fec77d..b5bee8d2db 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -b source-address

    @@ -152,7 +152,7 @@

    -

    LIMITATIONS

    +

    LIMITATIONS

    rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -166,7 +166,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc.conf(5), named(8), named.conf(5) @@ -175,7 +175,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    From 7c693bfdbe488ca8fa4f0831c71f5809972f6cc7 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 13 Sep 2006 00:18:27 +0000 Subject: [PATCH 458/465] 2082. [doc] Document 'cache-file' as a test only option. --- CHANGES | 2 ++ bin/named/named.conf.docbook | 6 +++--- doc/arm/Bv9ARM-book.xml | 13 ++++++++++++- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 946088cfd6..99bd8b6bf8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2082. [doc] Document 'cache-file' as a test only option. + 2081. [port] libbind: minor 64-bit portability fix in memcluster.c. [RT #16360] diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 2978ce1e12..d5ab4da85e 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + Aug 13, 2004 @@ -250,7 +250,7 @@ options { check-integrity boolean; check-mx-cname ( fail | warn | ignore ); check-srv-cname ( fail | warn | ignore ); - cache-file quoted_string; + cache-file quoted_string; // test option suppress-initial-notify boolean; // not yet implemented preferred-glue string; dual-stack-servers port integer { @@ -399,7 +399,7 @@ view string optional_class check-integrity boolean; check-mx-cname ( fail | warn | ignore ); check-srv-cname ( fail | warn | ignore ); - cache-file quoted_string; + cache-file quoted_string; // test option suppress-initial-notify boolean; // not yet implemented preferred-glue string; dual-stack-servers port integer { diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 1db49b156e..1abb831a18 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -4371,6 +4371,7 @@ category notify { null; }; named-xfer path_name; tkey-domain domainname; tkey-dhkey key_name key_tag; + cache-file path_name; dump-file path_name; memstatistics-file path_name; pid-file path_name; @@ -4612,6 +4613,15 @@ digits" + "tkey-domain". In most cases, + + cache-file + + + This is for testing only. Do not use. + + + + dump-file @@ -4623,6 +4633,7 @@ digits" + "tkey-domain". In most cases, + memstatistics-file From 963ee7dc7d92a9dddbb071ff37669d09bd053202 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 13 Sep 2006 00:28:07 +0000 Subject: [PATCH 459/465] 2082. [doc] Document 'cache-file' as a test only option. --- CHANGES | 1 + bin/named/named.conf.docbook | 3 ++- doc/arm/Bv9ARM-book.xml | 12 +++++++++++- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index d540f0e813..66929eb1d9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,4 @@ +2082. [doc] Document 'cache-file' as a test only option. --- 9.2.7rc2 released --- diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 5068cf5156..d365bc4ddc 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -172,6 +172,7 @@ options { coresize size; datasize size; directory quoted_string; + cache-file quoted_string; // test option dump-file quoted_string; files size; heartbeat-interval integer; diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 9a7065386c..9d080990d6 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -2651,6 +2651,7 @@ statement in the named.conf file: named-xfer path_name; tkey-domain domainname; tkey-dhkey key_name key_tag; + cache-file path_name; dump-file path_name; memstatistics-file path_name; pid-file path_name; @@ -2798,6 +2799,15 @@ public and private keys from files in the working directory. In most cases, the keyname should be the server's host name. + + cache-file + + + This is for testing only. Do not use. + + + + dump-file The pathname of the file the server dumps the database to when instructed to do so with From 9c38bd2ef05206d877a63989c3b025e4ee295f8f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 13 Sep 2006 02:56:03 +0000 Subject: [PATCH 460/465] regen --- bin/named/named.conf.5 | 3 +- bin/named/named.conf.html | 11 ++-- doc/arm/Bv9ARM.ch06.html | 79 +++++++++++++++-------------- doc/arm/Bv9ARM.ch07.html | 14 +++--- doc/arm/Bv9ARM.ch08.html | 18 +++---- doc/arm/Bv9ARM.ch09.html | 102 +++++++++++++++++++------------------- doc/arm/Bv9ARM.html | 46 ++++++++--------- 7 files changed, 140 insertions(+), 133 deletions(-) diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 2d80a817d4..7a867a2c7d 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -12,7 +12,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.conf.5,v 1.1.6.10 2006/07/18 20:50:03 marka Exp $ +.\" $Id: named.conf.5,v 1.1.6.11 2006/09/13 02:56:02 marka Exp $ .\" .hy 0 .ad l @@ -145,6 +145,7 @@ options { coresize \fIsize\fR; datasize \fIsize\fR; directory \fIquoted_string\fR; + cache\-file \fIquoted_string\fR; // test option dump\-file \fIquoted_string\fR; files \fIsize\fR; heartbeat\-interval \fIinteger\fR; diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index bad2b05142..37b162ab8d 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -13,7 +13,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -144,6 +144,7 @@ options coresize size;
    datasize size;
    directory quoted_string;
    + cache-file quoted_string; // test option
    dump-file quoted_string;
    files size;
    heartbeat-interval integer;
    @@ -251,7 +252,7 @@ options

    -

    VIEW

    +

    VIEW


    view string optional_class {
    match-clients { address_match_element; ... };
    @@ -348,7 +349,7 @@ view

    -

    ZONE

    +

    ZONE


    zone string optional_class {
    type ( master | slave | stub | hint |
    @@ -413,13 +414,13 @@ zone

    -

    FILES

    +

    FILES

    /etc/named.conf

    -

    SEE ALSO

    +

    SEE ALSO

    named(8), rndc(8), diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 814694a3a6..3c274e61f2 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -66,26 +66,26 @@ Usage

    lwres Statement Grammar
    lwres Statement Definition and Usage
    options Statement Grammar
    -
    options Statement Definition and Usage
    +
    options Statement Definition and Usage
    server Statement Grammar
    server Statement Definition and Usage
    -
    trusted-keys Statement Grammar
    -
    trusted-keys Statement Definition +
    trusted-keys Statement Grammar
    +
    trusted-keys Statement Definition and Usage
    -
    view Statement Grammar
    -
    view Statement Definition and Usage
    +
    view Statement Grammar
    +
    view Statement Definition and Usage
    zone Statement Grammar
    -
    zone Statement Definition and Usage
    +
    zone Statement Definition and Usage
    -
    Zone File
    +
    Zone File
    Types of Resource Records and When to Use Them
    -
    Discussion of MX Records
    +
    Discussion of MX Records
    Setting TTLs
    -
    Inverse Mapping in IPv4
    -
    Other Zone File Directives
    -
    BIND Master File Extension: the $GENERATE Directive
    +
    Inverse Mapping in IPv4
    +
    Other Zone File Directives
    +
    BIND Master File Extension: the $GENERATE Directive
    @@ -1014,6 +1014,7 @@ statement in the named.conf file:

    [ named-xfer path_name; ] [ tkey-domain domainname; ] [ tkey-dhkey key_name key_tag; ] + [ cache-file path_name; ] [ dump-file path_name; ] [ memstatistics-file path_name; ] [ pid-file path_name; ] @@ -1103,7 +1104,7 @@ statement in the named.conf file:

    -options Statement Definition and Usage

    +options Statement Definition and Usage

    The options statement sets up global options to be used by BIND. This statement may appear only once in a configuration file. If more than one occurrence is found, @@ -1148,6 +1149,10 @@ to generate shared keys with clients using the Diffie-Hellman mode of TKEY. The server must be able to load the public and private keys from files in the working directory. In most cases, the keyname should be the server's host name.

    +
    cache-file
    +

    + This is for testing only. Do not use. +

    dump-file

    The pathname of the file the server dumps the database to when instructed to do so with @@ -1454,7 +1459,7 @@ The use of this option for any other purpose is discouraged.

    -Forwarding

    +Forwarding

    The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external nameservers. It can also be used to allow queries by servers that @@ -1531,7 +1536,7 @@ from these addresses will not be responded to. The default is

    -Interfaces

    +Interfaces

    The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes an optional port, and an address_match_list. @@ -1573,7 +1578,7 @@ the server will not listen on any IPv6 address.

    -Query Address

    +Query Address

    If the server doesn't know the answer to a question, it will query other nameservers. query-source specifies the address and port used for such queries. For queries sent over @@ -1736,7 +1741,7 @@ but applies to notify messages sent to IPv6 addresses.

    -Operating System Resource Limits

    +Operating System Resource Limits

    The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For example, 1G can be used instead of @@ -1780,7 +1785,7 @@ may use. The default is default.

    -Server Resource Limits

    +Server Resource Limits

    The following options set limits on the server's resource consumption that are enforced internally by the server rather than the operating system.

    @@ -1813,7 +1818,7 @@ records are purged from the cache only when their TTLs expire.

    -Periodic Task Intervals

    +Periodic Task Intervals
    cleaning-interval

    The server will remove expired resource records @@ -2278,7 +2283,7 @@ supported.

    -trusted-keys Statement Grammar

    +trusted-keys Statement Grammar
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -2287,7 +2292,7 @@ supported.
    
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
 and Usage
    
 
    The trusted-keys statement defines DNSSEC
 security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the public key for a non-authoritative
@@ -2303,7 +2308,7 @@ key data.
    
 
    
 
    
 
    
-view Statement Grammar
    
+view Statement Grammar
    
 
    view view_name [class] {
       match-clients { address_match_list } ;
       match-destinations { address_match_list } ;
@@ -2316,7 +2321,7 @@ key data.
    
 
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    The view statement is a powerful new feature
 of BIND 9 that lets a name server answer a DNS query differently
 depending on who is asking. It is particularly useful for implementing
@@ -2499,10 +2504,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    @@ -2613,7 +2618,7 @@ from forwarders.
    
 
    
-Class
    
+Class
    The zone's name may optionally be followed by a class. If
 a class is not specified, class IN (for Internet),
 is assumed. This is correct for the vast majority of cases.
    
@@ -2628,7 +2633,7 @@ in the mid-1970s. Zone data for it can be specified with the 
 
    
-Zone Options
    
+Zone Options
 
    
 
    allow-notify
    
 
    See the description of
@@ -2844,7 +2849,7 @@ SIG, NS, SOA, and NXT. Types may be specified by name, including
 
    
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -2854,7 +2859,7 @@ Since the publication of RFC 1034, several new RRs have been identified
 and implemented in the DNS. These are also included.
    
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    A domain name identifies a node.  Each node has a set of
         resource information, which may be empty.  The set of resource
         information associated with a particular name is composed of
@@ -3129,7 +3134,7 @@ used as "pointers" to other data in the DNS.
    
 
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    RRs are represented in binary form in the packets of the DNS
 protocol, and are usually represented in highly encoded form when
 stored in a nameserver or resolver.  In the examples provided in
@@ -3219,7 +3224,7 @@ each of a different class.
    
 
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    As described above, domain servers store information as a
 series of resource records, each of which contains a particular
 piece of information about a given domain name (which is usually,
@@ -3336,7 +3341,7 @@ can be explicitly specified, for example, 1h30m. 
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    Reverse name resolution (that is, translation from IP address
 to name) is achieved by means of the in-addr.arpa domain
 and PTR records. Entries in the in-addr.arpa domain are made in
@@ -3374,7 +3379,7 @@ that the example is relative to the listed origin.
    
 
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    The Master File Format was initially defined in RFC 1035 and
 has subsequently been extended. While the Master File Format itself
 is class independent all records in a Master File must be of the same
@@ -3383,7 +3388,7 @@ class.
    
 and $TTL.
    
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    Syntax: $ORIGIN
 domain-name [ comment]
    
 
    $ORIGIN sets the domain name that will
@@ -3398,7 +3403,7 @@ WWW     CNAME   MAIN-SERVER
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    Syntax: $INCLUDE
 filename [
 origin ] [ comment ]
    
@@ -3422,7 +3427,7 @@ This could be construed as a deviation from RFC 1035, a feature, or both.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    Syntax: $TTL
 default-ttl [
 comment ]
    
@@ -3433,7 +3438,7 @@ with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.
    
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    .
+BIND Master File Extension: the  $GENERATE Directive
    .
         
    Syntax: $GENERATE range lhs type rhs [ comment ]
    
 
    $GENERATE is used to create a series of
 resource records that only differ from each other by an iterator. $GENERATE can
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index c5a3b29ef5..059269b2b2 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,11 +46,11 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    chroot and setuid (for
+
    chroot and setuid (for
 UNIX servers)
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -102,7 +102,7 @@ see the AUSCERT advisory at
 
 
    
 
    
-chroot and setuid (for
+chroot and setuid (for
 UNIX servers)
    
 
    On UNIX servers, it is possible to run BIND in a chrooted environment
 (using the chroot() function) by specifying the "-t"
@@ -117,7 +117,7 @@ user 202:
    
 
    /usr/local/bin/named -u 202 -t /var/named
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    In order for a chroot environment to
 work properly in a particular directory
 (for example, /var/named),
@@ -142,7 +142,7 @@ to set up things like
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    Prior to running the named daemon, use
 the touch utility (to change file access and
 modification times) or the chown utility (to
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index da266a82c1..058c8d8284 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    The best solution to solving installation and
       configuration issues is to take preventative measures by setting
       up logging files beforehand. The log files provide a
@@ -66,7 +66,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    Zone serial numbers are just numbers-they aren't date
     related.  A lot of people set them to a number that represents a
     date, usually of the form YYYYMMDDRR. A number of people have been
@@ -87,7 +87,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    The Internet Software Consortium (ISC) offers a wide range
     of support and service agreements for BIND and DHCP servers. Four
     levels of premium support are available and each level includes
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 6a9cd594eb..a494a6fe55 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -43,26 +43,26 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgements
    
-
    A Brief History of the DNS and BIND
    
+
    Acknowledgements
    
+
    A Brief History of the DNS and BIND
    
 
    Historical DNS Information
    
 
    Classes of Resource Records
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (A6)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgements
    
+Acknowledgements
    
 
    
 
    
-A Brief History of the DNS and BIND
    
+A Brief History of the DNS and BIND
    
 
    Although the "official" beginning of the Domain Name
       System occurred in 1984 with the publication of RFC 920, the
       core of the new system was described in 1983 in RFCs 882 and
@@ -125,7 +125,7 @@ individuals.
    
 Classes of Resource Records
 
    
 
    
-HS = hesiod
    
+HS = hesiod
    
 
    The [hesiod] class is an information service
 developed by MIT's Project Athena. It is used to share information
 about various systems databases, such as users, groups, printers
@@ -134,7 +134,7 @@ hesiod.
    
 
 
    
 
    
-CH = chaos
    
+CH = chaos
    
 
    The chaos class is used to specify zone
 data for the MIT-developed CHAOSnet, a LAN protocol created in the
 mid-1970s.
    
@@ -143,7 +143,7 @@ mid-1970s.
    
 
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (A6)
    
@@ -323,17 +323,17 @@ the number of the RFC). RFCs are also available via the Web at
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
 Specification. November 1987. 
    
 
    
 
    
@@ -341,22 +341,22 @@ Specification. November 1987. 
    
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997. 
    
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998. 
    
+
    [RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
 
    
@@ -367,85 +367,85 @@ Specification. November 1987. 
    
 RFCs are undergoing major revision by the IETF.
    
 
    
 
    
-
    [RFC1886] S. Thomson and C. Huitema. DNS Extensions to support IP version 6. December 1995. 
    
+
    [RFC1886] S. Thomson and C. Huitema. DNS Extensions to support IP version 6. December 1995. 
    
 
    
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
 
    
 
    Other Important RFCs About DNS Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993. 
    
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993. 
    
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
 the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain
 Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of
 Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER
+
    [RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER
 Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989. 
    
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989. 
    
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993. 
    
+
    [RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996. 
    
+
    [RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997. 
    
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997. 
    
 
    
 
    
 
    
@@ -456,28 +456,28 @@ Conformant Global Address Mapping. January 1998
 DNS-related, are not concerned with implementing software.
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993. 
    
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995. 
    
+
    [RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RRs
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
 Location. November 1994. 
    
 
    
 
    
@@ -497,13 +497,13 @@ after which they are deleted unless updated by their authors.
 
 
    
 
    
-Other Documents About BIND
    
+Other Documents About BIND
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 40c23426dc..fab5b21988 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -146,59 +146,59 @@ Usage
 
    lwres Statement Grammar
    
 
    lwres Statement Definition and Usage
    
 
    options Statement Grammar
    
-
    options Statement Definition and Usage
    
+
    options Statement Definition and Usage
    
 
    server Statement Grammar
    
 
    server Statement Definition and Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
 and Usage
    
-
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Grammar
    
+
    view Statement Definition and Usage
    
 
    zone
 Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    
 
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    chroot and setuid (for
+
    chroot and setuid (for
 UNIX servers)
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgements
    
-
    A Brief History of the DNS and BIND
    
+
    Acknowledgements
    
+
    A Brief History of the DNS and BIND
    
 
    Historical DNS Information
    
 
    Classes of Resource Records
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (A6)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 

From 22c71c7b86fa57a19f7df0da4222eb8593e6ad12 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 13 Sep 2006 02:57:21 +0000
Subject: [PATCH 461/465] regen

---
 bin/named/named.conf.5           |   6 +-
 bin/named/named.conf.html        |  14 +--
 doc/arm/Bv9ARM.ch06.html         |  75 +++++++------
 doc/arm/Bv9ARM.ch07.html         |  14 +--
 doc/arm/Bv9ARM.ch08.html         |  18 +--
 doc/arm/Bv9ARM.ch09.html         | 182 +++++++++++++++----------------
 doc/arm/Bv9ARM.html              |  40 +++----
 doc/arm/man.dig.html             |  20 ++--
 doc/arm/man.dnssec-keygen.html   |  14 +--
 doc/arm/man.dnssec-signzone.html |  12 +-
 doc/arm/man.host.html            |  10 +-
 doc/arm/man.named-checkconf.html |  12 +-
 doc/arm/man.named-checkzone.html |  12 +-
 doc/arm/man.named.html           |  16 +--
 doc/arm/man.rndc-confgen.html    |  12 +-
 doc/arm/man.rndc.conf.html       |  12 +-
 doc/arm/man.rndc.html            |  12 +-
 17 files changed, 243 insertions(+), 238 deletions(-)

diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 3deb3a2963..92fc2863fd 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.21 2006/06/29 13:03:32 marka Exp $
+.\" $Id: named.conf.5,v 1.22 2006/09/13 02:57:21 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -224,7 +224,7 @@ options {
 	check\-integrity \fIboolean\fR;
 	check\-mx\-cname ( fail | warn | ignore );
 	check\-srv\-cname ( fail | warn | ignore );
-	cache\-file \fIquoted_string\fR;
+	cache\-file \fIquoted_string\fR; // test option
 	suppress\-initial\-notify \fIboolean\fR; // not yet implemented
 	preferred\-glue \fIstring\fR;
 	dual\-stack\-servers [ port \fIinteger\fR ] {
@@ -358,7 +358,7 @@ view \fIstring\fR \fIoptional_class\fR {
 	check\-integrity \fIboolean\fR;
 	check\-mx\-cname ( fail | warn | ignore );
 	check\-srv\-cname ( fail | warn | ignore );
-	cache\-file \fIquoted_string\fR;
+	cache\-file \fIquoted_string\fR; // test option
 	suppress\-initial\-notify \fIboolean\fR; // not yet implemented
 	preferred\-glue \fIstring\fR;
 	dual\-stack\-servers [ port \fIinteger\fR ] {
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 18437734b2..77374b7108 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -222,7 +222,7 @@ options
 	check-integrity boolean;
    
 	check-mx-cname ( fail | warn | ignore );
    
 	check-srv-cname ( fail | warn | ignore );
    
-	cache-file quoted_string;
    
+	cache-file quoted_string; // test option
    
 	suppress-initial-notify boolean; // not yet implemented
    
 	preferred-glue string;
    
 	dual-stack-servers [ port integer ] {
    
@@ -313,7 +313,7 @@ options
 
    
 
 
    
-
    VIEW
    
+
    VIEW
    
 

    
 view string optional_class {
    
 	match-clients { address_match_element; ... };
    
@@ -370,7 +370,7 @@ view
 	check-integrity boolean;
    
 	check-mx-cname ( fail | warn | ignore );
    
 	check-srv-cname ( fail | warn | ignore );
    
-	cache-file quoted_string;
    
+	cache-file quoted_string; // test option
    
 	suppress-initial-notify boolean; // not yet implemented
    
 	preferred-glue string;
    
 	dual-stack-servers [ port integer ] {
    
@@ -453,7 +453,7 @@ view
 
    
 
    
 
    
-
    ZONE
    
+
    ZONE
    
 

    
 zone string optional_class {
    
 	type ( master | slave | stub | hint |
    
@@ -538,12 +538,12 @@ zone
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/named.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       rndc(8),
       BIND 9 Administrator Reference Manual.
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 3c6823cc0a..09b5494b8e 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -77,23 +77,23 @@
 
    server Statement Grammar
    
 
    server Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
@@ -1728,6 +1728,7 @@ category notify { null; };
     [ named-xfer path_name; ]
     [ tkey-domain domainname; ]
     [ tkey-dhkey key_name key_tag; ]
+    [ cache-file path_name; ]
     [ dump-file path_name; ]
     [ memstatistics-file path_name; ]
     [ pid-file path_name; ]
@@ -1939,6 +1940,10 @@ digits    " + "tkey-domain". In most cases,
                 In
                 most cases, the keyname should be the server's host name.
               
    
+
    cache-file
    
+
    
+                This is for testing only.  Do not use.
+              
    
 
    dump-file
    
 
    
                 The pathname of the file the server dumps
@@ -2772,7 +2777,7 @@ options {
 
    
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2816,7 +2821,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -2976,7 +2981,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -3056,7 +3061,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
 
    
 
    
-Query Address
    
+Query Address
    
 
    
             If the server doesn't know the answer to a question, it will
             query other name servers. query-source specifies
@@ -3336,7 +3341,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Bad UDP Port Lists
    
+Bad UDP Port Lists
    
 
    avoid-v4-udp-ports
             and avoid-v6-udp-ports specify a list
             of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3350,7 +3355,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3409,7 +3414,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Server  Resource Limits
    
+Server  Resource Limits
    
 
    
             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3487,7 +3492,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -4534,7 +4539,7 @@ query-source-v6 address * port *;
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -4543,7 +4548,7 @@ query-source-v6 address * port *;
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -4586,7 +4591,7 @@ query-source-v6 address * port *;
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -4838,10 +4843,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 
 

 
 
 
    @@ -5050,7 +5055,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5072,7 +5077,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -5560,7 +5565,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -5573,7 +5578,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6224,7 +6229,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6427,7 +6432,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6685,7 +6690,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -6746,7 +6751,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6761,7 +6766,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -6789,7 +6794,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -6825,7 +6830,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -6844,7 +6849,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index c903af0d69..5b48f60f9c 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    chroot and setuid
    
+
    chroot and setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -118,7 +118,7 @@ zone "example.com" {
 
 
    
 
    
-chroot and setuid
    
+chroot and setuid
    
 
    
           On UNIX servers, it is possible to run BIND in a chrooted environment
           (using the chroot() function) by specifying the "-t"
@@ -141,7 +141,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    
             In order for a chroot environment
             to
@@ -169,7 +169,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    
             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 47bd5155ed..da8d9ad3f1 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    
           Zone serial numbers are just numbers-they aren't date
           related.  A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 1a130bfa7e..1ea9836a65 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
    
@@ -148,7 +148,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -235,17 +235,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -253,42 +253,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -297,19 +297,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4044] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4044] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -317,146 +317,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -472,50 +472,50 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -529,39 +529,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -582,13 +582,13 @@
 
 
    
 
    
-Other Documents About BIND
    
+Other Documents About BIND
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 4cd7b41821..6536bfa2c8 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -155,54 +155,54 @@
 
    server Statement Grammar
    
 
    server Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    chroot and setuid
    
+
    chroot and setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index eaa7d3ac26..85c38f49e1 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -91,7 +91,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -137,7 +137,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -237,7 +237,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -556,7 +556,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -602,7 +602,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -616,14 +616,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -631,7 +631,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 624e07bca8..6a28ed3722 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC <TBA\>.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -166,7 +166,7 @@
 
    
 
    
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -212,7 +212,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -233,7 +233,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535,
@@ -242,7 +242,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 26ce99cfff..69b05257e8 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -257,7 +257,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated in the dnssec-keygen
@@ -283,14 +283,14 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 2535.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 849afd48a1..1fdac5adf9 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index b9c5f05792..af8ef58f74 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-v] [-j] [-t directory] {filename} [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -t directory
    
 
    
@@ -88,20 +88,20 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index a2bd805a00..003ead0e42 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -251,21 +251,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       RFC 1035,
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index f9cc37c5f2..97fc3afb79 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -198,7 +198,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -228,7 +228,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -241,7 +241,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -252,7 +252,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 51f93932dd..d9b20622a2 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -171,7 +171,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -196,7 +196,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index a401cb8957..e9a22f04b5 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index b5bee8d2db..41d24a60ca 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -152,7 +152,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -166,7 +166,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       named(8),
       named.conf(5)
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From 44f44f996c6fd115265646ebdf4a11bcc2d0c1fb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 14 Sep 2006 23:18:00 +0000
Subject: [PATCH 462/465] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 23ef13e627..ead9a446e4 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -70,6 +70,7 @@ rt16341				new
 rt16354				new	
 rt16361				new	
 rt16363				new	
+rt16399				new	
 rt1727				open		// ixfr-from-differences workfile
 skan				new	
 skan-metazones1			private	

From c1c9e72292db84ebf69093f38a2d1a4a60aeebab Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 15 Sep 2006 00:31:24 +0000
Subject: [PATCH 463/465] 4641:   DNSSEC Operational Practices

---
 doc/rfc/fetch                                 |    1 +
 doc/rfc/index                                 |    1 +
 .../rfc4641.txt}                              | 2033 ++++++++---------
 3 files changed, 992 insertions(+), 1043 deletions(-)
 rename doc/{draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt => rfc/rfc4641.txt} (51%)

diff --git a/doc/rfc/fetch b/doc/rfc/fetch
index 634ce2af4f..17ce40fe85 100755
--- a/doc/rfc/fetch
+++ b/doc/rfc/fetch
@@ -1,5 +1,6 @@
 #!/bin/sh -f
 for i in $*
 do
+	i=`echo $i | sed -e 's/^rfc//' -e 's/\.txt$//'`
 	fetch "http://www.ietf.org/rfc/rfc${i}.txt"
 done
diff --git a/doc/rfc/index b/doc/rfc/index
index ded9674700..990d4a90be 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -111,3 +111,4 @@
 	 in E-Mail, Version 1
 4470:	Minimally Covering NSEC Records and DNSSEC On-line Signing
 4634:	US Secure Hash Algorithms (SHA and HMAC-SHA)
+4641:	DNSSEC Operational Practices
diff --git a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt b/doc/rfc/rfc4641.txt
similarity index 51%
rename from doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
rename to doc/rfc/rfc4641.txt
index 8ca68a8b2b..0a013bcba5 100644
--- a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
+++ b/doc/rfc/rfc4641.txt
@@ -1,39 +1,22 @@
 
 
 
-DNSOP                                                         O. Kolkman
-Internet-Draft                                                 R. Gieben
-Obsoletes: 2541 (if approved)                                 NLnet Labs
-Expires: September 7, 2006                                 March 6, 2006
+
+
+
+Network Working Group                                         O. Kolkman
+Request for Comments: 4641                                     R. Gieben
+Obsoletes: 2541                                               NLnet Labs
+Category: Informational                                   September 2006
 
 
                       DNSSEC Operational Practices
-          draft-ietf-dnsop-dnssec-operational-practices-08.txt
 
-Status of this Memo
+Status of This Memo
 
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on September 7, 2006.
+   This memo provides information for the Internet community.  It does
+   not specify an Internet standard of any kind.  Distribution of this
+   memo is unlimited.
 
 Copyright Notice
 
@@ -46,136 +29,100 @@ Abstract
    administrators deploying DNSSEC.
 
    The document discusses operational aspects of using keys and
-   signatures in the DNS.  It discusses issues as key generation, key
-   storage, signature generation, key rollover and related policies.
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006               [Page 1]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
+   signatures in the DNS.  It discusses issues of key generation, key
+   storage, signature generation, key rollover, and related policies.
 
    This document obsoletes RFC 2541, as it covers more operational
-   ground and gives more up to date requirements with respect to key
+   ground and gives more up-to-date requirements with respect to key
    sizes and the new DNSSEC specification.
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 1]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
 Table of Contents
 
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.1.  The Use of the Term 'key'  . . . . . . . . . . . . . . . .  4
-     1.2.  Time Definitions . . . . . . . . . . . . . . . . . . . . .  5
-   2.  Keeping the Chain of Trust Intact  . . . . . . . . . . . . . .  5
-   3.  Keys Generation and Storage  . . . . . . . . . . . . . . . . .  6
-     3.1.  Zone and Key Signing Keys  . . . . . . . . . . . . . . . .  6
-       3.1.1.  Motivations for the KSK and ZSK Separation . . . . . .  7
-       3.1.2.  KSKs for High Level Zones  . . . . . . . . . . . . . .  8
-     3.2.  Key Generation . . . . . . . . . . . . . . . . . . . . . .  8
-     3.3.  Key Effectivity Period . . . . . . . . . . . . . . . . . .  9
-     3.4.  Key Algorithm  . . . . . . . . . . . . . . . . . . . . . .  9
-     3.5.  Key Sizes  . . . . . . . . . . . . . . . . . . . . . . . . 10
-     3.6.  Private Key Storage  . . . . . . . . . . . . . . . . . . . 12
-   4.  Signature generation, Key Rollover and Related Policies  . . . 12
-     4.1.  Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
-       4.1.1.  Time Considerations  . . . . . . . . . . . . . . . . . 13
-     4.2.  Key Rollovers  . . . . . . . . . . . . . . . . . . . . . . 14
-       4.2.1.  Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
-       4.2.2.  Key Signing Key Rollovers  . . . . . . . . . . . . . . 19
-       4.2.3.  Difference Between ZSK and KSK Rollovers . . . . . . . 20
-       4.2.4.  Automated Key Rollovers  . . . . . . . . . . . . . . . 21
-     4.3.  Planning for Emergency Key Rollover  . . . . . . . . . . . 22
-       4.3.1.  KSK Compromise . . . . . . . . . . . . . . . . . . . . 22
-       4.3.2.  ZSK Compromise . . . . . . . . . . . . . . . . . . . . 24
-       4.3.3.  Compromises of Keys Anchored in Resolvers  . . . . . . 24
-     4.4.  Parental Policies  . . . . . . . . . . . . . . . . . . . . 24
-       4.4.1.  Initial Key Exchanges and Parental Policies
-               Considerations . . . . . . . . . . . . . . . . . . . . 24
-       4.4.2.  Storing Keys or Hashes?  . . . . . . . . . . . . . . . 25
-       4.4.3.  Security Lameness  . . . . . . . . . . . . . . . . . . 25
-       4.4.4.  DS Signature Validity Period . . . . . . . . . . . . . 26
-   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 26
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 27
-   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 27
-   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
-     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 27
-     8.2.  Informative References . . . . . . . . . . . . . . . . . . 28
-   Appendix A.  Terminology . . . . . . . . . . . . . . . . . . . . . 29
-   Appendix B.  Zone Signing Key Rollover Howto . . . . . . . . . . . 30
-   Appendix C.  Typographic Conventions . . . . . . . . . . . . . . . 31
-   Appendix D.  Document Details and Changes  . . . . . . . . . . . . 33
+   1. Introduction ....................................................3
+      1.1. The Use of the Term 'key' ..................................4
+      1.2. Time Definitions ...........................................4
+   2. Keeping the Chain of Trust Intact ...............................5
+   3. Keys Generation and Storage .....................................6
+      3.1. Zone and Key Signing Keys ..................................6
+           3.1.1. Motivations for the KSK and ZSK Separation ..........6
+           3.1.2. KSKs for High-Level Zones ...........................7
+      3.2. Key Generation .............................................8
+      3.3. Key Effectivity Period .....................................8
+      3.4. Key Algorithm ..............................................9
+      3.5. Key Sizes ..................................................9
+      3.6. Private Key Storage .......................................11
+   4. Signature Generation, Key Rollover, and Related Policies .......12
+      4.1. Time in DNSSEC ............................................12
+           4.1.1. Time Considerations ................................12
+      4.2. Key Rollovers .............................................14
+           4.2.1. Zone Signing Key Rollovers .........................14
+                  4.2.1.1. Pre-Publish Key Rollover ..................15
+                  4.2.1.2. Double Signature Zone Signing Key
+                           Rollover ..................................17
+                  4.2.1.3. Pros and Cons of the Schemes ..............18
+           4.2.2. Key Signing Key Rollovers ..........................18
+           4.2.3. Difference Between ZSK and KSK Rollovers ...........20
+           4.2.4. Automated Key Rollovers ............................21
+      4.3. Planning for Emergency Key Rollover .......................21
+           4.3.1. KSK Compromise .....................................22
+                  4.3.1.1. Keeping the Chain of Trust Intact .........22
+                  4.3.1.2. Breaking the Chain of Trust ...............23
+           4.3.2. ZSK Compromise .....................................23
+           4.3.3. Compromises of Keys Anchored in Resolvers ..........24
+      4.4. Parental Policies .........................................24
+           4.4.1. Initial Key Exchanges and Parental Policies
+                  Considerations .....................................24
+           4.4.2. Storing Keys or Hashes? ............................25
+           4.4.3. Security Lameness ..................................25
+           4.4.4. DS Signature Validity Period .......................26
+   5. Security Considerations ........................................26
+   6. Acknowledgments ................................................26
+   7. References .....................................................27
+      7.1. Normative References ......................................27
+      7.2. Informative References ....................................28
+   Appendix A. Terminology ...........................................30
+   Appendix B. Zone Signing Key Rollover How-To ......................31
+   Appendix C. Typographic Conventions ...............................32
 
 
 
-Kolkman & Gieben        Expires September 7, 2006               [Page 2]
+
+Kolkman & Gieben             Informational                      [Page 2]
 
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-     D.1.  draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 33
-     D.2.  draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 33
-     D.3.  draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 33
-     D.4.  draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 33
-     D.5.  draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 34
-     D.6.  draft-ietf-dnsop-dnssec-operational-practices-05 . . . . . 34
-     D.7.  draft-ietf-dnsop-dnssec-operational-practices-06 . . . . . 34
-     D.8.  draft-ietf-dnsop-dnssec-operational-practices-07 . . . . . 34
-     D.9.  draft-ietf-dnsop-dnssec-operational-practices-08 . . . . . 34
-   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
-   Intellectual Property and Copyright Statements . . . . . . . . . . 36
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006               [Page 3]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
+RFC 4641              DNSSEC Operational Practices        September 2006
 
 
 1.  Introduction
 
-   This document describes how to run a DNSSEC (DNS SECure) enabled
+   This document describes how to run a DNS Security (DNSSEC)-enabled
    environment.  It is intended for operators who have knowledge of the
-   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want deploy DNSSEC.  See
-   RFC 4033 [4] for an introduction into DNSSEC and RFC 4034 [5] for the
-   newly introduced Resource Records and finally RFC 4035 [6] for the
+   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
+   See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the
+   newly introduced Resource Records (RRs), and RFC 4035 [6] for the
    protocol changes.
 
    During workshops and early operational deployment tests, operators
@@ -187,11 +134,11 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    explicitly not be seen as representing 'Best Current Practices'.
 
    The procedures herein are focused on the maintenance of signed zones
-   (i.e. signing and publishing zones on authoritative servers).  It is
+   (i.e., signing and publishing zones on authoritative servers).  It is
    intended that maintenance of zones such as re-signing or key
    rollovers be transparent to any verifying clients on the Internet.
 
-   The structure of this document is as follows.  In Section 2 we
+   The structure of this document is as follows.  In Section 2, we
    discuss the importance of keeping the "chain of trust" intact.
    Aspects of key generation and storage of private keys are discussed
    in Section 3; the focus in this section is mainly on the private part
@@ -199,7 +146,7 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    public part of the keys.  Since these public keys appear in the DNS
    one has to take into account all kinds of timing issues, which are
    discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
-   rollover, or supercession, of keys.  Finally Section 4.4 discusses
+   rollover, or supercession, of keys.  Finally, Section 4.4 discusses
    considerations on how parents deal with their children's public keys
    in order to maintain chains of trust.
 
@@ -207,80 +154,90 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    Appendix C.
 
    Since this is a document with operational suggestions and there are
-   no protocol specifications, the RFC 2119 [9] language does not apply.
+   no protocol specifications, the RFC 2119 [7] language does not apply.
+
+   This document obsoletes RFC 2541 [12] to reflect the evolution of the
+   underlying DNSSEC protocol since then.  Changes in the choice of
+   cryptographic algorithms, DNS record types and type names, and the
+   parent-child key and signature exchange demanded a major rewrite and
+   additional information and explanation.
+
+
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 3]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
 
-   This document obsoletes RFC 2541 [12].
 
 1.1.  The Use of the Term 'key'
 
    It is assumed that the reader is familiar with the concept of
-   asymmetric keys on which DNSSEC is based (Public Key Cryptography
-   [18]).  Therefore, this document will use the term 'key' rather
+   asymmetric keys on which DNSSEC is based (public key cryptography
+   [17]).  Therefore, this document will use the term 'key' rather
    loosely.  Where it is written that 'a key is used to sign data' it is
-
-
-
-Kolkman & Gieben        Expires September 7, 2006               [Page 4]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
    assumed that the reader understands that it is the private part of
    the key pair that is used for signing.  It is also assumed that the
    reader understands that the public part of the key pair is published
-   in the DNSKEY resource record and that it is the public part that is
+   in the DNSKEY Resource Record and that it is the public part that is
    used in key exchanges.
 
 1.2.  Time Definitions
 
-   In this document we will be using a number of time related terms.
+   In this document, we will be using a number of time-related terms.
    The following definitions apply:
-   o  "Signature validity period"
-         The period that a signature is valid.  It starts at the time
-         specified in the signature inception field of the RRSIG RR and
-         ends at the time specified in the expiration field of the RRSIG
-         RR.
-   o  "Signature publication period"
-         Time after which a signature (made with a specific key) is
-         replaced with a new signature (made with the same key).  This
-         replacement takes place by publishing the relevant RRSIG in the
-         master zone file.
-         After one stops publishing an RRSIG in a zone it may take a
-         while before the RRSIG has expired from caches and has actually
-         been removed from the DNS.
-   o  "Key effectivity period"
-         The period during which a key pair is expected to be effective.
-         This period is defined as the time between the first inception
-         time stamp and the last expiration date of any signature made
-         with this key, regardless of any discontinuity in the use of
-         the key.
-         The key effectivity period can span multiple signature validity
-         periods.
-   o  "Maximum/Minimum Zone Time to Live (TTL)"
-         The maximum or minimum value of the TTLs from the complete set
-         of RRs in a zone.  Note that the minimum TTL is not the same as
-         the MINIMUM field in the SOA RR.  See [11] for more
-         information.
+
+   o  "Signature validity period" The period that a signature is valid.
+      It starts at the time specified in the signature inception field
+      of the RRSIG RR and ends at the time specified in the expiration
+      field of the RRSIG RR.
+
+   o  "Signature publication period" Time after which a signature (made
+      with a specific key) is replaced with a new signature (made with
+      the same key).  This replacement takes place by publishing the
+      relevant RRSIG in the master zone file.  After one stops
+      publishing an RRSIG in a zone, it may take a while before the
+      RRSIG has expired from caches and has actually been removed from
+      the DNS.
+
+   o  "Key effectivity period" The period during which a key pair is
+      expected to be effective.  This period is defined as the time
+      between the first inception time stamp and the last expiration
+      date of any signature made with this key, regardless of any
+      discontinuity in the use of the key.  The key effectivity period
+      can span multiple signature validity periods.
+
+   o  "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
+      value of the TTLs from the complete set of RRs in a zone.  Note
+      that the minimum TTL is not the same as the MINIMUM field in the
+      SOA RR.  See [11] for more information.
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 4]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
 
 
 2.  Keeping the Chain of Trust Intact
 
    Maintaining a valid chain of trust is important because broken chains
    of trust will result in data being marked as Bogus (as defined in [4]
-   section 5), which may cause entire (sub)domains to become invisible
+   Section 5), which may cause entire (sub)domains to become invisible
    to verifying clients.  The administrators of secured zones have to
    realize that their zone is, to verifying clients, part of a chain of
    trust.
 
    As mentioned in the introduction, the procedures herein are intended
-
-
-
-Kolkman & Gieben        Expires September 7, 2006               [Page 5]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
    to ensure that maintenance of zones, such as re-signing or key
    rollovers, will be transparent to the verifying clients on the
    Internet.
@@ -290,61 +247,68 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    seen by verifying clients; it may take some time for the data to be
    transferred to other secondary authoritative nameservers and clients
    may be fetching data from caching non-authoritative servers.  In this
-   light it is good to note that the time for a zone transfer from
-   master to slave is negligible when using NOTIFY [8] and IXFR [7],
-   increasing by reliance on AXFR, and more if you rely on the SOA
-   timing parameters for zone refresh.
+   light, note that the time for a zone transfer from master to slave is
+   negligible when using NOTIFY [9] and incremental transfer (IXFR) [8].
+   It increases when full zone transfers (AXFR) are used in combination
+   with NOTIFY.  It increases even more if you rely on full zone
+   transfers based on only the SOA timing parameters for refresh.
 
-   For the verifying clients it is important that data from secured
+   For the verifying clients, it is important that data from secured
    zones can be used to build chains of trust regardless of whether the
-   data came directly from an authoritative server, a caching nameserver
-   or some middle box.  Only by carefully using the available timing
-   parameters can a zone administrator assure that the data necessary
-   for verification can be obtained.
+   data came directly from an authoritative server, a caching
+   nameserver, or some middle box.  Only by carefully using the
+   available timing parameters can a zone administrator ensure that the
+   data necessary for verification can be obtained.
 
    The responsibility for maintaining the chain of trust is shared by
    administrators of secured zones in the chain of trust.  This is most
-   obvious in the case of a 'key compromise' when a trade off between
+   obvious in the case of a 'key compromise' when a trade-off between
    maintaining a valid chain of trust and replacing the compromised keys
    as soon as possible must be made.  Then zone administrators will have
-   to make a trade off, between keeping the chain of trust intact -
-   thereby allowing for attacks with the compromised key - or to
-   deliberately break the chain of trust and making secured sub domains
-   invisible to security aware resolvers.  Also see Section 4.3.
+   to make a trade-off, between keeping the chain of trust intact --
+   thereby allowing for attacks with the compromised key -- or
+   deliberately breaking the chain of trust and making secured
+   subdomains invisible to security-aware resolvers.  Also see Section
+   4.3.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 5]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
 
 
 3.  Keys Generation and Storage
 
    This section describes a number of considerations with respect to the
    security of keys.  It deals with the generation, effectivity period,
-   size and storage of private keys.
+   size, and storage of private keys.
 
 3.1.  Zone and Key Signing Keys
 
    The DNSSEC validation protocol does not distinguish between different
    types of DNSKEYs.  All DNSKEYs can be used during the validation.  In
-   practice operators use Key Signing and Zone Signing Keys and use the
-   so-called (Secure Entry Point) SEP [3] flag to distinguish between
+   practice, operators use Key Signing and Zone Signing Keys and use the
+   so-called Secure Entry Point (SEP) [3] flag to distinguish between
    them during operations.  The dynamics and considerations are
    discussed below.
 
    To make zone re-signing and key rollover procedures easier to
-
-
-
-Kolkman & Gieben        Expires September 7, 2006               [Page 6]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
    implement, it is possible to use one or more keys as Key Signing Keys
-   (KSK).  These keys will only sign the apex DNSKEY RRSet in a zone.
+   (KSKs).  These keys will only sign the apex DNSKEY RRSet in a zone.
    Other keys can be used to sign all the RRSets in a zone and are
-   referred to as Zone Signing Keys (ZSK).  In this document we assume
+   referred to as Zone Signing Keys (ZSKs).  In this document, we assume
    that KSKs are the subset of keys that are used for key exchanges with
-   the parent and potentially for configuration as trusted anchors - the
-   SEP keys.  In this document we assume a one-to-one mapping between
-   KSK and SEP keys and we assume the SEP flag to be set on all KSKs.
+   the parent and potentially for configuration as trusted anchors --
+   the SEP keys.  In this document, we assume a one-to-one mapping
+   between KSK and SEP keys and we assume the SEP flag to be set on all
+   KSKs.
 
 3.1.1.  Motivations for the KSK and ZSK Separation
 
@@ -352,19 +316,30 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    advantages:
 
    o  No parent/child interaction is required when ZSKs are updated.
-   o  The KSK can be made stronger (i.e. using more bits in the key
+
+   o  The KSK can be made stronger (i.e., using more bits in the key
       material).  This has little operational impact since it is only
-      used to sign a small fraction of the zone data.  Also the KSK is
+      used to sign a small fraction of the zone data.  Also, the KSK is
       only used to verify the zone's key set, not for other RRSets in
       the zone.
+
    o  As the KSK is only used to sign a key set, which is most probably
       updated less frequently than other data in the zone, it can be
       stored separately from and in a safer location than the ZSK.
+
    o  A KSK can have a longer key effectivity period.
 
-   For almost any method of key management and zone signing the KSK is
+   For almost any method of key management and zone signing, the KSK is
    used less frequently than the ZSK.  Once a key set is signed with the
-   KSK all the keys in the key set can be used as ZSK.  If a ZSK is
+   KSK, all the keys in the key set can be used as ZSKs.  If a ZSK is
+
+
+
+Kolkman & Gieben             Informational                      [Page 6]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
    compromised, it can be simply dropped from the key set.  The new key
    set is then re-signed with the KSK.
 
@@ -373,55 +348,54 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    RR.  If the flag field is an odd number it is a KSK.  If it is an
    even number it is a ZSK.
 
-   The zone signing key can be used to sign all the data in a zone on a
-   regular basis.  When a zone signing key is to be rolled, no
-   interaction with the parent is needed.  This allows for "Signature
-   Validity Periods" on the order of days.
+   The Zone Signing Key can be used to sign all the data in a zone on a
+   regular basis.  When a Zone Signing Key is to be rolled, no
+   interaction with the parent is needed.  This allows for signature
+   validity periods on the order of days.
 
-   The key signing key is only to be used to sign the DNSKEY RRs in a
-   zone.  If a key signing key is to be rolled over, there will be
+   The Key Signing Key is only to be used to sign the DNSKEY RRs in a
+   zone.  If a Key Signing Key is to be rolled over, there will be
    interactions with parties other than the zone administrator.  These
    can include the registry of the parent zone or administrators of
    verifying resolvers that have the particular key configured as secure
    entry points.  Hence, the key effectivity period of these keys can
    and should be made much longer.  Although, given a long enough key,
-
-
-
-Kolkman & Gieben        Expires September 7, 2006               [Page 7]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   the Key Effectivity Period can be on the order of years we suggest
-   planning for a key effectivity of the order of a few months so that a
+   the key effectivity period can be on the order of years, we suggest
+   planning for a key effectivity on the order of a few months so that a
    key rollover remains an operational routine.
 
-3.1.2.  KSKs for High Level Zones
+3.1.2.  KSKs for High-Level Zones
 
-   Higher level zones are generally more sensitive than lower level
+   Higher-level zones are generally more sensitive than lower-level
    zones.  Anyone controlling or breaking the security of a zone thereby
-   obtains authority over all of its sub domains (except in the case of
-   resolvers that have locally configured the public key of a sub
-   domain, in which case this, and only this, sub domain wouldn't be
-   affected by the compromise of the parent zone).  Therefore, extra
-   care should be taken with high level zones and strong keys should
-   used.
+   obtains authority over all of its subdomains (except in the case of
+   resolvers that have locally configured the public key of a subdomain,
+   in which case this, and only this, subdomain wouldn't be affected by
+   the compromise of the parent zone).  Therefore, extra care should be
+   taken with high-level zones, and strong keys should be used.
 
    The root zone is the most critical of all zones.  Someone controlling
    or compromising the security of the root zone would control the
-   entire DNS name space of all resolvers using that root zone (except
-   in the case of resolvers that have locally configured the public key
-   of a sub domain).  Therefore, the utmost care must be taken in the
+   entire DNS namespace of all resolvers using that root zone (except in
+   the case of resolvers that have locally configured the public key of
+   a subdomain).  Therefore, the utmost care must be taken in the
    securing of the root zone.  The strongest and most carefully handled
    keys should be used.  The root zone private key should always be kept
-   off line.
+   off-line.
 
    Many resolvers will start at a root server for their access to and
    authentication of DNS data.  Securely updating the trust anchors in
    an enormous population of resolvers around the world will be
    extremely difficult.
 
+
+
+
+Kolkman & Gieben             Informational                      [Page 7]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
 3.2.  Key Generation
 
    Careful generation of all keys is a sometimes overlooked but
@@ -430,137 +404,121 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    use if an adversary can guess enough to lower the size of the likely
    key space so that it can be exhaustively searched.  Technical
    suggestions for the generation of random keys will be found in RFC
-   4086 [15].  One should carefully assess if the random number
+   4086 [14].  One should carefully assess if the random number
    generator used during key generation adheres to these suggestions.
 
    Keys with a long effectivity period are particularly sensitive as
    they will represent a more valuable target and be subject to attack
-   for a longer time than short period keys.  It is strongly recommended
-   that long term key generation occur off-line in a manner isolated
-   from the network via an air gap or, at a minimum, high level secure
+   for a longer time than short-period keys.  It is strongly recommended
+   that long-term key generation occur off-line in a manner isolated
+   from the network via an air gap or, at a minimum, high-level secure
    hardware.
 
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006               [Page 8]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
 3.3.  Key Effectivity Period
 
-   For various reasons keys in DNSSEC need to be changed once in a
+   For various reasons, keys in DNSSEC need to be changed once in a
    while.  The longer a key is in use, the greater the probability that
    it will have been compromised through carelessness, accident,
-   espionage, or cryptanalysis.  Furthermore when key rollovers are too
+   espionage, or cryptanalysis.  Furthermore, when key rollovers are too
    rare an event, they will not become part of the operational habit and
    there is risk that nobody on-site will remember the procedure for
    rollover when the need is there.
 
-   From a purely operational perspective a reasonable key effectivity
+   From a purely operational perspective, a reasonable key effectivity
    period for Key Signing Keys is 13 months, with the intent to replace
    them after 12 months.  An intended key effectivity period of a month
    is reasonable for Zone Signing Keys.
 
-   For key sizes that matches these effectivity periods see Section 3.5.
+   For key sizes that match these effectivity periods, see Section 3.5.
 
-   As argued in Section 3.1.2 securely updating trust anchors will be
-   extremely difficult.  On the other hand the "operational habit"
+   As argued in Section 3.1.2, securely updating trust anchors will be
+   extremely difficult.  On the other hand, the "operational habit"
    argument does also apply to trust anchor reconfiguration.  If a short
-   key-effectivity period is used and the trust anchor configuration has
-   to be revisited on a regular basis the odds that the configuration
+   key effectivity period is used and the trust anchor configuration has
+   to be revisited on a regular basis, the odds that the configuration
    tends to be forgotten is smaller.  The trade-off is against a system
    that is so dynamic that administrators of the validating clients will
    not be able to follow the modifications.
 
-   Key effectivity periods can be made very short, as in the order of a
-   few minutes.  But when replacing keys one has to take the
-   considerations from Section 4.1 and Section 4.2 into account.
+   Key effectivity periods can be made very short, as in a few minutes.
+   But when replacing keys one has to take the considerations from
+   Section 4.1 and Section 4.2 into account.
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 8]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
 
 3.4.  Key Algorithm
 
    There are currently three different types of algorithms that can be
-   used in DNSSEC: RSA, DSA and elliptic curve cryptography.  The latter
-   is fairly new and has yet to be standardized for usage in DNSSEC.
+   used in DNSSEC: RSA, DSA, and elliptic curve cryptography.  The
+   latter is fairly new and has yet to be standardized for usage in
+   DNSSEC.
 
    RSA has been developed in an open and transparent manner.  As the
    patent on RSA expired in 2000, its use is now also free.
 
-   DSA has been developed by NIST.  The creation of signatures takes
-   roughly the same time as with RSA, but is 10 to 40 times as slow for
-   verification [18].
+   DSA has been developed by the National Institute of Standards and
+   Technology (NIST).  The creation of signatures takes roughly the same
+   time as with RSA, but is 10 to 40 times as slow for verification
+   [17].
 
    We suggest the use of RSA/SHA-1 as the preferred algorithm for the
    key.  The current known attacks on RSA can be defeated by making your
-   key longer.  As the MD5 hashing algorithm is showing (theoretical)
-   cracks, we recommend the usage of SHA-1.
+   key longer.  As the MD5 hashing algorithm is showing cracks, we
+   recommend the usage of SHA-1.
 
-
-
-
-Kolkman & Gieben        Expires September 7, 2006               [Page 9]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   At the time of publication it is known that the SHA-1 hash has
+   At the time of publication, it is known that the SHA-1 hash has
    cryptanalysis issues.  There is work in progress on addressing these
    issues.  We recommend the use of public key algorithms based on
-   hashes stronger than SHA-1, e.g.  SHA-256, as soon as these
-   algorithms are available in protocol specifications (See [20] and
-   [21] ) and implementations.
+   hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
+   algorithms are available in protocol specifications (see [19] and
+   [20]) and implementations.
 
 3.5.  Key Sizes
 
    When choosing key sizes, zone administrators will need to take into
    account how long a key will be used, how much data will be signed
-   during the key publication period (See Section 8.10 of [18]) and,
+   during the key publication period (see Section 8.10 of [17]), and,
    optionally, how large the key size of the parent is.  As the chain of
    trust really is "a chain", there is not much sense in making one of
    the keys in the chain several times larger then the others.  As
    always, it's the weakest link that defines the strength of the entire
    chain.  Also see Section 3.1.1 for a discussion of how keys serving
-   different roles (ZSK v.  KSK) may need different key sizes.
+   different roles (ZSK vs. KSK) may need different key sizes.
 
-   Generating a key of the correct size is a difficult problem, RFC 3766
-   [14] tries to deal with that problem.  The first part of the
+   Generating a key of the correct size is a difficult problem; RFC 3766
+   [13] tries to deal with that problem.  The first part of the
    selection procedure in Section 1 of the RFC states:
 
       1. Determine the attack resistance necessary to satisfy the
          security requirements of the application.  Do this by
-         estimating the minimum number of computer operations that
-         the attacker will be forced to do in order to compromise
-         the security of the system and then take the logarithm base
-         two of that number.  Call that logarithm value "n".
+         estimating the minimum number of computer operations that the
+         attacker will be forced to do in order to compromise the
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 9]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+         security of the system and then take the logarithm base two of
+         that number.  Call that logarithm value "n".
 
          A 1996 report recommended 90 bits as a good all-around choice
-         for system security.  The 90 bit number should be increased
-         by about 2/3 bit/year, or about 96 bits in 2005.
+         for system security.  The 90 bit number should be increased by
+         about 2/3 bit/year, or about 96 bits in 2005.
 
-   [14] goes on to explain how this number "n" can be used to calculate
+   [13] goes on to explain how this number "n" can be used to calculate
    the key sizes in public key cryptography.  This culminated in the
    table given below (slightly modified for our purpose):
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 10]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
       +-------------+-----------+--------------+
       | System      |           |              |
       | requirement | Symmetric | RSA or DSA   |
@@ -581,48 +539,49 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    resilient against a trillionaire attacker.  Assuming this rich
    attacker will not attack your key and that the key is rolled over
    once a year, we come to the following recommendations about KSK
-   sizes; 1024 bits low value domains, 1300 for medium value and 2048
-   for the high value domains.
+   sizes: 1024 bits for low-value domains, 1300 bits for medium-value
+   domains, and 2048 bits for high-value domains.
 
-   Whether a domain is of low, medium, high value depends solely on the
-   views of the zone owner.  One could for instance view leaf nodes in
-   the DNS as of low value and TLDs or the root zone of high value.  The
-   suggested key sizes should be safe for the next 5 years.
+   Whether a domain is of low, medium, or high value depends solely on
+   the views of the zone owner.  One could, for instance, view leaf
+   nodes in the DNS as of low value, and top-level domains (TLDs) or the
+   root zone of high value.  The suggested key sizes should be safe for
+   the next 5 years.
 
-   As ZSKs can be rolled over more easily (and thus more often) the key
+   As ZSKs can be rolled over more easily (and thus more often), the key
    sizes can be made smaller.  But as said in the introduction of this
    paragraph, making the ZSKs' key sizes too small (in relation to the
    KSKs' sizes) doesn't make much sense.  Try to limit the difference in
    size to about 100 bits.
 
-   Note that nobody can see into the future, and that these key sizes
-   are only provided here as a guide.  Further information can be found
-   in [17] and Section 7.5 of [18].  It should be noted though that [17]
-   is already considered overly optimistic about what key sizes are
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 10]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   Note that nobody can see into the future and that these key sizes are
+   only provided here as a guide.  Further information can be found in
+   [16] and Section 7.5 of [17].  It should be noted though that [16] is
+   already considered overly optimistic about what key sizes are
    considered safe.
 
    One final note concerning key sizes.  Larger keys will increase the
    sizes of the RRSIG and DNSKEY records and will therefore increase the
-   chance of DNS UDP packet overflow.  Also the time it takes to
+   chance of DNS UDP packet overflow.  Also, the time it takes to
    validate and create RRSIGs increases with larger keys, so don't
    needlessly double your key sizes.
 
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 11]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
 3.6.  Private Key Storage
 
    It is recommended that, where possible, zone private keys and the
-   zone file master copy that is to be signed, be kept and used in off-
-   line, non-network connected, physically secure machines only.
-   Periodically an application can be run to add authentication to a
+   zone file master copy that is to be signed be kept and used in off-
+   line, non-network-connected, physically secure machines only.
+   Periodically, an application can be run to add authentication to a
    zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
    transferred.
 
@@ -630,49 +589,49 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    that at least one private key of the zone will have to reside on the
    master server.  This key is only as secure as the amount of exposure
    the server receives to unknown clients and the security of the host.
-   Although not mandatory one could administer the DNS in the following
+   Although not mandatory, one could administer the DNS in the following
    way.  The master that processes the dynamic updates is unavailable
    from generic hosts on the Internet, it is not listed in the NS RR
    set, although its name appears in the SOA RRs MNAME field.  The
-   nameservers in the NS RR set are able to receive zone updates through
-   NOTIFY, IXFR, AXFR or an out-of-band distribution mechanism.  This
+   nameservers in the NS RRSet are able to receive zone updates through
+   NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism.  This
    approach is known as the "hidden master" setup.
 
-   The ideal situation is to have a one way information flow to the
+   The ideal situation is to have a one-way information flow to the
    network to avoid the possibility of tampering from the network.
    Keeping the zone master file on-line on the network and simply
    cycling it through an off-line signer does not do this.  The on-line
    version could still be tampered with if the host it resides on is
    compromised.  For maximum security, the master copy of the zone file
-   should be off net and should not be updated based on an unsecured
+   should be off-net and should not be updated based on an unsecured
    network mediated communication.
 
-   In general keeping a zone-file off-line will not be practical and the
-   machines on which zone files are maintained will be connected to a
-   network.  Operators are advised to take security measures to shield
+   In general, keeping a zone file off-line will not be practical and
+   the machines on which zone files are maintained will be connected to
+   a network.  Operators are advised to take security measures to shield
    unauthorized access to the master copy.
 
-   For dynamically updated secured zones [10] both the master copy and
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 11]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   For dynamically updated secured zones [10], both the master copy and
    the private key that is used to update signatures on updated RRs will
    need to be on-line.
 
-
-4.  Signature generation, Key Rollover and Related Policies
+4.  Signature Generation, Key Rollover, and Related Policies
 
 4.1.  Time in DNSSEC
 
-   Without DNSSEC all times in DNS are relative.  The SOA fields
-   REFRESH, RETRY and EXPIRATION are timers used to determine the time
+   Without DNSSEC, all times in the DNS are relative.  The SOA fields
+   REFRESH, RETRY, and EXPIRATION are timers used to determine the time
    elapsed after a slave server synchronized with a master server.  The
    Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 12]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
    are used to determine how long a forwarder should cache data after it
    has been fetched from an authoritative server.  By using a signature
    validity period, DNSSEC introduces the notion of an absolute time in
@@ -684,92 +643,115 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
 
    Because of the expiration of signatures, one should consider the
    following:
+
    o  We suggest the Maximum Zone TTL of your zone data to be a fraction
       of your signature validity period.
+
          If the TTL would be of similar order as the signature validity
          period, then all RRSets fetched during the validity period
          would be cached until the signature expiration time.  Section
          7.1 of [4] suggests that "the resolver may use the time
          remaining before expiration of the signature validity period of
-         a signed RRSet as an upper bound for the TTL".  As a result
+         a signed RRSet as an upper bound for the TTL".  As a result,
          query load on authoritative servers would peak at signature
          expiration time, as this is also the time at which records
          simultaneously expire from caches.
-         To avoid query load peaks we suggest the TTL on all the RRs in
+
+         To avoid query load peaks, we suggest the TTL on all the RRs in
          your zone to be at least a few times smaller than your
          signature validity period.
-   o  We suggest the Signature Publication Period to end at least one
-      Maximum Zone TTL duration before the end of the Signature Validity
-      Period.
+
+   o  We suggest the signature publication period to end at least one
+      Maximum Zone TTL duration before the end of the signature validity
+      period.
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 12]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
          Re-signing a zone shortly before the end of the signature
          validity period may cause simultaneous expiration of data from
          caches.  This in turn may lead to peaks in the load on
          authoritative servers.
-   o  We suggest the minimum zone TTL to be long enough to both fetch
+
+   o  We suggest the Minimum Zone TTL to be long enough to both fetch
       and verify all the RRs in the trust chain.  In workshop
-      environments it has been demonstrated [19] that a low TTL (under 5
-      to 10 minutes) caused disruptions because of the following two
+      environments, it has been demonstrated [18] that a low TTL (under
+      5 to 10 minutes) caused disruptions because of the following two
       problems:
+
          1.  During validation, some data may expire before the
-         validation is complete.  The validator should be able to keep
-         all data, until is completed.  This applies to all RRs needed
-         to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
-         final answers i.e. the RRSet that is returned for the initial
-         query.
+             validation is complete.  The validator should be able to
+             keep all data until it is completed.  This applies to all
+             RRs needed to complete the chain of trust: DSes, DNSKEYs,
+             RRSIGs, and the final answers, i.e., the RRSet that is
+             returned for the initial query.
+
          2.  Frequent verification causes load on recursive nameservers.
-         Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
-         caching.  The TTL on those should be relatively long.
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 13]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
+             Data at delegation points, DSes, DNSKEYs, and RRSIGs
+             benefit from caching.  The TTL on those should be
+             relatively long.
 
    o  Slave servers will need to be able to fetch newly signed zones
       well before the RRSIGs in the zone served by the slave server pass
       their signature expiration time.
+
          When a slave server is out of sync with its master and data in
-         a zone is signed by expired signatures it may be better for the
-         slave server not to give out any answer.
-         Normally a slave server that is not able to contact a master
+         a zone is signed by expired signatures, it may be better for
+         the slave server not to give out any answer.
+
+         Normally, a slave server that is not able to contact a master
          server for an extended period will expire a zone.  When that
-         happens the server will respond differently to queries for that
-         zone.  Some servers issue SERVFAIL while others turn off the
-         'AA' bit in the answers.  The time of expiration is set in the
-         SOA record and is relative to the last successful refresh
-         between the master and the slave server.  There exists no
-         coupling between the signature expiration of RRSIGs in the zone
-         and the expire parameter in the SOA.
-         If the server serves a DNSSEC zone then it may well happen that
-         the signatures expire well before the SOA expiration timer
+         happens, the server will respond differently to queries for
+         that zone.  Some servers issue SERVFAIL, whereas others turn
+         off the 'AA' bit in the answers.  The time of expiration is set
+         in the SOA record and is relative to the last successful
+         refresh between the master and the slave servers.  There exists
+         no coupling between the signature expiration of RRSIGs in the
+         zone and the expire parameter in the SOA.
+
+         If the server serves a DNSSEC zone, then it may well happen
+         that the signatures expire well before the SOA expiration timer
          counts down to zero.  It is not possible to completely prevent
-         this from happening by tweaking the SOA parameters.
-         However, the effects can be minimized where the SOA expiration
-         time is equal or shorter than the signature validity period.
-         The consequence of an authoritative server not being able to
-         update a zone, whilst that zone includes expired signatures, is
-         that non-secure resolvers will continue to be able to resolve
-         data served by the particular slave servers while security
-         aware resolvers will experience problems because of answers
-         being marked as Bogus.
+         this from happening by tweaking the SOA parameters.  However,
+         the effects can be minimized where the SOA expiration time is
+         equal to or shorter than the signature validity period.  The
+         consequence of an authoritative server not being able to update
+
+
+
+Kolkman & Gieben             Informational                     [Page 13]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+         a zone, whilst that zone includes expired signatures, is that
+         non-secure resolvers will continue to be able to resolve data
+         served by the particular slave servers while security-aware
+         resolvers will experience problems because of answers being
+         marked as Bogus.
+
          We suggest the SOA expiration timer being approximately one
          third or one fourth of the signature validity period.  It will
          allow problems with transfers from the master server to be
-         noticed before the actual signature times out.
-         We also suggest that operators of nameservers that supply
-         secondary services develop 'watch dogs' to spot upcoming
-         signature expirations in zones they slave, and take appropriate
-         action.
+         noticed before the actual signature times out.  We also suggest
+         that operators of nameservers that supply secondary services
+         develop 'watch dogs' to spot upcoming signature expirations in
+         zones they slave, and take appropriate action.
+
          When determining the value for the expiration parameter one has
          to take the following into account: What are the chances that
-         all my secondaries expire the zone; How quickly can I reach an
-         administrator of secondary servers to load a valid zone?  All
-         these arguments are not DNSSEC specific but may influence the
-         choice of your signature validity intervals.
+         all my secondaries expire the zone? How quickly can I reach an
+         administrator of secondary servers to load a valid zone?  These
+         questions are not DNSSEC specific but may influence the choice
+         of your signature validity intervals.
 
 4.2.  Key Rollovers
 
@@ -777,93 +759,102 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    rollovers -- or supercessions, as they are sometimes called -- are a
    fact of life when using DNSSEC.  Zone administrators who are in the
    process of rolling their keys have to take into account that data
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 14]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
    published in previous versions of their zone still lives in caches.
    When deploying DNSSEC, this becomes an important consideration;
    ignoring data that may be in caches may lead to loss of service for
    clients.
 
    The most pressing example of this occurs when zone material signed
-   with an old key is being validated by a resolver which does not have
+   with an old key is being validated by a resolver that does not have
    the old zone key cached.  If the old key is no longer present in the
-   current zone, this validation fails, marking the data Bogus.
-   Alternatively, an attempt could be made to validate data which is
+   current zone, this validation fails, marking the data "Bogus".
+   Alternatively, an attempt could be made to validate data that is
    signed with a new key against an old key that lives in a local cache,
-   also resulting in data being marked Bogus.
+   also resulting in data being marked "Bogus".
 
 4.2.1.  Zone Signing Key Rollovers
 
-   For zone signing key rollovers there are two ways to make sure that
-   during the rollover data still cached can be verified with the new
-   key sets or newly generated signatures can be verified with the keys
-   still in caches.  One schema, described in Section 4.2.1.2, uses
-   double signatures; the other uses key pre-publication
-   (Section 4.2.1.1).  The pros, cons and recommendations are described
-   in Section 4.2.1.3.
+   For "Zone Signing Key rollovers", there are two ways to make sure
+   that during the rollover data still cached can be verified with the
+   new key sets or newly generated signatures can be verified with the
+   keys still in caches.  One schema, described in Section 4.2.1.2, uses
 
-4.2.1.1.  Pre-publish Key Rollover
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 14]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   double signatures; the other uses key pre-publication (Section
+   4.2.1.1).  The pros, cons, and recommendations are described in
+   Section 4.2.1.3.
+
+4.2.1.1.  Pre-Publish Key Rollover
 
    This section shows how to perform a ZSK rollover without the need to
-   sign all the data in a zone twice - the so-called "pre-publish
-   rollover".This method has advantages in the case of a key compromise.
-   If the old key is compromised, the new key has already been
-   distributed in the DNS.  The zone administrator is then able to
-   quickly switch to the new key and remove the compromised key from the
-   zone.  Another major advantage is that the zone size does not double,
-   as is the case with the double signature ZSK rollover.  A small
-   "HOWTO" for this kind of rollover can be found in Appendix B.
+   sign all the data in a zone twice -- the "pre-publish key rollover".
+   This method has advantages in the case of a key compromise.  If the
+   old key is compromised, the new key has already been distributed in
+   the DNS.  The zone administrator is then able to quickly switch to
+   the new key and remove the compromised key from the zone.  Another
+   major advantage is that the zone size does not double, as is the case
+   with the double signature ZSK rollover.  A small "how-to" for this
+   kind of rollover can be found in Appendix B.
 
-   Pre-publish Key Rollover involves four stages as follows:
+   Pre-publish key rollover involves four stages as follows:
 
-    initial         new DNSKEY       new RRSIGs      DNSKEY removal
+      ----------------------------------------------------------------
+      initial         new DNSKEY       new RRSIGs      DNSKEY removal
+      ----------------------------------------------------------------
+      SOA0            SOA1             SOA2            SOA3
+      RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
 
-    SOA0            SOA1             SOA2            SOA3
-    RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
+      DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
+      DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
+      DNSKEY11         DNSKEY11
+      RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
+      RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+      ----------------------------------------------------------------
 
-    DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
-    DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
-                    DNSKEY11         DNSKEY11
-    RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
-    RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+                         Pre-Publish Key Rollover
 
+   initial: Initial version of the zone: DNSKEY 1 is the Key Signing
+      Key.  DNSKEY 10 is used to sign all the data of the zone, the Zone
+      Signing Key.
 
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 15]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   initial: Initial version of the zone: DNSKEY 1 is the key signing
-      key.  DNSKEY 10 is used to sign all the data of the zone, the zone
-      signing key.
    new DNSKEY: DNSKEY 11 is introduced into the key set.  Note that no
       signatures are generated with this key yet, but this does not
       secure against brute force attacks on the public key.  The minimum
       duration of this pre-roll phase is the time it takes for the data
       to propagate to the authoritative servers plus TTL value of the
       key set.
-   new RRSIGs: At the "new RRSIGs" stage (SOA serial 2) DNSKEY 11 is
-      used to sign the data in the zone exclusively (i.e. all the
+
+   new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
+      used to sign the data in the zone exclusively (i.e., all the
       signatures from DNSKEY 10 are removed from the zone).  DNSKEY 10
       remains published in the key set.  This way data that was loaded
+
+
+
+Kolkman & Gieben             Informational                     [Page 15]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
       into caches from version 1 of the zone can still be verified with
-      key sets fetched from version 2 of the zone.
-      The minimum time that the key set including DNSKEY 10 is to be
-      published is the time that it takes for zone data from the
-      previous version of the zone to expire from old caches i.e. the
-      time it takes for this zone to propagate to all authoritative
-      servers plus the Maximum Zone TTL value of any of the data in the
-      previous version of the zone.
+      key sets fetched from version 2 of the zone.  The minimum time
+      that the key set including DNSKEY 10 is to be published is the
+      time that it takes for zone data from the previous version of the
+      zone to expire from old caches, i.e., the time it takes for this
+      zone to propagate to all authoritative servers plus the Maximum
+      Zone TTL value of any of the data in the previous version of the
+      zone.
+
    DNSKEY removal: DNSKEY 10 is removed from the zone.  The key set, now
-      only containing DNSKEY 1 and DNSKEY 11 is re-signed with the
+      only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
       DNSKEY 1.
 
    The above scheme can be simplified by always publishing the "future"
@@ -872,57 +863,43 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
    (II)":
 
+      ----------------------------------------------------------------
+      initial             new RRSIGs          new DNSKEY
+      ----------------------------------------------------------------
+      SOA0                SOA1                SOA2
+      RRSIG10(SOA0)       RRSIG11(SOA1)       RRSIG11(SOA2)
+
+      DNSKEY1             DNSKEY1             DNSKEY1
+      DNSKEY10            DNSKEY10            DNSKEY11
+      DNSKEY11            DNSKEY11            DNSKEY12
+      RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
+      RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
+      ----------------------------------------------------------------
+
+      ----------------------------------------------------------------
+      new RRSIGs (II)     new DNSKEY (II)
+      ----------------------------------------------------------------
+      SOA3                SOA4
+      RRSIG12(SOA3)       RRSIG12(SOA4)
+
+      DNSKEY1             DNSKEY1
+      DNSKEY11            DNSKEY12
+      DNSKEY12            DNSKEY13
+      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
+      RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
+      ----------------------------------------------------------------
+
+              Pre-Publish Key Rollover, Showing Two Rollovers
 
 
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 16]
+Kolkman & Gieben             Informational                     [Page 16]
 
-Internet-Draft        DNSSEC Operational Practices            March 2006
+RFC 4641              DNSSEC Operational Practices        September 2006
 
 
-       initial             new RRSIGs          new DNSKEY
-
-       SOA0                SOA1                SOA2
-       RRSIG10(SOA0)       RRSIG11(SOA1)       RRSIG11(SOA2)
-
-       DNSKEY1             DNSKEY1             DNSKEY1
-       DNSKEY10            DNSKEY10            DNSKEY11
-       DNSKEY11            DNSKEY11            DNSKEY12
-       RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
-       RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
-
-
-       new RRSIGs (II)     new DNSKEY (II)
-
-       SOA3                SOA4
-       RRSIG12(SOA3)       RRSIG12(SOA4)
-
-       DNSKEY1             DNSKEY1
-       DNSKEY11            DNSKEY12
-       DNSKEY12            DNSKEY13
-       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
-       RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
-
-
-   Pre-Publish Key Rollover, showing two rollovers.
-
    Note that the key introduced in the "new DNSKEY" phase is not used
    for production yet; the private key can thus be stored in a
    physically secure manner and does not need to be 'fetched' every time
@@ -931,57 +908,54 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
 4.2.1.2.  Double Signature Zone Signing Key Rollover
 
    This section shows how to perform a ZSK key rollover using the double
-   zone data signature scheme, aptly named "double sig rollover".
+   zone data signature scheme, aptly named "double signature rollover".
 
    During the "new DNSKEY" stage the new version of the zone file will
    need to propagate to all authoritative servers and the data that
    exists in (distant) caches will need to expire, requiring at least
-   the maximum Zone TTL.
+   the Maximum Zone TTL.
 
+   Double signature ZSK rollover involves three stages as follows:
 
+      ----------------------------------------------------------------
+      initial             new DNSKEY         DNSKEY removal
+      ----------------------------------------------------------------
+      SOA0                SOA1               SOA2
+      RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
+      RRSIG11(SOA1)
 
+      DNSKEY1             DNSKEY1            DNSKEY1
+      DNSKEY10            DNSKEY10           DNSKEY11
+      DNSKEY11
+      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
+      RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
+      RRSIG11(DNSKEY)
+      ----------------------------------------------------------------
 
+                Double Signature Zone Signing Key Rollover
 
+   initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
+      Key.  DNSKEY 10 is used to sign all the data of the zone, the Zone
+      Signing Key.
 
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 17]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   Double Signature Zone Signing Key Rollover involves three stages as
-   follows:
-
-       initial             new DNSKEY         DNSKEY removal
-
-       SOA0                SOA1               SOA2
-       RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
-                           RRSIG11(SOA1)
-
-       DNSKEY1             DNSKEY1            DNSKEY1
-       DNSKEY10            DNSKEY10           DNSKEY11
-                           DNSKEY11
-       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
-       RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
-                           RRSIG11(DNSKEY)
-
-   initial: Initial Version of the zone: DNSKEY 1 is the key signing
-      key.  DNSKEY 10 is used to sign all the data of the zone, the zone
-      signing key.
    new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
       introduced into the key set and all the data in the zone is signed
       with DNSKEY 10 and DNSKEY 11.  The rollover period will need to
       continue until all data from version 0 of the zone has expired
-      from remote caches.  This will take at least the maximum Zone TTL
+      from remote caches.  This will take at least the Maximum Zone TTL
       of version 0 of the zone.
+
    DNSKEY removal: DNSKEY 10 is removed from the zone.  All the
       signatures from DNSKEY 10 are removed from the zone.  The key set,
       now only containing DNSKEY 11, is re-signed with DNSKEY 1.
 
+
+
+Kolkman & Gieben             Informational                     [Page 17]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
    At every instance, RRSIGs from the previous version of the zone can
    be verified with the DNSKEY RRSet from the current version and the
    other way around.  The data from the current version can be verified
@@ -999,41 +973,48 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    during the rollover.  New data can be introduced in the zone as long
    as it is signed with both keys.
 
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 18]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
 4.2.1.3.  Pros and Cons of the Schemes
 
-   Pre-publish Key Rollover: This rollover does not involve signing the
+   Pre-publish key rollover: This rollover does not involve signing the
       zone data twice.  Instead, before the actual rollover, the new key
-      is published in the key set and thus available for cryptanalysis
-      attacks.  A small disadvantage is that this process requires four
-      steps.  Also the pre-publish scheme involves more parental work
-      when used for KSK rollovers as explained in Section 4.2.3.
-   Double Signature Zone-signing Key Rollover: The drawback of this
-      signing scheme is that during the rollover the number of
-      signatures in your zone doubles, this may be prohibitive if you
-      have very big zones.  An advantage is that it only requires three
-      steps.
+      is published in the key set and thus is available for
+      cryptanalysis attacks.  A small disadvantage is that this process
+      requires four steps.  Also the pre-publish scheme involves more
+      parental work when used for KSK rollovers as explained in Section
+      4.2.3.
+
+   Double signature ZSK rollover: The drawback of this signing scheme is
+      that during the rollover the number of signatures in your zone
+      doubles; this may be prohibitive if you have very big zones.  An
+      advantage is that it only requires three steps.
 
 4.2.2.  Key Signing Key Rollovers
 
-   For the rollover of a key signing key the same considerations as for
-   the rollover of a zone signing key apply.  However we can use a
+   For the rollover of a Key Signing Key, the same considerations as for
+   the rollover of a Zone Signing Key apply.  However, we can use a
    double signature scheme to guarantee that old data (only the apex key
    set) in caches can be verified with a new key set and vice versa.
    Since only the key set is signed with a KSK, zone size considerations
    do not apply.
 
 
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 18]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   --------------------------------------------------------------------
        initial        new DNSKEY        DS change       DNSKEY removal
+   --------------------------------------------------------------------
      Parent:
        SOA0           -------->         SOA1            -------->
        RRSIGpar(SOA0) -------->         RRSIGpar(SOA1)  -------->
@@ -1051,41 +1032,42 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
        RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  -------->       RRSIG2 (DNSKEY)
                        RRSIG2 (DNSKEY)  -------->
        RRSIG10(DNSKEY) RRSIG10(DNSKEY)  -------->       RRSIG10(DNSKEY)
+   --------------------------------------------------------------------
 
-   Stages of Deployment for Key Signing Key Rollover.
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 19]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
+   Stages of Deployment for a Double Signature Key Signing Key Rollover
 
    initial: Initial version of the zone.  The parental DS points to
-      DNSKEY1.  Before the rollover starts the child will have to verify
-      what the TTL is of the DS RR that points to DNSKEY1 - it is needed
-      during the rollover and we refer to the value as TTL_DS.
-   new DNSKEY: During the "new DNSKEY" phase the zone administrator
+      DNSKEY1.  Before the rollover starts, the child will have to
+      verify what the TTL is of the DS RR that points to DNSKEY1 -- it
+      is needed during the rollover and we refer to the value as TTL_DS.
+
+   new DNSKEY: During the "new DNSKEY" phase, the zone administrator
       generates a second KSK, DNSKEY2.  The key is provided to the
-      parent and the child will have to wait until a new DS RR has been
+      parent, and the child will have to wait until a new DS RR has been
       generated that points to DNSKEY2.  After that DS RR has been
       published on all servers authoritative for the parent's zone, the
       zone administrator has to wait at least TTL_DS to make sure that
       the old DS RR has expired from caches.
+
    DS change: The parent replaces DS1 with DS2.
+
    DNSKEY removal: DNSKEY1 has been removed.
 
    The scenario above puts the responsibility for maintaining a valid
-   chain of trust with the child.  It also is based on the premises that
+   chain of trust with the child.  It also is based on the premise that
    the parent only has one DS RR (per algorithm) per zone.  An
    alternative mechanism has been considered.  Using an established
    trust relation, the interaction can be performed in-band, and the
    removal of the keys by the child can possibly be signaled by the
-   parent.  In this mechanism there are periods where there are two DS
+   parent.  In this mechanism, there are periods where there are two DS
+
+
+
+Kolkman & Gieben             Informational                     [Page 19]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
    RRs at the parent.  Since at the moment of writing the protocol for
    this interaction has not been developed, further discussion is out of
    scope for this document.
@@ -1098,8 +1080,7 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    waiting for it.
 
    A zone key rollover can be handled in two different ways: pre-publish
-   (Section Section 4.2.1.1) and double signature (Section
-   Section 4.2.1.2).
+   (Section 4.2.1.1) and double signature (Section 4.2.1.2).
 
    As the KSK is used to validate the key set and because the KSK is not
    changed during a ZSK rollover, a cache is able to validate the new
@@ -1109,19 +1090,9 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    We first describe the rollover scheme and then indicate these
    drawbacks.
 
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 20]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
+   --------------------------------------------------------------------
      initial         new DS           new DNSKEY      DS/DNSKEY removal
+   --------------------------------------------------------------------
    Parent:
      SOA0            SOA1             -------->       SOA2
      RRSIGpar(SOA0)  RRSIGpar(SOA1)   -------->       RRSIGpar(SOA2)
@@ -1130,7 +1101,6 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
      RRSIGpar(DS)    RRSIGpar(DS)     -------->       RRSIGpar(DS)
 
 
-
    Child:
      SOA0            -------->        SOA1            SOA1
      RRSIG10(SOA0)   -------->        RRSIG10(SOA1)   RRSIG10(SOA1)
@@ -1140,43 +1110,47 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
      DNSKEY10        -------->        DNSKEY10        DNSKEY10
      RRSIG1 (DNSKEY) -------->        RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
      RRSIG10(DNSKEY) -------->        RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+   --------------------------------------------------------------------
 
-   Stages of Deployment for a Pre-publish Key Signing Key rollover.
+      Stages of Deployment for a Pre-Publish Key Signing Key Rollover
 
-   When the child zone wants to roll it notifies the parent during the
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 20]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   When the child zone wants to roll, it notifies the parent during the
    "new DS" phase and submits the new key (or the corresponding DS) to
    the parent.  The parent publishes DS1 and DS2, pointing to DNSKEY1
-   and DNSKEY2 respectively.  During the rollover ("new DNSKEY" phase),
+   and DNSKEY2, respectively.  During the rollover ("new DNSKEY" phase),
    which can take place as soon as the new DS set propagated through the
    DNS, the child replaces DNSKEY1 with DNSKEY2.  Immediately after that
-   ("DS/DNSKEY removal" phase) it can notify the parent that the old DS
+   ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
    record can be deleted.
 
    The drawbacks of this scheme are that during the "new DS" phase the
    parent cannot verify the match between the DS2 RR and DNSKEY2 using
    the DNS -- as DNSKEY2 is not yet published.  Besides, we introduce a
-   "security lame" key (See Section 4.4.3).  Finally the child-parent
+   "security lame" key (see Section 4.4.3).  Finally, the child-parent
    interaction consists of two steps.  The "double signature" method
    only needs one interaction.
 
 4.2.4.  Automated Key Rollovers
 
    As keys must be renewed periodically, there is some motivation to
-   automate the rollover process.  Consider that:
+   automate the rollover process.  Consider the following:
 
    o  ZSK rollovers are easy to automate as only the child zone is
       involved.
+
    o  A KSK rollover needs interaction between parent and child.  Data
-      exchange is needed to provide the new keys to the parent,
+      exchange is needed to provide the new keys to the parent;
       consequently, this data must be authenticated and integrity must
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 21]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
       be guaranteed in order to avoid attacks on the rollover.
 
 4.3.  Planning for Emergency Key Rollover
@@ -1187,23 +1161,33 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
 
    When the private material of one of your keys is compromised it can
    be used for as long as a valid trust chain exists.  A trust chain
-   remains intact for:
+   remains intact for
+
    o  as long as a signature over the compromised key in the trust chain
       is valid,
+
    o  as long as a parental DS RR (and signature) points to the
       compromised key,
+
    o  as long as the key is anchored in a resolver and is used as a
       starting point for validation (this is generally the hardest to
       update).
 
-   While a trust chain to your compromised key exists, your name-space
-   is vulnerable to abuse by anyone who has obtained illegitimate
-   possession of the key.  Zone operators have to make a trade off if
+
+
+Kolkman & Gieben             Informational                     [Page 21]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   While a trust chain to your compromised key exists, your namespace is
+   vulnerable to abuse by anyone who has obtained illegitimate
+   possession of the key.  Zone operators have to make a trade-off if
    the abuse of the compromised key is worse than having data in caches
    that cannot be validated.  If the zone operator chooses to break the
    trust chain to the compromised key, data in caches signed with this
    key cannot be validated.  However, if the zone administrator chooses
-   to take the path of a regular roll-over, the malicious key holder can
+   to take the path of a regular rollover, the malicious key holder can
    spoof data so that it appears to be valid.
 
 4.3.1.  KSK Compromise
@@ -1215,56 +1199,60 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    A compromised KSK can be used to sign the key set of an attacker's
    zone.  That zone could be used to poison the DNS.
 
-   Therefore when the KSK has been compromised, the trust anchor or the
-   parental DS, should be replaced as soon as possible.  It is local
+   Therefore, when the KSK has been compromised, the trust anchor or the
+   parental DS should be replaced as soon as possible.  It is local
    policy whether to break the trust chain during the emergency
    rollover.  The trust chain would be broken when the compromised KSK
    is removed from the child's zone while the parent still has a DS
    pointing to the compromised KSK (the assumption is that there is only
-   one DS at the parent.  If there are multiple DSs this does not apply
+   one DS at the parent.  If there are multiple DSes this does not apply
    -- however the chain of trust of this particular key is broken).
 
    Note that an attacker's zone still uses the compromised KSK and the
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 22]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
    presence of a parental DS would cause the data in this zone to appear
    as valid.  Removing the compromised key would cause the attacker's
-   zone to appear as valid and the child's zone as Bogus.  Therefore we
+   zone to appear as valid and the child's zone as Bogus.  Therefore, we
    advise not to remove the KSK before the parent has a DS to a new KSK
    in place.
 
 4.3.1.1.  Keeping the Chain of Trust Intact
 
-   If we follow this advice the timing of the replacement of the KSK is
+   If we follow this advice, the timing of the replacement of the KSK is
    somewhat critical.  The goal is to remove the compromised KSK as soon
    as the new DS RR is available at the parent.  And also make sure that
    the signature made with a new KSK over the key set with the
    compromised KSK in it expires just after the new DS appears at the
-   parent.  Thus removing the old cruft in one swoop.
+   parent, thus removing the old cruft in one swoop.
 
    The procedure is as follows:
+
    1.  Introduce a new KSK into the key set, keep the compromised KSK in
        the key set.
+
+
+
+Kolkman & Gieben             Informational                     [Page 22]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
    2.  Sign the key set, with a short validity period.  The validity
        period should expire shortly after the DS is expected to appear
-       in the parent and the old DSs have expired from caches.
+       in the parent and the old DSes have expired from caches.
+
    3.  Upload the DS for this new key to the parent.
+
    4.  Follow the procedure of the regular KSK rollover: Wait for the DS
        to appear in the authoritative servers and then wait as long as
        the TTL of the old DS RRs.  If necessary re-sign the DNSKEY RRSet
        and modify/extend the expiration time.
+
    5.  Remove the compromised DNSKEY RR from the zone and re-sign the
        key set using your "normal" validity interval.
 
    An additional danger of a key compromise is that the compromised key
    could be used to facilitate a legitimate DNSKEY/DS rollover and/or
-   nameserver changes at the parent.  When that happens the domain may
+   nameserver changes at the parent.  When that happens, the domain may
    be in dispute.  An authenticated out-of-band and secure notify
    mechanism to contact a parent is needed in this case.
 
@@ -1274,26 +1262,18 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
 4.3.1.2.  Breaking the Chain of Trust
 
    There are two methods to break the chain of trust.  The first method
-   causes the child zone to appear as 'Bogus' to validating resolvers.
-   The other causes the the child zone to appear as 'insecure'.  These
-   are described below.
+   causes the child zone to appear 'Bogus' to validating resolvers.  The
+   other causes the child zone to appear 'insecure'.  These are
+   described below.
 
-   In the method that causes the child zone to appear as 'Bogus' to
+   In the method that causes the child zone to appear 'Bogus' to
    validating resolvers, the child zone replaces the current KSK with a
-   new one and resigns the key set.  Next it sends the DS of the new key
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 23]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   to the parent.  Only after the parent has placed the new DS in the
-   zone, the child's chain of trust is repaired.
+   new one and re-signs the key set.  Next it sends the DS of the new
+   key to the parent.  Only after the parent has placed the new DS in
+   the zone is the child's chain of trust repaired.
 
    An alternative method of breaking the chain of trust is by removing
-   the DS RRs from the parent zone altogether.  As a result the child
+   the DS RRs from the parent zone altogether.  As a result, the child
    zone would become insecure.
 
 4.3.2.  ZSK Compromise
@@ -1302,8 +1282,16 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    ZSK is compromised, the situation is less severe than with a KSK
    compromise.  The zone must still be re-signed with a new ZSK as soon
    as possible.  As this is a local operation and requires no
-   communication between the parent and child this can be achieved
+   communication between the parent and child, this can be achieved
    fairly quickly.  However, one has to take into account that just as
+
+
+
+Kolkman & Gieben             Informational                     [Page 23]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
    with a normal rollover the immediate disappearance of the old
    compromised key may lead to verification problems.  Also note that as
    long as the RRSIG over the compromised ZSK is not expired the zone
@@ -1319,12 +1307,12 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    should be notified of this fact.  Zone administrators may consider
    setting up a mailing list to communicate the fact that a SEP key is
    about to be rolled over.  This communication will of course need to
-   be authenticated e.g. by using digital signatures.
+   be authenticated, e.g., by using digital signatures.
 
    End-users faced with the task of updating an anchored key should
    always validate the new key.  New keys should be authenticated out-
-   of-band, for example, looking them up on an SSL secured announcement
-   website.
+   of-band, for example, through the use of an announcement website that
+   is secured using secure sockets (TLS) [21].
 
 4.4.  Parental Policies
 
@@ -1335,36 +1323,35 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    account that the authentication and authorization mechanisms used
    during a key exchange should be as strong as the authentication and
    authorization mechanisms used for the exchange of delegation
-   information between parent and child.  I.e. there is no implicit need
-   in DNSSEC to make the authentication process stronger than it was in
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 24]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   DNS.
+   information between parent and child.  That is, there is no implicit
+   need in DNSSEC to make the authentication process stronger than it
+   was in DNS.
 
    Using the DNS itself as the source for the actual DNSKEY material,
    with an out-of-band check on the validity of the DNSKEY, has the
    benefit that it reduces the chances of user error.  A DNSKEY query
    tool can make use of the SEP bit [3] to select the proper key from a
-   DNSSEC key set; thereby reducing the chance that the wrong DNSKEY is
+   DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
    sent.  It can validate the self-signature over a key; thereby
    verifying the ownership of the private key material.  Fetching the
    DNSKEY from the DNS ensures that the chain of trust remains intact
    once the parent publishes the DS RR indicating the child is secure.
 
-   Note: the out-of-band verification is still needed when the key-
+   Note: the out-of-band verification is still needed when the key
    material is fetched via the DNS.  The parent can never be sure
-   whether the DNSKEY RRs have been spoofed or not.
+   whether or not the DNSKEY RRs have been spoofed.
+
+
+
+Kolkman & Gieben             Informational                     [Page 24]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
 
 4.4.2.  Storing Keys or Hashes?
 
    When designing a registry system one should consider which of the
-   DNSKEYs and/or the corresponding DSs to store.  Since a child zone
+   DNSKEYs and/or the corresponding DSes to store.  Since a child zone
    might wish to have a DS published using a message digest algorithm
    not yet understood by the registry, the registry can't count on being
    able to generate the DS record from a raw DNSKEY.  Thus, we recommend
@@ -1374,7 +1361,7 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    during troubleshooting and, as long as the child's chosen message
    digest is supported, the overhead of generating DS records from them
    is minimal.  Having an out-of-band mechanism, such as a registry
-   directory (e.g.  Whois), to find out which keys are used to generate
+   directory (e.g., Whois), to find out which keys are used to generate
    DS Resource Records for specific owners and/or zones may also help
    with troubleshooting.
 
@@ -1382,43 +1369,48 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    interface and the method by which data is transferred between
    registrant and registry; Will the child zone administrator be able to
    upload DS RRs with unknown hash algorithms or does the interface only
-   allow DNSKEYs?  In the registry-registrar model one can use the
-   DNSSEC EPP protocol extension [16] which allows transfer of DS RRs
-   and optionally DNSKEY RRs.
+   allow DNSKEYs?  In the registry-registrar model, one can use the
+   DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
+   which allows transfer of DS RRs and optionally DNSKEY RRs.
 
 4.4.3.  Security Lameness
 
-   Security Lameness is defined as what happens when a parent has a DS
-   RR pointing to a non-existing DNSKEY RR.  When this happens the
-   child's zone may be marked as "Bogus" by verifying DNS clients.
-
-   As part of a comprehensive delegation check the parent could, at key
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 25]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
+   Security lameness is defined as what happens when a parent has a DS
+   RR pointing to a non-existing DNSKEY RR.  When this happens, the
+   child's zone may be marked "Bogus" by verifying DNS clients.
 
+   As part of a comprehensive delegation check, the parent could, at key
    exchange time, verify that the child's key is actually configured in
-   the DNS.  However if a parent does not understand the hashing
-   algorithm used by child the parental checks are limited to only
+   the DNS.  However, if a parent does not understand the hashing
+   algorithm used by child, the parental checks are limited to only
    comparing the key id.
 
-   Child zones should be very careful removing DNSKEY material,
+   Child zones should be very careful in removing DNSKEY material,
    specifically SEP keys, for which a DS RR exists.
 
-   Once a zone is "security lame", a fix (e.g. removing a DS RR) will
+   Once a zone is "security lame", a fix (e.g., removing a DS RR) will
    take time to propagate through the DNS.
 
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 25]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
 4.4.4.  DS Signature Validity Period
 
    Since the DS can be replayed as long as it has a valid signature, a
    short signature validity period over the DS minimizes the time a
    child is vulnerable in the case of a compromise of the child's
    KSK(s).  A signature validity period that is too short introduces the
-   possibility that a zone is marked Bogus in case of a configuration
+   possibility that a zone is marked "Bogus" in case of a configuration
    error in the signer.  There may not be enough time to fix the
    problems before signatures expire.  Something as mundane as operator
    unavailability during weekends shows the need for DS signature
@@ -1427,14 +1419,14 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
 
    The maximum signature validity period of the DS record depends on how
    long child zones are willing to be vulnerable after a key compromise.
-   On the other hand shortening the DS signature validity interval
-   increases the operational risk for the parent.  Therefore the parent
+   On the other hand, shortening the DS signature validity interval
+   increases the operational risk for the parent.  Therefore, the parent
    may have policy to use a signature validity interval that is
    considerably longer than the child would hope for.
 
    A compromise between the operational constraints of the parent and
    minimizing damage for the child may result in a DS signature validity
-   period somewhere between the order of a week to order of months.
+   period somewhere between a week and months.
 
    In addition to the signature validity period, which sets a lower
    bound on the number of times the zone owner will need to sign the
@@ -1442,42 +1434,37 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
    vulnerable after key compromise, there is the TTL value on the DS
    RRs.  Shortening the TTL means that the authoritative servers will
    see more queries.  But on the other hand, a short TTL lowers the
-   persistence of DS RRSets in caches thereby increases the speed with
+   persistence of DS RRSets in caches thereby increasing the speed with
    which updated DS RRSets propagate through the DNS.
 
-
-5.  IANA Considerations
-
-   This overview document introduces no new IANA considerations.
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 26]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-6.  Security Considerations
+5.  Security Considerations
 
    DNSSEC adds data integrity to the DNS.  This document tries to assess
    the operational considerations to maintain a stable and secure DNSSEC
    service.  Not taking into account the 'data propagation' properties
    in the DNS will cause validation failures and may make secured zones
-   unavailable to security aware resolvers.
+   unavailable to security-aware resolvers.
 
+6.  Acknowledgments
 
-7.  Acknowledgments
-
-   Most of the ideas in this draft were the result of collective efforts
-   during workshops, discussions and try outs.
+   Most of the ideas in this document were the result of collective
+   efforts during workshops, discussions, and tryouts.
 
    At the risk of forgetting individuals who were the original
-   contributors of the ideas we would like to acknowledge people who
+   contributors of the ideas, we would like to acknowledge people who
+
+
+
+Kolkman & Gieben             Informational                     [Page 26]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
    were actively involved in the compilation of this document.  In
    random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
    Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
    Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
-   Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz and Peter Koch.
+   Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch.
 
    Some material in this document has been copied from RFC 2541 [12].
 
@@ -1486,257 +1473,299 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
 
    Section 4.2.4 was supplied by G. Guette and O. Courtay.
 
-   Emma Bretherick, Adrian Bedford and Lindy Foster corrected many of
+   Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of
    the spelling and style issues.
 
-   Kolkman and Gieben take the blame for introducing all miscakes(SIC).
+   Kolkman and Gieben take the blame for introducing all miscakes (sic).
 
-   Kolkman was employed by the RIPE NCC while working on this document.
+   While working on this document, Kolkman was employed by the RIPE NCC
+   and Gieben was employed by NLnet Labs.
 
+7.  References
 
-8.  References
+7.1.  Normative References
 
-8.1.  Normative References
+   [1]   Mockapetris, P., "Domain names - concepts and facilities", STD
+         13, RFC 1034, November 1987.
 
-   [1]  Mockapetris, P., "Domain names - concepts and facilities",
-        STD 13, RFC 1034, November 1987.
+   [2]   Mockapetris, P., "Domain names - implementation and
+         specification", STD 13, RFC 1035, November 1987.
 
-   [2]  Mockapetris, P., "Domain names - implementation and
-        specification", STD 13, RFC 1035, November 1987.
+   [3]   Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System
+         KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP)
+         Flag", RFC 3757, May 2004.
 
-   [3]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
+   [4]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "DNS Security Introduction and Requirements", RFC 4033, March
+         2005.
+
+   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Resource Records for the DNS Security Extensions", RFC 4034,
+         March 2005.
+
+   [6]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Protocol Modifications for the DNS Security Extensions", RFC
+         4035, March 2005.
 
 
 
-Kolkman & Gieben        Expires September 7, 2006              [Page 27]
+
+
+Kolkman & Gieben             Informational                     [Page 27]
 
-Internet-Draft        DNSSEC Operational Practices            March 2006
+RFC 4641              DNSSEC Operational Practices        September 2006
 
 
-        (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
-        RFC 3757, May 2004.
+7.2.  Informative References
 
-   [4]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-   [5]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-   [6]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        RFC 4035, March 2005.
-
-8.2.  Informative References
-
-   [7]   Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
-         August 1996.
-
-   [8]   Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
-         (DNS NOTIFY)", RFC 1996, August 1996.
-
-   [9]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+   [7]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
          Levels", BCP 14, RFC 2119, March 1997.
 
-   [10]  Eastlake, D., "Secure Domain Name System Dynamic Update",
-         RFC 2137, April 1997.
+   [8]   Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August
+         1996.
+
+   [9]   Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+         (DNS NOTIFY)", RFC 1996, August 1996.
+
+   [10]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
+         Update", RFC 3007, November 2000.
 
    [11]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
          RFC 2308, March 1998.
 
-   [12]  Eastlake, D., "DNS Security Operational Considerations",
-         RFC 2541, March 1999.
+   [12]  Eastlake, D., "DNS Security Operational Considerations", RFC
+         2541, March 1999.
 
-   [13]  Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
-         RFC 3658, December 2003.
-
-   [14]  Orman, H. and P. Hoffman, "Determining Strengths For Public
+   [13]  Orman, H. and P. Hoffman, "Determining Strengths For Public
          Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
          April 2004.
 
-   [15]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+   [14]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
          Requirements for Security", BCP 106, RFC 4086, June 2005.
 
-   [16]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
-         Mapping for the Extensible Provisioning Protocol (EPP)",
-         RFC 4310, December 2005.
+   [15]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+         Mapping for the Extensible Provisioning Protocol (EPP)", RFC
+         4310, December 2005.
 
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 28]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   [17]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
+   [16]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
          Sizes", The Journal of Cryptology 14 (255-293), 2001.
 
-   [18]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
+   [17]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
          Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
          (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
          1996.
 
-   [19]  Rose, S., "NIST DNSSEC workshop notes", June 2001.
+   [18]  Rose, S., "NIST DNSSEC workshop notes", June 2001.
 
-   [20]  Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
-         Records in DNSSEC", draft-ietf-dnsext-dnssec-rsasha256-00.txt
-         (work in progress), January 2006.
+   [19]  Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
+         Records in DNSSEC", Work in Progress, January 2006.
 
-   [21]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
-         Resource Records (RRs)", draft-ietf-dnsext-ds-sha256-04.txt
-         (work in progress), January 2006.
+   [20]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+         Resource Records (RRs)", RFC 4509, May 2006.
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 28]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   [21]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
+         T. Wright, "Transport Layer Security (TLS) Extensions", RFC
+         4366, April 2006.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 29]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
 
 
 Appendix A.  Terminology
 
-   In this document there is some jargon used that is defined in other
-   documents.  In most cases we have not copied the text from the
-   documents defining the terms but given a more elaborate explanation
-   of the meaning.  Note that these explanations should not be seen as
-   authoritative.
+   In this document, there is some jargon used that is defined in other
+   documents.  In most cases, we have not copied the text from the
+   documents defining the terms but have given a more elaborate
+   explanation of the meaning.  Note that these explanations should not
+   be seen as authoritative.
 
-   Anchored Key: A DNSKEY configured in resolvers around the globe.
+   Anchored key: A DNSKEY configured in resolvers around the globe.
       This key is hard to update, hence the term anchored.
+
    Bogus: Also see Section 5 of [4].  An RRSet in DNSSEC is marked
-      "Bogus" when a signature of a RRSet does not validate against a
+      "Bogus" when a signature of an RRSet does not validate against a
       DNSKEY.
+
    Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
       exclusively for signing the apex key set.  The fact that a key is
       a KSK is only relevant to the signing tool.
+
    Key size: The term 'key size' can be substituted by 'modulus size'
       throughout the document.  It is mathematically more correct to use
       modulus size, but as this is a document directed at operators we
       feel more at ease with the term key size.
-   Private and Public Keys: DNSSEC secures the DNS through the use of
+
+   Private and public keys: DNSSEC secures the DNS through the use of
       public key cryptography.  Public key cryptography is based on the
       existence of two (mathematically related) keys, a public key and a
       private key.  The public keys are published in the DNS by use of
       the DNSKEY Resource Record (DNSKEY RR).  Private keys should
       remain private.
 
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 29]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   Key Rollover: A key rollover (also called key supercession in some
-      environments) is the act of replacing one key pair by another at
+   Key rollover: A key rollover (also called key supercession in some
+      environments) is the act of replacing one key pair with another at
       the end of a key effectivity period.
-   Secure Entry Point key or SEP Key: A KSK that has a parental DS
-      record pointing to it or is configured as a trust anchor.
-      Although not required by the protocol we recommend that the SEP
-      flag [3] is set on these keys.
-   Self-signature: This is only applies to signatures over DNSKEYs; a
+
+   Secure Entry Point (SEP) key: A KSK that has a parental DS record
+      pointing to it or is configured as a trust anchor.  Although not
+      required by the protocol, we recommend that the SEP flag [3] is
+      set on these keys.
+
+   Self-signature: This only applies to signatures over DNSKEYs; a
       signature made with DNSKEY x, over DNSKEY x is called a self-
-      signature.  Note: without further information self-signatures
-      convey no trust, they are useful to check the authenticity of the
-      DNSKEY, i.e. they can be used as a hash.
-   Singing the Zone File: The term used for the event where an
+      signature.  Note: without further information, self-signatures
+      convey no trust.  They are useful to check the authenticity of the
+      DNSKEY, i.e., they can be used as a hash.
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 30]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   Singing the zone file: The term used for the event where an
       administrator joyfully signs its zone file while producing melodic
       sound patterns.
+
    Signer: The system that has access to the private key material and
       signs the Resource Record sets in a zone.  A signer may be
-      configured to sign only parts of the zone e.g. only those RRSets
+      configured to sign only parts of the zone, e.g., only those RRSets
       for which existing signatures are about to expire.
-   Zone Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
-      used for signing all data in a zone.  The fact that a key is a ZSK
-      is only relevant to the signing tool.
-   Zone Administrator: The 'role' that is responsible for signing a zone
+
+   Zone Signing Key (ZSK): A key that is used for signing all data in a
+      zone.  The fact that a key is a ZSK is only relevant to the
+      signing tool.
+
+   Zone administrator: The 'role' that is responsible for signing a zone
       and publishing it on the primary authoritative server.
 
-
-Appendix B.  Zone Signing Key Rollover Howto
+Appendix B.  Zone Signing Key Rollover How-To
 
    Using the pre-published signature scheme and the most conservative
    method to assure oneself that data does not live in caches, here
-   follows the "HOWTO".
+   follows the "how-to".
+
    Step 0: The preparation: Create two keys and publish both in your key
-      set.  Mark one of the keys as "active" and the other as
-      "published".  Use the "active" key for signing your zone data.
-      Store the private part of the "published" key, preferably off-
-      line.
-      The protocol does not provide for attributes to mark a key as
-      active or published.  This is something you have to do on your
-      own, through the use of a notebook or key management tool.
+      set.  Mark one of the keys "active" and the other "published".
+      Use the "active" key for signing your zone data.  Store the
+      private part of the "published" key, preferably off-line.  The
+      protocol does not provide for attributes to mark a key as active
+      or published.  This is something you have to do on your own,
+      through the use of a notebook or key management tool.
+
    Step 1: Determine expiration: At the beginning of the rollover make a
       note of the highest expiration time of signatures in your zone
-      file created with the current key marked as "active".
-      Wait until the expiration time marked in Step 1 has passed
-   Step 2: Then start using the key that was marked as "published" to
-      sign your data i.e. mark it as "active".  Stop using the key that
-      was marked as "active", mark it as "rolled".
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 30]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
+      file created with the current key marked as active.  Wait until
+      the expiration time marked in Step 1 has passed.
 
+   Step 2: Then start using the key that was marked "published" to sign
+      your data (i.e., mark it "active").  Stop using the key that was
+      marked "active"; mark it "rolled".
 
    Step 3: It is safe to engage in a new rollover (Step 1) after at
-      least one "signature validity period".
+      least one signature validity period.
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 31]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
 
 
 Appendix C.  Typographic Conventions
 
    The following typographic conventions are used in this document:
+
    Key notation: A key is denoted by DNSKEYx, where x is a number or an
-      identifier, x could be thought of as the key id.
+   identifier, x could be thought of as the key id.
+
    RRSet notations: RRs are only denoted by the type.  All other
-      information - owner, class, rdata and TTL - is left out.  Thus:
-      "example.com 3600 IN A 192.0.2.1" is reduced to "A".  RRSets are a
-      list of RRs.  A example of this would be: "A1, A2", specifying the
-      RRSet containing two "A" records.  This could again be abbreviated
-      to just "A".
+   information -- owner, class, rdata, and TTL--is left out.  Thus:
+   "example.com 3600 IN A 192.0.2.1" is reduced to "A".  RRSets are a
+   list of RRs.  A example of this would be "A1, A2", specifying the
+   RRSet containing two "A" records.  This could again be abbreviated to
+   just "A".
+
    Signature notation: Signatures are denoted as RRSIGx(RRSet), which
-      means that RRSet is signed with DNSKEYx.
+   means that RRSet is signed with DNSKEYx.
+
    Zone representation: Using the above notation we have simplified the
-      representation of a signed zone by leaving out all unnecessary
-      details such as the names and by representing all data by "SOAx"
+   representation of a signed zone by leaving out all unnecessary
+   details such as the names and by representing all data by "SOAx"
+
    SOA representation: SOAs are represented as SOAx, where x is the
-      serial number.
+   serial number.
+
    Using this notation the following signed zone:
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 31]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
    example.net.      86400  IN SOA  ns.example.net. bert.example.net. (
                             2006022100   ; serial
                             86400        ; refresh (  24 hours)
@@ -1758,6 +1787,15 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
                      86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
                                   20130422213204 14 example.net.
                                   J4zCe8QX4tXVGjV4e1r9... )
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 32]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
                      86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
                                   20130422213204 15 example.net.
                                   keVDCOpsSeDReyV6O... )
@@ -1785,124 +1823,33 @@ Internet-Draft        DNSSEC Operational Practices            March 2006
        RRSIG15(KEY)
 
    The rest of the zone data has the same signature as the SOA record,
+   i.e., an RRSIG created with DNSKEY 14.
 
 
 
-Kolkman & Gieben        Expires September 7, 2006              [Page 32]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 33]
 
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   i.e a RRSIG created with DNSKEY 14.
-
-
-Appendix D.  Document Details and Changes
-
-   This section is to be removed by the RFC editor if and when the
-   document is published.
-
-   $Id: draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.31.2.14
-   2005/03/21 15:51:41 dnssec Exp $
-
-D.1.  draft-ietf-dnsop-dnssec-operational-practices-00
-
-   Submission as working group document.  This document is a modified
-   and updated version of draft-kolkman-dnssec-operational-practices-00.
-
-D.2.  draft-ietf-dnsop-dnssec-operational-practices-01
-
-   changed the definition of "Bogus" to reflect the one in the protocol
-   draft.
-
-   Bad to Bogus
-
-   Style and spelling corrections
-
-   KSK - SEP mapping made explicit.
-
-   Updates from Sam Weiler added
-
-D.3.  draft-ietf-dnsop-dnssec-operational-practices-02
-
-   Style and errors corrected.
-
-   Added Automatic rollover requirements from I-D.ietf-dnsop-key-
-   rollover-requirements.
-
-D.4.  draft-ietf-dnsop-dnssec-operational-practices-03
-
-   Added the definition of Key effectivity period and used that term
-   instead of Key validity period.
-
-   Modified the order of the sections, based on a suggestion by Rip
-   Loomis.
-
-   Included parts from RFC 2541 [12].  Most of its ground was already
-   covered.  This document obsoletes RFC 2541 [12].  Section 3.1.2
-   deserves some review as it in contrast to RFC 2541 does _not_ give
-   recomendations about root-zone keys.
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 33]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
-
-
-   added a paragraph to Section 4.4.4
-
-D.5.  draft-ietf-dnsop-dnssec-operational-practices-04
-
-   Somewhat more details added about the pre-publish KSK rollover.  Also
-   moved that subsection down a bit.
-
-   Editorial and content nits that came in during wg last call were
-   fixed.
-
-D.6.  draft-ietf-dnsop-dnssec-operational-practices-05
-
-   Applied some another set of comments that came in _after_ the the
-   WGLC.
-
-   Applied comments from Hilarie Orman and made a referece to RFC 3766.
-   Deleted of a lot of key length discussion and took over the
-   recommendations from RFC 3766.
-
-   Reworked all the heading of the rollover figures
-
-D.7.  draft-ietf-dnsop-dnssec-operational-practices-06
-
-   One comment from Scott Rose applied.
-
-   Marcos Sanz gave a lots of editorial nits.  Almost all are
-   incorporated.
-
-D.8.  draft-ietf-dnsop-dnssec-operational-practices-07
-
-   Peter Koch's comments applied.
-
-   SHA-1/SHA-256 remarks added
-
-D.9.  draft-ietf-dnsop-dnssec-operational-practices-08
-
-   IESG comments applied.  Added headers and some captions to the tables
-   and applied all the nits.
-
-   IESG DISCUSS comments applied
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 7, 2006              [Page 34]
-
-Internet-Draft        DNSSEC Operational Practices            March 2006
+RFC 4641              DNSSEC Operational Practices        September 2006
 
 
 Authors' Addresses
@@ -1913,18 +1860,13 @@ Authors' Addresses
    Amsterdam  1098 VA
    The Netherlands
 
-   Email: olaf@nlnetlabs.nl
+   EMail: olaf@nlnetlabs.nl
    URI:   http://www.nlnetlabs.nl
 
 
-   Miek Gieben
-   NLnet Labs
-   Kruislaan 419
-   Amsterdam  1098 VA
-   The Netherlands
+   R. (Miek) Gieben
 
-   Email: miek@nlnetlabs.nl
-   URI:   http://www.nlnetlabs.nl
+   EMail: miek@miek.nl
 
 
 
@@ -1956,12 +1898,33 @@ Authors' Addresses
 
 
 
-Kolkman & Gieben        Expires September 7, 2006              [Page 35]
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 34]
 
-Internet-Draft        DNSSEC Operational Practices            March 2006
+RFC 4641              DNSSEC Operational Practices        September 2006
 
 
-Intellectual Property Statement
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
 
    The IETF takes no position regarding the validity or scope of any
    Intellectual Property Rights or other rights that might be claimed to
@@ -1985,32 +1948,16 @@ Intellectual Property Statement
    this standard.  Please address the information to the IETF at
    ietf-ipr@ietf.org.
 
+Acknowledgement
 
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2006).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
 
 
 
 
-Kolkman & Gieben        Expires September 7, 2006              [Page 36]
+
+
+
+Kolkman & Gieben             Informational                     [Page 35]
 

From b6783650e61950e792bd3d947ffcfff11a169939 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 25 Sep 2006 04:01:40 +0000
Subject: [PATCH 464/465] update openssl

---
 win32utils/BuildAll.bat     |   4 ++
 win32utils/updateopenssl.pl | 107 ++++++++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)
 create mode 100644 win32utils/updateopenssl.pl

diff --git a/win32utils/BuildAll.bat b/win32utils/BuildAll.bat
index 28bb80984e..038e7db287 100644
--- a/win32utils/BuildAll.bat
+++ b/win32utils/BuildAll.bat
@@ -30,6 +30,10 @@ rem a future release of BIND 9 for Windows NT/2000/XP.
 
 echo Setting up the BIND files required for the build
 
+rem Get and update for the latest build of the openssl library
+perl updateopenssl.pl
+
+rem Setup the files
 call BuildSetup.bat
 
 echo Build all of the Library files
diff --git a/win32utils/updateopenssl.pl b/win32utils/updateopenssl.pl
new file mode 100644
index 0000000000..1165b6b3b0
--- /dev/null
+++ b/win32utils/updateopenssl.pl
@@ -0,0 +1,107 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: updateopenssl.pl,v 1.2 2006/09/25 04:01:40 marka Exp $
+
+# updateopenssl.pl
+# This script locates the latest version of OpenSSL in the grandparent
+# directory and updates the build scripts to use that version.
+#
+# Path and directory
+$path = "../..";
+$SSLDirprefix = "openssl-*";
+
+# List of files that need to be updated with the actual version of the
+# openssl directory
+@filelist = ("BuildSetup.bat",
+             "../lib/dns/win32/libdns.mak",
+             "../lib/dns/win32/libdns.dsp");
+
+# Locate the openssl directory
+$substr = getdirectory();
+if ($substr eq 0) {
+     print "No directory found\n";
+}
+else {
+     print "Found $substr directory\n";
+}
+#Update the list of files
+if ($substr ne 0) {
+   $ind = 0;
+   foreach $file (@filelist) {
+        print "Updating file $file\n";
+	updatefile($file, $substr);
+	$ind++;
+   }
+}
+
+# Function to find the
+sub getdirectory {
+    my(@namelist);
+    my($file, $name);
+    my($cnt);
+    opendir(DIR,$path) || die "No Directory: $!";
+    @namelist = grep (/^$SSLDirprefix/i, readdir(DIR));
+    closedir(DIR);
+
+    # Make sure we have something
+    if (scalar(@namelist) == 0) {
+        return (0);
+    }
+    # Now see if we have a directory or just a file.
+    # Make sure we are case insensitive
+    foreach $file (sort {uc($a) cmp uc($b)} @namelist) {
+        if (-d $path.$file) {
+           $name = $file;
+        }
+    }
+
+    # If we have one use it otherwise report the error
+    # Note that we are only interested in the last one
+    # since the sort should have taken care of getting
+    # the latest
+    if (defined($name)) {
+        return ($name);
+    }
+    else {
+        return (0);
+    }
+}
+
+# function to replace the openssl directory name with the latest one
+sub updatefile {
+        my($filename, $substr, $line);
+        my(@Lines);
+
+        $filename = $_[0];
+        $substr   = $_[1];
+
+        open (RFILE, $filename) || die "Can't open file $filename: $!";
+        @Lines = ;
+        close (RFILE);
+
+        # Replace the string
+        foreach $line (@Lines) {
+                $line =~ s/openssl\-[0-9]+\.[0-9]+\.[0-9]+[a-z]/$substr/gi;
+        }
+        #update the file
+        open (RFILE, ">$filename") || die "Can't open file $filename: $!";
+        foreach $line (@Lines) {
+               print RFILE $line;
+        }
+        close(RFILE);
+}
+

From c9317c486255fce28b549ddabd2360cd58d3eeec Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 25 Sep 2006 04:23:59 +0000
Subject: [PATCH 465/465] fix path

---
 win32utils/updateopenssl.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/win32utils/updateopenssl.pl b/win32utils/updateopenssl.pl
index 1165b6b3b0..6a818338ef 100644
--- a/win32utils/updateopenssl.pl
+++ b/win32utils/updateopenssl.pl
@@ -14,14 +14,14 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: updateopenssl.pl,v 1.2 2006/09/25 04:01:40 marka Exp $
+# $Id: updateopenssl.pl,v 1.3 2006/09/25 04:23:59 marka Exp $
 
 # updateopenssl.pl
 # This script locates the latest version of OpenSSL in the grandparent
 # directory and updates the build scripts to use that version.
 #
 # Path and directory
-$path = "../..";
+$path = "..\\..\\";
 $SSLDirprefix = "openssl-*";
 
 # List of files that need to be updated with the actual version of the